Malware Analysis Report

2025-04-03 16:51

Sample ID 241109-vc7zjsybld
Target 83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN
SHA256 83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520d
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520d

Threat Level: Known bad

The file 83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 16:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 16:51

Reported

2024-11-09 16:53

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bniajoic.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkegah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Knhjjj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnjcomcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnjcomcf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohncbdbd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Opihgfop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Olebgfao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Achjibcl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Opglafab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oippjl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cenljmgq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmedlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Plgolf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmhnkfpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llgjaeoj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Neiaeiii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jgabdlfb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oippjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oplelf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akcomepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bigkel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jkchmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdcifi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jlkngc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbmaon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nncbdomg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omnipjni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Khghgchk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nfoghakb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgchgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phnpagdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cileqlmg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jeafjiop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djdgic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpicle32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Olbfagca.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qkfocaki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oibmpl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlqmmd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbmaon32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpkpadnl.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jeafjiop.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmhnkfpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlkngc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jojkco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgabdlfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkchmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khghgchk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kglehp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgnbnpkp.exe N/A
N/A N/A C:\Windows\SysWOW64\Knhjjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpicle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpkpadnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Llbqfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjaeoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjcomcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcjhmcok.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkqqnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mggabaea.exe N/A
N/A N/A C:\Windows\SysWOW64\Mobfgdcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfokinhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpgobc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlqmmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbmaon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neknki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nncbdomg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfoghakb.exe N/A
N/A N/A C:\Windows\SysWOW64\Omioekbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Opglafab.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohncbdbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Oippjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opihgfop.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oibmpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Oplelf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odgamdef.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Olbfagca.exe N/A
N/A N/A C:\Windows\SysWOW64\Opnbbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofhjopbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Oekjjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olebgfao.exe N/A
N/A N/A C:\Windows\SysWOW64\Obokcqhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Phlclgfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Plgolf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjphcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Phnpagdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pebpkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgcmbcih.exe N/A
N/A N/A C:\Windows\SysWOW64\Pojecajj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmmeon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pplaki32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe N/A
N/A N/A C:\Windows\SysWOW64\Jeafjiop.exe N/A
N/A N/A C:\Windows\SysWOW64\Jeafjiop.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmhnkfpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmhnkfpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlkngc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlkngc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jojkco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jojkco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgabdlfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgabdlfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkchmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkchmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khghgchk.exe N/A
N/A N/A C:\Windows\SysWOW64\Khghgchk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kglehp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kglehp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgnbnpkp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgnbnpkp.exe N/A
N/A N/A C:\Windows\SysWOW64\Knhjjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knhjjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpicle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpicle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpkpadnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpkpadnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Llbqfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llbqfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjaeoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjaeoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjcomcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjcomcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcjhmcok.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcjhmcok.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkqqnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkqqnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mggabaea.exe N/A
N/A N/A C:\Windows\SysWOW64\Mggabaea.exe N/A
N/A N/A C:\Windows\SysWOW64\Mobfgdcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mobfgdcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfokinhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfokinhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpgobc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpgobc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlqmmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlqmmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbmaon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbmaon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neknki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neknki32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Cjakccop.exe C:\Windows\SysWOW64\Cchbgi32.exe N/A
File created C:\Windows\SysWOW64\Jeafjiop.exe C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe N/A
File created C:\Windows\SysWOW64\Jlkngc32.exe C:\Windows\SysWOW64\Jmhnkfpa.exe N/A
File created C:\Windows\SysWOW64\Omnipjni.exe C:\Windows\SysWOW64\Oibmpl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oplelf32.exe C:\Windows\SysWOW64\Omnipjni.exe N/A
File created C:\Windows\SysWOW64\Pojecajj.exe C:\Windows\SysWOW64\Pgcmbcih.exe N/A
File created C:\Windows\SysWOW64\Nmlfpfpl.dll C:\Windows\SysWOW64\Ajmijmnn.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Ckjamgmk.exe N/A
File created C:\Windows\SysWOW64\Nappechk.dll C:\Windows\SysWOW64\Mggabaea.exe N/A
File created C:\Windows\SysWOW64\Hfiocpon.dll C:\Windows\SysWOW64\Omioekbo.exe N/A
File created C:\Windows\SysWOW64\Olebgfao.exe C:\Windows\SysWOW64\Oekjjl32.exe N/A
File created C:\Windows\SysWOW64\Lkpidd32.dll C:\Windows\SysWOW64\Phlclgfc.exe N/A
File opened for modification C:\Windows\SysWOW64\Pebpkk32.exe C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
File created C:\Windows\SysWOW64\Alecllfh.dll C:\Windows\SysWOW64\Bchfhfeh.exe N/A
File created C:\Windows\SysWOW64\Akafaiao.dll C:\Windows\SysWOW64\Nmfbpk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfoghakb.exe C:\Windows\SysWOW64\Nhlgmd32.exe N/A
File created C:\Windows\SysWOW64\Ohncbdbd.exe C:\Windows\SysWOW64\Opglafab.exe N/A
File opened for modification C:\Windows\SysWOW64\Pojecajj.exe C:\Windows\SysWOW64\Pgcmbcih.exe N/A
File created C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgoime32.exe C:\Windows\SysWOW64\Bdqlajbb.exe N/A
File opened for modification C:\Windows\SysWOW64\Omioekbo.exe C:\Windows\SysWOW64\Nfoghakb.exe N/A
File opened for modification C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\SysWOW64\Pdjjag32.exe N/A
File created C:\Windows\SysWOW64\Cileqlmg.exe C:\Windows\SysWOW64\Cocphf32.exe N/A
File created C:\Windows\SysWOW64\Pobghn32.dll C:\Windows\SysWOW64\Ckjamgmk.exe N/A
File created C:\Windows\SysWOW64\Qkfocaki.exe C:\Windows\SysWOW64\Qdlggg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Acfmcc32.exe C:\Windows\SysWOW64\Allefimb.exe N/A
File created C:\Windows\SysWOW64\Jgabdlfb.exe C:\Windows\SysWOW64\Jojkco32.exe N/A
File created C:\Windows\SysWOW64\Kgnbnpkp.exe C:\Windows\SysWOW64\Kglehp32.exe N/A
File created C:\Windows\SysWOW64\Knhjjj32.exe C:\Windows\SysWOW64\Kgnbnpkp.exe N/A
File opened for modification C:\Windows\SysWOW64\Nncbdomg.exe C:\Windows\SysWOW64\Nhjjgd32.exe N/A
File created C:\Windows\SysWOW64\Odgamdef.exe C:\Windows\SysWOW64\Oplelf32.exe N/A
File created C:\Windows\SysWOW64\Pgfjhcge.exe C:\Windows\SysWOW64\Pdgmlhha.exe N/A
File created C:\Windows\SysWOW64\Hmdeje32.dll C:\Windows\SysWOW64\Bkegah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmhnkfpa.exe C:\Windows\SysWOW64\Jeafjiop.exe N/A
File created C:\Windows\SysWOW64\Fiqhbk32.dll C:\Windows\SysWOW64\Aficjnpm.exe N/A
File created C:\Windows\SysWOW64\Jjmeignj.dll C:\Windows\SysWOW64\Bhjlli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bqlfaj32.exe C:\Windows\SysWOW64\Bieopm32.exe N/A
File created C:\Windows\SysWOW64\Cnkjnb32.exe C:\Windows\SysWOW64\Cgaaah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jojkco32.exe C:\Windows\SysWOW64\Jlkngc32.exe N/A
File created C:\Windows\SysWOW64\Eifppipg.dll C:\Windows\SysWOW64\Nlqmmd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhjjgd32.exe C:\Windows\SysWOW64\Neknki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Plgolf32.exe C:\Windows\SysWOW64\Phlclgfc.exe N/A
File created C:\Windows\SysWOW64\Qndkpmkm.exe C:\Windows\SysWOW64\Qkfocaki.exe N/A
File created C:\Windows\SysWOW64\Bkegah32.exe C:\Windows\SysWOW64\Bigkel32.exe N/A
File created C:\Windows\SysWOW64\Kglehp32.exe C:\Windows\SysWOW64\Khghgchk.exe N/A
File created C:\Windows\SysWOW64\Mkqqnq32.exe C:\Windows\SysWOW64\Mcjhmcok.exe N/A
File created C:\Windows\SysWOW64\Moohhbcf.dll C:\Windows\SysWOW64\Neiaeiii.exe N/A
File opened for modification C:\Windows\SysWOW64\Ohncbdbd.exe C:\Windows\SysWOW64\Opglafab.exe N/A
File created C:\Windows\SysWOW64\Oefdbdjo.dll C:\Windows\SysWOW64\Ofhjopbg.exe N/A
File created C:\Windows\SysWOW64\Bjkhdacm.exe C:\Windows\SysWOW64\Bgllgedi.exe N/A
File created C:\Windows\SysWOW64\Kpicle32.exe C:\Windows\SysWOW64\Knhjjj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdgmlhha.exe C:\Windows\SysWOW64\Pplaki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ahpifj32.exe C:\Windows\SysWOW64\Ajmijmnn.exe N/A
File created C:\Windows\SysWOW64\Alqnah32.exe C:\Windows\SysWOW64\Aakjdo32.exe N/A
File created C:\Windows\SysWOW64\Ihkhkcdl.dll C:\Windows\SysWOW64\Bniajoic.exe N/A
File created C:\Windows\SysWOW64\Onaiomjo.dll C:\Windows\SysWOW64\Cnkjnb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjkhdacm.exe C:\Windows\SysWOW64\Bgllgedi.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkjdndjo.exe C:\Windows\SysWOW64\Bgoime32.exe N/A
File created C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Jkchmo32.exe N/A
File created C:\Windows\SysWOW64\Nedhjj32.exe C:\Windows\SysWOW64\Mpgobc32.exe N/A
File created C:\Windows\SysWOW64\Jfkgbapp.dll C:\Windows\SysWOW64\Nfoghakb.exe N/A
File created C:\Windows\SysWOW64\Oekjjl32.exe C:\Windows\SysWOW64\Ofhjopbg.exe N/A
File created C:\Windows\SysWOW64\Pdeqfhjd.exe C:\Windows\SysWOW64\Pebpkk32.exe N/A
File created C:\Windows\SysWOW64\Mdhpmg32.dll C:\Windows\SysWOW64\Pplaki32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnjcomcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alqnah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llbqfe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdjjag32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmmeon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paknelgk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Allefimb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jojkco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mobfgdcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mqbbagjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pojecajj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opihgfop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oibmpl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plgolf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofhjopbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olebgfao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkegah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khghgchk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nncbdomg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfoghakb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cileqlmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgnbnpkp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcjhmcok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Achjibcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jkchmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpicle32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neiaeiii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agolnbok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgllgedi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfdenafn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oplelf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qndkpmkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhjlli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odgamdef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahpifj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlkngc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pebpkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgchgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbmaon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oippjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjakccop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phnpagdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbppnbhm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmfbpk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omioekbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbmcibjp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgnbnpkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlemad32.dll" C:\Windows\SysWOW64\Mkqqnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nappechk.dll" C:\Windows\SysWOW64\Mggabaea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" C:\Windows\SysWOW64\Agolnbok.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahpifj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Akcomepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lnjcomcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mobfgdcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdgmlhha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pleofj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll" C:\Windows\SysWOW64\Akcomepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll" C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cocphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diibmpdj.dll" C:\Windows\SysWOW64\Jlkngc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mqbbagjo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afdiondb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgchgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" C:\Windows\SysWOW64\Opihgfop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obokcqhk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbppnbhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cocphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jojkco32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nfoghakb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnghel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll" C:\Windows\SysWOW64\Cjakccop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejloak32.dll" C:\Windows\SysWOW64\Jeafjiop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jojkco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llbqfe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Opihgfop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll" C:\Windows\SysWOW64\Pdjjag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bffbdadk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" C:\Windows\SysWOW64\Cocphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkclcjqj.dll" C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qkfocaki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oplelf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odgamdef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moohhbcf.dll" C:\Windows\SysWOW64\Neiaeiii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddaafojo.dll" C:\Windows\SysWOW64\Oidiekdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll" C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll" C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oidiekdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afdiondb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alqnah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bieopm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgbioq32.dll" C:\Windows\SysWOW64\Mqbbagjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdecggq.dll" C:\Windows\SysWOW64\Nhlgmd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Omnipjni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bqlfaj32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe C:\Windows\SysWOW64\Jeafjiop.exe
PID 1484 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe C:\Windows\SysWOW64\Jeafjiop.exe
PID 1484 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe C:\Windows\SysWOW64\Jeafjiop.exe
PID 1484 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe C:\Windows\SysWOW64\Jeafjiop.exe
PID 1652 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Jeafjiop.exe C:\Windows\SysWOW64\Jmhnkfpa.exe
PID 1652 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Jeafjiop.exe C:\Windows\SysWOW64\Jmhnkfpa.exe
PID 1652 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Jeafjiop.exe C:\Windows\SysWOW64\Jmhnkfpa.exe
PID 1652 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Jeafjiop.exe C:\Windows\SysWOW64\Jmhnkfpa.exe
PID 2012 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Jmhnkfpa.exe C:\Windows\SysWOW64\Jlkngc32.exe
PID 2012 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Jmhnkfpa.exe C:\Windows\SysWOW64\Jlkngc32.exe
PID 2012 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Jmhnkfpa.exe C:\Windows\SysWOW64\Jlkngc32.exe
PID 2012 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Jmhnkfpa.exe C:\Windows\SysWOW64\Jlkngc32.exe
PID 1984 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Jlkngc32.exe C:\Windows\SysWOW64\Jojkco32.exe
PID 1984 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Jlkngc32.exe C:\Windows\SysWOW64\Jojkco32.exe
PID 1984 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Jlkngc32.exe C:\Windows\SysWOW64\Jojkco32.exe
PID 1984 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Jlkngc32.exe C:\Windows\SysWOW64\Jojkco32.exe
PID 2920 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Jojkco32.exe C:\Windows\SysWOW64\Jgabdlfb.exe
PID 2920 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Jojkco32.exe C:\Windows\SysWOW64\Jgabdlfb.exe
PID 2920 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Jojkco32.exe C:\Windows\SysWOW64\Jgabdlfb.exe
PID 2920 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Jojkco32.exe C:\Windows\SysWOW64\Jgabdlfb.exe
PID 2960 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Jgabdlfb.exe C:\Windows\SysWOW64\Jkchmo32.exe
PID 2960 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Jgabdlfb.exe C:\Windows\SysWOW64\Jkchmo32.exe
PID 2960 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Jgabdlfb.exe C:\Windows\SysWOW64\Jkchmo32.exe
PID 2960 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Jgabdlfb.exe C:\Windows\SysWOW64\Jkchmo32.exe
PID 1936 wrote to memory of 2756 N/A C:\Windows\SysWOW64\Jkchmo32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 1936 wrote to memory of 2756 N/A C:\Windows\SysWOW64\Jkchmo32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 1936 wrote to memory of 2756 N/A C:\Windows\SysWOW64\Jkchmo32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 1936 wrote to memory of 2756 N/A C:\Windows\SysWOW64\Jkchmo32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 2756 wrote to memory of 1804 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Kglehp32.exe
PID 2756 wrote to memory of 1804 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Kglehp32.exe
PID 2756 wrote to memory of 1804 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Kglehp32.exe
PID 2756 wrote to memory of 1804 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Kglehp32.exe
PID 1804 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Kglehp32.exe C:\Windows\SysWOW64\Kgnbnpkp.exe
PID 1804 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Kglehp32.exe C:\Windows\SysWOW64\Kgnbnpkp.exe
PID 1804 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Kglehp32.exe C:\Windows\SysWOW64\Kgnbnpkp.exe
PID 1804 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Kglehp32.exe C:\Windows\SysWOW64\Kgnbnpkp.exe
PID 3040 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Kgnbnpkp.exe C:\Windows\SysWOW64\Knhjjj32.exe
PID 3040 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Kgnbnpkp.exe C:\Windows\SysWOW64\Knhjjj32.exe
PID 3040 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Kgnbnpkp.exe C:\Windows\SysWOW64\Knhjjj32.exe
PID 3040 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Kgnbnpkp.exe C:\Windows\SysWOW64\Knhjjj32.exe
PID 1440 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Knhjjj32.exe C:\Windows\SysWOW64\Kpicle32.exe
PID 1440 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Knhjjj32.exe C:\Windows\SysWOW64\Kpicle32.exe
PID 1440 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Knhjjj32.exe C:\Windows\SysWOW64\Kpicle32.exe
PID 1440 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Knhjjj32.exe C:\Windows\SysWOW64\Kpicle32.exe
PID 1960 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Kpicle32.exe C:\Windows\SysWOW64\Kpkpadnl.exe
PID 1960 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Kpicle32.exe C:\Windows\SysWOW64\Kpkpadnl.exe
PID 1960 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Kpicle32.exe C:\Windows\SysWOW64\Kpkpadnl.exe
PID 1960 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Kpicle32.exe C:\Windows\SysWOW64\Kpkpadnl.exe
PID 2140 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Kpkpadnl.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2140 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Kpkpadnl.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2140 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Kpkpadnl.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2140 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Kpkpadnl.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 1072 wrote to memory of 680 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 1072 wrote to memory of 680 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 1072 wrote to memory of 680 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 1072 wrote to memory of 680 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 680 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Llgjaeoj.exe
PID 680 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Llgjaeoj.exe
PID 680 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Llgjaeoj.exe
PID 680 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Llgjaeoj.exe
PID 1864 wrote to memory of 1280 N/A C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lbcbjlmb.exe
PID 1864 wrote to memory of 1280 N/A C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lbcbjlmb.exe
PID 1864 wrote to memory of 1280 N/A C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lbcbjlmb.exe
PID 1864 wrote to memory of 1280 N/A C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lbcbjlmb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe

"C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe"

C:\Windows\SysWOW64\Jeafjiop.exe

C:\Windows\system32\Jeafjiop.exe

C:\Windows\SysWOW64\Jmhnkfpa.exe

C:\Windows\system32\Jmhnkfpa.exe

C:\Windows\SysWOW64\Jlkngc32.exe

C:\Windows\system32\Jlkngc32.exe

C:\Windows\SysWOW64\Jojkco32.exe

C:\Windows\system32\Jojkco32.exe

C:\Windows\SysWOW64\Jgabdlfb.exe

C:\Windows\system32\Jgabdlfb.exe

C:\Windows\SysWOW64\Jkchmo32.exe

C:\Windows\system32\Jkchmo32.exe

C:\Windows\SysWOW64\Khghgchk.exe

C:\Windows\system32\Khghgchk.exe

C:\Windows\SysWOW64\Kglehp32.exe

C:\Windows\system32\Kglehp32.exe

C:\Windows\SysWOW64\Kgnbnpkp.exe

C:\Windows\system32\Kgnbnpkp.exe

C:\Windows\SysWOW64\Knhjjj32.exe

C:\Windows\system32\Knhjjj32.exe

C:\Windows\SysWOW64\Kpicle32.exe

C:\Windows\system32\Kpicle32.exe

C:\Windows\SysWOW64\Kpkpadnl.exe

C:\Windows\system32\Kpkpadnl.exe

C:\Windows\SysWOW64\Lfhhjklc.exe

C:\Windows\system32\Lfhhjklc.exe

C:\Windows\SysWOW64\Llbqfe32.exe

C:\Windows\system32\Llbqfe32.exe

C:\Windows\SysWOW64\Llgjaeoj.exe

C:\Windows\system32\Llgjaeoj.exe

C:\Windows\SysWOW64\Lbcbjlmb.exe

C:\Windows\system32\Lbcbjlmb.exe

C:\Windows\SysWOW64\Lnjcomcf.exe

C:\Windows\system32\Lnjcomcf.exe

C:\Windows\SysWOW64\Lgchgb32.exe

C:\Windows\system32\Lgchgb32.exe

C:\Windows\SysWOW64\Mcjhmcok.exe

C:\Windows\system32\Mcjhmcok.exe

C:\Windows\SysWOW64\Mkqqnq32.exe

C:\Windows\system32\Mkqqnq32.exe

C:\Windows\SysWOW64\Mggabaea.exe

C:\Windows\system32\Mggabaea.exe

C:\Windows\SysWOW64\Mobfgdcl.exe

C:\Windows\system32\Mobfgdcl.exe

C:\Windows\SysWOW64\Mqbbagjo.exe

C:\Windows\system32\Mqbbagjo.exe

C:\Windows\SysWOW64\Mfokinhf.exe

C:\Windows\system32\Mfokinhf.exe

C:\Windows\SysWOW64\Mpgobc32.exe

C:\Windows\system32\Mpgobc32.exe

C:\Windows\SysWOW64\Nedhjj32.exe

C:\Windows\system32\Nedhjj32.exe

C:\Windows\SysWOW64\Nbhhdnlh.exe

C:\Windows\system32\Nbhhdnlh.exe

C:\Windows\SysWOW64\Nlqmmd32.exe

C:\Windows\system32\Nlqmmd32.exe

C:\Windows\SysWOW64\Neiaeiii.exe

C:\Windows\system32\Neiaeiii.exe

C:\Windows\SysWOW64\Nbmaon32.exe

C:\Windows\system32\Nbmaon32.exe

C:\Windows\SysWOW64\Neknki32.exe

C:\Windows\system32\Neknki32.exe

C:\Windows\SysWOW64\Nhjjgd32.exe

C:\Windows\system32\Nhjjgd32.exe

C:\Windows\SysWOW64\Nncbdomg.exe

C:\Windows\system32\Nncbdomg.exe

C:\Windows\SysWOW64\Nmfbpk32.exe

C:\Windows\system32\Nmfbpk32.exe

C:\Windows\SysWOW64\Nhlgmd32.exe

C:\Windows\system32\Nhlgmd32.exe

C:\Windows\SysWOW64\Nfoghakb.exe

C:\Windows\system32\Nfoghakb.exe

C:\Windows\SysWOW64\Omioekbo.exe

C:\Windows\system32\Omioekbo.exe

C:\Windows\SysWOW64\Opglafab.exe

C:\Windows\system32\Opglafab.exe

C:\Windows\SysWOW64\Ohncbdbd.exe

C:\Windows\system32\Ohncbdbd.exe

C:\Windows\SysWOW64\Oippjl32.exe

C:\Windows\system32\Oippjl32.exe

C:\Windows\SysWOW64\Opihgfop.exe

C:\Windows\system32\Opihgfop.exe

C:\Windows\SysWOW64\Ofcqcp32.exe

C:\Windows\system32\Ofcqcp32.exe

C:\Windows\SysWOW64\Oibmpl32.exe

C:\Windows\system32\Oibmpl32.exe

C:\Windows\SysWOW64\Omnipjni.exe

C:\Windows\system32\Omnipjni.exe

C:\Windows\SysWOW64\Oplelf32.exe

C:\Windows\system32\Oplelf32.exe

C:\Windows\SysWOW64\Odgamdef.exe

C:\Windows\system32\Odgamdef.exe

C:\Windows\SysWOW64\Oidiekdn.exe

C:\Windows\system32\Oidiekdn.exe

C:\Windows\SysWOW64\Olbfagca.exe

C:\Windows\system32\Olbfagca.exe

C:\Windows\SysWOW64\Opnbbe32.exe

C:\Windows\system32\Opnbbe32.exe

C:\Windows\SysWOW64\Ofhjopbg.exe

C:\Windows\system32\Ofhjopbg.exe

C:\Windows\SysWOW64\Oekjjl32.exe

C:\Windows\system32\Oekjjl32.exe

C:\Windows\SysWOW64\Olebgfao.exe

C:\Windows\system32\Olebgfao.exe

C:\Windows\SysWOW64\Obokcqhk.exe

C:\Windows\system32\Obokcqhk.exe

C:\Windows\SysWOW64\Phlclgfc.exe

C:\Windows\system32\Phlclgfc.exe

C:\Windows\SysWOW64\Plgolf32.exe

C:\Windows\system32\Plgolf32.exe

C:\Windows\SysWOW64\Pkjphcff.exe

C:\Windows\system32\Pkjphcff.exe

C:\Windows\SysWOW64\Phnpagdp.exe

C:\Windows\system32\Phnpagdp.exe

C:\Windows\SysWOW64\Pkmlmbcd.exe

C:\Windows\system32\Pkmlmbcd.exe

C:\Windows\SysWOW64\Pebpkk32.exe

C:\Windows\system32\Pebpkk32.exe

C:\Windows\SysWOW64\Pdeqfhjd.exe

C:\Windows\system32\Pdeqfhjd.exe

C:\Windows\SysWOW64\Pgcmbcih.exe

C:\Windows\system32\Pgcmbcih.exe

C:\Windows\SysWOW64\Pojecajj.exe

C:\Windows\system32\Pojecajj.exe

C:\Windows\SysWOW64\Pmmeon32.exe

C:\Windows\system32\Pmmeon32.exe

C:\Windows\SysWOW64\Pplaki32.exe

C:\Windows\system32\Pplaki32.exe

C:\Windows\SysWOW64\Pdgmlhha.exe

C:\Windows\system32\Pdgmlhha.exe

C:\Windows\SysWOW64\Pgfjhcge.exe

C:\Windows\system32\Pgfjhcge.exe

C:\Windows\SysWOW64\Paknelgk.exe

C:\Windows\system32\Paknelgk.exe

C:\Windows\SysWOW64\Pdjjag32.exe

C:\Windows\system32\Pdjjag32.exe

C:\Windows\SysWOW64\Pleofj32.exe

C:\Windows\system32\Pleofj32.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qkfocaki.exe

C:\Windows\system32\Qkfocaki.exe

C:\Windows\SysWOW64\Qndkpmkm.exe

C:\Windows\system32\Qndkpmkm.exe

C:\Windows\SysWOW64\Qpbglhjq.exe

C:\Windows\system32\Qpbglhjq.exe

C:\Windows\SysWOW64\Qdncmgbj.exe

C:\Windows\system32\Qdncmgbj.exe

C:\Windows\SysWOW64\Qjklenpa.exe

C:\Windows\system32\Qjklenpa.exe

C:\Windows\SysWOW64\Qnghel32.exe

C:\Windows\system32\Qnghel32.exe

C:\Windows\SysWOW64\Agolnbok.exe

C:\Windows\system32\Agolnbok.exe

C:\Windows\SysWOW64\Ajmijmnn.exe

C:\Windows\system32\Ajmijmnn.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Allefimb.exe

C:\Windows\system32\Allefimb.exe

C:\Windows\SysWOW64\Acfmcc32.exe

C:\Windows\system32\Acfmcc32.exe

C:\Windows\SysWOW64\Afdiondb.exe

C:\Windows\system32\Afdiondb.exe

C:\Windows\SysWOW64\Achjibcl.exe

C:\Windows\system32\Achjibcl.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Alqnah32.exe

C:\Windows\system32\Alqnah32.exe

C:\Windows\SysWOW64\Akcomepg.exe

C:\Windows\system32\Akcomepg.exe

C:\Windows\SysWOW64\Aficjnpm.exe

C:\Windows\system32\Aficjnpm.exe

C:\Windows\SysWOW64\Adlcfjgh.exe

C:\Windows\system32\Adlcfjgh.exe

C:\Windows\SysWOW64\Aqbdkk32.exe

C:\Windows\system32\Aqbdkk32.exe

C:\Windows\SysWOW64\Bhjlli32.exe

C:\Windows\system32\Bhjlli32.exe

C:\Windows\SysWOW64\Bgllgedi.exe

C:\Windows\system32\Bgllgedi.exe

C:\Windows\SysWOW64\Bjkhdacm.exe

C:\Windows\system32\Bjkhdacm.exe

C:\Windows\SysWOW64\Bdqlajbb.exe

C:\Windows\system32\Bdqlajbb.exe

C:\Windows\SysWOW64\Bgoime32.exe

C:\Windows\system32\Bgoime32.exe

C:\Windows\SysWOW64\Bkjdndjo.exe

C:\Windows\system32\Bkjdndjo.exe

C:\Windows\SysWOW64\Bniajoic.exe

C:\Windows\system32\Bniajoic.exe

C:\Windows\SysWOW64\Bqgmfkhg.exe

C:\Windows\system32\Bqgmfkhg.exe

C:\Windows\SysWOW64\Bdcifi32.exe

C:\Windows\system32\Bdcifi32.exe

C:\Windows\SysWOW64\Bfdenafn.exe

C:\Windows\system32\Bfdenafn.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bchfhfeh.exe

C:\Windows\system32\Bchfhfeh.exe

C:\Windows\SysWOW64\Bffbdadk.exe

C:\Windows\system32\Bffbdadk.exe

C:\Windows\SysWOW64\Bieopm32.exe

C:\Windows\system32\Bieopm32.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Bbmcibjp.exe

C:\Windows\system32\Bbmcibjp.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Bigkel32.exe

C:\Windows\system32\Bigkel32.exe

C:\Windows\SysWOW64\Bkegah32.exe

C:\Windows\system32\Bkegah32.exe

C:\Windows\SysWOW64\Cbppnbhm.exe

C:\Windows\system32\Cbppnbhm.exe

C:\Windows\SysWOW64\Cenljmgq.exe

C:\Windows\system32\Cenljmgq.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cileqlmg.exe

C:\Windows\system32\Cileqlmg.exe

C:\Windows\SysWOW64\Ckjamgmk.exe

C:\Windows\system32\Ckjamgmk.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cagienkb.exe

C:\Windows\system32\Cagienkb.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Caifjn32.exe

C:\Windows\system32\Caifjn32.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Cjakccop.exe

C:\Windows\system32\Cjakccop.exe

C:\Windows\SysWOW64\Ccjoli32.exe

C:\Windows\system32\Ccjoli32.exe

C:\Windows\SysWOW64\Djdgic32.exe

C:\Windows\system32\Djdgic32.exe

C:\Windows\SysWOW64\Dmbcen32.exe

C:\Windows\system32\Dmbcen32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 144

Network

N/A

Files

memory/1484-0-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Jeafjiop.exe

MD5 02a098921d20940224cf5aea9131de80
SHA1 c17b60e46aaf12f8e65c27105459fb5be29b6b85
SHA256 1dff8dab8c275539a8aab87179997ed0b066f650f000f9ccbd4003beb7017de5
SHA512 15e3bce0b18c66ecf71ef617bde6650734b98093694995e646cb5c69c1c44e22dde66be177cd2a25ee4436e8c62acefe16e1bc6af1b70ff250e78d3a46369264

memory/1652-17-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Jmhnkfpa.exe

MD5 211bd90ca70e9dcf4c818f22fecd786d
SHA1 41f62bf7519aa512321b3b14676471767e8c5d52
SHA256 838258eab4025890b449fe059d2f5a76508e0e385a8e463c2232545852ddadde
SHA512 68affb678024a1cd44b05eaca9f2ba5e897233bf66c67d0075bbddc1c57596be36476a7c031a4aa1efa8d94a2c5bc47bd9059d4ec6bc07fc489599f04904fac6

memory/2012-26-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Jlkngc32.exe

MD5 06f08b6afaf5eac6819524fad992999d
SHA1 1b271ebab9da747f6e23144467ea126f43ee860b
SHA256 b8c16e2d468f10e5036a9bbe70e3872ccc8f0eb5ed7ce5d76aee843e7f28014c
SHA512 c7833380b6a961e6bb56c5c0b4953026b2652d94720f9a42b804baead01a78f2d1ea8384b40782eb4933d8c82a871b77d8bce65cd7634f91e241b09f7cff06d8

memory/1984-43-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Jojkco32.exe

MD5 7b1cf2c832ec11eb1c3129efb768a902
SHA1 1e912893dcaabe292957fbab5d46c8e83465cb8b
SHA256 0771d0566be6f686b2cbc66b0a839b3f4c39662da9d169f5ce9012ddde19159b
SHA512 ac47f40c89284962c52a1ae13102e221f7a895ce2b940c8d1b260cf0431c5a9cd65d7abedea9dd337b90a0bfcbe8d25cc844cd527d8a9f5f6cf58814f1e4c8e2

memory/2920-54-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1652-53-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1484-51-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1484-12-0x0000000000250000-0x0000000000291000-memory.dmp

\Windows\SysWOW64\Jgabdlfb.exe

MD5 e3866472fdbcb890bedf1f9c256cf600
SHA1 1968046e5fb74ab5b4e063cd5b96e42483688c00
SHA256 c4c31a2676c3527956a7a4c4a51fa338145358cbe9af815ad26cdb981554b57c
SHA512 e977b720d2358c3f166fc21f9e8114c98088e9e4384201a08bf06f88ea313e680301de2b7cb9ec4eed0f31f21a29cb0645de5653444fe5d22a215a24acfd8c5f

memory/2960-68-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2920-67-0x0000000000250000-0x0000000000291000-memory.dmp

\Windows\SysWOW64\Jkchmo32.exe

MD5 1af6f2a206cac3c72936b3624fe56b3c
SHA1 b27d121e637a9b73f83ac6190116422141246533
SHA256 e420ac889d929ff12dbdb04179f018d976b6b0c4070d5f43f1f84c2dbbcdc4a6
SHA512 49c0de642d2f681dd60489c2dd3e9ca39693660c34d62709ff0bd232c4848c055b09f604454fb32a32f70de31086596cefe7aa50847d9db3d78d4bf7979269fa

memory/2960-76-0x00000000002D0000-0x0000000000311000-memory.dmp

memory/2012-81-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2960-82-0x00000000002D0000-0x0000000000311000-memory.dmp

\Windows\SysWOW64\Khghgchk.exe

MD5 4e4beab13461fada778a14360e0260ca
SHA1 e0c66eff34dc1e3a0fb3bf5bb5d4831363067aa8
SHA256 bc9fed33d6d682fa2467657bb592d4c4d0605f02a01a572899b542af32d3c4bf
SHA512 5c741e5853c686dc016c4e5cd4a42127225c238754281bae281e4b4a4eeb6fb39aaa8226502669a2f0236bf5d0588da8600a6d4751e6b597f08d8bcc9a86d9f4

memory/1936-90-0x0000000001F40000-0x0000000001F81000-memory.dmp

memory/1936-97-0x0000000001F40000-0x0000000001F81000-memory.dmp

memory/1984-96-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Kglehp32.exe

MD5 d8c38becb115679df0df79e41f950c5c
SHA1 05da43c5ea18c0121e484572893c844bc50bade5
SHA256 3ebafd2600d30061b150c85f24041125f3a5ca5874ba48b3df61264db0459e7e
SHA512 7fa19f469cfa6fbaa83f20d88cb3de22413d708e981b857fa7cf90242e86d677e81956643256406f75c3d0eb3de98d47857e920ddb6e4dd42311922908a13b29

memory/2920-111-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1804-114-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2920-113-0x0000000000250000-0x0000000000291000-memory.dmp

memory/2756-110-0x0000000000250000-0x0000000000291000-memory.dmp

\Windows\SysWOW64\Kgnbnpkp.exe

MD5 95742964fe024f4e9259c724e321f5af
SHA1 80e46a04009efa88a23c47e7e2c47b7993c0b838
SHA256 09293d8bda4e03b6f769a72120f32873fe944a3c263e69ca4e2b473cfcf70b0e
SHA512 15245437cd5786f75097a38cd8037c27dc3edd71ac56b8ef1e6738b67409058a1963fb95d2d6aebbfc55eeb574ee29243d09929f938f61cce60d4c8bb2c12e0a

memory/2960-126-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3040-131-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2960-130-0x00000000002D0000-0x0000000000311000-memory.dmp

memory/1804-127-0x0000000001F40000-0x0000000001F81000-memory.dmp

memory/1440-147-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1936-146-0x0000000001F40000-0x0000000001F81000-memory.dmp

C:\Windows\SysWOW64\Knhjjj32.exe

MD5 60944b794f4a469fe4a32e856dbf50f8
SHA1 10c2dd59252bb4e4775e07e2eac6bf8a374ce72e
SHA256 e6fc3271da0f06c6a9ad4475d15d34ddcf8bb67e0d5ddeb9cff2adf00636cbfc
SHA512 6d28949e14c90998b1d9a6c1b40ec4d84fbb665ebb3f7b195734c8445240719fd6be58625176f6c3f5674b339b8118f598786e3d8564a002fedece9483d9ce63

memory/3040-144-0x00000000003B0000-0x00000000003F1000-memory.dmp

memory/3040-143-0x00000000003B0000-0x00000000003F1000-memory.dmp

memory/1936-142-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Kpicle32.exe

MD5 86cf82d4d205a7fb5e8ae577e83c4513
SHA1 5fb18d6c1347914fb2c466e2d9c6e237bc0d5fd0
SHA256 052febe5e6694087341d000d16acd2e27854d974dd404ae0710bb1bd65b6d514
SHA512 3f7498f62a3c38cd7476fb4213b07420f92a975ca6128fda86f4863a2cdd7cda496c6313dc10c521a2b9e2f60899fc3340e41981b6a6e6faee9dd996cb467fcd

memory/1960-162-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2756-160-0x0000000000250000-0x0000000000291000-memory.dmp

memory/2756-159-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Kpkpadnl.exe

MD5 1ca039f6cb0d2fecc2f7d54f1ea59c82
SHA1 4dea0d16d31116e846f9fb913f0503a5cbdce5a4
SHA256 19a8822dc0d69da0548e5c920dbc998c9fe39164a979890717854996291f6a05
SHA512 a3f8be08593d7bbde5aa3e15db41edd4cb4dd60252137fd1505c7a7f4482030ac47f456d7b247c798808eba82608d8192f63a3b5eac1e1e77c686c9c52a871e1

memory/1804-174-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2140-177-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1960-175-0x0000000000250000-0x0000000000291000-memory.dmp

\Windows\SysWOW64\Lfhhjklc.exe

MD5 cab9a5c509baed69cb0a7a28f79c7099
SHA1 b04614f5cfd06308ec2a5445a40aefa254138f25
SHA256 05dd9bf020f7ef2d6e1fba59313f9f91886ba8f9e86b364fe3fa2809e97c6d32
SHA512 5a3c5d5a31ec3298190c79cdad18999ca9328aee7ee3fd42752dacc6222e2844e61d6d1e54877484b981baac72eaa4fad49c964edec419b12c5608b9305a841c

memory/3040-191-0x00000000003B0000-0x00000000003F1000-memory.dmp

memory/3040-192-0x00000000003B0000-0x00000000003F1000-memory.dmp

memory/1072-196-0x0000000000400000-0x0000000000441000-memory.dmp

memory/680-212-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1440-211-0x0000000000310000-0x0000000000351000-memory.dmp

C:\Windows\SysWOW64\Llbqfe32.exe

MD5 f02af4d05b534f295e42c9228e7642c9
SHA1 768216c1443d6cc3235c94fa0cb9f9c75be3f7e2
SHA256 59356e67a8eafd34920234f5b70ebd64581b21835011f48ee3b4bb653f9934ec
SHA512 92eaf9b5833b7d3dca172e78386fae85d62f3c4e4f6b3528e885e84a91f7309b27f635d12f02359a85a0c6de933d2ec79e9e5414d9cba343f7253972988fc7df

memory/1440-209-0x0000000000310000-0x0000000000351000-memory.dmp

memory/1072-208-0x0000000000290000-0x00000000002D1000-memory.dmp

memory/1440-207-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2140-193-0x0000000000250000-0x0000000000291000-memory.dmp

memory/2140-185-0x0000000000250000-0x0000000000291000-memory.dmp

memory/3040-184-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Llgjaeoj.exe

MD5 68b984d4792bfde42d1f7c089e359baa
SHA1 14d383984eaee4dfbe30fb59847acd581485f7b1
SHA256 ae04de3f783cf90fe7773a87776123ae2db007391bbe4776dffbf9311352cabf
SHA512 22b8dcfd464ada2783effe9031604a4b468b642d0d459f4c88c5c604c101c0d153766d0f9945fc957c0ccf68706a40b4f18a39663b5b46ae012877cd5b2dffc3

memory/680-221-0x00000000002D0000-0x0000000000311000-memory.dmp

memory/1960-219-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Lbcbjlmb.exe

MD5 240141bc59e19bd8cdf7deb7245401cb
SHA1 e8242802776905ff7d8da269f3130d190ba0fe62
SHA256 1a7de4a09aa4c9cfd2e2dfdc92ad91ee1c17a35b7f6e1c7aae8ef1fe2b0d3782
SHA512 8826a73d0e3fbac6b0d40d05e45210cc281f38cb774782407354fe8ea25dc9ed4a55e32a9f313265b8a373af90d94e43ba65c5e376639966ca066a3332f8b071

memory/1864-236-0x0000000000260000-0x00000000002A1000-memory.dmp

memory/2140-235-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1864-233-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1280-249-0x00000000002F0000-0x0000000000331000-memory.dmp

memory/1072-247-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Lnjcomcf.exe

MD5 3df5b598ad024de870a2651b81985df8
SHA1 ef885452087ebe37fc2717103abccc7ed7f005aa
SHA256 fe5d1882cc5ef9518e85942592b3df7b83603081a20ece48c1d3867d6cab403e
SHA512 041cf80d0ee14fa56dbfa2279eac51b909d460292bc2f34cf837c3c19c5fe1d04cd7218251e8fa7f1e8fd722cb81c28c81125b4855d7493f1963157024a8193a

memory/1280-253-0x00000000002F0000-0x0000000000331000-memory.dmp

memory/680-262-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Lgchgb32.exe

MD5 afc460903c291f4cbc3559549e7379f8
SHA1 dfe5097f8550db7112be7525a7be8c4d632c9847
SHA256 3afb14c2f3037fa6d151bd01640485322f5d719634ca6a59e46d0ec23c0c7e1d
SHA512 8ffd0ebd3a0dc6bbde40b73f11eda6ad88fbba729800ed40fcc6868f65b79fe48a7580c3e4d20ae0d67da986976a3c06fa5744cd81fc0c129d780c30315bb8ce

memory/1864-266-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1640-265-0x0000000000400000-0x0000000000441000-memory.dmp

memory/556-264-0x0000000000250000-0x0000000000291000-memory.dmp

memory/556-263-0x0000000000250000-0x0000000000291000-memory.dmp

memory/1640-272-0x0000000001F50000-0x0000000001F91000-memory.dmp

C:\Windows\SysWOW64\Mcjhmcok.exe

MD5 0d0e75aa5cf87eecd9b6b3f47ad1aaea
SHA1 2eeea5c23af08e34eb65ba5069143fed910d1cdd
SHA256 fb6cfa0894725a0d46641b2be96b4fef59bf827a251f90efb511a7e6a6496311
SHA512 10f16d178d11496be9ea7cda268edec670ba40d3201aa8525fd5915443bb0b47f431853aa5f8c99d91b7d5afb0493de0a933b858596072e860348f86c463274d

memory/1640-276-0x0000000001F50000-0x0000000001F91000-memory.dmp

memory/1280-285-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1160-286-0x0000000000250000-0x0000000000291000-memory.dmp

memory/1956-288-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1280-287-0x00000000002F0000-0x0000000000331000-memory.dmp

C:\Windows\SysWOW64\Mkqqnq32.exe

MD5 5ccfb9d9a5d5968ea0218fc91505ca40
SHA1 f908d2ca6a1bc5f0a7dbe9326c019e3be3a7b2fd
SHA256 44905868dccd28b459d74fa09c9a07ee76427a81acc08f7a21b6bb0895b8ac7d
SHA512 9c2c8b9d76195f98d0c5cb0026632ab96ff575f6aab82726581063fbac3de26f24761d81ad8284242461b1dfa3e3d057b6a24a7e78fd66cdf51d892632b01a2c

memory/1956-298-0x0000000000290000-0x00000000002D1000-memory.dmp

memory/1956-299-0x0000000000290000-0x00000000002D1000-memory.dmp

memory/1612-301-0x0000000000400000-0x0000000000441000-memory.dmp

memory/556-300-0x0000000000250000-0x0000000000291000-memory.dmp

C:\Windows\SysWOW64\Mggabaea.exe

MD5 84c29f02a90895fabd072bcd49c6e6ee
SHA1 6700124f9426d46d4d94feafe1970c5ea4497089
SHA256 154bb53a04d25b913672310177629c9b3d1ecd4ee1b0fa03e6ad725e94f88f37
SHA512 f387c12d7ec709eed89061ad2a51a0e71f04a9c654c636815c97123c151e550f67a7f563483a5585cdee32ed22d43ab38e8a957e1c6063d50bd96495951da3be

memory/556-294-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mobfgdcl.exe

MD5 db2a043fd5974f16350478fe13ee723d
SHA1 37e8c43540c2b79c7bd13eee40a22c4ef39c4c64
SHA256 f4577d8ae833f2287087f3d338c8bdd55f49ea07a94cf8920dfcb270ab185cd7
SHA512 c36bfcbe989d6908bd223413b8381eaf15ef9dc3f1d0dd332509da1a958e38790df2e2f70e0412c8bfa4bed2e5ba34561a8afdb918feea7af31e6edf637e2175

memory/2652-313-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1640-312-0x0000000001F50000-0x0000000001F91000-memory.dmp

memory/1612-311-0x0000000000250000-0x0000000000291000-memory.dmp

memory/1640-310-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2652-320-0x00000000002D0000-0x0000000000311000-memory.dmp

memory/1160-318-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1160-321-0x0000000000250000-0x0000000000291000-memory.dmp

C:\Windows\SysWOW64\Mqbbagjo.exe

MD5 960ecfe50774ebd3735658af0eb81591
SHA1 b97b2bb555333023662792b4a34d4e9d02a06486
SHA256 a8ba5ccbb3dd6f016a3c29e87d04145fca69acef15296adc1b005a57df48664f
SHA512 315cce3323cde89fb05f72463e2d78354f1b44adacd4febfcc4f4f02a7c6c1de5b10e26ad5339cd104b3464f70ddb6a4a9bcd033bfc620d0aad0bd2d40692b2b

memory/1956-329-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2600-331-0x00000000002E0000-0x0000000000321000-memory.dmp

C:\Windows\SysWOW64\Mfokinhf.exe

MD5 6fc0d3c5179b4b3c4bd59fca2d1dc750
SHA1 0f523c0f041cda3cd48f48d756423cc7166278d4
SHA256 052d3315d54e74ff2a27e386a1ca1d830edbb0c78497ef27a53f815bcef075b2
SHA512 7f40bda929d1557d1d8fe600abca6d0eacfc87c3e686db3fc6d7d16570979673a45b7fbae4451d23b6d107825fa2395d75234707d83da50a3f641b7f27296123

memory/2524-342-0x0000000000300000-0x0000000000341000-memory.dmp

memory/1612-340-0x0000000000250000-0x0000000000291000-memory.dmp

memory/1612-339-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mpgobc32.exe

MD5 6eaaedc4b70b20469828cc11b46b4192
SHA1 75fcfb0c12eeb25a88a4eddda0d79d43a16e3989
SHA256 b4642cdd443175c074db0092350ed685fb7c79b0a3a5d163c31d3e77708aa119
SHA512 46af21d9df9ca11c6d512f9c0825e651e3664951b23927d60c0f25acf301a9df3f5dd2bac3e6218a556d6f6c09e6f45823ef27ebf16e1eb3437a9abe972d051a

memory/2896-350-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Nedhjj32.exe

MD5 100445f7a71a00dc86e3a3b6f530a42c
SHA1 8b292cbaa3da7560949862d8af75d996c5a68e7e
SHA256 27c8026e235a2711e55d7927a81871369fcf416370adfcba3d791853a01b15c4
SHA512 ec0af72b97da82051a5cba55189f9ae3c4843c0b6b9bc7e312770b9d14c5754bb27ddc25cc3882c06960478b2b11b2e6bcaa4e1f2e9a1455fbc6806653fc0275

memory/2896-357-0x0000000001F80000-0x0000000001FC1000-memory.dmp

memory/2856-356-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2652-355-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2856-363-0x0000000000450000-0x0000000000491000-memory.dmp

memory/2856-368-0x0000000000450000-0x0000000000491000-memory.dmp

memory/2600-367-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Nbhhdnlh.exe

MD5 f8c26fea33d7b63deafdde6bbe62a7fc
SHA1 04ed14ba4efcde8c1b0316c17ac1adf462cabf57
SHA256 ad80eb32fd89b3093d6411125ab1b8304897b49239609ca96644ccc2cc5f5a50
SHA512 52135a6fea419199a15fe702bb53756bfc183ea8e976e2c3aa211e1e01dd70231fbe4ff48dc5e631d4addbd5bf1d01db8de1c02ea95ba05018689c5d99f2667e

memory/2264-369-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2524-375-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2264-376-0x0000000000450000-0x0000000000491000-memory.dmp

C:\Windows\SysWOW64\Nlqmmd32.exe

MD5 0465884df1aa602ac107eb1b208d7339
SHA1 dda114ae61256d4870535d27a5d898e7b8a06fcc
SHA256 2e156d996ad38239f72f107d8b94d6938ea07d75115840ef67fcd1c0c43409e4
SHA512 c777171d5e0e809bee9cb8714a4f2209b6de8d3e798cee433e71e98b26ea16cddd86f93336971a5b929554a3c80fc8dc8ad4d31fdbdb9e8e84d02322445a48b5

memory/2796-385-0x0000000000290000-0x00000000002D1000-memory.dmp

memory/2896-389-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2796-390-0x0000000000290000-0x00000000002D1000-memory.dmp

memory/2856-391-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Neiaeiii.exe

MD5 9cf88b878139d19dc90f693f603f5891
SHA1 720e3ed91339dbe778b9aa422d511f764327a337
SHA256 a9c81a461dbf97260da692cbea3cd833796657c4c3c85f29ca71259ac4a98678
SHA512 13ab8d63d37b8b255b1f18a316617f50eb9b6c354e0c78103ddacfde4b282f5c94ac2f0ce4a85a47616a260a4e7875ef3d3cd35e82c8336748533eb0c19e10c6

C:\Windows\SysWOW64\Nbmaon32.exe

MD5 805d15654c4bb7579cf36983b7c5f06f
SHA1 cb0cb68c367622a6a48bb3010b7ca0660cf69201
SHA256 dadff7400cf28b037bd924d1a1f2f56537a58f13582f55648d136e155e4f091d
SHA512 ed1faaf651fbc39e58685a73ff87c54abdaf2b9ed70ff852eb3774244648dcf3bfc6fefc89a4399c4cab89439a4be42ae0650a7042ccb59a4767003a7a667e92

C:\Windows\SysWOW64\Neknki32.exe

MD5 93b417df20979ba77c99f28a5de81340
SHA1 594dcaf6b74b6b7f09027edb6befdf5dcf802ff6
SHA256 acdbd2c20050a4ac6ad86ae412a192c8026d06dd6c1f12a4389fb85ebe0da1fc
SHA512 c3b4effd9c128baab580f651914020b694b83a29e9b941005e0ac0cbc0c3ec5e68de2fc36727dd48abb35232018d91e936acb80b7586788fd032dfe0592169a7

C:\Windows\SysWOW64\Nhjjgd32.exe

MD5 4057d126839f509c7ad019ab0fd0f57c
SHA1 0cb69693dcb198a1e6d6e3393e54470b99e800d1
SHA256 0b14f4170ca58dc9a20a8160c5b4f46267c704e9f4154e9301abddbf273d0eae
SHA512 f5c0580b489a9c469e785d03cbae496eca6aeb3aaa7744b6b90013cdb1c53dfe9bee6a9339e82a4891aba2c88bc7ed2f3d6cb99ae6187ecb8c626d2491c5c140

C:\Windows\SysWOW64\Nncbdomg.exe

MD5 edb89d6c0dc34053101a883c074d1481
SHA1 649c5a923a8a25820cb3a49e0a84dffa202fb16c
SHA256 468c5e2c0fe2608e12e214536bab004896f3ecde8cf5c7ff788ad997c77fdc04
SHA512 46514c43a20f1f6e802eb2eb61b82add8799c85501d2d84ebb3a16f464ef099edf055b62edcd08619c2846026a7c87838d39da9a25fbbcb70555e3be240e24dd

C:\Windows\SysWOW64\Nmfbpk32.exe

MD5 0148dbb8e6504f1fe1443880a9271f69
SHA1 52f3380284b47aa84c962a9315861cc4f79b1f6f
SHA256 d2cff7a428a65dd1001f1ee15c0ef28a6903fc359c70e34da95480ea1bc039e8
SHA512 fd5fc3f7f81e1e9ef2536645057fa8baf2b880b087c66b65a668a08c08eb2aca6d5fb8309560838f31de3f993bfcf9f4fe6109c034dcbe24cd8bc971d4fe68d4

C:\Windows\SysWOW64\Nhlgmd32.exe

MD5 3bbc288458ce7d02edbc30ab78fc5cf0
SHA1 6dd7b48a94c8cdf89918b5dde1316ed2717813e5
SHA256 7b3a3dbb46976942cbc6c6c55155c15b9bbb5f22319cde3c0b9b2ef271c9f79f
SHA512 7f4320cd706aed9ca5d3fa78fbae6190c9b8096a6a84d1bc8f3fbc2f85607e32f0d0ea70403556459411ccd99ac04b061650147f66a6075e839c853a1290b578

C:\Windows\SysWOW64\Nfoghakb.exe

MD5 89649805a0a5c4ecc1e5e2fe14275936
SHA1 a9b9b2e049b1b93537741c6c3df7e0c7b75e4bf1
SHA256 f7ffe0af6e95f6b95e73e19d0f23953bdacba2ed8d36d2f6087668d287f5be17
SHA512 cdc83b12c504467435fbf75e3c99d32068441ca4540a984e49b107660e914fd6a7b0af4c79bab925884be32326a401d924ec95a618405f51430e3e86e6f3174d

C:\Windows\SysWOW64\Omioekbo.exe

MD5 f72873b52610ca1c66d947d3ccb945be
SHA1 0cd75bdc4966567e34b7dcc22f70cfb43a29447d
SHA256 3fe2acc40b3344b5e97c975e8b4d2f4867c949ecce4c32751005f1bd31978c67
SHA512 20f9e249c375b20e7544f253e922ba2833ad29db960c8429540683e3b80857846e19a1491f7ab2f1519888df381b49725f64420200db992f9a2ca08e9601d231

C:\Windows\SysWOW64\Opglafab.exe

MD5 09ebd9ed2c92205b1f970d89201a7160
SHA1 984bb8629d3dc0102c1ff8dc845ab66851fb0e7e
SHA256 9ff5df7b4deda2fbb4c96f9f3fedc8b76194385c5228baa7279c098988653d87
SHA512 d7cf2014ec5d20f97d91fbf2860b8f9ca610e9f55a9128e20328fd482e678fba229a929330f9e833eb78e2701a57f273fd325038eb5901d5be5cdd2eb4691437

C:\Windows\SysWOW64\Ohncbdbd.exe

MD5 7f743583de009c03ec1039bbd81b2637
SHA1 0e4176db215a91ac29bd4706045a919ce5631104
SHA256 d8f1d3109beab08e0a22e0127e2fb61d2d729c70c5d82b546df8b662786f32de
SHA512 7778fca14e7ce9f11ded9170f67b7b8a0e39dee06e58e8c57697429456cdb5434ebe46e2109ca11cc366e05d8f6644b6bc99f18328e91335bd8d8670426f6da6

C:\Windows\SysWOW64\Oippjl32.exe

MD5 67669be0712a2e4a3b3c924e04992e66
SHA1 aba983d8c66edfa629a12580c00d131d7c4fd45f
SHA256 94aadc2fdfc6670fd25f48a480d8a6d888f8b3d30061e523d4d412fe00a51d7d
SHA512 d7cf30caa62d4f4c306770a383ff83b4b1041d886b3a0c54224c9596aab2ebd1f821b199f45e7696961901790d8bef08bbf26636a4a672a90b234ab39afe71f3

C:\Windows\SysWOW64\Opihgfop.exe

MD5 3db4244cf1d4d63b5c5078769f5d6ba8
SHA1 c05bbddb98d2d1088366c460040a292ef684a5cc
SHA256 278e5c2000c200a4b45521dafe0283f95de9de082ca80d3f5832bf83a74be413
SHA512 9f814b7308ef84c5a1c404aeb45c6a9f2723aaecb36bacd9dec1e309db043910e4eb0a92471e8b43c8feee185de53d4070d12ff74693187fe00acae2f839461c

C:\Windows\SysWOW64\Ofcqcp32.exe

MD5 f6af8216580fb57dbad01daec885c626
SHA1 2e5c86c74a25ad924f1821bcf6e46bff52e63eb2
SHA256 5e1ffe69f3e3dea18c898c2890ae6d8cd1f3dfdcce87963514c4e2e2873d7172
SHA512 ab5fffcc2f878be970c32e4814c07c556b08b12e5706d9debcc586956c14e9c6fe9087cfbca35338533b7bead84a1b798b4912c7dbe87ba2985bc106d10cd113

C:\Windows\SysWOW64\Oibmpl32.exe

MD5 2e88843960ee366ec18f4d266684b4c8
SHA1 f67570a98677f7854dfe5e982b5b7efa7b1f2e73
SHA256 86f0bfeb15155ff1ced6bffbc693900f5e4ae010b1158558b6db3f0a201ae68c
SHA512 0922ce9a77619174483f9064ea83f28aee2456b472f41b5a7d15a961297b2fec7163bed9ce1b6d157f8b2457c6a469c655caf0288d70f1ce8b9019d6eb7ba4ff

C:\Windows\SysWOW64\Omnipjni.exe

MD5 6f9a487bb97a2e2d28f34944fbaae629
SHA1 4baff07e2e51a5b7f09f91b3c86e4d149d42fb99
SHA256 644686606645c7a3c40ebc6899cb205e1e8d3e3e4ed272adce2a9b21fbeb1e4f
SHA512 05af3463f341e3a743bc509483a5c81e9d4f13cfaa39990bb12e1fa65eba511fa2bf64787787c37ea695f638563f81fcab79e4590e76bdb1e890ecacbc37db09

C:\Windows\SysWOW64\Oplelf32.exe

MD5 94c462b16796e9d49980c803fa8711f1
SHA1 dbe8c258dc02a08746e519df217ae577095e8a59
SHA256 d052100b5b1edd28bccb4c0c53cad4367aa5f6149a3f55d28c1c8ea60f33e341
SHA512 0d9cdf89605334403e792c433683f6dc0c2c203c5dab9531c11f5f5239916e14c410aff8a7fe08400ea22d3ea0ae87b46ff8e64c1645d5d2b3d028b10a6f5ad3

C:\Windows\SysWOW64\Odgamdef.exe

MD5 a0042c42b8b49e1ccff655bd72df509f
SHA1 61bb5f8d3fcbaecbf298e9e4269b980a663ef497
SHA256 411ff69e787995354371bc9ed05fced2aafcc8e2a0990596f2973eb7e75a0636
SHA512 aa777c5276f8b0dcb3ed9b73b0bbb4ce7c8d307215871ea62e68a2d7c6db8755b4d9fddf116e8717abb4cf29b9a8ed95b49b417b33e09615f65902dc31068873

C:\Windows\SysWOW64\Oidiekdn.exe

MD5 a955af8bb3855ac73146a130ab1a12b1
SHA1 a6c40e67c1ab820663c3c0c37ba6ff056a7c50fe
SHA256 af42092b5e2987ba4775fae82f909fcf6e6baf7e06a7ee9c7b292102170eede5
SHA512 9cd8bcc71718f46643fbfc6f1a90f159e1f62008ee0c5873f027fb6d6b9e453962330b12b07237f262238d9ded618ae25a9809419d8b9d94a5ac3d751f530226

C:\Windows\SysWOW64\Olbfagca.exe

MD5 1309277cedfb1040eaba094441dbcd2f
SHA1 a72d86bbf656079f7125d879c2cfb6e336529290
SHA256 8541c3e1226d11138b155a5e3c88531e77768b27d6aca6a8f4dec6d3daae3ed5
SHA512 7294dc828f9a7f74a62902e5808daf6e0a57982e9362d5bfa52cd7f98860d64f0a706f2944f105727793445e8ee1dc939d9f403daa5f7f4488021f4464f35d8b

C:\Windows\SysWOW64\Opnbbe32.exe

MD5 d49fd213394bdf86b1f387c460ab1070
SHA1 5e26d8a44f3367079586fb93383cce59e1f98344
SHA256 e65165b1cb46a507c6e78a94b9aa101128589cd6ca682493a12a2b7df99054f4
SHA512 76c58e04f8846fabe4f1f73a9d56d438014ff1766bc8432915bbde80f1a22e142207332aaf05a0d786102f4451a526ff1cd96d9486b955ac766e8f2bf15342aa

C:\Windows\SysWOW64\Ofhjopbg.exe

MD5 1a634e0ad5c8a6fb147bcc0f25b6baa5
SHA1 c5627b7ef5bfa155a4df8509fa2079b2813c910e
SHA256 4deb03eb5abf53080f5290d54f0db3737b502e811ee5694b72a6e653b6d34620
SHA512 18c725ce8451a5fbbf976cbdc86946c1b4539f11614329c80c4167b7ddebb05b54f09df971d811e75981142073d848b7cc7027ca5b919e618276b2744872ac2d

C:\Windows\SysWOW64\Oekjjl32.exe

MD5 effce0476f6f2a582792d17a0c788919
SHA1 7c3371ff778934462a80a3644c78c3a43b1958b9
SHA256 9a70b605caeca92ea07c5b92432af215ef84a8b2a085c95ed47cc7bd7672c0a5
SHA512 bce37266e85605c1b0e9683c721c8696923cdc60d5892780514d56c9d7c7a5a523f39642556763a0fbf46176ab10d628a9fddd6883e9e43a9fbeba4da523fd19

C:\Windows\SysWOW64\Olebgfao.exe

MD5 d6a07d6cf2909ae98c2ee3deb3077418
SHA1 f2e7293305acd099714072a24870db19b09f7acf
SHA256 706e2b041e555b47be4517b2737dd4022f83c16b349a5b898e0d99197a38e848
SHA512 98d5f886375c9098bb4e22a625612c65c0e9cbafdba813aa515efb63141de2ccf085c2befe600fadd8cb2a9b0fa85b2e9f4b40bf39516555b02dbbe1be34eed7

C:\Windows\SysWOW64\Obokcqhk.exe

MD5 aed20d646ae63de199cf736596e618ac
SHA1 0dfcd777e5f182569cfb3787f81ef4003e01db4e
SHA256 819911974b15c8d3781f575ef77eb995afed1da047a786de19bd185c8be252ba
SHA512 9081821a5e7c0627d58562a56a3d3ed21fb934c4fdc562e7ab8cd6785c85c667539acf8f35e4b772a28b10d2027c5887a6bb0651c6a4be1c0cfc838289c9e986

C:\Windows\SysWOW64\Phlclgfc.exe

MD5 24794bed643fb7d5c4105d53c97303d2
SHA1 89429ce7570aa990e0058307d1b0b19af419d0d0
SHA256 f6517d9728db89a7a93369d034708a804cc39f5d0b915f4ff024de90b380cb0b
SHA512 44dff24675701deab6a68755ccd2bd89820012f4135415d2ce5b95c598d840e7cbf5f24a465f922411e63d454a57a2b72819fa97439e321d426486756c3e48b8

C:\Windows\SysWOW64\Plgolf32.exe

MD5 02a1d2064d70ae418a8c4d2c7cb1efd1
SHA1 c84363992f97857db713f431211bea5c9923dc23
SHA256 94fa7952fe4c72e6bc67973160a6a19cbd41ba05497d6042013bf094a24943ec
SHA512 4d67746246345a5f2cdf9e84cbe484cd09dd1e72efe4ef77ab1478cb8ea680fcc2d4c3603ab56c0e196a3a36a8268a80c779043625114e94357160bda35db504

C:\Windows\SysWOW64\Pkjphcff.exe

MD5 7c5e9cc1b49f1c222b16c06074344246
SHA1 f42761746d6994a110c1e68e3e8d949aac7cee75
SHA256 4e4a26192c52911ed33c1a4a71485e60d9b4a8f86dacd738d0dab08722d3590a
SHA512 28b658c98c6bc7c55ac4fa0756794a4f311ef96472ab645d3558096efbb9c02db4fa20b1e707c204177c3d5aaa9e4ecf9006b77b162826c4fcdb123609eade10

C:\Windows\SysWOW64\Phnpagdp.exe

MD5 459b5d4da1f2b756ebd003e177e05e3d
SHA1 6547362bd0421f43620de71d16b9808f28133e7e
SHA256 b62951b718e253199edda2e7c5e2ae62cda57c616a6198f9c319634545657fef
SHA512 3323a80018d04b7cc524cb14620cf72efbd240e169bbf429475625fa397ba37eb7de14eced84994a37faf557f90f9ec803d8fb49df7210aa7ee36f3c6fb689a3

C:\Windows\SysWOW64\Pkmlmbcd.exe

MD5 80edadb764b8752194ab4f9b3f62d403
SHA1 d5230f64ffce3719807097d8042fd15b41ded5f7
SHA256 5a99fff592afa0d7e80ac178818045d67bcc13a539e79b9b8c7d29dff9958588
SHA512 baf30b5bc4a2d641e82a626ba36a794b5a3baa3ee8d0b4650910d04da0aef5ff0b9014c132cc687e5e5e17f0ede07656d000a994e1927b3b60c2825597f43f33

C:\Windows\SysWOW64\Pebpkk32.exe

MD5 c582b3b87b1fa155effe13825c866956
SHA1 52992cdb011573a1dd850f730635f434eb721234
SHA256 2c90900639b4567a6bb501a6b1531ddd0a81bec484e24c4ee92910c846b9be13
SHA512 7204c9d09fed26296f699620a32993190cfa429a22ec950850f985b79efdbc0671330ab47f27bae8b6a3938782ee55357a0a961f2b7612a87bc1bafa5ebeba15

C:\Windows\SysWOW64\Pdeqfhjd.exe

MD5 a7996a2ee535212bb608b833b581d478
SHA1 d7de039714475bb6b71716939bbdaba64b8a31a7
SHA256 4e38ab1acb9b51c2c56c4aa594a1246c9e42a344fe084c1a6323a2e17dca3216
SHA512 2bd308bef0c34a1a60ab3a93af3d4c6875d3620f5bbcf7565060682ac63e0f66a986ccff461b983dc93afec0dd2229c4ccaeff4b7bf80608231b3a604db163fb

C:\Windows\SysWOW64\Pgcmbcih.exe

MD5 ce0436883839e22f6e69e291b5075a1c
SHA1 4030e98cb2c9fdef6c91177a6401860d01e42693
SHA256 98088a839f46c5a905a02de42c266c0af73765927d70679e950398ad8f829036
SHA512 367561ec85f806d43ae69cd5e7ae2693928d4d281f7edc324da8d3f647bf3f71fa85ee5f5a7acc0e104b2787d3069641e2a17a18bf4483057addec22b467d9a9

C:\Windows\SysWOW64\Pojecajj.exe

MD5 62443c5123e51db18432c72ff0ac1a17
SHA1 6af7414e2c48c217e51ba3c7ee8bc57acabce06e
SHA256 0a8734625177b778c523ca30d1556ec37c3ae9cb586d051572163e40d6e0cb0c
SHA512 672f23a690dde191fcc131fa410595b215dcb71ace17bcbaf14387d7e10a965e74d16d408801e8672da60eb7c2dd7c1a85fc804d890726b51a22a7f27c0460f2

C:\Windows\SysWOW64\Pmmeon32.exe

MD5 2a88e146b1d5d0e53fb852ba02670449
SHA1 58ff179ea30b33ec190c8bb51a53e73730ef48ba
SHA256 ab9fd7e2b1146e358bac0ae8dcf6cbb104bc0e81d5dadbc66f48fada5195a8e2
SHA512 e5add598a5e59b5aa2715adccaf1545ac307e79a562acbb0d0e0fe2296e794a5555afa3a337d494b2e7112e6c0c4563becb8ccf5212933c246e5e38a41f1a08a

C:\Windows\SysWOW64\Pplaki32.exe

MD5 cedacb7a3c93d7c079c5e226fa879831
SHA1 811b24bcd2eee700e0b952e12eccfe0bc99ae128
SHA256 321b86e2b5fcc3fc4e810a4f2ce4fc81f7d6fab574e7d2cd7f0d2e4f2bb385b1
SHA512 f3322cfc49f3828a45304c905c42d2053ee4b7b806a5b8a84a14f53d16be0a9525011cb71ba163ae9c417bd908e5a8ee875adea27a44652b8a1f67e16441ea39

C:\Windows\SysWOW64\Pdgmlhha.exe

MD5 cb4decc9dc4b80b6d040008fcb5e7a72
SHA1 0ef7b5cf271b9ed0bfdcb43a7cf4051d1d366da8
SHA256 b8af787d2040fc7f16d826aa9731ece196be107b7475987518ab6b126282898a
SHA512 9fbc903bb8a186cab8bb40a732b527584482ac268635abffe39727567c66e82ba1212fdf7477a966ebc770420310c0a845420bfd9d548cc5c7963cd53aec9141

C:\Windows\SysWOW64\Pgfjhcge.exe

MD5 ce1a2a847e8562e201f95b8a19c25a89
SHA1 28ea6d2ea0c848f2c56b42435a96871ac8b5b71a
SHA256 87332e7dcba968571c2529acb845a93200f3a992850f1a6220d9e5d72a46a9ae
SHA512 6880ff403b1cff7eebb3d7d689f7d87253793134508dd8467a2ac6b32ac79a1959890ac9db3f0c4aaeee10c62331f8ae02e9069ce71c797647b2633adf036880

C:\Windows\SysWOW64\Paknelgk.exe

MD5 2ea48c2d7a46024658f62815a3f43908
SHA1 4da518d1e2d3335cb7efbfa3f4ab3b3b39d3b47e
SHA256 d360d247f62ac355e33ea8163abd7ea7f60a2e9f64c22cb26ac4ab999f091d38
SHA512 6a993afff48ef4623df68aeb5efbf0468c4988c6f62cfe0cd803ebeb1184710bf195b4969cc6ad05ec91a5a0eeceed3a81b3f16e10c62e7fc61229620c50f6cd

C:\Windows\SysWOW64\Pdjjag32.exe

MD5 9b0bd4e97be483ce17420312f915c120
SHA1 d609a8f845be622eebebbb9781fa277f65c3aa1a
SHA256 987988cf64a59ca7bb4477a9476a4f18bbdf20123148e151d9aee3dddefde6e0
SHA512 0b40a6e293fe2fe48040a232f3ca5e08ba5aa4cddd934ebb2cce07d96bde05a78d1b4b744655dba21e090b180f962c05c8a755dd833d01be1d093a4459677b94

C:\Windows\SysWOW64\Pleofj32.exe

MD5 2f036f32d00978ecaa66ed855b4b40fd
SHA1 02361c43589f77e1be0550538aa16df1d0be9e9d
SHA256 7d0fe0a75578a7544f3e43f4ac751530d870987b6be00b8face7058457b6beda
SHA512 286b2b5203387ccadb462ed3ec07692c57d30b39867b4cbf0836bf385771ea5936d007478cb531e1d956810b54ce35ade56be83a392b355b26a46ad8931e391f

C:\Windows\SysWOW64\Qdlggg32.exe

MD5 04d5d014f56c55c7d23290f6b871ac0a
SHA1 139b51da275aa932b1964a7d961268bf2846c7a3
SHA256 64004c35d9fe04ddee965b81c848ecc6de4e73ef3a86d07a5b3822367ba5ac59
SHA512 9f10f7ccea2abd920c2de9017936953f89a63b0ac768b2017fce91ce2776ecf24e19f7e07279b75b65ce7c5b23c12a0cec67519ade9b47d7af2288738955aef7

C:\Windows\SysWOW64\Qkfocaki.exe

MD5 adef81d66f6ac6db472b887637f1b8f5
SHA1 12a7587d54b4dfce8564a9d467acc6e39cd72d50
SHA256 3da9ce39d65883c3dfb795df93c43ab20a0495b5508587be5cec01850a2e8c9a
SHA512 a85797108a8c3cd45743b091ab13d9e3cc42a1bed5267d4628d5de4855cd0da79bdb2cf5dc5e99bfc0b9786a9b11115f1be5e476f9743bd4ecca4720a14580dc

C:\Windows\SysWOW64\Qndkpmkm.exe

MD5 d5a7ad8be6d0bf5639a86c40eb0d44f3
SHA1 42d5226905d26687db1a8521b4b05f4e7c0a3e15
SHA256 631b7051a5b1a61ee107d739fda33a19a3366630563de985acaa0cef63624833
SHA512 65e88cb7a02fffcaade6fb1ba0a9a73217a5abdb30d79cf7bc3e6ef4235372f97788113070b369cb18ac15fe7f6ad61c87a793971340fd656fa81f652f735cd9

C:\Windows\SysWOW64\Qpbglhjq.exe

MD5 e26b561dec7540af1e9c655fc2d090f5
SHA1 0a1dd04ddf028cd8114d2009e3f61e16ff8d6467
SHA256 dd58358609bc78d9b5cb3ab88c03bb7036cca31ebbac8db9871079028858dcc9
SHA512 2e772f3f2947a02b10d610f2e2391820a5d28bf3ab2be977ee6837c905401c2576a289a2423d2943ad3559f8088acc152a6ce33ee86eb5ccb7c058452d5ef8e2

C:\Windows\SysWOW64\Qdncmgbj.exe

MD5 4489b6598b36f8dd347e7419750246bb
SHA1 ba897cf369efb18a5c3149430f2da81eca7d9ccc
SHA256 63d8e116969ef3a29e28b8293256b09d0fe3f4fd940c18d5f00569caceedc110
SHA512 4d2282ec2bcc2cf642eec03656d839a3568370795bd7114eac5cda1b6c6dfb08c5ce57d18121652d44f1a4f36397f86f8f2b088c283d80df69f3048ed85e4b71

C:\Windows\SysWOW64\Qjklenpa.exe

MD5 0efade5f9ff24aa3049ff51096a7a141
SHA1 375dd09cbb8e8b525938f128ae9a8d9492d8dd31
SHA256 156758585eb4e0dc88e0142edaca300229f351f7010f2f90925326fae370454a
SHA512 54c461aa78e7a7fa068823d8f4c5ed47434582abb1cff73050b14f54012a98bea73ac293829a1055f55b1ce0da700a3e906592eed4da28091cd0d5f2190cb0f8

C:\Windows\SysWOW64\Qnghel32.exe

MD5 90d27be3ed46eed1419bbfad8b1c62c8
SHA1 b4910c511cf73959e6153bd0c58f741fe2622462
SHA256 54e7a181848f2f830d1b20922853eff8660bb225484eedcf8a8755ba1843619d
SHA512 033b4b9a8250c9500c35035bd4c8af7603bfbe853ab4250ea4ded16a82512415242a19b123e4046ca12103451854a63763496df5868acd38c573a734c4ebd5e8

C:\Windows\SysWOW64\Agolnbok.exe

MD5 c20f7928b76a17a0c3463a5d6871ba93
SHA1 73f846067b25d1af7d119515386d1bafb3c29966
SHA256 a057a71b3ed51ffccb055fa4fe90eeadc9164d4b4dcb4eab00ecb7ebcdd54312
SHA512 0a293e0a60a1a6fc27ea9611da53919bba8f8cd1e5ed88f22d0039b424bd1d39f0dc6ef16c2a24a80d48c8f77f5a94de763f5badbc4eaf7ea7a85a90518352a7

C:\Windows\SysWOW64\Ajmijmnn.exe

MD5 204a511f8f6c89663c8a88ddc11bdf3b
SHA1 3a56213f873b7c3fd3c34eae2f0ba2325c7527c9
SHA256 b31dc087edfdabfaad065ee3b9b023e055771b1acd0c6c45d9b7a0e20bc60e6b
SHA512 2b3066a499f1bf7541f0e69270e35828f376f62e96893e0c4791b827b29b6ec442acd25e81019c908d51a9820327580e61407170da76d9f888cdfc3681748370

C:\Windows\SysWOW64\Ahpifj32.exe

MD5 6b183a1e8ac6ae80384844b3223dfc0b
SHA1 0571b7439e7070ae9381b0d8ef1779667fd7a1f7
SHA256 38a5c5de484d7984354341ab9030c935b13c5d9d55317b19728261ffb31ed423
SHA512 0a3edd1e982c4f941a5730c72346413ef1b936ef782f12ebb12b0eec5e2400649e895803e461ad6649b453e35368e2175c2ef16b06f2a6a0832d59b1147d9069

C:\Windows\SysWOW64\Allefimb.exe

MD5 d2d8b9624a3f1deeee3e87dd575ec407
SHA1 58b8a4091f4169f4fa8b5488966ad7e3299cd178
SHA256 89f1c39264ba7984ee4069d332309550971ae4f30c3075a815e918b02f82a89f
SHA512 d72372347fe56e36f14bbeada8cd0f0f8121de60e257e2c539f58af72f1ac1028cb3ffc2b0f3920b294f442dd67744e38cd7d448db045b96f79957471e0915a7

C:\Windows\SysWOW64\Acfmcc32.exe

MD5 879769ece76ac2d618db2a42da34cf01
SHA1 31ecaca22e66f0db6c943ea82f651cc394c70006
SHA256 85b37a9cda63edcef00090bc79d44c24bd7572675543aedbd9047867e76f2545
SHA512 4a5538ae76bd0bb7943369b14c5d641ab66c6d288c3b43206f8ed01a082463bf97d5fafb692247835dab67446b6536927a2909772072e5eda40f7e40b4895eda

C:\Windows\SysWOW64\Afdiondb.exe

MD5 1bbea4c9ffe0142b65da01cf01b63333
SHA1 c9dead417c9bebdae01e5d8c46e871cacb6411f9
SHA256 2eb0a97a6e4b93bf2f33143c0f7b1d9314e7fc1d4549799894f71b9319e5e43a
SHA512 80ebbd05d0adc68905f49fa8cfd229ea6046d75de3062f828c908d23131d5ddffcf2c560916efce9e2d25ce1eab264c4d4bd3aa9fd1ccc7aaed9b9ffc5d0981c

C:\Windows\SysWOW64\Achjibcl.exe

MD5 89aed9523ea069e8737af028174f986e
SHA1 b66ff00b9143efa352758f220694a2b1cd16d28a
SHA256 9c621c17569659e09ea7aa0836a57ea1356c783b51922bed3ea37db3559e0bc2
SHA512 ae0171e6392d860f80d7c96b8e8f0979d425fed8e0aa16ed08eb74a577cf7bd6cbb0f6269ef25ad6c1d140112e29ea3d4872e8cb52652a0fb34bcaf67789e17c

C:\Windows\SysWOW64\Aakjdo32.exe

MD5 049d84abc58bc61052a61986dcc8d646
SHA1 892bf6f948fc7c70ce618b3298f43552c1834fc4
SHA256 1c94ddea0c12bfc023129192ef606d9b2ca80d22d4b06ee7d0c144404b847802
SHA512 4a95efcad730a1f25ae92bba1b253827866c40ae4ab0e00a44e64b0bd2efc15b22f66c00e43db75bf2c0e3bb763f685c4876d15170305bec19c41b97266c5850

C:\Windows\SysWOW64\Alqnah32.exe

MD5 a81b1928daa1803f4387a00685b4ae45
SHA1 eedff8a81f3e7bb8076442a6ab1d7c9a2bcb04a5
SHA256 231aa63ba186f4a4fb4e1758c86d7c2fc02aaa483b3326127f8fdf7d8a95717e
SHA512 a6b32e6d8219adebb5432a152e27b0aee54bea73f98924e5972f979ed867d10de8883dc2f06e1ee15d2743a3b3ad7e2ed13ad34ebb1d556f0e836a8c589bdc4e

C:\Windows\SysWOW64\Akcomepg.exe

MD5 b4f7261ad4290a1e969268e156be32e1
SHA1 30681eb604d0dc37b9064abed6e2a216eb9f1b6f
SHA256 e3bb8c1dfb07f874e63e3b7844055ba2ce87f8d858af6c876f9b88fc3a36f096
SHA512 bf62c8e2f6fd000c996a8e0d241b38a31ea2b7f94d91221daa3b87e280d6743fae8c2162edc89a48e5dfea1a3cbed3902cab5bc03ce3902f400e05f5d73701b8

C:\Windows\SysWOW64\Aficjnpm.exe

MD5 a701b6a85c2a7c14110e9b2e52119972
SHA1 f05776fcaafa69cc9d40f5b263fad523e93827c6
SHA256 e94c8fd266db2029a44afa209a56f2df89ab1a75f13bedeb1e6b5a9d2bd03a77
SHA512 b9aaba5b18ed8cffa86fdd1318d923da59f10133b8c7a98a5277a3a80140d460e55fbf17d8dea9d1b9c641358cfeb5a54cee4b5f18c914afdb47debed087543c

C:\Windows\SysWOW64\Adlcfjgh.exe

MD5 56bc9b138da57a8c15ad6833f67646c2
SHA1 d5cce1d34609927214b0c1328a0b0391df0d7a99
SHA256 6907d07d20f89da66b4c85537cc4b651db8e58a700a738fdc90f6b3eae59d137
SHA512 e2378047db10f4f3707f9008730cc452445b118230e8db47bf1d586dd84c02fe3565a5223a24fba7f654626db57d884d412cf7c2a21283e183171f66feae1697

C:\Windows\SysWOW64\Aqbdkk32.exe

MD5 167c81f02c002d1b03a8a3ab8fc5d925
SHA1 1530a7f29eda082df71288ccddd8e3122691f04f
SHA256 e637fb5ed6060afabb7798af881f932ab451cfd4b39b788af0fd035189a0cdec
SHA512 51fa570ec00078c02dcfa9720210a830903cb7a48423003d0a2b44ec2e8fa67bd00d9d10a27d3aa1593ce681f77401d2afedbebefda46eda4dca10b4c6951bce

C:\Windows\SysWOW64\Bhjlli32.exe

MD5 3c48c0ea1ee174ccc01096ad7df11a7e
SHA1 6822ad519a63603eb4d52d5960b2e185045a4dcd
SHA256 8396b1c96ea1d60b6a6c77698b47fe9fa10cf9c1a8e9271a21807384fb58b1ea
SHA512 66d8a369152bd36279caeabc551a253220b29560445dfe72eedb745d1cfbbfa4873f6d9b60392d765d4cbd097f2e66f25f000352a3bc17f0d38c8f0636fe930b

C:\Windows\SysWOW64\Bgllgedi.exe

MD5 67504c82c426f6e3bc616c87a12f4d6c
SHA1 12913ce8e83cd1c985f4530f7335d207b4073f16
SHA256 227d3be3c002857157c2b3d90b83fc8a6190cf2072ee272b287b43adacee750c
SHA512 9c4762771c0406fa738001131252c04142934c06643cde08bb2897bbec7da97c241d762bbc7c668f6e60a31e254321b389f266ed7d6f333c0b21244aad5c214f

C:\Windows\SysWOW64\Bjkhdacm.exe

MD5 7a05b56aaab1cb6fe11a870477eb9543
SHA1 0825d655812e5faf8655249ef63c0f14f4635245
SHA256 099671f5aee0cde58ac3a97ab659b40eadc276a3316fce769f865b0249e70dc9
SHA512 cd3f3b5548b43b8b54601f2c5493fbcc8795842d0f5271c30c6212a0dbf87fe7cd6d9b6a630c837f488f757b9ee902807ab460605a342c4be834addf40c2b245

C:\Windows\SysWOW64\Bdqlajbb.exe

MD5 f89767abf9ea9b78853c47f2bdcb64e9
SHA1 740429a55e49e81d4b80694f2e2f3bdd0edef3b7
SHA256 f1a30d03b8398515f3fc71271a6bac6d7fe3a94533a017a5a99638b41116912f
SHA512 bb8886b2ce7f4b0f16f09ab80cd14f6d1a0c0384d38a68098b7efd88849183bd794b39e517538a6bfb57de37f5a07e6322526401b841f020bbb294d7de840a3d

C:\Windows\SysWOW64\Bgoime32.exe

MD5 1520ea3e43f64a683c9699e60449b5bd
SHA1 8f04caffbf1f29692d9bfcf99db656bf498de9b3
SHA256 c261b3b65b6972b193cb0e63ec284da6a2da85fcb6c1ead6d2c3a976144706ff
SHA512 ce7e2b2af03d7bc730c8bd3008807fb87a27a99b6ef3c7027a57c33bb9165224b5dcf30778eba0d648182ec65c2c0b2d59a0fd81871f8b18a25ae95f147cb8c5

C:\Windows\SysWOW64\Bkjdndjo.exe

MD5 c915f16a1a512ad9972f37b80dacba3c
SHA1 c0002351c9b8dd214f776fe1ae797a83bf1b8982
SHA256 d13a5d528e578521a1a1a12d2bda5e38e0e8fb4001f0497a1e13ced9c3a9a67e
SHA512 35aac0ee8d56b303d23e03ae6e5fa95dfd1119390058f94e3f8fed96a210c4cb7b292656040e4fa3d6fe0aad3bee93e370ed01c304475eb69bc5a908a8b396e8

C:\Windows\SysWOW64\Bniajoic.exe

MD5 3d1bccd0da37f03dc1a889c0cd46b594
SHA1 41a0660ddfc4f61db4c311dc803d82ea7bf8cffa
SHA256 f26b81ba087bb611eba3f6bc8b48d1e45f4cf85b2172450c30da4b0626f1b123
SHA512 603c5ea05c5dc3510546e173ab8ee0f76895656f8e020085dd379b292617ec8e8ec29236294ad8bfe1a15f51704cd40312bd958b78d8b86b381c268ec2eb5af1

C:\Windows\SysWOW64\Bqgmfkhg.exe

MD5 ab8fa78d1b5693003f16b56ded37d863
SHA1 60ead16c6a96f83f307c1b36a72fd79d5b7cfdf4
SHA256 754fbcb6f7bcaaab0b7677af71deaec6c6f80aa4d7ec0dbc010753256f9d0dfe
SHA512 4f3870bcd992baa7356a2a260bf71f3031aa2ad3693e94a3ff67619cf5a1557af9f7d25af588bd5243a5fed5d9793c60f276ce5f46d8397d76dc18b7ba3f69f6

C:\Windows\SysWOW64\Bdcifi32.exe

MD5 0d9981c3178ef0f3ce1f26a931410a6f
SHA1 404dfd85b940d0e7b494cf9e8c504c126e7f3255
SHA256 bf5698a95cbcba10740f7806af2cc3ebcb3145338dc2949715f714636f2107f0
SHA512 0faa9834e16aed3be3d2d9732a79e110426daeb6ecc8dc2ad76b4ffd0841f85e2609b02dc326fd166530b2cfd0e16da45ffb510fc8b72ee572286e0f20e87ab7

C:\Windows\SysWOW64\Bfdenafn.exe

MD5 ab021406319404a3d046fb0d74e71740
SHA1 ce1cc86fde5848cacf6e935e015edcd6d407f13b
SHA256 c82faa64a4cadd4b5e55b0548ee1d2caaa51b6f61f7bb192c453cf5f99d1b817
SHA512 5db556fd5c7bc042e403b73d4686977c137c54cabe5111c04e44291721ecf13351ef6b1ec1b3ed7736d6e56f741e6f05dd56691fc8c27dae827f49963f94b1d1

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 33687013094c8d845018beb1127a6128
SHA1 a2880e9e78e6270f15c52b829c139979a300e665
SHA256 7c18d8bd13864cc09bf05e9ef6535d47e5fd362e8b4b462fdf679137f4d97952
SHA512 cf2af1e7282009f6009de6c2e31d6ad1271e9fd46a8dce4dc2366d07bb5c309ef472cba49634e337dec9517339c6c7c55cc1384fc599f14765dfdd35c67f935e

C:\Windows\SysWOW64\Bchfhfeh.exe

MD5 3986ec5b6c10c427b29f9e57620c807c
SHA1 3cffd792043ab4e5cd6e8db806923b97c9f026bb
SHA256 ff3272e09603bf5669ad1492a323d78f19ecc43d6dac59df5ddd8f7f3befddb5
SHA512 04302013e9217fdb70516338e210a71876a81225149ea1b7b63af11e8d3e132e7645405d720eade01c9fea5e393545a9f8a924b556be9909b3d94f82577229bc

C:\Windows\SysWOW64\Bffbdadk.exe

MD5 bbdf972c99394652dbbf165340af6222
SHA1 b5786271aa68f487c2cf539f99ec1a811f9fe71c
SHA256 689bcbfaed2be9163fba733c5c5e7a976578b00d4d577cc462755f9ad6f860cb
SHA512 e3ff397c8c74d027db72861fa8f934670a7e22c3785c6b8ec7e782d0a89779e5772eaa290c03ccf3c791e2268c2087b9a4add2f1d5efc34336e4a7df36dd2675

C:\Windows\SysWOW64\Bieopm32.exe

MD5 f63cada09bd0c0781bc1f3573eca086d
SHA1 21a265cdf5c290914b75969918963385376c4688
SHA256 f915aee8c3a80f667b3c531b364ac46d534f710aeb4d414773981d5b808db457
SHA512 05ee0f6ff7c5e20d54a4e0e86065aac61be41b5c6535433180bdf6ba793a083a81ac887c4a88fa5f2856da1b4a674ffaeb0c9f806150745cfa9957adc08aba92

C:\Windows\SysWOW64\Bqlfaj32.exe

MD5 5b79e84420be416cf7e17aba53615318
SHA1 963fb60e580acf16b62a5e97f85d02d34c74aba9
SHA256 00a41e97dd1213bf325c7130cc7fbef021688e4fe71a52902ded28524171ee23
SHA512 b94153f16e8d52a35f4d53d05684a5538064e48fd72205d6b505cd6c321ba53df2919fd9ef0d61a6b83f85286d74ea500da68baf284265bb0d6ecfa743aa05d4

C:\Windows\SysWOW64\Bbmcibjp.exe

MD5 11d1f77db3bc09c430619cdec447fb90
SHA1 1178c56f3e2dca13b45bf333cf5a6e43e2909c68
SHA256 dc247511d6594c975aac9055e7c30d90685a063fe41cba3112db942e0ce31a18
SHA512 8429794d061081bd9dfcdd2d6add5caf99ddd9409dbf94c296126d770863f6225876db321658297678ee2d6f8375d384050c5131c32a2122c915a7006676e8ce

C:\Windows\SysWOW64\Bfioia32.exe

MD5 b21b54ad57e0d5889cc8cf0023a7b255
SHA1 3c93156f50237c7e1b067aabb42659cb41b67aa1
SHA256 3028dbf6f0dd3c9f4dcbbce615547a9286f92d229afe6310133ee32f91ba3b26
SHA512 622fcbf48a991261fafeaad99a18c82156c7722696f14a6ff9c7f55b9680b6694aa3a81300aae4d988cc1c1c46050893a84a1c5233419c1a70e1256a8599b28d

C:\Windows\SysWOW64\Bigkel32.exe

MD5 a3bed02155d6fbcfa7913fc5f7cd16b8
SHA1 a86a405eed2c11b6fb53e2c913a0eb69b71cf299
SHA256 9fe38692e1b052364c5c20eb01a50226727199df11ae8c12193ed45ad2ce3a62
SHA512 894c47f20bb8fb390044481bdfea7453cc8650bcfcd39d2d1d5aee7a2641843e11674e7d12cd0a6743b26785a3aa39c6567539ad5d18f0a43680e0477928506f

C:\Windows\SysWOW64\Bkegah32.exe

MD5 81378e9489b01394cf943886f54b9aa7
SHA1 af6aff74dd5982963b141fd8427a278ba7634def
SHA256 0fed9dbd6552ee4e26654d692a6dfd19740d11205833cfb7dd7c8e9530db8448
SHA512 8640644ef5ed6575c7d360893f249a0945c8d3280702d40aa147973b8be9429bb9974e9e2a7293c890a1007a14940f72137b4e711741e1453b2bbbe063bf4a69

C:\Windows\SysWOW64\Cbppnbhm.exe

MD5 76ad9d773402516c91ae2fbace580be1
SHA1 4733bf471a0badfa141e6c7770f47369fcf73d2a
SHA256 4b888a068bce3e04f94805b71b7cc46411cb7d95e4dffcf4320394b30fe298b1
SHA512 6befdb49dfae8cbeb3b8366a3def93ab8a963f349340afc3ba4c5df5f9f9d59ddd318630cada78bce98d438be7f17a9aa7342acd0b4093cfc5a14bd0162abbb7

C:\Windows\SysWOW64\Cenljmgq.exe

MD5 f698e3ed1296406291f704dee9ffa666
SHA1 8b59930aabf0098f1cbce00d55e78f954a121186
SHA256 d7127c7613147a77a69e9b635f1aa879d6da6f12f5ddc7ca4f86c50967366ef7
SHA512 2363ac2411cd2886d0b72c9736d929450ea093027b513692641f70900434e317b8a6a07471a139d9acc91f6f783c2d0824e0fe5ded8795556f49859f3001ce57

C:\Windows\SysWOW64\Cmedlk32.exe

MD5 02807b5050593ef4b3c2c8466a12deeb
SHA1 fbc36429174d0d9c1e38c1aa51d551ad0824a944
SHA256 c2cc8b957eebf6677c68953dfe6e79b297a1a829b060e3559a152e99c7443fab
SHA512 d6a069042cb63dd81af15092deff31feb53e0bb49cfee53318a30f7510b309c02b0f2177d4a6a2429877d40716d9d7a24f640231a93f4def3c4415e8149205a6

C:\Windows\SysWOW64\Cocphf32.exe

MD5 a5f18ba45c75a23d02f04e2d8e9b53a7
SHA1 332813b4ec861d4e301511c5ce4550dcc1365960
SHA256 9444b64d0b73016ae686649b20843a2c4076573686388f50cbf7a712f226daa1
SHA512 6c0130fd2cec3d9ae1e20059918c8c219138a7b92938c7c0beccd371389d6665f2955b1609070ffb9c7c5fcd02f73c09b14490d2e737c1294d26c17c08fb48e8

C:\Windows\SysWOW64\Cileqlmg.exe

MD5 7cfbe860b53093efc17da378f1a512d8
SHA1 ea7be8841c8688347f951cf17dd0fecdd96374ad
SHA256 62a22e24b9c8ef2d42fe812d0530d48251878ddb0ddd1048f47389be69b071f9
SHA512 0745faaf623386e857eb148fa3df7730b01b691611a0a76ac33e39f4c29c646504bda93c7b95ae421a4b0c455ee15f35eb77814ff14f94a6da854e2dc0381fd2

C:\Windows\SysWOW64\Ckjamgmk.exe

MD5 9cd3f66788e4fb43f1179e721d747e3e
SHA1 e0149bade0753fcc7171e6edf88d9e84964a5d15
SHA256 6872cc955d77c74a09fb2c1e09c593cc6b73d91767a97047118778e5742b805a
SHA512 587c8c967ab4a0a06642ebdc3b4d48f5b09ee67870edbaa434edad94b9938f1854cc1331ad4fb7656d4a82359aa2909661f799a6341dad765f6c29ea07291194

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 fedd5ba2728f5f073f6c08c51c71be8c
SHA1 589c7ee17facbafbca4bf1e02bcde6eff1c2b20d
SHA256 2650bd03cbec85e529a4e90ed6f0b578514f4ba37483e75089b01b3e788d227f
SHA512 e29db8a745eea11a9df65da6551b84be6b5bdabeeed1dcc28e3533baa203d66f1a74c825ab7e7e79dca65f47729db09554f8c0ef0428772cb090350f20e66364

C:\Windows\SysWOW64\Cagienkb.exe

MD5 4d923ac4ec16f1be8b59529c3114aece
SHA1 0215eecded8a5458099ece621ef081b8456ac6d2
SHA256 b99b749ec3dc7a9121819f15f4460a867ea46debb29d1bc59512a728084973b3
SHA512 3c75ba2b5c73ea3b79ff5b7a7ff88769d6ce25b4a42f72e3e52d73f823eb51036417a5a2e33982a43b89be235c06908f1d6399c636e9ef47a8f10233b62726f8

C:\Windows\SysWOW64\Cgaaah32.exe

MD5 850986bcda2c9ad9dc47465dc7d49a95
SHA1 c380da3e5c6f5f3b31e54046cf939cea33f97e20
SHA256 8d95a4c2cb9cee963f4264fea0d06220fec2c2c69c45210385d5a8ca35f2ad57
SHA512 e77b5862240c947b839ec554c5ccb4a8572fa5e7d29a41b7468aab326ae39c40fa0f4c11c94b136708b619f8e967841022f484ab91cdb3036f9805744ad9f4a4

C:\Windows\SysWOW64\Cnkjnb32.exe

MD5 c6ac2f5d394665ac07470ef4f00e9280
SHA1 2eec9913b2212dac8e16a2f1634d6d7f15abd6cb
SHA256 29ed63f29899e4a65198e5b7c9ace1611aabcce2df54bc37a8595b4e86973aeb
SHA512 be6ae48e17c0df86643534b7de7aa166cbc3f5eddafb87d0d09e03ea60b816644602906028dbb586a521cdcff7ce39a9ea56c78adfd1750a2dab1e2f8d1941a2

C:\Windows\SysWOW64\Caifjn32.exe

MD5 04f8b87f35810b09795f8566d3226fe4
SHA1 1be15888bf38b4861697eadfbe1ed25d4d9c64c5
SHA256 8c0b2085c04496dc9f6e132b7be89578ea7d3086f236fe7d3f5650354a63c02b
SHA512 268828f904dd88e55794b97d52491ba18f9465f50f837167e06445051adf7da42551038a87b437cb910678f2938a29a7443c6e6220af965a3a1f610d4b85e7b7

C:\Windows\SysWOW64\Cchbgi32.exe

MD5 f2090a123c1f42230694af73accb2639
SHA1 e5ab686015814440b5f827782f86414b10c6a332
SHA256 3236cbc6050854be272817a7a64ae2f2bcd6e57412419a109233364580078760
SHA512 5d0d294519802aab081a044cc0c988fa8c671e892ce8aced32986e3ac7422d482b9dae73d84a4dd97a104ad49594876793914f1bf6c404f38c5aecb63b4351b4

C:\Windows\SysWOW64\Cjakccop.exe

MD5 8f4b6751900a061d3146ec8d7e95aaf2
SHA1 bebd9a11707331ce6c0117bf414ed21412ae1ded
SHA256 e3b358b86594d37cb04a0d68dbc1edd9a328db7b5fae45b211cb39a471ef7a14
SHA512 7e6c48310e4838eb49c52d45465f82b9a7621ae58538611b5c5bcc36d6e3c9c522fbc4bf0525f6ba3878579132ec5e039ccdd9c07d30a8959daf5a7229fa220e

C:\Windows\SysWOW64\Ccjoli32.exe

MD5 2f99b5da3a65ad70197d83f90ae57020
SHA1 e8e076bcbedb8fae2a3864d183f4fc148d088d69
SHA256 01f0afea4716ddb6cd8485e8295b6a5a7673a42ccfd5e4db84e714f989e0a1b2
SHA512 420a59de4c9a03e2e2b6b52915b19bcf1c702b681f8f0848a6aab382a2bda2ce50f4123f46c97e8b34d6d404fe296a7fe2f7c5c817e9fb77d3adfe99c8a202a6

C:\Windows\SysWOW64\Djdgic32.exe

MD5 832c249d758cbe6f82a855f4875aebb0
SHA1 9c7ad433c135d59ea3fed7661ec8749c100b5c99
SHA256 e69e5e85da6ca52c7c246cf06a2189a075e88eaa01069239ffae2bb2137012d7
SHA512 b3dbff002595f0194f5f97a10cbf7a34a5c492928e09092a578535a915887294be240f9b4868b67e4fe72428b14d38a4d28e46c50ffbbcad07557f2be1cd7389

C:\Windows\SysWOW64\Dmbcen32.exe

MD5 4633776c3f54f24c4146b36d5e500c8b
SHA1 e70c79098c469f326404ae9d9a26b83a6ed95e12
SHA256 73cdc02a4d97330219d900c2fde3004099c704851e5aca959eb0f9e63bf1d951
SHA512 3a020daca785c8eaeb664841a81e851d71dea140a4365a6a7a578b8964d29d63b66bb0e7d957919e35f0abac108e745af7fb74c1e031cdb9ef9bd971eb07fb94

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 4b6ce58f7bbce643dd637cc5b0e0a7ae
SHA1 b125bfd7885c8cf1ad6fff0335f1f60dddac902c
SHA256 cd4a8ba6ec2337da6894672fbeeb898f13077b235ac57f9085f49d232d0bdd9d
SHA512 2b2e5135f4d8f8f671030c933ba3f134197fae0c0daeee8fe8fbb58ee16a97a2fdc6ecf2fa8535465c886f82ef2820a98e1eca5a85f9f0b498c719db8f362309

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 16:51

Reported

2024-11-09 16:53

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbcjnilj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poomegpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Papfgbmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhoqeibl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idahjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Idfaefkd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mqafhl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahfmpnql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjbogmdb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Maodigil.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Achegd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecbjkngo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oaajed32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Diccgfpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iljpij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oeokal32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfnjpfcl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifmqfm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njiegl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afinioip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljclki32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkbjjbda.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmabggdm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ipmbjgpi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oelolmnd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okgaijaj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjnmpl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaohcj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Digehphc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocgbld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgcihgaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jdfjld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhahaiec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omjpeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Miofjepg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahgjejhd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njmqnobn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmpqfq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icknfcol.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chnlgjlb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dheibpje.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npiiffqe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Opeiadfg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lghcocol.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lihpif32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qhlkilba.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccbadp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lknojl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohkkhhmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfeeabda.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aopemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaiimadl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cimmggfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Napjdpcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mehcdfch.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nliaao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiobceef.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kqbdldnq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Boihcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlpokp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhkikq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnkpnclp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aafemk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdpcal32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kiggbhda.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbpkkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgmcce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbbhqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgopidgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjmmepfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgamnded.exe N/A
N/A N/A C:\Windows\SysWOW64\Knkekn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Leenhhdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgcjdd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbinam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Legjmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkabjbih.exe N/A
N/A N/A C:\Windows\SysWOW64\Lankbigo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lghcocol.exe N/A
N/A N/A C:\Windows\SysWOW64\Lihpif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljilqnlm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lacdmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijlof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhmmjbkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljkifn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbbagk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Meamcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhoipb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlkepaam.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjneln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbenmk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mahnhhod.exe N/A
N/A N/A C:\Windows\SysWOW64\Miofjepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhafeb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjpbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnlnbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbgjbkfg.exe N/A
N/A N/A C:\Windows\SysWOW64\Meefofek.exe N/A
N/A N/A C:\Windows\SysWOW64\Miaboe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlpokp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjbogmdb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnnkgl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbighjdd.exe N/A
N/A N/A C:\Windows\SysWOW64\Mehcdfch.exe N/A
N/A N/A C:\Windows\SysWOW64\Micoed32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhfppabl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlbkap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnphmkji.exe N/A
N/A N/A C:\Windows\SysWOW64\Mblcnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Maodigil.exe N/A
N/A N/A C:\Windows\SysWOW64\Mejpje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mldhfpib.exe N/A
N/A N/A C:\Windows\SysWOW64\Njghbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbnpcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Naaqofgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nemmoe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nihipdhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhkikq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njiegl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Noeahkfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbqmiinl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nacmdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nijeec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhmeapmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nliaao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nognnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbcjnilj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nafjjf32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Eecphp32.exe C:\Windows\SysWOW64\Efpomccg.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjmoag32.exe C:\Windows\SysWOW64\Mgobel32.exe N/A
File created C:\Windows\SysWOW64\Melmcj32.dll C:\Windows\SysWOW64\Oehlkc32.exe N/A
File created C:\Windows\SysWOW64\Adhdjpjf.exe C:\Windows\SysWOW64\Aajhndkb.exe N/A
File created C:\Windows\SysWOW64\Nnojho32.exe C:\Windows\SysWOW64\Mfhbga32.exe N/A
File created C:\Windows\SysWOW64\Hankellh.dll C:\Windows\SysWOW64\Ipmbjgpi.exe N/A
File created C:\Windows\SysWOW64\Bdlhkf32.dll C:\Windows\SysWOW64\Cocacl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojhpimhp.exe C:\Windows\SysWOW64\Ocohmc32.exe N/A
File created C:\Windows\SysWOW64\Anbpqqmm.dll C:\Windows\SysWOW64\Nbnpcj32.exe N/A
File created C:\Windows\SysWOW64\Palklf32.exe C:\Windows\SysWOW64\Pjbcplpe.exe N/A
File opened for modification C:\Windows\SysWOW64\Bobabg32.exe C:\Windows\SysWOW64\Bdmmeo32.exe N/A
File created C:\Windows\SysWOW64\Mejpje32.exe C:\Windows\SysWOW64\Maodigil.exe N/A
File created C:\Windows\SysWOW64\Aaohcj32.exe C:\Windows\SysWOW64\Adkgje32.exe N/A
File created C:\Windows\SysWOW64\Ckbcpc32.dll C:\Windows\SysWOW64\Ppahmb32.exe N/A
File created C:\Windows\SysWOW64\Opkpck32.dll C:\Windows\SysWOW64\Hibafp32.exe N/A
File created C:\Windows\SysWOW64\Cjelhg32.dll C:\Windows\SysWOW64\Gdaociml.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnfihkqm.exe C:\Windows\SysWOW64\Adndoe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pahpfc32.exe C:\Windows\SysWOW64\Pkogiikb.exe N/A
File opened for modification C:\Windows\SysWOW64\Qepkbpak.exe C:\Windows\SysWOW64\Qcaofebg.exe N/A
File opened for modification C:\Windows\SysWOW64\Klcekpdo.exe C:\Windows\SysWOW64\Kjeiodek.exe N/A
File created C:\Windows\SysWOW64\Bokehc32.exe C:\Windows\SysWOW64\Bkoigdom.exe N/A
File opened for modification C:\Windows\SysWOW64\Qodeajbg.exe C:\Windows\SysWOW64\Qfmmplad.exe N/A
File created C:\Windows\SysWOW64\Kgopidgf.exe C:\Windows\SysWOW64\Kbbhqn32.exe N/A
File created C:\Windows\SysWOW64\Lbinam32.exe C:\Windows\SysWOW64\Lgcjdd32.exe N/A
File created C:\Windows\SysWOW64\Mnphmkji.exe C:\Windows\SysWOW64\Mlbkap32.exe N/A
File created C:\Windows\SysWOW64\Kdigadjo.exe C:\Windows\SysWOW64\Jdfjld32.exe N/A
File opened for modification C:\Windows\SysWOW64\Imgicgca.exe C:\Windows\SysWOW64\Ifmqfm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbgcih32.exe C:\Windows\SysWOW64\Nolgijpk.exe N/A
File opened for modification C:\Windows\SysWOW64\Nijeec32.exe C:\Windows\SysWOW64\Nacmdf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oklkdi32.exe C:\Windows\SysWOW64\Ohnohn32.exe N/A
File created C:\Windows\SysWOW64\Adnipccc.dll C:\Windows\SysWOW64\Gfmojenc.exe N/A
File created C:\Windows\SysWOW64\Nklinjmj.dll C:\Windows\SysWOW64\Dfiildio.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebommi32.exe C:\Windows\SysWOW64\Eppqqn32.exe N/A
File created C:\Windows\SysWOW64\Jpfepf32.exe C:\Windows\SysWOW64\Jdodkebj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mbenmk32.exe C:\Windows\SysWOW64\Mjneln32.exe N/A
File created C:\Windows\SysWOW64\Danihi32.dll C:\Windows\SysWOW64\Qeodhjmo.exe N/A
File created C:\Windows\SysWOW64\Nnicid32.exe C:\Windows\SysWOW64\Njmhhefi.exe N/A
File created C:\Windows\SysWOW64\Hnnhejgh.dll C:\Windows\SysWOW64\Pkpmdbfd.exe N/A
File created C:\Windows\SysWOW64\Qikgco32.exe C:\Windows\SysWOW64\Qepkbpak.exe N/A
File created C:\Windows\SysWOW64\Napjdpcn.exe C:\Windows\SysWOW64\Nghekkmn.exe N/A
File created C:\Windows\SysWOW64\Emmdom32.exe C:\Windows\SysWOW64\Enkdaepb.exe N/A
File opened for modification C:\Windows\SysWOW64\Gipdap32.exe C:\Windows\SysWOW64\Gdcliikj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgclpkac.exe C:\Windows\SysWOW64\Mkmkkjko.exe N/A
File created C:\Windows\SysWOW64\Ichqihli.dll C:\Windows\SysWOW64\Akblfj32.exe N/A
File created C:\Windows\SysWOW64\Lkabjbih.exe C:\Windows\SysWOW64\Legjmh32.exe N/A
File created C:\Windows\SysWOW64\Cjliajmo.exe C:\Windows\SysWOW64\Cfqmpl32.exe N/A
File created C:\Windows\SysWOW64\Egqbff32.dll C:\Windows\SysWOW64\Cjliajmo.exe N/A
File created C:\Windows\SysWOW64\Gkoafbld.dll C:\Windows\SysWOW64\Lomqcjie.exe N/A
File opened for modification C:\Windows\SysWOW64\Bohibc32.exe C:\Windows\SysWOW64\Bljlfh32.exe N/A
File created C:\Windows\SysWOW64\Ecbjkngo.exe C:\Windows\SysWOW64\Dpgnjo32.exe N/A
File created C:\Windows\SysWOW64\Ekiapmnp.dll C:\Windows\SysWOW64\Cacckp32.exe N/A
File created C:\Windows\SysWOW64\Hlegnjbm.exe C:\Windows\SysWOW64\Hkdjfb32.exe N/A
File created C:\Windows\SysWOW64\Nondlbmd.dll C:\Windows\SysWOW64\Bkkple32.exe N/A
File created C:\Windows\SysWOW64\Bcfahbpo.exe C:\Windows\SysWOW64\Bokehc32.exe N/A
File created C:\Windows\SysWOW64\Nkddkljd.dll C:\Windows\SysWOW64\Mlbkap32.exe N/A
File created C:\Windows\SysWOW64\Legokici.dll C:\Windows\SysWOW64\Njiegl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhbolp32.exe C:\Windows\SysWOW64\Neccpd32.exe N/A
File created C:\Windows\SysWOW64\Eblimcdf.exe C:\Windows\SysWOW64\Ekaapi32.exe N/A
File created C:\Windows\SysWOW64\Ljclki32.exe C:\Windows\SysWOW64\Ldgccb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfnjpfcl.exe C:\Windows\SysWOW64\Cocacl32.exe N/A
File created C:\Windows\SysWOW64\Pllgnl32.exe C:\Windows\SysWOW64\Oimkbaed.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhcjqinf.exe C:\Windows\SysWOW64\Bcfahbpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffaong32.exe C:\Windows\SysWOW64\Fllkqn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnoddcef.exe C:\Windows\SysWOW64\Bhblllfo.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qebhhp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dooaoj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpaekqhh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjneln32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Miofjepg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nacmdf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Poomegpf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dikihe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amjbbfgo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjmoag32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Flmqlg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klcekpdo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgcjdd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mahnhhod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bokehc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iljpij32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfqlfb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkibgh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nognnj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neqopnhb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojbacd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekdnei32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlbkap32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nijeec32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Papfgbmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icknfcol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lqndhcdc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkqaoe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhmmjbkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Elbhjp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cleegp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nihipdhl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipmbjgpi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bacjdbch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppahmb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mejpje32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gjfnedho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iphioh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ijegcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Efafgifc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmlpaoaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Geaepk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfoann32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmhand32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qeodhjmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gldglf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aajhndkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbbhqn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gpnmbl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnmhpg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qobhkjdi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lknojl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnkpnclp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plndcl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccdnjp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjnffjkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gipdap32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plbmokop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgobel32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjpode32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmpqfq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbnmke32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afbgkl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adfgdpmi.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Adfgdpmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhamkipi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmennnni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmmqg32.dll" C:\Windows\SysWOW64\Eblimcdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lljklo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebqacjl.dll" C:\Windows\SysWOW64\Noeahkfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pabblb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bljlfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fflohaij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmqinmi.dll" C:\Windows\SysWOW64\Mhafeb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagnlg32.dll" C:\Windows\SysWOW64\Nbcjnilj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nghekkmn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ojigdcll.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjneln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgfkbgm.dll" C:\Windows\SysWOW64\Ohnohn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Plndcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qikgco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpidaqmj.dll" C:\Windows\SysWOW64\Jilfifme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll" C:\Windows\SysWOW64\Bhmbqm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecbjkngo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbmhabha.dll" C:\Windows\SysWOW64\Cmhigf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Flmqlg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oaajed32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahgjejhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ccdnjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" C:\Windows\SysWOW64\Ohkkhhmh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emjgim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oihagaji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdpmbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjofoqdn.dll" C:\Windows\SysWOW64\Hekgfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koiagakg.dll" C:\Windows\SysWOW64\Embddb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialjan32.dll" C:\Windows\SysWOW64\Emmdom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll" C:\Windows\SysWOW64\Pjpfjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lghcocol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjikc32.dll" C:\Windows\SysWOW64\Meefofek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaiimadl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfigpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jiiicf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kjmfjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blickdlj.dll" C:\Windows\SysWOW64\Efhlhh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnoddcef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlphbnoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbjkkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmifh32.dll" C:\Windows\SysWOW64\Eecphp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Knkekn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpnmbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Achegd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ljkifn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhmmpnk.dll" C:\Windows\SysWOW64\Mnphmkji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Onpjichj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adikdfna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflbhhom.dll" C:\Windows\SysWOW64\Fbgihaji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlegnjbm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ipoopgnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaedkn32.dll" C:\Windows\SysWOW64\Ljilqnlm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lljklo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bohibc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Efccmidp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpgal32.dll" C:\Windows\SysWOW64\Hplicjok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojigdcll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epllglpf.dll" C:\Windows\SysWOW64\Efafgifc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njkkbehl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bogkmgba.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4504 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe C:\Windows\SysWOW64\Kiggbhda.exe
PID 4504 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe C:\Windows\SysWOW64\Kiggbhda.exe
PID 4504 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe C:\Windows\SysWOW64\Kiggbhda.exe
PID 1520 wrote to memory of 4000 N/A C:\Windows\SysWOW64\Kiggbhda.exe C:\Windows\SysWOW64\Kbpkkn32.exe
PID 1520 wrote to memory of 4000 N/A C:\Windows\SysWOW64\Kiggbhda.exe C:\Windows\SysWOW64\Kbpkkn32.exe
PID 1520 wrote to memory of 4000 N/A C:\Windows\SysWOW64\Kiggbhda.exe C:\Windows\SysWOW64\Kbpkkn32.exe
PID 4000 wrote to memory of 396 N/A C:\Windows\SysWOW64\Kbpkkn32.exe C:\Windows\SysWOW64\Kgmcce32.exe
PID 4000 wrote to memory of 396 N/A C:\Windows\SysWOW64\Kbpkkn32.exe C:\Windows\SysWOW64\Kgmcce32.exe
PID 4000 wrote to memory of 396 N/A C:\Windows\SysWOW64\Kbpkkn32.exe C:\Windows\SysWOW64\Kgmcce32.exe
PID 396 wrote to memory of 4460 N/A C:\Windows\SysWOW64\Kgmcce32.exe C:\Windows\SysWOW64\Kbbhqn32.exe
PID 396 wrote to memory of 4460 N/A C:\Windows\SysWOW64\Kgmcce32.exe C:\Windows\SysWOW64\Kbbhqn32.exe
PID 396 wrote to memory of 4460 N/A C:\Windows\SysWOW64\Kgmcce32.exe C:\Windows\SysWOW64\Kbbhqn32.exe
PID 4460 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Kbbhqn32.exe C:\Windows\SysWOW64\Kgopidgf.exe
PID 4460 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Kbbhqn32.exe C:\Windows\SysWOW64\Kgopidgf.exe
PID 4460 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Kbbhqn32.exe C:\Windows\SysWOW64\Kgopidgf.exe
PID 4380 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Kgopidgf.exe C:\Windows\SysWOW64\Kjmmepfj.exe
PID 4380 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Kgopidgf.exe C:\Windows\SysWOW64\Kjmmepfj.exe
PID 4380 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Kgopidgf.exe C:\Windows\SysWOW64\Kjmmepfj.exe
PID 4580 wrote to memory of 5068 N/A C:\Windows\SysWOW64\Kjmmepfj.exe C:\Windows\SysWOW64\Kgamnded.exe
PID 4580 wrote to memory of 5068 N/A C:\Windows\SysWOW64\Kjmmepfj.exe C:\Windows\SysWOW64\Kgamnded.exe
PID 4580 wrote to memory of 5068 N/A C:\Windows\SysWOW64\Kjmmepfj.exe C:\Windows\SysWOW64\Kgamnded.exe
PID 5068 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Kgamnded.exe C:\Windows\SysWOW64\Knkekn32.exe
PID 5068 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Kgamnded.exe C:\Windows\SysWOW64\Knkekn32.exe
PID 5068 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Kgamnded.exe C:\Windows\SysWOW64\Knkekn32.exe
PID 4092 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Knkekn32.exe C:\Windows\SysWOW64\Leenhhdn.exe
PID 4092 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Knkekn32.exe C:\Windows\SysWOW64\Leenhhdn.exe
PID 4092 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Knkekn32.exe C:\Windows\SysWOW64\Leenhhdn.exe
PID 2800 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Leenhhdn.exe C:\Windows\SysWOW64\Lgcjdd32.exe
PID 2800 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Leenhhdn.exe C:\Windows\SysWOW64\Lgcjdd32.exe
PID 2800 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Leenhhdn.exe C:\Windows\SysWOW64\Lgcjdd32.exe
PID 2476 wrote to memory of 3196 N/A C:\Windows\SysWOW64\Lgcjdd32.exe C:\Windows\SysWOW64\Lbinam32.exe
PID 2476 wrote to memory of 3196 N/A C:\Windows\SysWOW64\Lgcjdd32.exe C:\Windows\SysWOW64\Lbinam32.exe
PID 2476 wrote to memory of 3196 N/A C:\Windows\SysWOW64\Lgcjdd32.exe C:\Windows\SysWOW64\Lbinam32.exe
PID 3196 wrote to memory of 4852 N/A C:\Windows\SysWOW64\Lbinam32.exe C:\Windows\SysWOW64\Legjmh32.exe
PID 3196 wrote to memory of 4852 N/A C:\Windows\SysWOW64\Lbinam32.exe C:\Windows\SysWOW64\Legjmh32.exe
PID 3196 wrote to memory of 4852 N/A C:\Windows\SysWOW64\Lbinam32.exe C:\Windows\SysWOW64\Legjmh32.exe
PID 4852 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Legjmh32.exe C:\Windows\SysWOW64\Lkabjbih.exe
PID 4852 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Legjmh32.exe C:\Windows\SysWOW64\Lkabjbih.exe
PID 4852 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Legjmh32.exe C:\Windows\SysWOW64\Lkabjbih.exe
PID 2728 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Lkabjbih.exe C:\Windows\SysWOW64\Lankbigo.exe
PID 2728 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Lkabjbih.exe C:\Windows\SysWOW64\Lankbigo.exe
PID 2728 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Lkabjbih.exe C:\Windows\SysWOW64\Lankbigo.exe
PID 1972 wrote to memory of 3688 N/A C:\Windows\SysWOW64\Lankbigo.exe C:\Windows\SysWOW64\Lghcocol.exe
PID 1972 wrote to memory of 3688 N/A C:\Windows\SysWOW64\Lankbigo.exe C:\Windows\SysWOW64\Lghcocol.exe
PID 1972 wrote to memory of 3688 N/A C:\Windows\SysWOW64\Lankbigo.exe C:\Windows\SysWOW64\Lghcocol.exe
PID 3688 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Lghcocol.exe C:\Windows\SysWOW64\Lihpif32.exe
PID 3688 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Lghcocol.exe C:\Windows\SysWOW64\Lihpif32.exe
PID 3688 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Lghcocol.exe C:\Windows\SysWOW64\Lihpif32.exe
PID 2420 wrote to memory of 3904 N/A C:\Windows\SysWOW64\Lihpif32.exe C:\Windows\SysWOW64\Ljilqnlm.exe
PID 2420 wrote to memory of 3904 N/A C:\Windows\SysWOW64\Lihpif32.exe C:\Windows\SysWOW64\Ljilqnlm.exe
PID 2420 wrote to memory of 3904 N/A C:\Windows\SysWOW64\Lihpif32.exe C:\Windows\SysWOW64\Ljilqnlm.exe
PID 3904 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Ljilqnlm.exe C:\Windows\SysWOW64\Lacdmh32.exe
PID 3904 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Ljilqnlm.exe C:\Windows\SysWOW64\Lacdmh32.exe
PID 3904 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Ljilqnlm.exe C:\Windows\SysWOW64\Lacdmh32.exe
PID 3048 wrote to memory of 1364 N/A C:\Windows\SysWOW64\Lacdmh32.exe C:\Windows\SysWOW64\Lijlof32.exe
PID 3048 wrote to memory of 1364 N/A C:\Windows\SysWOW64\Lacdmh32.exe C:\Windows\SysWOW64\Lijlof32.exe
PID 3048 wrote to memory of 1364 N/A C:\Windows\SysWOW64\Lacdmh32.exe C:\Windows\SysWOW64\Lijlof32.exe
PID 1364 wrote to memory of 4908 N/A C:\Windows\SysWOW64\Lijlof32.exe C:\Windows\SysWOW64\Lhmmjbkf.exe
PID 1364 wrote to memory of 4908 N/A C:\Windows\SysWOW64\Lijlof32.exe C:\Windows\SysWOW64\Lhmmjbkf.exe
PID 1364 wrote to memory of 4908 N/A C:\Windows\SysWOW64\Lijlof32.exe C:\Windows\SysWOW64\Lhmmjbkf.exe
PID 4908 wrote to memory of 3636 N/A C:\Windows\SysWOW64\Lhmmjbkf.exe C:\Windows\SysWOW64\Ljkifn32.exe
PID 4908 wrote to memory of 3636 N/A C:\Windows\SysWOW64\Lhmmjbkf.exe C:\Windows\SysWOW64\Ljkifn32.exe
PID 4908 wrote to memory of 3636 N/A C:\Windows\SysWOW64\Lhmmjbkf.exe C:\Windows\SysWOW64\Ljkifn32.exe
PID 3636 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Ljkifn32.exe C:\Windows\SysWOW64\Mbbagk32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe

"C:\Users\Admin\AppData\Local\Temp\83c8b4083744946c6910de26bdc14b7388d6a31bfd4185ca416e078f5b08520dN.exe"

C:\Windows\SysWOW64\Kiggbhda.exe

C:\Windows\system32\Kiggbhda.exe

C:\Windows\SysWOW64\Kbpkkn32.exe

C:\Windows\system32\Kbpkkn32.exe

C:\Windows\SysWOW64\Kgmcce32.exe

C:\Windows\system32\Kgmcce32.exe

C:\Windows\SysWOW64\Kbbhqn32.exe

C:\Windows\system32\Kbbhqn32.exe

C:\Windows\SysWOW64\Kgopidgf.exe

C:\Windows\system32\Kgopidgf.exe

C:\Windows\SysWOW64\Kjmmepfj.exe

C:\Windows\system32\Kjmmepfj.exe

C:\Windows\SysWOW64\Kgamnded.exe

C:\Windows\system32\Kgamnded.exe

C:\Windows\SysWOW64\Knkekn32.exe

C:\Windows\system32\Knkekn32.exe

C:\Windows\SysWOW64\Leenhhdn.exe

C:\Windows\system32\Leenhhdn.exe

C:\Windows\SysWOW64\Lgcjdd32.exe

C:\Windows\system32\Lgcjdd32.exe

C:\Windows\SysWOW64\Lbinam32.exe

C:\Windows\system32\Lbinam32.exe

C:\Windows\SysWOW64\Legjmh32.exe

C:\Windows\system32\Legjmh32.exe

C:\Windows\SysWOW64\Lkabjbih.exe

C:\Windows\system32\Lkabjbih.exe

C:\Windows\SysWOW64\Lankbigo.exe

C:\Windows\system32\Lankbigo.exe

C:\Windows\SysWOW64\Lghcocol.exe

C:\Windows\system32\Lghcocol.exe

C:\Windows\SysWOW64\Lihpif32.exe

C:\Windows\system32\Lihpif32.exe

C:\Windows\SysWOW64\Ljilqnlm.exe

C:\Windows\system32\Ljilqnlm.exe

C:\Windows\SysWOW64\Lacdmh32.exe

C:\Windows\system32\Lacdmh32.exe

C:\Windows\SysWOW64\Lijlof32.exe

C:\Windows\system32\Lijlof32.exe

C:\Windows\SysWOW64\Lhmmjbkf.exe

C:\Windows\system32\Lhmmjbkf.exe

C:\Windows\SysWOW64\Ljkifn32.exe

C:\Windows\system32\Ljkifn32.exe

C:\Windows\SysWOW64\Mbbagk32.exe

C:\Windows\system32\Mbbagk32.exe

C:\Windows\SysWOW64\Meamcg32.exe

C:\Windows\system32\Meamcg32.exe

C:\Windows\SysWOW64\Mhoipb32.exe

C:\Windows\system32\Mhoipb32.exe

C:\Windows\SysWOW64\Mlkepaam.exe

C:\Windows\system32\Mlkepaam.exe

C:\Windows\SysWOW64\Mjneln32.exe

C:\Windows\system32\Mjneln32.exe

C:\Windows\SysWOW64\Mbenmk32.exe

C:\Windows\system32\Mbenmk32.exe

C:\Windows\SysWOW64\Mahnhhod.exe

C:\Windows\system32\Mahnhhod.exe

C:\Windows\SysWOW64\Miofjepg.exe

C:\Windows\system32\Miofjepg.exe

C:\Windows\SysWOW64\Mhafeb32.exe

C:\Windows\system32\Mhafeb32.exe

C:\Windows\SysWOW64\Mjpbam32.exe

C:\Windows\system32\Mjpbam32.exe

C:\Windows\SysWOW64\Mnlnbl32.exe

C:\Windows\system32\Mnlnbl32.exe

C:\Windows\SysWOW64\Mbgjbkfg.exe

C:\Windows\system32\Mbgjbkfg.exe

C:\Windows\SysWOW64\Meefofek.exe

C:\Windows\system32\Meefofek.exe

C:\Windows\SysWOW64\Miaboe32.exe

C:\Windows\system32\Miaboe32.exe

C:\Windows\SysWOW64\Mlpokp32.exe

C:\Windows\system32\Mlpokp32.exe

C:\Windows\SysWOW64\Mjbogmdb.exe

C:\Windows\system32\Mjbogmdb.exe

C:\Windows\SysWOW64\Mnnkgl32.exe

C:\Windows\system32\Mnnkgl32.exe

C:\Windows\SysWOW64\Mbighjdd.exe

C:\Windows\system32\Mbighjdd.exe

C:\Windows\SysWOW64\Mehcdfch.exe

C:\Windows\system32\Mehcdfch.exe

C:\Windows\SysWOW64\Micoed32.exe

C:\Windows\system32\Micoed32.exe

C:\Windows\SysWOW64\Mhfppabl.exe

C:\Windows\system32\Mhfppabl.exe

C:\Windows\SysWOW64\Mlbkap32.exe

C:\Windows\system32\Mlbkap32.exe

C:\Windows\SysWOW64\Mnphmkji.exe

C:\Windows\system32\Mnphmkji.exe

C:\Windows\SysWOW64\Mblcnj32.exe

C:\Windows\system32\Mblcnj32.exe

C:\Windows\SysWOW64\Maodigil.exe

C:\Windows\system32\Maodigil.exe

C:\Windows\SysWOW64\Mejpje32.exe

C:\Windows\system32\Mejpje32.exe

C:\Windows\SysWOW64\Mldhfpib.exe

C:\Windows\system32\Mldhfpib.exe

C:\Windows\SysWOW64\Njghbl32.exe

C:\Windows\system32\Njghbl32.exe

C:\Windows\SysWOW64\Nbnpcj32.exe

C:\Windows\system32\Nbnpcj32.exe

C:\Windows\SysWOW64\Naaqofgj.exe

C:\Windows\system32\Naaqofgj.exe

C:\Windows\SysWOW64\Nemmoe32.exe

C:\Windows\system32\Nemmoe32.exe

C:\Windows\SysWOW64\Nihipdhl.exe

C:\Windows\system32\Nihipdhl.exe

C:\Windows\SysWOW64\Nhkikq32.exe

C:\Windows\system32\Nhkikq32.exe

C:\Windows\SysWOW64\Njiegl32.exe

C:\Windows\system32\Njiegl32.exe

C:\Windows\SysWOW64\Noeahkfc.exe

C:\Windows\system32\Noeahkfc.exe

C:\Windows\SysWOW64\Nbqmiinl.exe

C:\Windows\system32\Nbqmiinl.exe

C:\Windows\SysWOW64\Nacmdf32.exe

C:\Windows\system32\Nacmdf32.exe

C:\Windows\SysWOW64\Nijeec32.exe

C:\Windows\system32\Nijeec32.exe

C:\Windows\SysWOW64\Nhmeapmd.exe

C:\Windows\system32\Nhmeapmd.exe

C:\Windows\SysWOW64\Nliaao32.exe

C:\Windows\system32\Nliaao32.exe

C:\Windows\SysWOW64\Nognnj32.exe

C:\Windows\system32\Nognnj32.exe

C:\Windows\SysWOW64\Nbcjnilj.exe

C:\Windows\system32\Nbcjnilj.exe

C:\Windows\SysWOW64\Nafjjf32.exe

C:\Windows\system32\Nafjjf32.exe

C:\Windows\SysWOW64\Neafjdkn.exe

C:\Windows\system32\Neafjdkn.exe

C:\Windows\SysWOW64\Nhpbfpka.exe

C:\Windows\system32\Nhpbfpka.exe

C:\Windows\SysWOW64\Nknobkje.exe

C:\Windows\system32\Nknobkje.exe

C:\Windows\SysWOW64\Nojjcj32.exe

C:\Windows\system32\Nojjcj32.exe

C:\Windows\SysWOW64\Nahgoe32.exe

C:\Windows\system32\Nahgoe32.exe

C:\Windows\SysWOW64\Neccpd32.exe

C:\Windows\system32\Neccpd32.exe

C:\Windows\SysWOW64\Nhbolp32.exe

C:\Windows\system32\Nhbolp32.exe

C:\Windows\SysWOW64\Nkqkhk32.exe

C:\Windows\system32\Nkqkhk32.exe

C:\Windows\SysWOW64\Nolgijpk.exe

C:\Windows\system32\Nolgijpk.exe

C:\Windows\SysWOW64\Nbgcih32.exe

C:\Windows\system32\Nbgcih32.exe

C:\Windows\SysWOW64\Nefped32.exe

C:\Windows\system32\Nefped32.exe

C:\Windows\SysWOW64\Niakfbpa.exe

C:\Windows\system32\Niakfbpa.exe

C:\Windows\SysWOW64\Nlphbnoe.exe

C:\Windows\system32\Nlphbnoe.exe

C:\Windows\SysWOW64\Okchnk32.exe

C:\Windows\system32\Okchnk32.exe

C:\Windows\SysWOW64\Objpoh32.exe

C:\Windows\system32\Objpoh32.exe

C:\Windows\SysWOW64\Oampjeml.exe

C:\Windows\system32\Oampjeml.exe

C:\Windows\SysWOW64\Oehlkc32.exe

C:\Windows\system32\Oehlkc32.exe

C:\Windows\SysWOW64\Ohghgodi.exe

C:\Windows\system32\Ohghgodi.exe

C:\Windows\SysWOW64\Olbdhn32.exe

C:\Windows\system32\Olbdhn32.exe

C:\Windows\SysWOW64\Okedcjcm.exe

C:\Windows\system32\Okedcjcm.exe

C:\Windows\SysWOW64\Oblmdhdo.exe

C:\Windows\system32\Oblmdhdo.exe

C:\Windows\SysWOW64\Oaompd32.exe

C:\Windows\system32\Oaompd32.exe

C:\Windows\SysWOW64\Oekiqccc.exe

C:\Windows\system32\Oekiqccc.exe

C:\Windows\SysWOW64\Ohiemobf.exe

C:\Windows\system32\Ohiemobf.exe

C:\Windows\SysWOW64\Okgaijaj.exe

C:\Windows\system32\Okgaijaj.exe

C:\Windows\SysWOW64\Oocmii32.exe

C:\Windows\system32\Oocmii32.exe

C:\Windows\SysWOW64\Oaajed32.exe

C:\Windows\system32\Oaajed32.exe

C:\Windows\SysWOW64\Oihagaji.exe

C:\Windows\system32\Oihagaji.exe

C:\Windows\SysWOW64\Oadfkdgd.exe

C:\Windows\system32\Oadfkdgd.exe

C:\Windows\SysWOW64\Oiknlagg.exe

C:\Windows\system32\Oiknlagg.exe

C:\Windows\SysWOW64\Ohnohn32.exe

C:\Windows\system32\Ohnohn32.exe

C:\Windows\SysWOW64\Oklkdi32.exe

C:\Windows\system32\Oklkdi32.exe

C:\Windows\SysWOW64\Obcceg32.exe

C:\Windows\system32\Obcceg32.exe

C:\Windows\SysWOW64\Oimkbaed.exe

C:\Windows\system32\Oimkbaed.exe

C:\Windows\SysWOW64\Pllgnl32.exe

C:\Windows\system32\Pllgnl32.exe

C:\Windows\SysWOW64\Pkogiikb.exe

C:\Windows\system32\Pkogiikb.exe

C:\Windows\SysWOW64\Pahpfc32.exe

C:\Windows\system32\Pahpfc32.exe

C:\Windows\SysWOW64\Piphgq32.exe

C:\Windows\system32\Piphgq32.exe

C:\Windows\SysWOW64\Plndcl32.exe

C:\Windows\system32\Plndcl32.exe

C:\Windows\SysWOW64\Pchlpfjb.exe

C:\Windows\system32\Pchlpfjb.exe

C:\Windows\SysWOW64\Pibdmp32.exe

C:\Windows\system32\Pibdmp32.exe

C:\Windows\SysWOW64\Plpqil32.exe

C:\Windows\system32\Plpqil32.exe

C:\Windows\SysWOW64\Poomegpf.exe

C:\Windows\system32\Poomegpf.exe

C:\Windows\SysWOW64\Pamiaboj.exe

C:\Windows\system32\Pamiaboj.exe

C:\Windows\SysWOW64\Pidabppl.exe

C:\Windows\system32\Pidabppl.exe

C:\Windows\SysWOW64\Plbmokop.exe

C:\Windows\system32\Plbmokop.exe

C:\Windows\SysWOW64\Poajkgnc.exe

C:\Windows\system32\Poajkgnc.exe

C:\Windows\SysWOW64\Papfgbmg.exe

C:\Windows\system32\Papfgbmg.exe

C:\Windows\SysWOW64\Pifnhpmi.exe

C:\Windows\system32\Pifnhpmi.exe

C:\Windows\SysWOW64\Plejdkmm.exe

C:\Windows\system32\Plejdkmm.exe

C:\Windows\SysWOW64\Pabblb32.exe

C:\Windows\system32\Pabblb32.exe

C:\Windows\SysWOW64\Qhlkilba.exe

C:\Windows\system32\Qhlkilba.exe

C:\Windows\SysWOW64\Qlggjk32.exe

C:\Windows\system32\Qlggjk32.exe

C:\Windows\SysWOW64\Qcaofebg.exe

C:\Windows\system32\Qcaofebg.exe

C:\Windows\SysWOW64\Qepkbpak.exe

C:\Windows\system32\Qepkbpak.exe

C:\Windows\SysWOW64\Qikgco32.exe

C:\Windows\system32\Qikgco32.exe

C:\Windows\SysWOW64\Qohpkf32.exe

C:\Windows\system32\Qohpkf32.exe

C:\Windows\SysWOW64\Qcclld32.exe

C:\Windows\system32\Qcclld32.exe

C:\Windows\SysWOW64\Qebhhp32.exe

C:\Windows\system32\Qebhhp32.exe

C:\Windows\SysWOW64\Allpejfe.exe

C:\Windows\system32\Allpejfe.exe

C:\Windows\SysWOW64\Akoqpg32.exe

C:\Windows\system32\Akoqpg32.exe

C:\Windows\SysWOW64\Acfhad32.exe

C:\Windows\system32\Acfhad32.exe

C:\Windows\SysWOW64\Aaiimadl.exe

C:\Windows\system32\Aaiimadl.exe

C:\Windows\SysWOW64\Ajpqnneo.exe

C:\Windows\system32\Ajpqnneo.exe

C:\Windows\SysWOW64\Alnmjjdb.exe

C:\Windows\system32\Alnmjjdb.exe

C:\Windows\SysWOW64\Achegd32.exe

C:\Windows\system32\Achegd32.exe

C:\Windows\SysWOW64\Akcjkfij.exe

C:\Windows\system32\Akcjkfij.exe

C:\Windows\SysWOW64\Ackbmcjl.exe

C:\Windows\system32\Ackbmcjl.exe

C:\Windows\SysWOW64\Afinioip.exe

C:\Windows\system32\Afinioip.exe

C:\Windows\SysWOW64\Ahgjejhd.exe

C:\Windows\system32\Ahgjejhd.exe

C:\Windows\SysWOW64\Aoabad32.exe

C:\Windows\system32\Aoabad32.exe

C:\Windows\SysWOW64\Acmobchj.exe

C:\Windows\system32\Acmobchj.exe

C:\Windows\SysWOW64\Afkknogn.exe

C:\Windows\system32\Afkknogn.exe

C:\Windows\SysWOW64\Ahjgjj32.exe

C:\Windows\system32\Ahjgjj32.exe

C:\Windows\SysWOW64\Aleckinj.exe

C:\Windows\system32\Aleckinj.exe

C:\Windows\SysWOW64\Aodogdmn.exe

C:\Windows\system32\Aodogdmn.exe

C:\Windows\SysWOW64\Bfngdn32.exe

C:\Windows\system32\Bfngdn32.exe

C:\Windows\SysWOW64\Bjicdmmd.exe

C:\Windows\system32\Bjicdmmd.exe

C:\Windows\SysWOW64\Bkkple32.exe

C:\Windows\system32\Bkkple32.exe

C:\Windows\SysWOW64\Boflmdkk.exe

C:\Windows\system32\Boflmdkk.exe

C:\Windows\SysWOW64\Bbdhiojo.exe

C:\Windows\system32\Bbdhiojo.exe

C:\Windows\SysWOW64\Bfpdin32.exe

C:\Windows\system32\Bfpdin32.exe

C:\Windows\SysWOW64\Bhoqeibl.exe

C:\Windows\system32\Bhoqeibl.exe

C:\Windows\SysWOW64\Bljlfh32.exe

C:\Windows\system32\Bljlfh32.exe

C:\Windows\SysWOW64\Bohibc32.exe

C:\Windows\system32\Bohibc32.exe

C:\Windows\SysWOW64\Bcddcbab.exe

C:\Windows\system32\Bcddcbab.exe

C:\Windows\SysWOW64\Bbgeno32.exe

C:\Windows\system32\Bbgeno32.exe

C:\Windows\SysWOW64\Bjnmpl32.exe

C:\Windows\system32\Bjnmpl32.exe

C:\Windows\SysWOW64\Bhamkipi.exe

C:\Windows\system32\Bhamkipi.exe

C:\Windows\SysWOW64\Bkoigdom.exe

C:\Windows\system32\Bkoigdom.exe

C:\Windows\SysWOW64\Bokehc32.exe

C:\Windows\system32\Bokehc32.exe

C:\Windows\SysWOW64\Bcfahbpo.exe

C:\Windows\system32\Bcfahbpo.exe

C:\Windows\SysWOW64\Bhcjqinf.exe

C:\Windows\system32\Bhcjqinf.exe

C:\Windows\SysWOW64\Bombmcec.exe

C:\Windows\system32\Bombmcec.exe

C:\Windows\SysWOW64\Bfgjjm32.exe

C:\Windows\system32\Bfgjjm32.exe

C:\Windows\SysWOW64\Bjbfklei.exe

C:\Windows\system32\Bjbfklei.exe

C:\Windows\SysWOW64\Bmabggdm.exe

C:\Windows\system32\Bmabggdm.exe

C:\Windows\SysWOW64\Bopocbcq.exe

C:\Windows\system32\Bopocbcq.exe

C:\Windows\SysWOW64\Bckkca32.exe

C:\Windows\system32\Bckkca32.exe

C:\Windows\SysWOW64\Cfigpm32.exe

C:\Windows\system32\Cfigpm32.exe

C:\Windows\SysWOW64\Cihclh32.exe

C:\Windows\system32\Cihclh32.exe

C:\Windows\SysWOW64\Ccmgiaig.exe

C:\Windows\system32\Ccmgiaig.exe

C:\Windows\SysWOW64\Cbphdn32.exe

C:\Windows\system32\Cbphdn32.exe

C:\Windows\SysWOW64\Cjgpfk32.exe

C:\Windows\system32\Cjgpfk32.exe

C:\Windows\SysWOW64\Cijpahho.exe

C:\Windows\system32\Cijpahho.exe

C:\Windows\SysWOW64\Ckilmcgb.exe

C:\Windows\system32\Ckilmcgb.exe

C:\Windows\SysWOW64\Ccpdoqgd.exe

C:\Windows\system32\Ccpdoqgd.exe

C:\Windows\SysWOW64\Cbbdjm32.exe

C:\Windows\system32\Cbbdjm32.exe

C:\Windows\SysWOW64\Cjjlkk32.exe

C:\Windows\system32\Cjjlkk32.exe

C:\Windows\SysWOW64\Cimmggfl.exe

C:\Windows\system32\Cimmggfl.exe

C:\Windows\SysWOW64\Cmhigf32.exe

C:\Windows\system32\Cmhigf32.exe

C:\Windows\SysWOW64\Ckkiccep.exe

C:\Windows\system32\Ckkiccep.exe

C:\Windows\SysWOW64\Ccbadp32.exe

C:\Windows\system32\Ccbadp32.exe

C:\Windows\SysWOW64\Cfqmpl32.exe

C:\Windows\system32\Cfqmpl32.exe

C:\Windows\SysWOW64\Cjliajmo.exe

C:\Windows\system32\Cjliajmo.exe

C:\Windows\SysWOW64\Cmjemflb.exe

C:\Windows\system32\Cmjemflb.exe

C:\Windows\SysWOW64\Ckmehb32.exe

C:\Windows\system32\Ckmehb32.exe

C:\Windows\SysWOW64\Ccdnjp32.exe

C:\Windows\system32\Ccdnjp32.exe

C:\Windows\SysWOW64\Cbgnemjj.exe

C:\Windows\system32\Cbgnemjj.exe

C:\Windows\SysWOW64\Cjnffjkl.exe

C:\Windows\system32\Cjnffjkl.exe

C:\Windows\SysWOW64\Cmmbbejp.exe

C:\Windows\system32\Cmmbbejp.exe

C:\Windows\SysWOW64\Dbjkkl32.exe

C:\Windows\system32\Dbjkkl32.exe

C:\Windows\SysWOW64\Diccgfpd.exe

C:\Windows\system32\Diccgfpd.exe

C:\Windows\SysWOW64\Dpnkdq32.exe

C:\Windows\system32\Dpnkdq32.exe

C:\Windows\SysWOW64\Dmalne32.exe

C:\Windows\system32\Dmalne32.exe

C:\Windows\SysWOW64\Dckdjomg.exe

C:\Windows\system32\Dckdjomg.exe

C:\Windows\SysWOW64\Dlghoa32.exe

C:\Windows\system32\Dlghoa32.exe

C:\Windows\SysWOW64\Dpbdopck.exe

C:\Windows\system32\Dpbdopck.exe

C:\Windows\SysWOW64\Dbqqkkbo.exe

C:\Windows\system32\Dbqqkkbo.exe

C:\Windows\SysWOW64\Dflmlj32.exe

C:\Windows\system32\Dflmlj32.exe

C:\Windows\SysWOW64\Dikihe32.exe

C:\Windows\system32\Dikihe32.exe

C:\Windows\SysWOW64\Dlieda32.exe

C:\Windows\system32\Dlieda32.exe

C:\Windows\SysWOW64\Dcpmen32.exe

C:\Windows\system32\Dcpmen32.exe

C:\Windows\SysWOW64\Dfoiaj32.exe

C:\Windows\system32\Dfoiaj32.exe

C:\Windows\SysWOW64\Djjebh32.exe

C:\Windows\system32\Djjebh32.exe

C:\Windows\SysWOW64\Dmhand32.exe

C:\Windows\system32\Dmhand32.exe

C:\Windows\SysWOW64\Dlkbjqgm.exe

C:\Windows\system32\Dlkbjqgm.exe

C:\Windows\SysWOW64\Dpgnjo32.exe

C:\Windows\system32\Dpgnjo32.exe

C:\Windows\SysWOW64\Ecbjkngo.exe

C:\Windows\system32\Ecbjkngo.exe

C:\Windows\SysWOW64\Efafgifc.exe

C:\Windows\system32\Efafgifc.exe

C:\Windows\SysWOW64\Ejlbhh32.exe

C:\Windows\system32\Ejlbhh32.exe

C:\Windows\SysWOW64\Eiobceef.exe

C:\Windows\system32\Eiobceef.exe

C:\Windows\SysWOW64\Elnoopdj.exe

C:\Windows\system32\Elnoopdj.exe

C:\Windows\SysWOW64\Epikpo32.exe

C:\Windows\system32\Epikpo32.exe

C:\Windows\SysWOW64\Ebhglj32.exe

C:\Windows\system32\Ebhglj32.exe

C:\Windows\SysWOW64\Efccmidp.exe

C:\Windows\system32\Efccmidp.exe

C:\Windows\SysWOW64\Emmkiclm.exe

C:\Windows\system32\Emmkiclm.exe

C:\Windows\SysWOW64\Efepbi32.exe

C:\Windows\system32\Efepbi32.exe

C:\Windows\SysWOW64\Elbhjp32.exe

C:\Windows\system32\Elbhjp32.exe

C:\Windows\SysWOW64\Efhlhh32.exe

C:\Windows\system32\Efhlhh32.exe

C:\Windows\SysWOW64\Embddb32.exe

C:\Windows\system32\Embddb32.exe

C:\Windows\SysWOW64\Eppqqn32.exe

C:\Windows\system32\Eppqqn32.exe

C:\Windows\SysWOW64\Ebommi32.exe

C:\Windows\system32\Ebommi32.exe

C:\Windows\SysWOW64\Fpbmfn32.exe

C:\Windows\system32\Fpbmfn32.exe

C:\Windows\SysWOW64\Ffmfchle.exe

C:\Windows\system32\Ffmfchle.exe

C:\Windows\SysWOW64\Ffobhg32.exe

C:\Windows\system32\Ffobhg32.exe

C:\Windows\SysWOW64\Fllkqn32.exe

C:\Windows\system32\Fllkqn32.exe

C:\Windows\SysWOW64\Ffaong32.exe

C:\Windows\system32\Ffaong32.exe

C:\Windows\SysWOW64\Fipkjb32.exe

C:\Windows\system32\Fipkjb32.exe

C:\Windows\SysWOW64\Ffclcgfn.exe

C:\Windows\system32\Ffclcgfn.exe

C:\Windows\SysWOW64\Flqdlnde.exe

C:\Windows\system32\Flqdlnde.exe

C:\Windows\SysWOW64\Fideeaco.exe

C:\Windows\system32\Fideeaco.exe

C:\Windows\SysWOW64\Fmpqfq32.exe

C:\Windows\system32\Fmpqfq32.exe

C:\Windows\SysWOW64\Gpnmbl32.exe

C:\Windows\system32\Gpnmbl32.exe

C:\Windows\SysWOW64\Gbmingjo.exe

C:\Windows\system32\Gbmingjo.exe

C:\Windows\SysWOW64\Gigaka32.exe

C:\Windows\system32\Gigaka32.exe

C:\Windows\SysWOW64\Gjfnedho.exe

C:\Windows\system32\Gjfnedho.exe

C:\Windows\SysWOW64\Glgjlm32.exe

C:\Windows\system32\Glgjlm32.exe

C:\Windows\SysWOW64\Gfmojenc.exe

C:\Windows\system32\Gfmojenc.exe

C:\Windows\SysWOW64\Gmggfp32.exe

C:\Windows\system32\Gmggfp32.exe

C:\Windows\SysWOW64\Gdaociml.exe

C:\Windows\system32\Gdaociml.exe

C:\Windows\SysWOW64\Gfokoelp.exe

C:\Windows\system32\Gfokoelp.exe

C:\Windows\SysWOW64\Gingkqkd.exe

C:\Windows\system32\Gingkqkd.exe

C:\Windows\SysWOW64\Glldgljg.exe

C:\Windows\system32\Glldgljg.exe

C:\Windows\SysWOW64\Gdcliikj.exe

C:\Windows\system32\Gdcliikj.exe

C:\Windows\SysWOW64\Gipdap32.exe

C:\Windows\system32\Gipdap32.exe

C:\Windows\SysWOW64\Hmlpaoaj.exe

C:\Windows\system32\Hmlpaoaj.exe

C:\Windows\SysWOW64\Hibafp32.exe

C:\Windows\system32\Hibafp32.exe

C:\Windows\SysWOW64\Hplicjok.exe

C:\Windows\system32\Hplicjok.exe

C:\Windows\SysWOW64\Hgfapd32.exe

C:\Windows\system32\Hgfapd32.exe

C:\Windows\SysWOW64\Hienlpel.exe

C:\Windows\system32\Hienlpel.exe

C:\Windows\SysWOW64\Hkdjfb32.exe

C:\Windows\system32\Hkdjfb32.exe

C:\Windows\SysWOW64\Hlegnjbm.exe

C:\Windows\system32\Hlegnjbm.exe

C:\Windows\SysWOW64\Hgkkkcbc.exe

C:\Windows\system32\Hgkkkcbc.exe

C:\Windows\SysWOW64\Hdokdg32.exe

C:\Windows\system32\Hdokdg32.exe

C:\Windows\SysWOW64\Iljpij32.exe

C:\Windows\system32\Iljpij32.exe

C:\Windows\SysWOW64\Idahjg32.exe

C:\Windows\system32\Idahjg32.exe

C:\Windows\SysWOW64\Iphioh32.exe

C:\Windows\system32\Iphioh32.exe

C:\Windows\SysWOW64\Igbalblk.exe

C:\Windows\system32\Igbalblk.exe

C:\Windows\SysWOW64\Idfaefkd.exe

C:\Windows\system32\Idfaefkd.exe

C:\Windows\SysWOW64\Ijcjmmil.exe

C:\Windows\system32\Ijcjmmil.exe

C:\Windows\SysWOW64\Innfnl32.exe

C:\Windows\system32\Innfnl32.exe

C:\Windows\SysWOW64\Ipmbjgpi.exe

C:\Windows\system32\Ipmbjgpi.exe

C:\Windows\SysWOW64\Icknfcol.exe

C:\Windows\system32\Icknfcol.exe

C:\Windows\SysWOW64\Ikbfgppo.exe

C:\Windows\system32\Ikbfgppo.exe

C:\Windows\SysWOW64\Ijegcm32.exe

C:\Windows\system32\Ijegcm32.exe

C:\Windows\SysWOW64\Ipoopgnf.exe

C:\Windows\system32\Ipoopgnf.exe

C:\Windows\SysWOW64\Idkkpf32.exe

C:\Windows\system32\Idkkpf32.exe

C:\Windows\SysWOW64\Ikdcmpnl.exe

C:\Windows\system32\Ikdcmpnl.exe

C:\Windows\SysWOW64\Jlfpdh32.exe

C:\Windows\system32\Jlfpdh32.exe

C:\Windows\SysWOW64\Jdmgfedl.exe

C:\Windows\system32\Jdmgfedl.exe

C:\Windows\SysWOW64\Jkgpbp32.exe

C:\Windows\system32\Jkgpbp32.exe

C:\Windows\SysWOW64\Jdodkebj.exe

C:\Windows\system32\Jdodkebj.exe

C:\Windows\SysWOW64\Jpfepf32.exe

C:\Windows\system32\Jpfepf32.exe

C:\Windows\SysWOW64\Jgpmmp32.exe

C:\Windows\system32\Jgpmmp32.exe

C:\Windows\SysWOW64\Jjoiil32.exe

C:\Windows\system32\Jjoiil32.exe

C:\Windows\SysWOW64\Jddnfd32.exe

C:\Windows\system32\Jddnfd32.exe

C:\Windows\SysWOW64\Jdfjld32.exe

C:\Windows\system32\Jdfjld32.exe

C:\Windows\SysWOW64\Kdigadjo.exe

C:\Windows\system32\Kdigadjo.exe

C:\Windows\SysWOW64\Kjepjkhf.exe

C:\Windows\system32\Kjepjkhf.exe

C:\Windows\SysWOW64\Kgipcogp.exe

C:\Windows\system32\Kgipcogp.exe

C:\Windows\SysWOW64\Kqbdldnq.exe

C:\Windows\system32\Kqbdldnq.exe

C:\Windows\SysWOW64\Kglmio32.exe

C:\Windows\system32\Kglmio32.exe

C:\Windows\SysWOW64\Kdpmbc32.exe

C:\Windows\system32\Kdpmbc32.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Kjmfjj32.exe

C:\Windows\system32\Kjmfjj32.exe

C:\Windows\SysWOW64\Lnjnqh32.exe

C:\Windows\system32\Lnjnqh32.exe

C:\Windows\SysWOW64\Lknojl32.exe

C:\Windows\system32\Lknojl32.exe

C:\Windows\SysWOW64\Ldgccb32.exe

C:\Windows\system32\Ldgccb32.exe

C:\Windows\SysWOW64\Ljclki32.exe

C:\Windows\system32\Ljclki32.exe

C:\Windows\SysWOW64\Lqndhcdc.exe

C:\Windows\system32\Lqndhcdc.exe

C:\Windows\SysWOW64\Lkchelci.exe

C:\Windows\system32\Lkchelci.exe

C:\Windows\SysWOW64\Lgjijmin.exe

C:\Windows\system32\Lgjijmin.exe

C:\Windows\SysWOW64\Mcqjon32.exe

C:\Windows\system32\Mcqjon32.exe

C:\Windows\SysWOW64\Mnfnlf32.exe

C:\Windows\system32\Mnfnlf32.exe

C:\Windows\SysWOW64\Mccfdmmo.exe

C:\Windows\system32\Mccfdmmo.exe

C:\Windows\SysWOW64\Mgobel32.exe

C:\Windows\system32\Mgobel32.exe

C:\Windows\SysWOW64\Mjmoag32.exe

C:\Windows\system32\Mjmoag32.exe

C:\Windows\SysWOW64\Mkmkkjko.exe

C:\Windows\system32\Mkmkkjko.exe

C:\Windows\SysWOW64\Mgclpkac.exe

C:\Windows\system32\Mgclpkac.exe

C:\Windows\SysWOW64\Mkadfj32.exe

C:\Windows\system32\Mkadfj32.exe

C:\Windows\SysWOW64\Mnpabe32.exe

C:\Windows\system32\Mnpabe32.exe

C:\Windows\SysWOW64\Nghekkmn.exe

C:\Windows\system32\Nghekkmn.exe

C:\Windows\SysWOW64\Napjdpcn.exe

C:\Windows\system32\Napjdpcn.exe

C:\Windows\SysWOW64\Njinmf32.exe

C:\Windows\system32\Njinmf32.exe

C:\Windows\SysWOW64\Nhmofj32.exe

C:\Windows\system32\Nhmofj32.exe

C:\Windows\SysWOW64\Njkkbehl.exe

C:\Windows\system32\Njkkbehl.exe

C:\Windows\SysWOW64\Neqopnhb.exe

C:\Windows\system32\Neqopnhb.exe

C:\Windows\SysWOW64\Nccokk32.exe

C:\Windows\system32\Nccokk32.exe

C:\Windows\SysWOW64\Nlkgmh32.exe

C:\Windows\system32\Nlkgmh32.exe

C:\Windows\SysWOW64\Njmhhefi.exe

C:\Windows\system32\Njmhhefi.exe

C:\Windows\SysWOW64\Nnicid32.exe

C:\Windows\system32\Nnicid32.exe

C:\Windows\SysWOW64\Nmlddqem.exe

C:\Windows\system32\Nmlddqem.exe

C:\Windows\SysWOW64\Neclenfo.exe

C:\Windows\system32\Neclenfo.exe

C:\Windows\SysWOW64\Nhahaiec.exe

C:\Windows\system32\Nhahaiec.exe

C:\Windows\SysWOW64\Nlmdbh32.exe

C:\Windows\system32\Nlmdbh32.exe

C:\Windows\SysWOW64\Nnkpnclp.exe

C:\Windows\system32\Nnkpnclp.exe

C:\Windows\SysWOW64\Najmjokc.exe

C:\Windows\system32\Najmjokc.exe

C:\Windows\SysWOW64\Ohcegi32.exe

C:\Windows\system32\Ohcegi32.exe

C:\Windows\SysWOW64\Oloahhki.exe

C:\Windows\system32\Oloahhki.exe

C:\Windows\SysWOW64\Ojbacd32.exe

C:\Windows\system32\Ojbacd32.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Oeheqm32.exe

C:\Windows\system32\Oeheqm32.exe

C:\Windows\SysWOW64\Ohfami32.exe

C:\Windows\system32\Ohfami32.exe

C:\Windows\SysWOW64\Onpjichj.exe

C:\Windows\system32\Onpjichj.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Ohhnbhok.exe

C:\Windows\system32\Ohhnbhok.exe

C:\Windows\SysWOW64\Ojgjndno.exe

C:\Windows\system32\Ojgjndno.exe

C:\Windows\SysWOW64\Omegjomb.exe

C:\Windows\system32\Omegjomb.exe

C:\Windows\SysWOW64\Oelolmnd.exe

C:\Windows\system32\Oelolmnd.exe

C:\Windows\SysWOW64\Odoogi32.exe

C:\Windows\system32\Odoogi32.exe

C:\Windows\SysWOW64\Ohkkhhmh.exe

C:\Windows\system32\Ohkkhhmh.exe

C:\Windows\SysWOW64\Ojigdcll.exe

C:\Windows\system32\Ojigdcll.exe

C:\Windows\SysWOW64\Oeokal32.exe

C:\Windows\system32\Oeokal32.exe

C:\Windows\SysWOW64\Ohmhmh32.exe

C:\Windows\system32\Ohmhmh32.exe

C:\Windows\SysWOW64\Okkdic32.exe

C:\Windows\system32\Okkdic32.exe

C:\Windows\SysWOW64\Omjpeo32.exe

C:\Windows\system32\Omjpeo32.exe

C:\Windows\SysWOW64\Plkpcfal.exe

C:\Windows\system32\Plkpcfal.exe

C:\Windows\SysWOW64\Pdfehh32.exe

C:\Windows\system32\Pdfehh32.exe

C:\Windows\SysWOW64\Pkpmdbfd.exe

C:\Windows\system32\Pkpmdbfd.exe

C:\Windows\SysWOW64\Pajeam32.exe

C:\Windows\system32\Pajeam32.exe

C:\Windows\SysWOW64\Pkbjjbda.exe

C:\Windows\system32\Pkbjjbda.exe

C:\Windows\SysWOW64\Palbgl32.exe

C:\Windows\system32\Palbgl32.exe

C:\Windows\SysWOW64\Plbfdekd.exe

C:\Windows\system32\Plbfdekd.exe

C:\Windows\SysWOW64\Pejkmk32.exe

C:\Windows\system32\Pejkmk32.exe

C:\Windows\SysWOW64\Pldcjeia.exe

C:\Windows\system32\Pldcjeia.exe

C:\Windows\SysWOW64\Qemhbj32.exe

C:\Windows\system32\Qemhbj32.exe

C:\Windows\SysWOW64\Qlgpod32.exe

C:\Windows\system32\Qlgpod32.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qeodhjmo.exe

C:\Windows\system32\Qeodhjmo.exe

C:\Windows\SysWOW64\Aafemk32.exe

C:\Windows\system32\Aafemk32.exe

C:\Windows\SysWOW64\Aknifq32.exe

C:\Windows\system32\Aknifq32.exe

C:\Windows\SysWOW64\Aahbbkaq.exe

C:\Windows\system32\Aahbbkaq.exe

C:\Windows\SysWOW64\Adikdfna.exe

C:\Windows\system32\Adikdfna.exe

C:\Windows\SysWOW64\Aehgnied.exe

C:\Windows\system32\Aehgnied.exe

C:\Windows\SysWOW64\Adkgje32.exe

C:\Windows\system32\Adkgje32.exe

C:\Windows\SysWOW64\Aaohcj32.exe

C:\Windows\system32\Aaohcj32.exe

C:\Windows\SysWOW64\Adndoe32.exe

C:\Windows\system32\Adndoe32.exe

C:\Windows\SysWOW64\Bnfihkqm.exe

C:\Windows\system32\Bnfihkqm.exe

C:\Windows\SysWOW64\Bdpaeehj.exe

C:\Windows\system32\Bdpaeehj.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Bklfgo32.exe

C:\Windows\system32\Bklfgo32.exe

C:\Windows\SysWOW64\Bebjdgmj.exe

C:\Windows\system32\Bebjdgmj.exe

C:\Windows\SysWOW64\Bdgged32.exe

C:\Windows\system32\Bdgged32.exe

C:\Windows\SysWOW64\Bakgoh32.exe

C:\Windows\system32\Bakgoh32.exe

C:\Windows\SysWOW64\Coohhlpe.exe

C:\Windows\system32\Coohhlpe.exe

C:\Windows\SysWOW64\Clchbqoo.exe

C:\Windows\system32\Clchbqoo.exe

C:\Windows\SysWOW64\Coadnlnb.exe

C:\Windows\system32\Coadnlnb.exe

C:\Windows\SysWOW64\Cndeii32.exe

C:\Windows\system32\Cndeii32.exe

C:\Windows\SysWOW64\Cfkmkf32.exe

C:\Windows\system32\Cfkmkf32.exe

C:\Windows\SysWOW64\Cleegp32.exe

C:\Windows\system32\Cleegp32.exe

C:\Windows\SysWOW64\Cocacl32.exe

C:\Windows\system32\Cocacl32.exe

C:\Windows\SysWOW64\Cfnjpfcl.exe

C:\Windows\system32\Cfnjpfcl.exe

C:\Windows\SysWOW64\Cdpjlb32.exe

C:\Windows\system32\Cdpjlb32.exe

C:\Windows\SysWOW64\Cfpffeaj.exe

C:\Windows\system32\Cfpffeaj.exe

C:\Windows\SysWOW64\Cohkokgj.exe

C:\Windows\system32\Cohkokgj.exe

C:\Windows\SysWOW64\Cdecgbfa.exe

C:\Windows\system32\Cdecgbfa.exe

C:\Windows\SysWOW64\Dnmhpg32.exe

C:\Windows\system32\Dnmhpg32.exe

C:\Windows\SysWOW64\Dkahilkl.exe

C:\Windows\system32\Dkahilkl.exe

C:\Windows\SysWOW64\Dbkqfe32.exe

C:\Windows\system32\Dbkqfe32.exe

C:\Windows\SysWOW64\Dfglfdkb.exe

C:\Windows\system32\Dfglfdkb.exe

C:\Windows\SysWOW64\Dheibpje.exe

C:\Windows\system32\Dheibpje.exe

C:\Windows\SysWOW64\Dmadco32.exe

C:\Windows\system32\Dmadco32.exe

C:\Windows\SysWOW64\Dkceokii.exe

C:\Windows\system32\Dkceokii.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Dbnmke32.exe

C:\Windows\system32\Dbnmke32.exe

C:\Windows\SysWOW64\Dfiildio.exe

C:\Windows\system32\Dfiildio.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Dmcain32.exe

C:\Windows\system32\Dmcain32.exe

C:\Windows\SysWOW64\Doaneiop.exe

C:\Windows\system32\Doaneiop.exe

C:\Windows\SysWOW64\Dbpjaeoc.exe

C:\Windows\system32\Dbpjaeoc.exe

C:\Windows\SysWOW64\Dflfac32.exe

C:\Windows\system32\Dflfac32.exe

C:\Windows\SysWOW64\Ddnfmqng.exe

C:\Windows\system32\Ddnfmqng.exe

C:\Windows\SysWOW64\Dmennnni.exe

C:\Windows\system32\Dmennnni.exe

C:\Windows\SysWOW64\Dngjff32.exe

C:\Windows\system32\Dngjff32.exe

C:\Windows\SysWOW64\Eiloco32.exe

C:\Windows\system32\Eiloco32.exe

C:\Windows\SysWOW64\Emhkdmlg.exe

C:\Windows\system32\Emhkdmlg.exe

C:\Windows\SysWOW64\Ekkkoj32.exe

C:\Windows\system32\Ekkkoj32.exe

C:\Windows\SysWOW64\Enigke32.exe

C:\Windows\system32\Enigke32.exe

C:\Windows\SysWOW64\Ebdcld32.exe

C:\Windows\system32\Ebdcld32.exe

C:\Windows\SysWOW64\Efpomccg.exe

C:\Windows\system32\Efpomccg.exe

C:\Windows\SysWOW64\Eecphp32.exe

C:\Windows\system32\Eecphp32.exe

C:\Windows\SysWOW64\Emjgim32.exe

C:\Windows\system32\Emjgim32.exe

C:\Windows\SysWOW64\Enkdaepb.exe

C:\Windows\system32\Enkdaepb.exe

C:\Windows\SysWOW64\Emmdom32.exe

C:\Windows\system32\Emmdom32.exe

C:\Windows\SysWOW64\Ekaapi32.exe

C:\Windows\system32\Ekaapi32.exe

C:\Windows\SysWOW64\Eblimcdf.exe

C:\Windows\system32\Eblimcdf.exe

C:\Windows\SysWOW64\Ekdnei32.exe

C:\Windows\system32\Ekdnei32.exe

C:\Windows\SysWOW64\Fmcjpl32.exe

C:\Windows\system32\Fmcjpl32.exe

C:\Windows\SysWOW64\Fflohaij.exe

C:\Windows\system32\Fflohaij.exe

C:\Windows\SysWOW64\Fmhdkknd.exe

C:\Windows\system32\Fmhdkknd.exe

C:\Windows\SysWOW64\Flmqlg32.exe

C:\Windows\system32\Flmqlg32.exe

C:\Windows\SysWOW64\Fbgihaji.exe

C:\Windows\system32\Fbgihaji.exe

C:\Windows\SysWOW64\Fmmmfj32.exe

C:\Windows\system32\Fmmmfj32.exe

C:\Windows\SysWOW64\Gfeaopqo.exe

C:\Windows\system32\Gfeaopqo.exe

C:\Windows\SysWOW64\Gnqfcbnj.exe

C:\Windows\system32\Gnqfcbnj.exe

C:\Windows\SysWOW64\Gldglf32.exe

C:\Windows\system32\Gldglf32.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Goglcahb.exe

C:\Windows\system32\Goglcahb.exe

C:\Windows\SysWOW64\Geaepk32.exe

C:\Windows\system32\Geaepk32.exe

C:\Windows\SysWOW64\Gimqajgh.exe

C:\Windows\system32\Gimqajgh.exe

C:\Windows\SysWOW64\Hfaajnfb.exe

C:\Windows\system32\Hfaajnfb.exe

C:\Windows\SysWOW64\Holfoqcm.exe

C:\Windows\system32\Holfoqcm.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hffken32.exe

C:\Windows\system32\Hffken32.exe

C:\Windows\SysWOW64\Hmpcbhji.exe

C:\Windows\system32\Hmpcbhji.exe

C:\Windows\SysWOW64\Hekgfj32.exe

C:\Windows\system32\Hekgfj32.exe

C:\Windows\SysWOW64\Hemdlj32.exe

C:\Windows\system32\Hemdlj32.exe

C:\Windows\SysWOW64\Ifmqfm32.exe

C:\Windows\system32\Ifmqfm32.exe

C:\Windows\SysWOW64\Imgicgca.exe

C:\Windows\system32\Imgicgca.exe

C:\Windows\SysWOW64\Iohejo32.exe

C:\Windows\system32\Iohejo32.exe

C:\Windows\SysWOW64\Imiehfao.exe

C:\Windows\system32\Imiehfao.exe

C:\Windows\SysWOW64\Iipfmggc.exe

C:\Windows\system32\Iipfmggc.exe

C:\Windows\SysWOW64\Iibccgep.exe

C:\Windows\system32\Iibccgep.exe

C:\Windows\SysWOW64\Impliekg.exe

C:\Windows\system32\Impliekg.exe

C:\Windows\SysWOW64\Jcmdaljn.exe

C:\Windows\system32\Jcmdaljn.exe

C:\Windows\SysWOW64\Jpaekqhh.exe

C:\Windows\system32\Jpaekqhh.exe

C:\Windows\SysWOW64\Jiiicf32.exe

C:\Windows\system32\Jiiicf32.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jllokajf.exe

C:\Windows\system32\Jllokajf.exe

C:\Windows\SysWOW64\Jcfggkac.exe

C:\Windows\system32\Jcfggkac.exe

C:\Windows\SysWOW64\Jjpode32.exe

C:\Windows\system32\Jjpode32.exe

C:\Windows\SysWOW64\Komhll32.exe

C:\Windows\system32\Komhll32.exe

C:\Windows\SysWOW64\Kckqbj32.exe

C:\Windows\system32\Kckqbj32.exe

C:\Windows\SysWOW64\Kjeiodek.exe

C:\Windows\system32\Kjeiodek.exe

C:\Windows\SysWOW64\Klcekpdo.exe

C:\Windows\system32\Klcekpdo.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Knenkbio.exe

C:\Windows\system32\Knenkbio.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Lljklo32.exe

C:\Windows\system32\Lljklo32.exe

C:\Windows\SysWOW64\Llmhaold.exe

C:\Windows\system32\Llmhaold.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Lomqcjie.exe

C:\Windows\system32\Lomqcjie.exe

C:\Windows\SysWOW64\Lopmii32.exe

C:\Windows\system32\Lopmii32.exe

C:\Windows\SysWOW64\Lmdnbn32.exe

C:\Windows\system32\Lmdnbn32.exe

C:\Windows\SysWOW64\Lobjni32.exe

C:\Windows\system32\Lobjni32.exe

C:\Windows\SysWOW64\Mqafhl32.exe

C:\Windows\system32\Mqafhl32.exe

C:\Windows\SysWOW64\Mjjkaabc.exe

C:\Windows\system32\Mjjkaabc.exe

C:\Windows\SysWOW64\Mfqlfb32.exe

C:\Windows\system32\Mfqlfb32.exe

C:\Windows\SysWOW64\Mnhdgpii.exe

C:\Windows\system32\Mnhdgpii.exe

C:\Windows\SysWOW64\Mqfpckhm.exe

C:\Windows\system32\Mqfpckhm.exe

C:\Windows\SysWOW64\Mfchlbfd.exe

C:\Windows\system32\Mfchlbfd.exe

C:\Windows\SysWOW64\Mmmqhl32.exe

C:\Windows\system32\Mmmqhl32.exe

C:\Windows\SysWOW64\Mokmdh32.exe

C:\Windows\system32\Mokmdh32.exe

C:\Windows\SysWOW64\Mfeeabda.exe

C:\Windows\system32\Mfeeabda.exe

C:\Windows\SysWOW64\Mmpmnl32.exe

C:\Windows\system32\Mmpmnl32.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Mfhbga32.exe

C:\Windows\system32\Mfhbga32.exe

C:\Windows\SysWOW64\Nnojho32.exe

C:\Windows\system32\Nnojho32.exe

C:\Windows\SysWOW64\Nggnadib.exe

C:\Windows\system32\Nggnadib.exe

C:\Windows\SysWOW64\Nnafno32.exe

C:\Windows\system32\Nnafno32.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Nncccnol.exe

C:\Windows\system32\Nncccnol.exe

C:\Windows\SysWOW64\Npepkf32.exe

C:\Windows\system32\Npepkf32.exe

C:\Windows\SysWOW64\Nfohgqlg.exe

C:\Windows\system32\Nfohgqlg.exe

C:\Windows\SysWOW64\Nnfpinmi.exe

C:\Windows\system32\Nnfpinmi.exe

C:\Windows\SysWOW64\Nadleilm.exe

C:\Windows\system32\Nadleilm.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Njmqnobn.exe

C:\Windows\system32\Njmqnobn.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Npiiffqe.exe

C:\Windows\system32\Npiiffqe.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Ocgbld32.exe

C:\Windows\system32\Ocgbld32.exe

C:\Windows\SysWOW64\Ojajin32.exe

C:\Windows\system32\Ojajin32.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Ojdgnn32.exe

C:\Windows\system32\Ojdgnn32.exe

C:\Windows\SysWOW64\Oanokhdb.exe

C:\Windows\system32\Oanokhdb.exe

C:\Windows\SysWOW64\Opqofe32.exe

C:\Windows\system32\Opqofe32.exe

C:\Windows\SysWOW64\Oghghb32.exe

C:\Windows\system32\Oghghb32.exe

C:\Windows\SysWOW64\Onapdl32.exe

C:\Windows\system32\Onapdl32.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Ojhpimhp.exe

C:\Windows\system32\Ojhpimhp.exe

C:\Windows\SysWOW64\Omgmeigd.exe

C:\Windows\system32\Omgmeigd.exe

C:\Windows\SysWOW64\Opeiadfg.exe

C:\Windows\system32\Opeiadfg.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Pmiikh32.exe

C:\Windows\system32\Pmiikh32.exe

C:\Windows\SysWOW64\Ppgegd32.exe

C:\Windows\system32\Ppgegd32.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Ppjbmc32.exe

C:\Windows\system32\Ppjbmc32.exe

C:\Windows\SysWOW64\Pjpfjl32.exe

C:\Windows\system32\Pjpfjl32.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Pdhkcb32.exe

C:\Windows\system32\Pdhkcb32.exe

C:\Windows\SysWOW64\Pjbcplpe.exe

C:\Windows\system32\Pjbcplpe.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Phfcipoo.exe

C:\Windows\system32\Phfcipoo.exe

C:\Windows\SysWOW64\Pnplfj32.exe

C:\Windows\system32\Pnplfj32.exe

C:\Windows\SysWOW64\Ppahmb32.exe

C:\Windows\system32\Ppahmb32.exe

C:\Windows\SysWOW64\Qhhpop32.exe

C:\Windows\system32\Qhhpop32.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qpcecb32.exe

C:\Windows\system32\Qpcecb32.exe

C:\Windows\SysWOW64\Qfmmplad.exe

C:\Windows\system32\Qfmmplad.exe

C:\Windows\SysWOW64\Qodeajbg.exe

C:\Windows\system32\Qodeajbg.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Afpjel32.exe

C:\Windows\system32\Afpjel32.exe

C:\Windows\SysWOW64\Amjbbfgo.exe

C:\Windows\system32\Amjbbfgo.exe

C:\Windows\SysWOW64\Aphnnafb.exe

C:\Windows\system32\Aphnnafb.exe

C:\Windows\SysWOW64\Afbgkl32.exe

C:\Windows\system32\Afbgkl32.exe

C:\Windows\SysWOW64\Aoioli32.exe

C:\Windows\system32\Aoioli32.exe

C:\Windows\SysWOW64\Adfgdpmi.exe

C:\Windows\system32\Adfgdpmi.exe

C:\Windows\SysWOW64\Agdcpkll.exe

C:\Windows\system32\Agdcpkll.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Akblfj32.exe

C:\Windows\system32\Akblfj32.exe

C:\Windows\SysWOW64\Aaldccip.exe

C:\Windows\system32\Aaldccip.exe

C:\Windows\SysWOW64\Ahfmpnql.exe

C:\Windows\system32\Ahfmpnql.exe

C:\Windows\SysWOW64\Aopemh32.exe

C:\Windows\system32\Aopemh32.exe

C:\Windows\SysWOW64\Amcehdod.exe

C:\Windows\system32\Amcehdod.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bobabg32.exe

C:\Windows\system32\Bobabg32.exe

C:\Windows\SysWOW64\Bpdnjple.exe

C:\Windows\system32\Bpdnjple.exe

C:\Windows\SysWOW64\Bhkfkmmg.exe

C:\Windows\system32\Bhkfkmmg.exe

C:\Windows\SysWOW64\Bkibgh32.exe

C:\Windows\system32\Bkibgh32.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bhmbqm32.exe

C:\Windows\system32\Bhmbqm32.exe

C:\Windows\SysWOW64\Bogkmgba.exe

C:\Windows\system32\Bogkmgba.exe

C:\Windows\SysWOW64\Bphgeo32.exe

C:\Windows\system32\Bphgeo32.exe

C:\Windows\SysWOW64\Bgbpaipl.exe

C:\Windows\system32\Bgbpaipl.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bpkdjofm.exe

C:\Windows\system32\Bpkdjofm.exe

C:\Windows\SysWOW64\Bhblllfo.exe

C:\Windows\system32\Bhblllfo.exe

C:\Windows\SysWOW64\Bnoddcef.exe

C:\Windows\system32\Bnoddcef.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Cggimh32.exe

C:\Windows\system32\Cggimh32.exe

C:\Windows\SysWOW64\Cnaaib32.exe

C:\Windows\system32\Cnaaib32.exe

C:\Windows\SysWOW64\Cdkifmjq.exe

C:\Windows\system32\Cdkifmjq.exe

C:\Windows\SysWOW64\Ckebcg32.exe

C:\Windows\system32\Ckebcg32.exe

C:\Windows\SysWOW64\Cncnob32.exe

C:\Windows\system32\Cncnob32.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Cdpcal32.exe

C:\Windows\system32\Cdpcal32.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cogddd32.exe

C:\Windows\system32\Cogddd32.exe

C:\Windows\SysWOW64\Dpiplm32.exe

C:\Windows\system32\Dpiplm32.exe

C:\Windows\SysWOW64\Dgcihgaj.exe

C:\Windows\system32\Dgcihgaj.exe

C:\Windows\SysWOW64\Dojqjdbl.exe

C:\Windows\system32\Dojqjdbl.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 12600 -ip 12600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 12600 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4504-0-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4504-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Kiggbhda.exe

MD5 9dbcb71b2d32f6129b39b2c3e64bca0b
SHA1 55652246d5be6e031e957472fada89781d2b5bc7
SHA256 4040530edb74953e79e49821bc6e2187eb731b780391e389b0512f53ed31d85a
SHA512 71d4210f0cb6fdb688be27a4d7b006b66d7bd1fadc4b85406964fedb95d942111a5094b53a58a06f92663c72e9ee899560653310b5af677f22d03c103943cae6

memory/1520-8-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kbpkkn32.exe

MD5 c94c05f6d46be8722882c5e86bd2b6d4
SHA1 2d35b6fe9cd18932137190e5bef12fed6e0ef070
SHA256 07918aac83ab16e36e7b059040c4c92a94734b7f150139c2f0de448b1416bf8a
SHA512 e6ca297ba9039c051a0b1b6a7375c72fbc70855c33fe0847806a622b154e3d8aa187277c3e99b89ef03c1d3213206d8f779e266e444ecef9a8dfbc4ee0124ba8

memory/4000-16-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kgmcce32.exe

MD5 2c141f198386a4adb776a794757389a7
SHA1 b46a547e4d77912f4d6de2facb7263ed6c7be016
SHA256 b44fc2ceed76a3b499d47778629083383a3931d49a95ffe44cd037e586d18563
SHA512 bcb6f5010956f6c8c9e2b609a632e92e0fe3598cbdb1e440a96e67c7d0e781f4c4cc9548b8e1d7950f55d981b8e7d5e72485cdb5ec0d08667b0546f0a35a5143

memory/396-24-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kbbhqn32.exe

MD5 8177958119edd683aa2187640dcf3180
SHA1 99dc8b864a799becfa8743b356bfa387f0daef06
SHA256 96d9bcef2ecf4d1149fd5ac4bcdd4e1d371ad7350ab3a80cc0dd707258de40ac
SHA512 83bdda4d689e85051a1baf56782cb8871881b0cfd25210e794fe5ec58d6d8c2f92f84cc2b761edcf024e6818fce5a3a7a7fc1468fee596d997150b9e784d52a6

memory/4460-32-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kgopidgf.exe

MD5 0c7d2a28859f922731f9d0355731b19e
SHA1 2a416c95853751041ed22f0a9dc5b4752a022395
SHA256 101c6be19e21ea3ed1b38f2d6e73b5722f15004c247e0b64f8b41bbac3eacaa2
SHA512 1975b8d7269b994c0d602a8f047acbb7f7bd14ed1b5a0efa0dd43d6f96451b3efe18e410cd953346605de7b1744744fc54f0176612fdf2a5368757f147d094cf

memory/4380-40-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kjmmepfj.exe

MD5 a94a6a7e118cc4a877eeb384b7d9d164
SHA1 32a8f0268204e61a916799b12a34145c1d012577
SHA256 048a9eb936bfae1baaaf7b14f5e919efd3ba76aa2fccaf131f875da5401c7beb
SHA512 98fdb1a6855958a83998687ae00a358cfdf64a17c643e1df475890625fd27c16c04eaeaaa6c30bbdb2b18972403a387b4a0618084d446823e195ca559831eb43

memory/4580-48-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kgamnded.exe

MD5 7d576ac18ed883c1f42110022c1b7374
SHA1 2f0b96feea0e66387abb6628c2d109636cf53712
SHA256 f1def178a274caae62ce28a47983620ad991b2740b0c0c418401dd388228415b
SHA512 f9242abaf79c721274b2a2283c58a15feb6cac67ba324efad8ce45062781a1e8723ad8dbc6fa35b423a0509fb46f596b2fb6a86f6812e7823669df9f69388ba8

memory/5068-56-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Knkekn32.exe

MD5 28996888aac2d9c251eb1b6d27780811
SHA1 242a9e031eb64a4125b0ee974b8d4a7dd4d3190c
SHA256 7454c3633449aefaa85726d16a24b9917ce06647c4bfbb54e9575a2385c04df2
SHA512 2d1494b8b6ed68c4bd046e3d28d69607b0b60b550a1e67d34ffacd27d77a612277bca1edf1b534438d4ed4c08e0bae61880a190d4d38068bd9dc69cd3dd76d46

memory/4092-64-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Leenhhdn.exe

MD5 0ffb16ae9ad9121e1e6538eb44c98951
SHA1 bfe314eb08fdfc4cdce00f39bb7f8f9b4f396d2a
SHA256 f520265aea32f9617ca77068fcf9c31dc72a16527565630fb1d6001933c3f792
SHA512 fe1b18eecbd5e45841a61795e1ffc34430b8290c9a8b9af49d56c5553ebd998c7ff955c6c7da25ff4a728dfee1561a91323f3ba1a98bac64528b1d8aa774b2fb

memory/4504-72-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2800-73-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2476-81-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Lgcjdd32.exe

MD5 d9ae90df80082a4a45bef0b791320f71
SHA1 79c14aa4119c477e97e14431757a3f82d963c65a
SHA256 d50d60eef4193b1cdf30777a29447240d2def41ca5881c3a2d8ae6090f200984
SHA512 91b9e2bdc36d049788c0ba73edf6bc960c28b799274396a3bd1d111949ce188cc92c1adc6cfc7b055a3fb870b90336291f277e2ef3a7c2a89c28cd6018ddcd74

C:\Windows\SysWOW64\Lbinam32.exe

MD5 db86a95d93078e2e0fd0c6578a88b711
SHA1 a7ce9b85e986d14a3d0214b9b3823664eeacbce0
SHA256 08254718f3ceab79c47e1b03e5695fc4d3053b63ae5ba0d9d343001ae0992f3f
SHA512 8f9a4744c2c48c4481f40d39c2a62cc2dfdfe9b24f96087581af103a559b899e07aa235835d827eed90e53e330eca9eb2cc12927c6d38278c16661306115d2cb

memory/1520-89-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3196-91-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4000-98-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4852-99-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Legjmh32.exe

MD5 8e3a2fc585b67b9029390c72e8b6b9e5
SHA1 6dd1c90d09cdd6b39892dc0237fcf194373a3637
SHA256 6a6a8816f7b0e66e94329e991e8c5b01790340fb60810abe7ba9f900f49f4a1b
SHA512 c54d85ba84d838f7993152eb31cad4a83b6c8bbaf52baacb21adcfd7132e2f4368421aa3b4199da811d3389e745bf1e51938b885c207c29750c5a6786c7114a6

C:\Windows\SysWOW64\Lkabjbih.exe

MD5 b7298baf6654eea6f78f5bd26f3b3948
SHA1 f83f03cd6f966feca9e72222a4e7f6dea8abbb7b
SHA256 89f4016aa57ede903a03fd7522b630960eaf4944420b1d6ac4c7942324ee8d36
SHA512 111c4b9b1ad1ccc8ecadc89381bd20a9208ffdf5ea5d2e880bb959eea3300342dbd309ae2b15513e52db18d32d27723da057c3bc8a397deed8df440362a388be

memory/396-107-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2728-109-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Lankbigo.exe

MD5 237c7d1b50f23275e4c2023f9364394c
SHA1 174bcbc6abd7e12ddc08bb277664228fd3ae7bc7
SHA256 3e181195673c384ec820ae69a3f52548ccda8a99e868343c673591260d3481ec
SHA512 ce2d300443f8cad5824b5292f41e0861ca327f9e242fb1ba7add4bdfa52550877242437e37a66f33f236fca58c36c6eebe264e2b3b3a5f6cd33aaee8e7f4fe56

memory/4460-116-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1972-117-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Lghcocol.exe

MD5 c98198471c861506818e2e7143f43f67
SHA1 ed3461b2cf5c2f3a0f4d1eefb339130e97c37e9f
SHA256 14388ca31530012a0c8ff94d9e3bef19bc69908fd2d0778846de6cb739a10caf
SHA512 017735d5f4190fed1fa07efe3f766b1896d0d2f78b34e9792be85eb423d33110f026c53b19495125edaebb78eae1ea5bf98441778bf5f62f95d5877a4d9f57fc

memory/3688-126-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4380-125-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Lihpif32.exe

MD5 2373ad24f5ca3ef6e68e24d69b414258
SHA1 20ea272f97daa8dd923c08ea8148eb727f566d8b
SHA256 7110a02bbe572a12f6c638cd5020136127a87e5d503d64a0ef1220d9039c1aa7
SHA512 ec1cc580957cefcee2b65b4232308e15999ffed11e8a61a78d1ce2a5c45bd8b3f6c1edefb380fff77558b62428be7a7499c6440639258156938bffb4cfaed093

memory/4580-135-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2420-136-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ljilqnlm.exe

MD5 309e11394765c5a647333cc1ba2f9e30
SHA1 9bce25c7cc296b3a34367d28857ea7dd9cb80c31
SHA256 d7dff5f8cbe4038f6a3e338abbf4daa5b1e3f76bc9068a8ec72f3c54c6a468d1
SHA512 ee8d204db64820f7f24033c16496593756f7150d9c72efd01f5708aebc60d9f44e8c1348f6c284007a39d8cdf564fd7e6f7b5c40c0873c57b5f1e459f4f41f89

memory/3904-149-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3048-154-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4092-153-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Lacdmh32.exe

MD5 e7ea34e3c6fab5138b1824576fb2871d
SHA1 e06fbc6632b9c63da4f082ae5a4a7483c97f524f
SHA256 dcb719420c60094dd725098122e8534cefa62276be18f27911f6a0face14206b
SHA512 4891d7870cf4e36515830abb193a40e81466ea21211b8e544cafdc86ce0c2a9d73f00ed1ead7b06707fad3684ccaba1b39b9a1ce0b61ef72a1f5cb4edbbe8acb

memory/5068-148-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Lijlof32.exe

MD5 225943563ee368f453018ad9d561c619
SHA1 4dbd158cc36287b7ce44cbc308f1ce993a47708a
SHA256 bd1a573488064ae8ff14a006a1b24fbbcdf495aa70b2d0e4b12713ead3f2e332
SHA512 76aa1f8c41532293bad4b103f6cb2507759dc135928ff87736cfc50a81256c6d0de634afe929dd7955a7d60a9e4d3ebd5d34326fee870ad5b030444f4c858cfb

memory/1364-167-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ljkifn32.exe

MD5 8fb1d3089a085fd82b9ea7b28283c05b
SHA1 3ce2d5e2cb2b9791d13192515158a8625ca03865
SHA256 8d31db1c0eed62504e5e263d2eceb3eaa77907852e32237d1e8df104a734f9c0
SHA512 b321f47af1a0e5c28c0c0e92dfee98361b30204997d3297875930bd1f18cce78eede5b7af5ad088b9420ce50054ef0b125616fbfe46a9483f75167dd70207fbe

memory/3636-185-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mbbagk32.exe

MD5 7d51e44cf5a4059a98de674670545904
SHA1 b49ae02a2606ff3076c0ac7dccb13fa5f84de5eb
SHA256 d286b2ed76a85ef798f472e6daf2599733d7daca058bbba3b1d0cb9a735773f7
SHA512 3eb3b857a7681c9d7c31d2aba33b275140e0ab405b63034f8b79e51328f56a1ad8eef95b15cfa7955fa25161d24563913cb2cef8572602bab689e6a9b4f8da0c

memory/2728-202-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2152-221-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mbenmk32.exe

MD5 4837c72d89520985decc8fd0c1e8ed96
SHA1 412f5039fb0c6a5c71b196753075538bb84b8dd8
SHA256 a0a78cc8156770292605368cd728bcce9739b491ee000b6dddc3b7e44569484a
SHA512 ab16619a8f99feeb657d4962a1b90c15cc80d0dd7f597544139af0528567b0ff80e4bebd76efc2cfa24aacbce43346abe0f2cfb8e99986b545906937043a3275

C:\Windows\SysWOW64\Miofjepg.exe

MD5 f588e95f4563e2ac71539b3793e77351
SHA1 ec6f3b899aaece2010ee2fbf0fa0e4798f03a1ee
SHA256 989fb1ee678cfeed024957c0f1961e8ab05d3cac3b6c98bfbf9a3175435b299e
SHA512 d8d0cc6456d09b130ca6d570725f64b953d198d9d6515f9cecd9b9c75619d07c0baf98bb0791a80beb55c60c8ce6ca42d2997f3a0902fa1546fcf827afa3f41c

C:\Windows\SysWOW64\Mnlnbl32.exe

MD5 a1c4f91fbb023986b15ca5155bf83004
SHA1 7fd6a6a1034f07edb4a8365b2b617dd8237c8df4
SHA256 4c1dc79d111bce40dfde71ba87db50a2c8fafb808e4673bab8929925ebe8f62b
SHA512 a596a5532d22c476471723f5b9588d545c064fa70cb69c1ed0158bbea7dc293984fe05a3fd4ad054f51af6fb952b2c5e3c4ee9611f6f82d8b74eb0c6a917e0e8

memory/1780-322-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1784-358-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5064-388-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2544-412-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3556-448-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4468-496-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4608-520-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3696-538-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2448-532-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4048-526-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4732-514-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3384-508-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1224-502-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3888-490-0x0000000000400000-0x0000000000441000-memory.dmp

memory/264-484-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3024-478-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2916-472-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4640-466-0x0000000000400000-0x0000000000441000-memory.dmp

memory/680-460-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4152-454-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1280-442-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1332-436-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4372-430-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4864-424-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1228-418-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4868-406-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2716-400-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1732-394-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2260-382-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3124-376-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3808-370-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2200-364-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1464-352-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3588-346-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1920-340-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1648-334-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4332-328-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2028-316-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4212-310-0x0000000000400000-0x0000000000441000-memory.dmp

memory/960-304-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1548-298-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1060-292-0x0000000000400000-0x0000000000441000-memory.dmp

memory/948-286-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3840-280-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4400-272-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mjpbam32.exe

MD5 68e37824606089bad8c23a3fcb888444
SHA1 f324b863b93bb6d3c05990f8a7293c2c97630a15
SHA256 610572f01d33c0a928a00f3059f11066ad6140afe018e6aa66f35889f47c0906
SHA512 9f97238bf15f63829ad4f59b81a6c9d0dd6dd233070f8db82179e953ccc7383e9866df839b82743ddb9a1623442ab99df3f71be32d36f27d0144a43bf054ff75

memory/3364-264-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4908-263-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mhafeb32.exe

MD5 ca32fda59b8cd48930d565422920ce48
SHA1 096d485d2a24acc7a9392dbe20d32fb948b5e158
SHA256 0e9d1f91a1e26f380b6be195ce550ec1011add21c1e214375f8dfe448440aa23
SHA512 a5fdac3a2d5ab8639eefc9024057231859e3d957b029284bcae4f800ef29700c41417f8f0e22666bc3bc880c9b982f1743c4e4b0e0b536ef241e0d793c89af60

memory/2156-255-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4560-247-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3048-246-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mahnhhod.exe

MD5 1c63fb6f903f5b2e99737adf769efa34
SHA1 a8c86b7029fda4963f9723b1f341455927e07dd3
SHA256 34c168780302c12798f8390c2d9e6aa47f666d82f492dba37f8ccf5c2e3dadad
SHA512 a4c1bb2ffb1fa3ae8be4c1f6d4fd7a0b39aa743d4d79556fbea629536c786cf0fdd66fe562d4ac7a33bbbfae3d143a1163bc628cd501bc22c0a01305aad732a2

memory/1512-238-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4844-230-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2420-229-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mjneln32.exe

MD5 d350fb9a30e83c62020ce327379f93fb
SHA1 a2f9306b690c37fd64d064de6d0f4516065a9d04
SHA256 7e443e17b1eac1431a8ce43d42e115e8b5cdb3481afa08b49c49adfbe6118270
SHA512 b9576f986bc454d2eba148ecef1b452d4a7d2e10d5085f9b5830f834bb43ce89ed2b379ba1f2c37a5fbc7b0a8b42ee1736e2c48078ce3205a09d291e1974720c

memory/3688-220-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mlkepaam.exe

MD5 60636c841ebd80978628ca43561acc2b
SHA1 33b8dd8a3de03632de2d89950218c78bf20593c3
SHA256 06ea7b2026ab2ff42cf6c68aa225ef0b3d2d3ef593208cbde4f240414dcc066b
SHA512 e19099350c6d640c2e4ed26903e6ecc465e71f34e541be0646509d4bb8d426d94b0c16c8bfc8032d3608739f834342c3d1e5deeac11b755c55457fbec209f53f

memory/1044-212-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1972-211-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mhoipb32.exe

MD5 9787ec68470a0daca0f3f25e31cb530f
SHA1 488743b608af35bdd9959395870937750301e2f2
SHA256 011648714fa4fa1c3edf52e65ea4fc4a77ed5b593e87bfdef4e3ce13034e9771
SHA512 a2194173fcf7e90aa1209e2268efbf0a0ec520c7ce2484c3220f466980b65998a2cec45cf1aac5be0df85e9e545bf7ac8f5f1737e836da634dea7a5c33250351

memory/3744-203-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Meamcg32.exe

MD5 d24bb83c5f6c7b9baa9dd065ede15673
SHA1 b5a5baaa2e9a52701e304b0b391c0ed47cf688c5
SHA256 27da63a4cd207d22f63748e507a6b980959b5a605485e8423fade679255ef080
SHA512 5283712be61ab3053979c92fceebf8259e5942d4b44c6e973d05647f7fe02d005eb38b96e75a6ba599ce2c580452a68b6495443a9c887ed469d67a3660da659f

memory/2548-194-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4852-193-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3196-184-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4908-172-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2476-171-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Lhmmjbkf.exe

MD5 4f3ffa73034a8aa336767de434fe322d
SHA1 09f75cd4c46802b826dd8ced83602bb4222577d8
SHA256 6e80fd820d57a66418f8a7df3451ee57f0b4573422f9b5a919fd68e24f4d27e3
SHA512 43a7424bd9322cc5eaab951bfc1313146cc8ead89aad09d258761b285dd5b2d3cf10e7f0913470044bc7a25541cf6d2e6af46277ca2746178a85a321d7739921

memory/2800-166-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Oihagaji.exe

MD5 24de8aef6bef344a736114c3c6d4e4ba
SHA1 7990fcbaebfd95684de60a427cd9f5785937f5d4
SHA256 85b35574129c1d16b18ffd1f151c3dad5e4f152fab95db4395ec6330eb99fdf9
SHA512 33dd7e98bea4963e9c3771fafc892a8946e3ef395b056461a1892e96bd5c39cb8b531eb0748fed780dff61645408ba8fbeec38c29b0307d474ec5f981abb61bd

C:\Windows\SysWOW64\Qcaofebg.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Bfngdn32.exe

MD5 92f637cc6721b3c161be17d870d3e1b7
SHA1 e063611d9b204e7884dc46e91025d89f468d675a
SHA256 7f9196d1b8b33e42539eb29ffb82ac49ddd8fb632f1df26343b4d2d1f7c35f11
SHA512 d1db15f37cc39ba07b282c6a4846778ab9a6c67b34d52690eba3dc5e296dba8a8af56d3a2dec143056a4d82a3f45dfea39bacc5c9729bbb86fa9b0f8955499fc

C:\Windows\SysWOW64\Bfgjjm32.exe

MD5 3a63f0a3a2260477ee1c8eabf91aad43
SHA1 8249f75b66ae959c574d42caaf122a688ade3394
SHA256 193c34ceb3950f8e97eec8fd1fcc4383928d17d81544f4573994db4df9986875
SHA512 966b5c82056de09d1927707563fd48268d7dbc5afb735c17acfa87cdd3abab43dceee870077957609ecbf434d199b64359c4530ac537a2d89bada6c62ab65420

C:\Windows\SysWOW64\Cihclh32.exe

MD5 e332279a57591badcd0ebc6b2a03a60b
SHA1 079f3c206ac01b7404cb24ce47aa5d21d555e4a1
SHA256 c675f00ce49eeb70c275b03ca49d24c822b92c27eb4bc6551e61056a3c26bda0
SHA512 754b509e4fe9887b1ded46b3c667381d052b2f260130e5ceabcb876f17efe6bff94decc5489856e8c11cdb7b268c7af7e296aed7b82193fbc996c17569d6c330

C:\Windows\SysWOW64\Elbhjp32.exe

MD5 9f8a2f91f493e457404622e8659dab11
SHA1 0d57cadc9c41db481eb8c44f42738025ad05f1ab
SHA256 dba55c3db99299828dae1b0af22f4f395dee5461b78ca443b4f4934b923a5ec2
SHA512 25ca23cc85d61b5b189e4befbc4acc9dbb0fddefede948f30a74b874531ab58d65cebd30d236477113ac71dba099d12bd01d2f332aed049252fa345a681a3836

C:\Windows\SysWOW64\Flqdlnde.exe

MD5 6d0076075b15e15bcd2cf8da468efd6f
SHA1 6a84f23f5fd53429e785714d4c97401547172df8
SHA256 c782e188df256f5ff6f4aa046d92cbda23bf109e3eb6c39ea42997261a584e7d
SHA512 90c416d867b1aa00fb575c8cc6c74b7d1722e812abff6596fd16593fe13f31231d7d83846cc61758f4f90e1f3d2a740d96af5ce5b5fbf0c93f2163e0de6b47c9

C:\Windows\SysWOW64\Fmpqfq32.exe

MD5 3a2ca8036c88297ac2355f64b255322f
SHA1 bac3d134ca156c48fca6a071888822019d717d56
SHA256 1d4dcc0c5c6d0274f35baae153d6cf0e2c170a5cb100cb0d72e34f032e296f42
SHA512 ed327ecf6e5e443d03be355b46d438f9c35dd6bee274ad8c98785332dd5624a2e0ca906e9f56b149c9bf0d25fca435e2cb44076cbff6dc42ea38a19bcdc0ab70

C:\Windows\SysWOW64\Gigaka32.exe

MD5 9dbaaa4cff3b816d865a03b1e87e8847
SHA1 5b1d171eb806aedb57f0972e8dad50a9f42e77d1
SHA256 ab7216465080e9cc12c3bfcf496097b88a1991448783cb4dbf6b5053429ae570
SHA512 9eb716f41707cb052ed94a843a81871b40e815973a16a409f92787e89ea7dbedf8f3980db9f466a322e42cebaa0b5d974cb4e1e75d6c2060225c7548eae0ec00

C:\Windows\SysWOW64\Glgjlm32.exe

MD5 685400627527584e6d3dd0a37e3ef294
SHA1 97297517143eb00da939bdae99b9db2a7f06db3e
SHA256 0d7231ca233ba4bb581910094ebf25a39e46293d41d269bb07fd2df948e1add3
SHA512 36758d229d191bf96c4916de51f5110e06ed78fc37a0bee4c3f66c9f4d73d66dab66e8decf4759480ee9cdcda9af96ed2f503012fe0a11bbbb125c9764d98774

C:\Windows\SysWOW64\Gdaociml.exe

MD5 d3e4dc8762a6c523e690e9a82062803b
SHA1 bd346737e36e9b83b195a79f7b92dfa1b6d1796a
SHA256 cd1f42641e89a2712879661cd33c2008db92c8e23266ab0f44e3f663f473359e
SHA512 0c027e248fd45d4bc539617611d4f479fae9f4b7a37ef1a208b965479bfeac00bfd8def33fb45235d38fd15f541c4656d7b4d8fef011ff7078b15da7f2003b0a

C:\Windows\SysWOW64\Hkdjfb32.exe

MD5 721fdf9f09f5a9fced9ee4c01320a949
SHA1 b1f3c1e76cf1f3288f8e92a98dbfa67bd298866e
SHA256 8bf4bc2f2efa192007179c3fb10c266b40dc4bc1b33680bf327dd484e8f265a7
SHA512 cdad3bc97961d6d8a5eb60ba7859afad676da8d78bb6d7f28866955774c9e725aabf06a5068df8350143624f6a2c75d30b0fe4e730e9d8ca9907eee5832cbd70

C:\Windows\SysWOW64\Idahjg32.exe

MD5 da807fde93aa266b7c82310bfe8aa6f9
SHA1 a491bdf648699f4da431d807e2f4a0f692aa6381
SHA256 3f5fc6dbb810ee9f65255308f47935e129d27314dbd5d71790b0bd220a5ec737
SHA512 9597f836e3fd5db0a7419c7b6dc4864a3775cc4d3ffa245b822e92be8cd619fa2a290fcabfefd65a780178a5bf8b27ac9a69929b5f2d8a7771c6bd40c426a635

C:\Windows\SysWOW64\Ikdcmpnl.exe

MD5 5ea37b9ee69a949c4631850c4b20e1b2
SHA1 151fd08a581143c070a369552bfb2ae735a303a8
SHA256 c9d2334955eb64979ff30edb022ad645925dfdba673b222dad64e077e99ac0d1
SHA512 a8e574815c2dcf169f1c6147f63ca87a1ad2b56a6cfd52bfdc1427d9697ad50e1ef0b12049787088016d3d17de2fcf68f0b30d51b3fe9176c46ad3e841e2e217

C:\Windows\SysWOW64\Jkgpbp32.exe

MD5 f906672b317d86e15c6fa651da5965fd
SHA1 8d4b1f0e0756378faa056c69026131862f116f7b
SHA256 43627e35fb193c8a51c1016da4d3f1c6efa26b7ea52b97ef9f6f56542e272a4c
SHA512 607169d5256867328901030560e1567413916da13abbf1f5b4efa92e0a8546ce920130f57d6682d6fbce9ae90d561a48a33ce32ad905d3ff5490294b0702cfe0

C:\Windows\SysWOW64\Kgninn32.exe

MD5 b100b40bf05d22ef6675ddbc989fd464
SHA1 4852b02d4165dc254ece1c688ff65b19ed6ec887
SHA256 a8e468073ad9bf651ee28d8305296a31ffd258c938720de33f2f6dca201a5f39
SHA512 de00643ca4586481701f3fd3e545e288f29c766376b4326b0aa1b29b9cc0d04e3664aa30ffc107c85b5a7d7967f6584ba737f323d14eba89e46b2312cd95fc44

C:\Windows\SysWOW64\Ljclki32.exe

MD5 11d47990e0e1dc6e761d5f99feef08bb
SHA1 d0e137bfcbce8d908e8734ba1d988a39ccd7a79b
SHA256 dc84162a5938297a4fb2306fc5327615eb93e1e5c55e9019a9e775906cf80023
SHA512 5cac213ebac9f4b0e5735a21a9a559aa7cd5e713dea9ca88b8a41552f03819df8311c3f65cfa5235588aa685eceffbef4f4d908260aef12ecf9524b5dffe66df

C:\Windows\SysWOW64\Mnfnlf32.exe

MD5 477a5dcbd8389615c0c8e54f32742d05
SHA1 8ad5c93710cf963d97eb5da2506586e359c3cc25
SHA256 94e1e1ec97bc9502d5debd7c550de95bb76963a50d7e5a8ea8d6efe10e914cff
SHA512 34fcdd5b7a150ee4d807acc8e652f3c8d7b56e0e1956cc7ade4c67c5bf9c98ba154cf17612aa94bb5e9f238fe05827971d1d674caacd9a8f198333db33f03eea

C:\Windows\SysWOW64\Mjmoag32.exe

MD5 e1b35e333afb7fd2f4096a28cf19f445
SHA1 e69f25fc24594dc99f2416c02df1e842cb1d4efe
SHA256 444884a68e847ad8baf976c978fe84a009833c5310cdd892d87bc70aed56c588
SHA512 e3b19091ead5f112ab9ede3c785ca225f97111d5d26676f92080762ba2c11e56081b682e8fa412d5161bd92ad1112cba9b899663f23faee69041afff5f35b0d7

C:\Windows\SysWOW64\Mgclpkac.exe

MD5 b15e6ed96abb1c37135dc0b0dabececf
SHA1 90aa0e6e8edc9eea7ab76bf8135be81faf208948
SHA256 7173bf7f0d2d0893cac406d1120236b59beb51098509783ea9f07b4bf7bcf6e1
SHA512 a1bf5edc2bea4baf02a133223b7a611a1636154ff8f6792d869a3d077a60eae686965300c2aa9a1baf757c57e36ccd26e8227ff394d0e3b36589e5437e039e5d

C:\Windows\SysWOW64\Nhmofj32.exe

MD5 4143a20cc234ff3a48ba669c9008c4fb
SHA1 1d3f0ec6daebb09a3aea3b907eaf0e5e2d54f6c7
SHA256 5ca03f1b0db5e40bca4b0dd5845aa05e94cc34660234cf29e4ca442ffb1e3ce1
SHA512 7b58eb7ad6be272e4eb8f201cf495dd7cbb090e77795d46a3bd1e9932ac77b8e0c47acaeed9a38701f5bcd13191274a613f8fc8432dea9db343adfd2028a7cd9

C:\Windows\SysWOW64\Nnkpnclp.exe

MD5 84bf727b999dfe65f8eac50ac653e877
SHA1 a2a272a4a8f4af3f4f900e5f0f262ef9cfa8fe04
SHA256 d654efa792fcd2cd398dc9cfcbfbceabfffbf09d18d4e576b07528ebe3614a9f
SHA512 95596cf7b4da05871ccf038207561d0d2601a5d587264a1e5cef6425c2da238b543a8aed586d0f29d7bb9514fe01f5e2e4121191ccbc0030f313d7795d69c256

C:\Windows\SysWOW64\Oeokal32.exe

MD5 42879d0b2be8248e8e145e838868a247
SHA1 ed61de85a63fa3cc9186601db2345de6dba597d0
SHA256 50c932f5c0beea1d4c7c3aabd8922e6f88efc694ed92a53777426399eb993922
SHA512 af49e0309f23e53d505820458baf9e12c5ef7da7cee4467b62cc14fc1aa86a1cf406de98dd22fe8dfec134004c13aacc9fc711cf004aff8e643489a56e346b1b

C:\Windows\SysWOW64\Plbfdekd.exe

MD5 42547b9f5beef5404af2e3d8995cbc4a
SHA1 68a353e89934bfafab3ac89ecd7651e5345be72a
SHA256 f810cc6ff5a631709169cc8f678831ff1e1d549aacdc8ad8a559097b73ab914e
SHA512 3822a4533f6dcf13f6aaec6dd28824f1ec46bdc27e6a30098a09f77da1c4b2c58d1608ddb0ad8af87621d506178f102cebf1de503cdd4d785b9d40686cd4fde6

C:\Windows\SysWOW64\Coohhlpe.exe

MD5 43b9a5928d97ffef119cfd6469c7ff89
SHA1 e5e533e25ad5149372acd079c1a0821c1599b00e
SHA256 50247fa4d21afa5063a74645570fea16adb00cf23870809ec3c84ace94a2df31
SHA512 52de21857e0b93034bdd6d02be4a4db52b69c918c096d97b6fb8bc6e6e37f38c7c77703acd1f9eafff16df4c3be1a5b36daf2a4f4fa14d1a49f6be747206b188

C:\Windows\SysWOW64\Cleegp32.exe

MD5 c7965822f88de14a3804bd12e902be30
SHA1 c202dd337519adaafe53c2c0ff2fefbfcdd33a2a
SHA256 6d66a8507d8043418656f16aa4f0b7788c7e6f45184d98d411e76af516d74942
SHA512 c8dab626693ef2423bc7ce09349f8c898bacb2d6a051f194aa88ad3f144634ff4a79d80b0c55d883ba2d5c23b2f5a47ea5ec490e91f5f97adfccaaf21b3cab7a

C:\Windows\SysWOW64\Cdecgbfa.exe

MD5 40d8de7f78256c6a47c0094971819826
SHA1 56ed51addd3fb86b378148cad9c16735033ea0bd
SHA256 cb20e49eadea346c9c716e9529a03e1c600cfa18e4a630ea55f2986cc693efbe
SHA512 987f9dd0aefa32f0c9c58395093c66be2c342eb8f1b98dbd2198c869bfa059269c403c8abef8f0ecbf404b372268bdca275068b993e3e4a09be2015214f9109b

C:\Windows\SysWOW64\Emmdom32.exe

MD5 4aaee621cc5da7451b2561301386451b
SHA1 d02e18afaa30b8894485d6ade2955a98431b3f69
SHA256 fd29e4191e935f20bb546e24fbf7bbc3a8ed43de78e57dadb4b3a7ad272dc090
SHA512 d39259140ebb79a062c0afba0eefa9a460c8c9cbdc8abcae59a57f78d2f3c9ab87445f1aaeb87bce1b1fb012aa00caddf3bbd839c36469f7891f61a8d17b4d90

C:\Windows\SysWOW64\Gnqfcbnj.exe

MD5 8829485c9d6cd0b44766ae0df2fc3288
SHA1 0c04d086d157825c0fd660f712301ef63a58cd47
SHA256 e27f41d932404c72681a988ed87931161c6440298b3ad0fba321dcc7c3c7178b
SHA512 ce935840f7a4f804d8b7bbd278f1e41d17cd6bdc1b8ba72051598e3802d4c64a8c34e35382742a8d316cfd8924f6c1489634345ac35d00882f17d01a6542a619

C:\Windows\SysWOW64\Gbalopbn.exe

MD5 35a312aaa1dde74b390560b1ee117591
SHA1 d379f25b5974d781419e0b452f4eb6c50f65d833
SHA256 a4134235e5681ad867193497d48e047d0d5a1314ec3ec0d19ea4dbc4e093e207
SHA512 d96de2df7df8de8fdab7538002c76d24031b8ec0daf9d8de379db920e7961a1865676c035fa21f7be63e61a155b735b05e70abd97d42cb4a6f445a63b3426069

C:\Windows\SysWOW64\Hffken32.exe

MD5 4107b875fe0d29e6d0c6ff1a4f97278e
SHA1 977c58f1756167888bd9a192923c2f298d211e62
SHA256 02ea1ddc998d79e799b848ec016a68d92bacb698880728abea379d0478d4d4bf
SHA512 5b593306a9d3d7dce4834916b43e45788455bf5a3171b71dd8942946fa8dc08fdfb24574da8d4cf65246748f3d40b909dbf0d65a14a3839aaf78e5f637b21ffa

C:\Windows\SysWOW64\Hekgfj32.exe

MD5 8f42b45863793f733f2eeddd2b32bf98
SHA1 12568ab146d8c59ef6f76cf067c9eb9d6e5cc59a
SHA256 f545dbf54012e1e2a0d1a3c882eaf840ed510c0bbdea638ef7b02c21ec341395
SHA512 cd29e019f704758e464873057da3ebfd93fd2d698a2c7856b07d751ba45c3e187c7ad0da676f2c98dae1f7e39dcef41254d73a922e138037aff684e5cfc8cb32

C:\Windows\SysWOW64\Iipfmggc.exe

MD5 0a21b931c238b4fd8b30810df85a95aa
SHA1 197d802020e6bc3d11d726c7edc4254e3ff5c925
SHA256 3fe58b3b2e9c062ddcc5cb023cecb01ef953bdbac0d61125d1e47513cb33e031
SHA512 20a1b6e3cc935af52810b0e852b403f4f0bc8cda7fa60247f814a962ae04e9f4f68f4e2683621c0f273a98a0b0c959b6c8891052938363680674e4b6b4cd854d

C:\Windows\SysWOW64\Jcmdaljn.exe

MD5 a5e295e840895f41fc498050328c3c1e
SHA1 289b17a55c39d5cdfba8b297c8a95eb836536bf1
SHA256 9f13419c50aed7bb0df4dbcb6e96c65c061a54ba5d2cb50c93183e37c8e7d7ee
SHA512 96b9bc54aef0f0a39ba6d0a5aa6c8a0ab7bf25186511bddf1d31318546a407e321f7b5d190d193500a208251f810ce0b1e3ffcd6dcc65be1d8d0934abdedde18

C:\Windows\SysWOW64\Jllokajf.exe

MD5 21ee6b7315232c18350a39686d2d8145
SHA1 753e9d52fe373b87ae3dbb29d9cb24b174b9964a
SHA256 3bb09d7c17f5cadd43f017ea08200856ed5c81e53599578698fb85925aaa748f
SHA512 12803a906f2e857e3606c4cc0f45747b241e634222b1eac7f952c761117c2065f66f8987bb5b90ca5b278ac92640efcffa2088fe270bd2ad72102fdced115719

C:\Windows\SysWOW64\Klcekpdo.exe

MD5 9f6d99d2a5c176d0050555a23afcb930
SHA1 2f0a577533b55667f7e6d0a17956621322bbc451
SHA256 c8b21b3add32b472b7ed4cf778cdf3ac2345950b405abe03765fc5c53d7dbbec
SHA512 dfe065127b148b02b8bf8106f4cc44e20d23861b47adfeaf4de3fb1316a4cab9cb164a3552162985f6a135ec20ed267fa35d1c0b201c1da72ee9e664a4c3dd97

C:\Windows\SysWOW64\Lljklo32.exe

MD5 f2199e6e441433f1522e4fa34e92793c
SHA1 410c70ac9b9b7ad2040623205bcbbdccbc915658
SHA256 712412186ff6625cd9eea5fc1fbe6576a03eede6ee74aaa84965bb790cca8c87
SHA512 ea10af78457e36e0427857074d1dfefd00df3426cd3569e6726a8038e761b0c26c79b1e465c54d79a9a854d0f3d89f7dbcafc1a61709981511b10a952a4e0590

C:\Windows\SysWOW64\Lobjni32.exe

MD5 a1226e6b8352feb454064f51d240e5ac
SHA1 4a136a6e41c0deae234ec6f73201a3007cb33d06
SHA256 7fe2c0404adc6802b0c58a2e4de749158b938dbb87de07263a6ba70b85bc5498
SHA512 cebaa0a8ff5c2c5d86b0c0d76e5978ff05926c042eb47a60825b1fd9dc788487fa28966862622bc9330b050d5ebb8b8e56d36d70a553f28b335884446a2fe0d2

C:\Windows\SysWOW64\Mfchlbfd.exe

MD5 46b09dc724900856ead01ae44b6b50f8
SHA1 6a10bce01fe73a737b96515ec3a832b44625ab69
SHA256 0942b73621bcd17859b1abde11d6a185e62d473727009b60e8cf4c881bcc4af2
SHA512 7c131509ad6b39341d4118637ef1ded2b3190b5db6d6630f2fb05c2fd53f6883897ed44b9dd8bf29f6ab447587fb7602d2437cf08dc3109585c3bab48fee9d37

C:\Windows\SysWOW64\Mfhbga32.exe

MD5 1629d5f209a9e0a4c20312c3c019f6d6
SHA1 2924ca6dd20711f440843da4d38f28453d891c94
SHA256 84e0b40ea14624a343b372c206bca2a503df0c42cab698f4413719088e1cf594
SHA512 2dccd57f9ed3f001176e9bf14eaee2ac2e450384a6ec9302f87fa8cd0bd91033591f1953a29b78ef11277a25bae76c4ac89235c8f4e5726101e3127b56cf942a

C:\Windows\SysWOW64\Nggnadib.exe

MD5 a75b81819dadc9e4243ca8bb982fe4ec
SHA1 32f2d7ac836f9b92297f90308087d537ca8bfaef
SHA256 bf472b87e8a4d3d005c5aae344892fcc39cda6434dac76b01583af0cc829725b
SHA512 d0e5e45c451bde1f8760a42ed6c329fdb2dca62cf7104e6e30e154ce6e576f208c50dbd3e04bbc33b381025a4f2b04d1d00907b5b4c003d028833f95cbf50911

C:\Windows\SysWOW64\Ngjkfd32.exe

MD5 4c6ea772f24261e74a31d05ddb14cfc0
SHA1 23598e01ed1c3ba4be8ef35820f44c1c4f2a012b
SHA256 29c5c134b53fcb586c6a5fd6517da4d2cb98cd45030ebe0f8b20183fecfc2ff8
SHA512 b3f95056bbd859196b01a642f8e6caa601148fe84b821e4213cd788826394cfad29121251e00c3d810cc8bf45c647c3220da3cf2c17b77abd8c99283196f3594

C:\Windows\SysWOW64\Njmqnobn.exe

MD5 f39b9d0187ecdfb7b485fc9b68015180
SHA1 e724142ba98a53013671e851c27ff37d4e4d8b6c
SHA256 90598abce355c3631c333b23992d55478467d9b47a2258d9ccb0084a5722d6bc
SHA512 14dd0093721db096ff15262e76fa4cda3bd083bbbb66ed0371ad74015d9f3f1530983dfe161676f378bcfcf625986570979ff9388751e44ec5cf7903254a62b2

C:\Windows\SysWOW64\Oplfkeob.exe

MD5 3179a5c9067d67fd88e16d80d1f3d081
SHA1 dacf5203ce3c1d2722d3bf79055840551df2e588
SHA256 1751c4758cefa5987376c6c3cde808687510e6ba49b04e48f6068d48aad42430
SHA512 6baad3e0fa85bb758a9fd6f932ed606730b88076fa22739ef3836ed54cd705d4f254f8488f14ee395cb621c03f23233333856b6b24f8cacb3f96a2b49ae3ddf2

C:\Windows\SysWOW64\Oakbehfe.exe

MD5 e5f11bf7cd3a8e77525be1827278fc0e
SHA1 5b3f09a80ae2117fd5f73b4c86e5a914fdffdf1f
SHA256 f64c4e8d57081ec4cb94834b912cc23d0fe66ebddb008dafba7e65a8d31dfb9b
SHA512 af6592485ef9a61988b63bb142e680977701c5f9691b7a4231b7174d21c648cc362bb6ad313e8d53289109c874df9ab48b026b2a8ac9dd25d93e69e4c9469a90

C:\Windows\SysWOW64\Ocohmc32.exe

MD5 8b4e94deb4da5198109f1d905780ee88
SHA1 fd4ab10f50e6ba834c19abc23668f979e242c533
SHA256 da9183638cd4c83da5333da31b3cec49426a4b26087d4cfad9296faea22ef5df
SHA512 3e318574edc7e7f89a942ad43a1e8503e8a20511b68345f8f0775f57a0ae4b0bf52c6cd18b5fa31be41ac7fde656350efc2df395b02e5192e7ae04476154281f

C:\Windows\SysWOW64\Pfoann32.exe

MD5 b7496b7f795ef18a77eee3adaf8d7375
SHA1 dc957e643d3a356a7ef1fd810896212ca04c2b12
SHA256 5a6e7ede5f47bacb1759db6e5cf5bad5651d00f0d598b18141790ed868c175f4
SHA512 19a1a91267f1f3ae0aab5a8d18071f65077bfe26ca5e48051a45055510eedf0f7596999b0e7849c39ee9d34456cdb462d41c138b713b5c5f5dcf7e84961eefad

C:\Windows\SysWOW64\Pfandnla.exe

MD5 f065674f3943dd66a027dde4a423879a
SHA1 50ff5ef51800ade3830ad82db4b78b17931075bc
SHA256 b1fcb6ba9ddfdedc98186edbe2435d441816e7c8a0694c6029721f87672c2c75
SHA512 12f1eac0af5373e8a5cbf594fc7717cbcc8e9f2b69d3fa3a1f5aad71f92cceb814fd6fb27a588c6439451e2355b724657881e4957b83c1a30158788b36c7cb7b

C:\Windows\SysWOW64\Pjpfjl32.exe

MD5 06c9b625cb01d7d3364d7f76f62c53e6
SHA1 57762e3ab4225b8583f98dcbc98875175906d4a4
SHA256 20a1bb8f4857ebdf74d1859219ba020c10c2134f0697fcd2bde9def876c81721
SHA512 bc0c0dc3bfefa8b3e2d31332ede8ff8d7b9df19966cfaeb58ce2fc4f14c0dbf51d2ed31cf5a3c4751cd343d2b560b60db86f49aecce0b1256cd41b3b724c6779

C:\Windows\SysWOW64\Pnplfj32.exe

MD5 af820e8f9840575222a45d8093924abc
SHA1 f57f53a00dd5b1242af99f169054ca7c864fb147
SHA256 2b7cfef95adf3694aa3495e10683e1e70f136e9254281860edd619eeaee72a85
SHA512 5dc774e6f573e2b60973bcf904c8b2dd6ea22ea75ef894b4158f2d733368b05ed3c7c271efe434375be045913f7a17c0fcd0f1d8e2aaa1e960fe84ba6266744f

C:\Windows\SysWOW64\Qhhpop32.exe

MD5 5e8fa4035e035ae902d3fcab5c4d64a5
SHA1 7637fe7374494b7401b4d86628d1d6f0ef1307cd
SHA256 72287c83647653b8d8b667d13154d1e624546560e24fe5982a03b633814c4696
SHA512 1e6d0e80292054fa8173ab3124516d971c2515b465c2813dc804d5babf4a1f6467437d793273e935ebe1731c8ac8c215e43a94ef36a8dc0d1232b0a39c0761be

C:\Windows\SysWOW64\Qpeahb32.exe

MD5 41a0f52f8c1b0c7e0900446a0e1dadf0
SHA1 a3d7b80006b0ec8b52e5ee16fc90e6badcc9661b
SHA256 d12a99a18236588cb3180ca3143f46f805ce84dfc48912b5546179bed5f325a8
SHA512 75ca9087c386ca15b2b68761686f62a3be87dd69bdf58061acc26e3f4b6449d003be4180613b1567c1b740bf09674e1f10f1bd105e6c6847ca69cc881356c382

C:\Windows\SysWOW64\Afpjel32.exe

MD5 a00b80cf526ed10a52f9d0f8f64da137
SHA1 cf1a165bde563e0c26062d8396736fb114ef523a
SHA256 ac736ed702164af5bda7a5bae71704d3e3d255b0f44e0d3fc27a374d64b34aa0
SHA512 64ea467117f42cf87cf963a2877ba633b446772bb8b7d49d252579863ff2c2fdac2a3e8f86d2ff07de326ffd4ed9bb48b2553aa6d809753428fa74ce6f85663d

C:\Windows\SysWOW64\Agdcpkll.exe

MD5 9d86fdadccb573ce9e18c381e04a588b
SHA1 dc573cde3cdaf3405943dc131fd2b903de8cbd74
SHA256 74b736fb492376a6a2e19f8fd7bce18a5d6fc25593bf283c64a8e136a28013be
SHA512 d0c9f9f10d352d966a17282a721868da1430c583c329f79477e4c1b7903f144f90d54c7420ec78ea3f52495246c6651f8beae0f2ef828f5c3c22cfd9aa67733a

C:\Windows\SysWOW64\Akblfj32.exe

MD5 2c9c07223b6578bcac9cab3839e118ed
SHA1 ecfbd988816f86ee4bf6be4e672d67e849deccae
SHA256 2a9fc9be3f747dd16a09986cb28c4cf106d47b43229cc551e53544ec7fb3d675
SHA512 f27b6e0b8157a111eb034f5577c38af9e6e18b906fca89616be1553b33467ce0ef344a8b5e7c01f990608261b4e25e768beb4400fb2e2eaf98547147d717660c

C:\Windows\SysWOW64\Amcehdod.exe

MD5 1fd766809c8c5a62c5bf666a415d8f63
SHA1 60c3bdc7e7adae4d8a6fa7df4009dae6260156b6
SHA256 e74c5478502f6ae25329f137f6e668f36de1ac6b1f79acba41253c0f3793278e
SHA512 0ff1e637243996e6ca3e5323635329e777db4556b1b21b2f292f9a4de6c4eb59ae89f0573dcf5e4f0ab2db78bf9fd50f76d6b89c964cec85615cb0dd000ff165

C:\Windows\SysWOW64\Bhkfkmmg.exe

MD5 689d1be302181d5da0a744f60620d6af
SHA1 0d3e3e7858b591534692b341654f3cb8292b85db
SHA256 f27f05ab9f279fcf52df277ab9764623c15b45ac9c2877241b5031bf0f9fdff4
SHA512 ecf5007c95565ea27e62981a8ee407099da9320b2acc5a84c3d134fff50a48b2ce4479c67df76cff7dce6bc395427f1032dd6983e40a461ff935da0956a31af2

C:\Windows\SysWOW64\Bhmbqm32.exe

MD5 951ede9a3c8975df48aa0e0d2c8a0a4d
SHA1 79d82b13644db75dbd66a485d158513acda6f4a3
SHA256 d4969b4899d427facfef1b63bd868a1847e7b7369aca8ede12a8ef4b5157e70c
SHA512 64c7e556e10c6ab8b7e6aa67c5730b29385d156c0b921067a7fa43c5fef16fd08087129f865661fece496c60b61086dc0488e66fa6f17c02dc876bde5d64a9c3

C:\Windows\SysWOW64\Bphgeo32.exe

MD5 5b46af3bd53100cbd918a08437177562
SHA1 c0ff49a384b6ee3ef2199930da91a4fe7d3684d4
SHA256 0e029b485c5dbdb3e055bc31a9cd6dbb89e8266ab5ee7813b4f417439563790a
SHA512 046e43777c6ec8cd806ef708b908612b238cc371680655ca8ed011276a778d92bea3c5a5da5d43fa343c46e8e51945bbdbca2b6b5412ce24dcbdf9494b25f578

C:\Windows\SysWOW64\Cggimh32.exe

MD5 7549ea933719d69bea02da8ef944a8a8
SHA1 85311859ae8c4bebd271f88ff8eb2ee7d5bcf3bc
SHA256 59198570443b92699b6197ee8be181d190ef3e26c1c5b24411cfe282418dd287
SHA512 cd668e53da49db33ac5f5f61bdbc6fe59282dc68b4fa30603822d4dffea64beaa06a9243fe1b2e98d2f9f17a84d4827e4e282be26c096deb7909020fb585675b

C:\Windows\SysWOW64\Cacckp32.exe

MD5 c974c8a02271f34e4066f80930993817
SHA1 ed7541a55ef97cb7d4fa1a70979b3aae1133977d
SHA256 9456e53e1b199af6caa78b4efb8b56ea847a5003ae4d47ff4bc2691225283cdd
SHA512 df27373ad86c31d6f8f6c39b2f04c5694380959c67d581a089a9f24e407e2e1d32e21dc734bf24974fdca2b9a5a715fffddd27db7581d6ebd2135a542984cbf1

C:\Windows\SysWOW64\Cogddd32.exe

MD5 15ce51f474726869031d1e5454d30e71
SHA1 33251f5f6b6196d2db7aebf5f9c59216561b081e
SHA256 76d9d06485b296a87c75a610fce3f59c27e1fd68130a71c7573bf2c4ebdf88de
SHA512 083c4af9d52e69bbc6bc5733076bcc5ea5fd531e745080d06ee986d2de68932422d29bc2f9a30af0e903190ec4e0ec6169a85b6ee1b20e2aac9cd831a02ef001