Malware Analysis Report

2024-11-13 17:43

Sample ID 241110-b4le3swlbt
Target adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0
SHA256 adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0

Threat Level: Known bad

The file adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0 was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:41

Reported

2024-11-10 01:44

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfaalh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieibdnnp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Libjncnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Llpfjomf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kpgionie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfaalh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Libjncnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llpfjomf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ieibdnnp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpgionie.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ieibdnnp.exe C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieibdnnp.exe C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
File created C:\Windows\SysWOW64\Fbbngc32.dll C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
File created C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Ieibdnnp.exe N/A
File created C:\Windows\SysWOW64\Dnhanebc.dll C:\Windows\SysWOW64\Ieibdnnp.exe N/A
File created C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Jllqplnp.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\SysWOW64\Jmkmjoec.exe N/A
File created C:\Windows\SysWOW64\Bccjfi32.dll C:\Windows\SysWOW64\Libjncnc.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Jllqplnp.exe N/A
File created C:\Windows\SysWOW64\Hapbpm32.dll C:\Windows\SysWOW64\Jllqplnp.exe N/A
File created C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\SysWOW64\Kpgionie.exe N/A
File opened for modification C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\SysWOW64\Kfaalh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\Llpfjomf.exe N/A
File created C:\Windows\SysWOW64\Jbdhhp32.dll C:\Windows\SysWOW64\Jmkmjoec.exe N/A
File created C:\Windows\SysWOW64\Phblkn32.dll C:\Windows\SysWOW64\Kpgionie.exe N/A
File created C:\Windows\SysWOW64\Ipbkjl32.dll C:\Windows\SysWOW64\Kfaalh32.exe N/A
File created C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\SysWOW64\Libjncnc.exe N/A
File created C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\Llpfjomf.exe N/A
File created C:\Windows\SysWOW64\Ipafocdg.dll C:\Windows\SysWOW64\Llpfjomf.exe N/A
File opened for modification C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Ieibdnnp.exe N/A
File created C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\SysWOW64\Jmkmjoec.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\SysWOW64\Kpgionie.exe N/A
File created C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\SysWOW64\Kfaalh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\SysWOW64\Libjncnc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jllqplnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpgionie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfaalh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Libjncnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ieibdnnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llpfjomf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbjofi32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ieibdnnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" C:\Windows\SysWOW64\Llpfjomf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll" C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpgionie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kfaalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" C:\Windows\SysWOW64\Ieibdnnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfaalh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Libjncnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Llpfjomf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llpfjomf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll" C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll" C:\Windows\SysWOW64\Libjncnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpgionie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll" C:\Windows\SysWOW64\Kpgionie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieibdnnp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll" C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" C:\Windows\SysWOW64\Kfaalh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Libjncnc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe C:\Windows\SysWOW64\Ieibdnnp.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe C:\Windows\SysWOW64\Ieibdnnp.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe C:\Windows\SysWOW64\Ieibdnnp.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe C:\Windows\SysWOW64\Ieibdnnp.exe
PID 2784 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Ieibdnnp.exe C:\Windows\SysWOW64\Jllqplnp.exe
PID 2784 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Ieibdnnp.exe C:\Windows\SysWOW64\Jllqplnp.exe
PID 2784 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Ieibdnnp.exe C:\Windows\SysWOW64\Jllqplnp.exe
PID 2784 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Ieibdnnp.exe C:\Windows\SysWOW64\Jllqplnp.exe
PID 2680 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jmkmjoec.exe
PID 2680 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jmkmjoec.exe
PID 2680 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jmkmjoec.exe
PID 2680 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jmkmjoec.exe
PID 2636 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Kpgionie.exe
PID 2636 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Kpgionie.exe
PID 2636 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Kpgionie.exe
PID 2636 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Kpgionie.exe
PID 2620 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\SysWOW64\Kfaalh32.exe
PID 2620 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\SysWOW64\Kfaalh32.exe
PID 2620 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\SysWOW64\Kfaalh32.exe
PID 2620 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\SysWOW64\Kfaalh32.exe
PID 3048 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\SysWOW64\Libjncnc.exe
PID 3048 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\SysWOW64\Libjncnc.exe
PID 3048 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\SysWOW64\Libjncnc.exe
PID 3048 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\SysWOW64\Libjncnc.exe
PID 2336 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\SysWOW64\Llpfjomf.exe
PID 2336 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\SysWOW64\Llpfjomf.exe
PID 2336 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\SysWOW64\Llpfjomf.exe
PID 2336 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\SysWOW64\Llpfjomf.exe
PID 2140 wrote to memory of 668 N/A C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\SysWOW64\Lbjofi32.exe
PID 2140 wrote to memory of 668 N/A C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\SysWOW64\Lbjofi32.exe
PID 2140 wrote to memory of 668 N/A C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\SysWOW64\Lbjofi32.exe
PID 2140 wrote to memory of 668 N/A C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\SysWOW64\Lbjofi32.exe
PID 668 wrote to memory of 2264 N/A C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\WerFault.exe
PID 668 wrote to memory of 2264 N/A C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\WerFault.exe
PID 668 wrote to memory of 2264 N/A C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\WerFault.exe
PID 668 wrote to memory of 2264 N/A C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe

"C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe"

C:\Windows\SysWOW64\Ieibdnnp.exe

C:\Windows\system32\Ieibdnnp.exe

C:\Windows\SysWOW64\Jllqplnp.exe

C:\Windows\system32\Jllqplnp.exe

C:\Windows\SysWOW64\Jmkmjoec.exe

C:\Windows\system32\Jmkmjoec.exe

C:\Windows\SysWOW64\Kpgionie.exe

C:\Windows\system32\Kpgionie.exe

C:\Windows\SysWOW64\Kfaalh32.exe

C:\Windows\system32\Kfaalh32.exe

C:\Windows\SysWOW64\Libjncnc.exe

C:\Windows\system32\Libjncnc.exe

C:\Windows\SysWOW64\Llpfjomf.exe

C:\Windows\system32\Llpfjomf.exe

C:\Windows\SysWOW64\Lbjofi32.exe

C:\Windows\system32\Lbjofi32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 140

Network

N/A

Files

memory/2656-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ieibdnnp.exe

MD5 5e01beffe79a41e6f09b61ff5a457c5e
SHA1 35e12d29b3d45724fc28e2328d5381014fa418ca
SHA256 72eeaba3d740d55ac0e8757f1f8148fb5fb4d5f232a8cb76d9045bea4151eff0
SHA512 76d4d5c24913d22c2db04ace1b0ed2ec61a40a7b9fdf318861356193c21a40773f3c2f1a3089cc319e2d9267daa2894063abd4b071a75d2c27da671bdc56b609

memory/2784-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2656-13-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/2656-12-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/2784-22-0x0000000000440000-0x0000000000473000-memory.dmp

\Windows\SysWOW64\Jllqplnp.exe

MD5 a5a588c34a831e241ad5ec3e5715a712
SHA1 999c3849929b1fc7b31d326b6479b59e98fd4250
SHA256 a9d50af0bfe54f623aad4e58d349a46705e59c06cffe3d88066c74c1c57d631b
SHA512 594af61ccc05414e24902934ba16918fd8235448c4f37250af9a329e74b7661187955c7d72cff72d22f9b4535162530462be4fe63168046ac8e023dd124958b9

memory/2784-28-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2636-43-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2680-42-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2680-41-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Jmkmjoec.exe

MD5 1ed78d9918ca66573fc2ccf1f7e5ae55
SHA1 215dda545a91ae543987357b35a3712e30fcbbd4
SHA256 9b6bf432f06d57afa0ecd0fa20ae85d68a4e70331402e52c896724d734b889e0
SHA512 94c21014444c67e5aeba275b08a79650d8b48db8305031ec49c2040890ae580d45cf25383b1957672109008810ce97621cc6abea2f79dd1f882e9b6f39d36865

C:\Windows\SysWOW64\Kpgionie.exe

MD5 c5a0708afd52606de17819712cb226be
SHA1 a7745e68806a4029bb5af4a3afd2cf76fbc0680e
SHA256 23835044709fcdc8a5d11f33f09f346ff313486210b050db58a6d65b45960d9c
SHA512 28ac90e966c43a6a9e4ab0b269313fadbcf82580cfb75f059b9e205818c4ab91841b52525883295268413b6eab4b9fb99941864aa945f7f8244d27c0fb5bdde9

memory/2620-61-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2620-69-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/3048-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2620-70-0x00000000002F0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Kfaalh32.exe

MD5 3cba1a9c4d3477d040f9be21ffd34d87
SHA1 fd0b0f9b1106be0ebf7b73d312d3a94b6f92d591
SHA256 4dfe9c7653f4152fe35b413064263982256bdbeff2c35e9611dc7b91b4530699
SHA512 f7ebd9072414854a0c31a2375ab608bd159d29486b36186fc4667f8236606f67c5f1671802eaf200c15ea2a496f2c6eda4afc0b55857814d721cb6dd7d482d27

memory/2336-88-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2140-98-0x0000000000400000-0x0000000000433000-memory.dmp

memory/668-110-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lbjofi32.exe

MD5 fb1e3f845273bfff7d42b73796001e00
SHA1 ab03ced1617615a7430961026cf86202db5f0c17
SHA256 969b7772a9c3fd934fd5e8a5b979aadf24c799dbfa654bbaabb18ebefc9ae1d5
SHA512 78612b90c950ecf27dde63cb67bf4a67cccb51738ec020a3a8f2d32a64b9cce5d278f4447205dcd27e806a90669c83f0aacc804da737e8cdd213bd2056b07039

C:\Windows\SysWOW64\Llpfjomf.exe

MD5 f0d0d0e7a8cc777177460d3a00dfb6e7
SHA1 de30f649bf07cb844e8b17f7e455feb041b31a40
SHA256 742deae66bc10ce8ad4e87435a6832f33a92d0a9e8bbd63dff57fe5ce60e630c
SHA512 02104cf60857cd7a37d729bf776af5dd4f5734642a26ce51ed752507f15dd285abe6975edf1bf4d1a493375fcd816c9aea2322a6f2483f5dcf7e34621eab0144

C:\Windows\SysWOW64\Libjncnc.exe

MD5 d95702d1e517f1c8de798fd1ffd22cbf
SHA1 036fbd334f1e458c8acb0ca19d56ff9059141558
SHA256 0459ce6434a731c0e572bc9aab8278bb9598104da24b0e2fbda9c100edfda72a
SHA512 c5266108ff47336c84607dcab8b3c9f630800b1856283616dd4107b291a00c80d8b3d1176e8884807cafb243c2d8b9fabd77c179cc0b921e5b1fad327a456582

memory/2140-118-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2656-131-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2784-130-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2620-127-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2636-126-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2680-125-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3048-124-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2336-119-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:41

Reported

2024-11-10 01:44

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhfpbpdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gfmojenc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kjhloj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggfglb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Odoogi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aonoao32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jilfifme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ipflihfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iphioh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iggjga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jcikgacl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdglmkeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iloidijb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiloco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Likhem32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pidlqb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fgiaemic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmkkmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Neclenfo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oloahhki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfiildio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkmdecbg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpaleglc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdkdgchl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jlgepanl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cbeapmll.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dblgpl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdccbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkmdecbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnlhncgi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnoddcef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnljkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gfheof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odoogi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klfaapbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lqhdbm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fdglmkeg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phodcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcffnbee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Famhmfkl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpcodihc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieojgc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbhmbdle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Peahgl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qeodhjmo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lopmii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jldbpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncofplba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgbloglj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hoobdp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njljch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjoiil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Naecop32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Moipoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jqhafffk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ihkjno32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnljkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmjmekgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dolmodpi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpalgenf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmbjcljl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ompfej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkmkkjko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cbdjeg32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ajpqnneo.exe N/A
N/A N/A C:\Windows\SysWOW64\Afgacokc.exe N/A
N/A N/A C:\Windows\SysWOW64\Alqjpi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhoqeibl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbfklei.exe N/A
N/A N/A C:\Windows\SysWOW64\Cihclh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cijpahho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbeapmll.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjliajmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjnffjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckpbnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccgjopal.exe N/A
N/A N/A C:\Windows\SysWOW64\Djqblj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoohe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpnkdq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dblgpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djcoai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmalne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dckdjomg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfjpfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dihlbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlghoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcnqpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflmlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dikihe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlieda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcpmen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djjebh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlkbjqgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejlbhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elnoopdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebhglj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejoomhmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Elpkep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebjcajjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejalcgkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Elbhjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eciplm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejchhgid.exe N/A
N/A N/A C:\Windows\SysWOW64\Eleepoob.exe N/A
N/A N/A C:\Windows\SysWOW64\Eclmamod.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejfeng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elgaeolp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbajbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjhacf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flinkojm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdqfll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjjnifbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fllkqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdccbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffaong32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmkgkapm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpjcgm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbhpch32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fibhpbea.exe N/A
N/A N/A C:\Windows\SysWOW64\Flqdlnde.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdglmkeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fffhifdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmpqfq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpnmbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfheof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmbmkpie.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdlfhj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfkbde32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Iloidijb.exe C:\Windows\SysWOW64\Iknmla32.exe N/A
File created C:\Windows\SysWOW64\Mnmdme32.exe C:\Windows\SysWOW64\Mkohaj32.exe N/A
File created C:\Windows\SysWOW64\Adcjop32.exe C:\Windows\SysWOW64\Aogbfi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bobabg32.exe C:\Windows\SysWOW64\Bhhiemoj.exe N/A
File created C:\Windows\SysWOW64\Dolmodpi.exe C:\Windows\SysWOW64\Dnmaea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbhildae.exe C:\Windows\SysWOW64\Bkmeha32.exe N/A
File created C:\Windows\SysWOW64\Backpf32.dll C:\Windows\SysWOW64\Hdehni32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lobjni32.exe C:\Windows\SysWOW64\Ljeafb32.exe N/A
File created C:\Windows\SysWOW64\Aobmce32.dll C:\Windows\SysWOW64\Feqeog32.exe N/A
File created C:\Windows\SysWOW64\Gicbkkca.dll C:\Windows\SysWOW64\Kmfhkf32.exe N/A
File created C:\Windows\SysWOW64\Mmmncpmp.dll C:\Windows\SysWOW64\Ipgkjlmg.exe N/A
File created C:\Windows\SysWOW64\Gihfoi32.dll C:\Windows\SysWOW64\Fdpnda32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ikpjbq32.exe C:\Windows\SysWOW64\Iciaqc32.exe N/A
File created C:\Windows\SysWOW64\Ihbjebjh.dll C:\Windows\SysWOW64\Paoollik.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebgpad32.exe C:\Windows\SysWOW64\Ekmhejao.exe N/A
File created C:\Windows\SysWOW64\Aogbfi32.exe C:\Windows\SysWOW64\Qpeahb32.exe N/A
File created C:\Windows\SysWOW64\Dkekjdck.exe C:\Windows\SysWOW64\Dqpfmlce.exe N/A
File created C:\Windows\SysWOW64\Icifhjkc.dll C:\Windows\SysWOW64\Apjdikqd.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmnnimak.exe C:\Windows\SysWOW64\Bbhildae.exe N/A
File opened for modification C:\Windows\SysWOW64\Nccokk32.exe C:\Windows\SysWOW64\Naecop32.exe N/A
File created C:\Windows\SysWOW64\Dmlkhofd.exe C:\Windows\SysWOW64\Cbfgkffn.exe N/A
File created C:\Windows\SysWOW64\Dkpjdo32.exe C:\Windows\SysWOW64\Dnljkk32.exe N/A
File created C:\Windows\SysWOW64\Iggjga32.exe C:\Windows\SysWOW64\Idhnkf32.exe N/A
File created C:\Windows\SysWOW64\Hlhefcoo.dll C:\Windows\SysWOW64\Paeelgnj.exe N/A
File created C:\Windows\SysWOW64\Dohnnkjk.dll C:\Windows\SysWOW64\Apeknk32.exe N/A
File created C:\Windows\SysWOW64\Dokmlmhl.dll C:\Windows\SysWOW64\Hlcjhkdp.exe N/A
File created C:\Windows\SysWOW64\Igpdfb32.exe C:\Windows\SysWOW64\Ipflihfq.exe N/A
File created C:\Windows\SysWOW64\Jpfepf32.exe C:\Windows\SysWOW64\Jjlmclqa.exe N/A
File created C:\Windows\SysWOW64\Kgninn32.exe C:\Windows\SysWOW64\Kdpmbc32.exe N/A
File created C:\Windows\SysWOW64\Blghiiea.dll C:\Windows\SysWOW64\Eqmlccdi.exe N/A
File created C:\Windows\SysWOW64\Paoinm32.dll C:\Windows\SysWOW64\Fbplml32.exe N/A
File created C:\Windows\SysWOW64\Djcoai32.exe C:\Windows\SysWOW64\Dblgpl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dckdjomg.exe C:\Windows\SysWOW64\Dmalne32.exe N/A
File created C:\Windows\SysWOW64\Lfifmo32.dll C:\Windows\SysWOW64\Dfjpfj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejfeng32.exe C:\Windows\SysWOW64\Eclmamod.exe N/A
File created C:\Windows\SysWOW64\Gfkbde32.exe C:\Windows\SysWOW64\Gdlfhj32.exe N/A
File created C:\Windows\SysWOW64\Eegiklal.dll C:\Windows\SysWOW64\Mebcop32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe C:\Windows\SysWOW64\Bnmoijje.exe N/A
File opened for modification C:\Windows\SysWOW64\Dncpkjoc.exe C:\Windows\SysWOW64\Dalofi32.exe N/A
File created C:\Windows\SysWOW64\Kcpahpmd.exe C:\Windows\SysWOW64\Kmfhkf32.exe N/A
File created C:\Windows\SysWOW64\Eoaedogc.dll C:\Windows\SysWOW64\Phfjcf32.exe N/A
File created C:\Windows\SysWOW64\Ilnbicff.exe C:\Windows\SysWOW64\Igajal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abhqefpg.exe C:\Windows\SysWOW64\Apjdikqd.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdigadjo.exe C:\Windows\SysWOW64\Knooej32.exe N/A
File created C:\Windows\SysWOW64\Chnidloo.dll C:\Windows\SysWOW64\Bdickcpo.exe N/A
File created C:\Windows\SysWOW64\Fbdehlip.exe C:\Windows\SysWOW64\Fkjmlaac.exe N/A
File opened for modification C:\Windows\SysWOW64\Ibcjqgnm.exe C:\Windows\SysWOW64\Ieojgc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nmfmde32.exe C:\Windows\SysWOW64\Noblkqca.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcffnbee.exe C:\Windows\SysWOW64\Dmjmekgn.exe N/A
File created C:\Windows\SysWOW64\Acajpc32.dll C:\Windows\SysWOW64\Dmjmekgn.exe N/A
File created C:\Windows\SysWOW64\Oeehkn32.exe C:\Windows\SysWOW64\Nnkpnclp.exe N/A
File created C:\Windows\SysWOW64\Ohlqcagj.exe C:\Windows\SysWOW64\Opclldhj.exe N/A
File opened for modification C:\Windows\SysWOW64\Phajna32.exe C:\Windows\SysWOW64\Pagbaglh.exe N/A
File created C:\Windows\SysWOW64\Goniok32.dll C:\Windows\SysWOW64\Ihbponja.exe N/A
File opened for modification C:\Windows\SysWOW64\Mfnhfm32.exe C:\Windows\SysWOW64\Mfkkqmiq.exe N/A
File created C:\Windows\SysWOW64\Eclmamod.exe C:\Windows\SysWOW64\Eleepoob.exe N/A
File created C:\Windows\SysWOW64\Gmggfp32.exe C:\Windows\SysWOW64\Gfmojenc.exe N/A
File created C:\Windows\SysWOW64\Mmkkmc32.exe C:\Windows\SysWOW64\Mepfiq32.exe N/A
File created C:\Windows\SysWOW64\Lobjni32.exe C:\Windows\SysWOW64\Ljeafb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jqhafffk.exe C:\Windows\SysWOW64\Jjoiil32.exe N/A
File created C:\Windows\SysWOW64\Ndqojdee.dll C:\Windows\SysWOW64\Nggnadib.exe N/A
File created C:\Windows\SysWOW64\Cmgqpkip.exe C:\Windows\SysWOW64\Cgmhcaac.exe N/A
File opened for modification C:\Windows\SysWOW64\Neclenfo.exe C:\Windows\SysWOW64\Nmlddqem.exe N/A
File opened for modification C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Cgiohbfi.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Gddgpqbe.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gaqhjggp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkbgjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebhglj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Flqdlnde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlgepanl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcffnbee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hdmoohbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pajeam32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfipef32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhhiemoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfhmjf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fbgihaji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdjgha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opclldhj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmfgek32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fbelcblk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Moipoh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekgqennl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eahobg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gbfldf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmfhkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phajna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qclmck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Meepdp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeehkn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blgifbil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnhmnn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebfign32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dflmlj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmhlgmmm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckclhn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dijbno32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hoobdp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipoopgnf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qeodhjmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npbceggm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mepfiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnbnhedj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lopmii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkjmlaac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbkfbcpb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fdkdibjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjbfklei.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gdobnj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fbplml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adgmoigj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbfmgd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dncpkjoc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fibhpbea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgninn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ibaeen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hlcjhkdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akepfpcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ieojgc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjmekgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aahbbkaq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmgelf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnkbkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmlddqem.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeokal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hpcodihc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Feqeog32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjnffjkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pldcjeia.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgpeha32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apedgj32.dll" C:\Windows\SysWOW64\Alqjpi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dcnqpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ijegcm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Badanigc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djjebh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kcejco32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iebngial.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddnobj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipgdi32.dll" C:\Windows\SysWOW64\Galoohke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll" C:\Windows\SysWOW64\Pimfpc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ekgqennl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hplicjok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empmffib.dll" C:\Windows\SysWOW64\Ijegcm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnfgcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll" C:\Windows\SysWOW64\Adhdjpjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Joekag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Badanigc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lfbped32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinclj32.dll" C:\Windows\SysWOW64\Dolmodpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mogcihaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjocbhbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dlkbjqgm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Elpkep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfkbde32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Alpbecod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckclhn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ebgpad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbpchb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Joahqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjnffjkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmalne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgehfkop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Omgcpokp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bakgoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnplfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajiqfi32.dll" C:\Windows\SysWOW64\Geanfelc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icifhjkc.dll" C:\Windows\SysWOW64\Apjdikqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlejfm32.dll" C:\Windows\SysWOW64\Dcnqpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgipcogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmokmkpo.dll" C:\Windows\SysWOW64\Kjhloj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nccokk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paoinm32.dll" C:\Windows\SysWOW64\Fbplml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblbgn32.dll" C:\Windows\SysWOW64\Aimogakj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jcgnbaeo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodlnfco.dll" C:\Windows\SysWOW64\Nccokk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnmog32.dll" C:\Windows\SysWOW64\Gpnfge32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iefgbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgdpni32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fdglmkeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjkblhfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cggimh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abocgb32.dll" C:\Windows\SysWOW64\Dnljkk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qobhkjdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qpeahb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbdpnaj.dll" C:\Windows\SysWOW64\Gpmomo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dlieda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbokg32.dll" C:\Windows\SysWOW64\Hdjbiheb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" C:\Windows\SysWOW64\Iloidijb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lmmolepp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccopc32.dll" C:\Windows\SysWOW64\Hpqldc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oqhoeb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Binhnomg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 904 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe C:\Windows\SysWOW64\Ajpqnneo.exe
PID 904 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe C:\Windows\SysWOW64\Ajpqnneo.exe
PID 904 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe C:\Windows\SysWOW64\Ajpqnneo.exe
PID 3896 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Ajpqnneo.exe C:\Windows\SysWOW64\Afgacokc.exe
PID 3896 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Ajpqnneo.exe C:\Windows\SysWOW64\Afgacokc.exe
PID 3896 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Ajpqnneo.exe C:\Windows\SysWOW64\Afgacokc.exe
PID 2856 wrote to memory of 4404 N/A C:\Windows\SysWOW64\Afgacokc.exe C:\Windows\SysWOW64\Alqjpi32.exe
PID 2856 wrote to memory of 4404 N/A C:\Windows\SysWOW64\Afgacokc.exe C:\Windows\SysWOW64\Alqjpi32.exe
PID 2856 wrote to memory of 4404 N/A C:\Windows\SysWOW64\Afgacokc.exe C:\Windows\SysWOW64\Alqjpi32.exe
PID 4404 wrote to memory of 1836 N/A C:\Windows\SysWOW64\Alqjpi32.exe C:\Windows\SysWOW64\Bhoqeibl.exe
PID 4404 wrote to memory of 1836 N/A C:\Windows\SysWOW64\Alqjpi32.exe C:\Windows\SysWOW64\Bhoqeibl.exe
PID 4404 wrote to memory of 1836 N/A C:\Windows\SysWOW64\Alqjpi32.exe C:\Windows\SysWOW64\Bhoqeibl.exe
PID 1836 wrote to memory of 232 N/A C:\Windows\SysWOW64\Bhoqeibl.exe C:\Windows\SysWOW64\Bjbfklei.exe
PID 1836 wrote to memory of 232 N/A C:\Windows\SysWOW64\Bhoqeibl.exe C:\Windows\SysWOW64\Bjbfklei.exe
PID 1836 wrote to memory of 232 N/A C:\Windows\SysWOW64\Bhoqeibl.exe C:\Windows\SysWOW64\Bjbfklei.exe
PID 232 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Bjbfklei.exe C:\Windows\SysWOW64\Cihclh32.exe
PID 232 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Bjbfklei.exe C:\Windows\SysWOW64\Cihclh32.exe
PID 232 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Bjbfklei.exe C:\Windows\SysWOW64\Cihclh32.exe
PID 2980 wrote to memory of 3936 N/A C:\Windows\SysWOW64\Cihclh32.exe C:\Windows\SysWOW64\Cijpahho.exe
PID 2980 wrote to memory of 3936 N/A C:\Windows\SysWOW64\Cihclh32.exe C:\Windows\SysWOW64\Cijpahho.exe
PID 2980 wrote to memory of 3936 N/A C:\Windows\SysWOW64\Cihclh32.exe C:\Windows\SysWOW64\Cijpahho.exe
PID 3936 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Cijpahho.exe C:\Windows\SysWOW64\Cbeapmll.exe
PID 3936 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Cijpahho.exe C:\Windows\SysWOW64\Cbeapmll.exe
PID 3936 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Cijpahho.exe C:\Windows\SysWOW64\Cbeapmll.exe
PID 1004 wrote to memory of 348 N/A C:\Windows\SysWOW64\Cbeapmll.exe C:\Windows\SysWOW64\Cjliajmo.exe
PID 1004 wrote to memory of 348 N/A C:\Windows\SysWOW64\Cbeapmll.exe C:\Windows\SysWOW64\Cjliajmo.exe
PID 1004 wrote to memory of 348 N/A C:\Windows\SysWOW64\Cbeapmll.exe C:\Windows\SysWOW64\Cjliajmo.exe
PID 348 wrote to memory of 4968 N/A C:\Windows\SysWOW64\Cjliajmo.exe C:\Windows\SysWOW64\Cjnffjkl.exe
PID 348 wrote to memory of 4968 N/A C:\Windows\SysWOW64\Cjliajmo.exe C:\Windows\SysWOW64\Cjnffjkl.exe
PID 348 wrote to memory of 4968 N/A C:\Windows\SysWOW64\Cjliajmo.exe C:\Windows\SysWOW64\Cjnffjkl.exe
PID 4968 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Cjnffjkl.exe C:\Windows\SysWOW64\Ckpbnb32.exe
PID 4968 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Cjnffjkl.exe C:\Windows\SysWOW64\Ckpbnb32.exe
PID 4968 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Cjnffjkl.exe C:\Windows\SysWOW64\Ckpbnb32.exe
PID 2352 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Ckpbnb32.exe C:\Windows\SysWOW64\Ccgjopal.exe
PID 2352 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Ckpbnb32.exe C:\Windows\SysWOW64\Ccgjopal.exe
PID 2352 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Ckpbnb32.exe C:\Windows\SysWOW64\Ccgjopal.exe
PID 1656 wrote to memory of 4572 N/A C:\Windows\SysWOW64\Ccgjopal.exe C:\Windows\SysWOW64\Djqblj32.exe
PID 1656 wrote to memory of 4572 N/A C:\Windows\SysWOW64\Ccgjopal.exe C:\Windows\SysWOW64\Djqblj32.exe
PID 1656 wrote to memory of 4572 N/A C:\Windows\SysWOW64\Ccgjopal.exe C:\Windows\SysWOW64\Djqblj32.exe
PID 4572 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Djqblj32.exe C:\Windows\SysWOW64\Dmoohe32.exe
PID 4572 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Djqblj32.exe C:\Windows\SysWOW64\Dmoohe32.exe
PID 4572 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Djqblj32.exe C:\Windows\SysWOW64\Dmoohe32.exe
PID 1140 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Dmoohe32.exe C:\Windows\SysWOW64\Dpnkdq32.exe
PID 1140 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Dmoohe32.exe C:\Windows\SysWOW64\Dpnkdq32.exe
PID 1140 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Dmoohe32.exe C:\Windows\SysWOW64\Dpnkdq32.exe
PID 2944 wrote to memory of 4548 N/A C:\Windows\SysWOW64\Dpnkdq32.exe C:\Windows\SysWOW64\Dblgpl32.exe
PID 2944 wrote to memory of 4548 N/A C:\Windows\SysWOW64\Dpnkdq32.exe C:\Windows\SysWOW64\Dblgpl32.exe
PID 2944 wrote to memory of 4548 N/A C:\Windows\SysWOW64\Dpnkdq32.exe C:\Windows\SysWOW64\Dblgpl32.exe
PID 4548 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Dblgpl32.exe C:\Windows\SysWOW64\Djcoai32.exe
PID 4548 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Dblgpl32.exe C:\Windows\SysWOW64\Djcoai32.exe
PID 4548 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Dblgpl32.exe C:\Windows\SysWOW64\Djcoai32.exe
PID 1672 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Djcoai32.exe C:\Windows\SysWOW64\Dmalne32.exe
PID 1672 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Djcoai32.exe C:\Windows\SysWOW64\Dmalne32.exe
PID 1672 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Djcoai32.exe C:\Windows\SysWOW64\Dmalne32.exe
PID 2016 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dckdjomg.exe
PID 2016 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dckdjomg.exe
PID 2016 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dckdjomg.exe
PID 1696 wrote to memory of 932 N/A C:\Windows\SysWOW64\Dckdjomg.exe C:\Windows\SysWOW64\Dfjpfj32.exe
PID 1696 wrote to memory of 932 N/A C:\Windows\SysWOW64\Dckdjomg.exe C:\Windows\SysWOW64\Dfjpfj32.exe
PID 1696 wrote to memory of 932 N/A C:\Windows\SysWOW64\Dckdjomg.exe C:\Windows\SysWOW64\Dfjpfj32.exe
PID 932 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Dfjpfj32.exe C:\Windows\SysWOW64\Dihlbf32.exe
PID 932 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Dfjpfj32.exe C:\Windows\SysWOW64\Dihlbf32.exe
PID 932 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Dfjpfj32.exe C:\Windows\SysWOW64\Dihlbf32.exe
PID 3044 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Dihlbf32.exe C:\Windows\SysWOW64\Dlghoa32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe

"C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe"

C:\Windows\SysWOW64\Ajpqnneo.exe

C:\Windows\system32\Ajpqnneo.exe

C:\Windows\SysWOW64\Afgacokc.exe

C:\Windows\system32\Afgacokc.exe

C:\Windows\SysWOW64\Alqjpi32.exe

C:\Windows\system32\Alqjpi32.exe

C:\Windows\SysWOW64\Bhoqeibl.exe

C:\Windows\system32\Bhoqeibl.exe

C:\Windows\SysWOW64\Bjbfklei.exe

C:\Windows\system32\Bjbfklei.exe

C:\Windows\SysWOW64\Cihclh32.exe

C:\Windows\system32\Cihclh32.exe

C:\Windows\SysWOW64\Cijpahho.exe

C:\Windows\system32\Cijpahho.exe

C:\Windows\SysWOW64\Cbeapmll.exe

C:\Windows\system32\Cbeapmll.exe

C:\Windows\SysWOW64\Cjliajmo.exe

C:\Windows\system32\Cjliajmo.exe

C:\Windows\SysWOW64\Cjnffjkl.exe

C:\Windows\system32\Cjnffjkl.exe

C:\Windows\SysWOW64\Ckpbnb32.exe

C:\Windows\system32\Ckpbnb32.exe

C:\Windows\SysWOW64\Ccgjopal.exe

C:\Windows\system32\Ccgjopal.exe

C:\Windows\SysWOW64\Djqblj32.exe

C:\Windows\system32\Djqblj32.exe

C:\Windows\SysWOW64\Dmoohe32.exe

C:\Windows\system32\Dmoohe32.exe

C:\Windows\SysWOW64\Dpnkdq32.exe

C:\Windows\system32\Dpnkdq32.exe

C:\Windows\SysWOW64\Dblgpl32.exe

C:\Windows\system32\Dblgpl32.exe

C:\Windows\SysWOW64\Djcoai32.exe

C:\Windows\system32\Djcoai32.exe

C:\Windows\SysWOW64\Dmalne32.exe

C:\Windows\system32\Dmalne32.exe

C:\Windows\SysWOW64\Dckdjomg.exe

C:\Windows\system32\Dckdjomg.exe

C:\Windows\SysWOW64\Dfjpfj32.exe

C:\Windows\system32\Dfjpfj32.exe

C:\Windows\SysWOW64\Dihlbf32.exe

C:\Windows\system32\Dihlbf32.exe

C:\Windows\SysWOW64\Dlghoa32.exe

C:\Windows\system32\Dlghoa32.exe

C:\Windows\SysWOW64\Dcnqpo32.exe

C:\Windows\system32\Dcnqpo32.exe

C:\Windows\SysWOW64\Dflmlj32.exe

C:\Windows\system32\Dflmlj32.exe

C:\Windows\SysWOW64\Dikihe32.exe

C:\Windows\system32\Dikihe32.exe

C:\Windows\SysWOW64\Dlieda32.exe

C:\Windows\system32\Dlieda32.exe

C:\Windows\SysWOW64\Dcpmen32.exe

C:\Windows\system32\Dcpmen32.exe

C:\Windows\SysWOW64\Djjebh32.exe

C:\Windows\system32\Djjebh32.exe

C:\Windows\SysWOW64\Dlkbjqgm.exe

C:\Windows\system32\Dlkbjqgm.exe

C:\Windows\SysWOW64\Ejlbhh32.exe

C:\Windows\system32\Ejlbhh32.exe

C:\Windows\SysWOW64\Elnoopdj.exe

C:\Windows\system32\Elnoopdj.exe

C:\Windows\SysWOW64\Ebhglj32.exe

C:\Windows\system32\Ebhglj32.exe

C:\Windows\SysWOW64\Ejoomhmi.exe

C:\Windows\system32\Ejoomhmi.exe

C:\Windows\SysWOW64\Elpkep32.exe

C:\Windows\system32\Elpkep32.exe

C:\Windows\SysWOW64\Ebjcajjd.exe

C:\Windows\system32\Ebjcajjd.exe

C:\Windows\SysWOW64\Ejalcgkg.exe

C:\Windows\system32\Ejalcgkg.exe

C:\Windows\SysWOW64\Elbhjp32.exe

C:\Windows\system32\Elbhjp32.exe

C:\Windows\SysWOW64\Eciplm32.exe

C:\Windows\system32\Eciplm32.exe

C:\Windows\SysWOW64\Ejchhgid.exe

C:\Windows\system32\Ejchhgid.exe

C:\Windows\SysWOW64\Eleepoob.exe

C:\Windows\system32\Eleepoob.exe

C:\Windows\SysWOW64\Eclmamod.exe

C:\Windows\system32\Eclmamod.exe

C:\Windows\SysWOW64\Ejfeng32.exe

C:\Windows\system32\Ejfeng32.exe

C:\Windows\SysWOW64\Elgaeolp.exe

C:\Windows\system32\Elgaeolp.exe

C:\Windows\SysWOW64\Fbajbi32.exe

C:\Windows\system32\Fbajbi32.exe

C:\Windows\SysWOW64\Fjhacf32.exe

C:\Windows\system32\Fjhacf32.exe

C:\Windows\SysWOW64\Flinkojm.exe

C:\Windows\system32\Flinkojm.exe

C:\Windows\SysWOW64\Fdqfll32.exe

C:\Windows\system32\Fdqfll32.exe

C:\Windows\SysWOW64\Fjjnifbl.exe

C:\Windows\system32\Fjjnifbl.exe

C:\Windows\SysWOW64\Fllkqn32.exe

C:\Windows\system32\Fllkqn32.exe

C:\Windows\SysWOW64\Fdccbl32.exe

C:\Windows\system32\Fdccbl32.exe

C:\Windows\SysWOW64\Ffaong32.exe

C:\Windows\system32\Ffaong32.exe

C:\Windows\SysWOW64\Fmkgkapm.exe

C:\Windows\system32\Fmkgkapm.exe

C:\Windows\SysWOW64\Fpjcgm32.exe

C:\Windows\system32\Fpjcgm32.exe

C:\Windows\SysWOW64\Fbhpch32.exe

C:\Windows\system32\Fbhpch32.exe

C:\Windows\SysWOW64\Fibhpbea.exe

C:\Windows\system32\Fibhpbea.exe

C:\Windows\SysWOW64\Flqdlnde.exe

C:\Windows\system32\Flqdlnde.exe

C:\Windows\SysWOW64\Fdglmkeg.exe

C:\Windows\system32\Fdglmkeg.exe

C:\Windows\SysWOW64\Fffhifdk.exe

C:\Windows\system32\Fffhifdk.exe

C:\Windows\SysWOW64\Fmpqfq32.exe

C:\Windows\system32\Fmpqfq32.exe

C:\Windows\SysWOW64\Gpnmbl32.exe

C:\Windows\system32\Gpnmbl32.exe

C:\Windows\SysWOW64\Gfheof32.exe

C:\Windows\system32\Gfheof32.exe

C:\Windows\SysWOW64\Gmbmkpie.exe

C:\Windows\system32\Gmbmkpie.exe

C:\Windows\SysWOW64\Gdlfhj32.exe

C:\Windows\system32\Gdlfhj32.exe

C:\Windows\SysWOW64\Gfkbde32.exe

C:\Windows\system32\Gfkbde32.exe

C:\Windows\SysWOW64\Gmdjapgb.exe

C:\Windows\system32\Gmdjapgb.exe

C:\Windows\SysWOW64\Gdobnj32.exe

C:\Windows\system32\Gdobnj32.exe

C:\Windows\SysWOW64\Gfmojenc.exe

C:\Windows\system32\Gfmojenc.exe

C:\Windows\SysWOW64\Gmggfp32.exe

C:\Windows\system32\Gmggfp32.exe

C:\Windows\SysWOW64\Gpecbk32.exe

C:\Windows\system32\Gpecbk32.exe

C:\Windows\SysWOW64\Gbdoof32.exe

C:\Windows\system32\Gbdoof32.exe

C:\Windows\SysWOW64\Gkkgpc32.exe

C:\Windows\system32\Gkkgpc32.exe

C:\Windows\SysWOW64\Glldgljg.exe

C:\Windows\system32\Glldgljg.exe

C:\Windows\SysWOW64\Gbfldf32.exe

C:\Windows\system32\Gbfldf32.exe

C:\Windows\SysWOW64\Gkmdecbg.exe

C:\Windows\system32\Gkmdecbg.exe

C:\Windows\SysWOW64\Hmlpaoaj.exe

C:\Windows\system32\Hmlpaoaj.exe

C:\Windows\SysWOW64\Hdehni32.exe

C:\Windows\system32\Hdehni32.exe

C:\Windows\SysWOW64\Hgdejd32.exe

C:\Windows\system32\Hgdejd32.exe

C:\Windows\SysWOW64\Hibafp32.exe

C:\Windows\system32\Hibafp32.exe

C:\Windows\SysWOW64\Hplicjok.exe

C:\Windows\system32\Hplicjok.exe

C:\Windows\SysWOW64\Hckeoeno.exe

C:\Windows\system32\Hckeoeno.exe

C:\Windows\SysWOW64\Hkbmqb32.exe

C:\Windows\system32\Hkbmqb32.exe

C:\Windows\SysWOW64\Hlcjhkdp.exe

C:\Windows\system32\Hlcjhkdp.exe

C:\Windows\SysWOW64\Hdjbiheb.exe

C:\Windows\system32\Hdjbiheb.exe

C:\Windows\SysWOW64\Hkdjfb32.exe

C:\Windows\system32\Hkdjfb32.exe

C:\Windows\SysWOW64\Hmbfbn32.exe

C:\Windows\system32\Hmbfbn32.exe

C:\Windows\SysWOW64\Hdmoohbo.exe

C:\Windows\system32\Hdmoohbo.exe

C:\Windows\SysWOW64\Hgkkkcbc.exe

C:\Windows\system32\Hgkkkcbc.exe

C:\Windows\SysWOW64\Hmechmip.exe

C:\Windows\system32\Hmechmip.exe

C:\Windows\SysWOW64\Hpcodihc.exe

C:\Windows\system32\Hpcodihc.exe

C:\Windows\SysWOW64\Hgmgqc32.exe

C:\Windows\system32\Hgmgqc32.exe

C:\Windows\SysWOW64\Ingpmmgm.exe

C:\Windows\system32\Ingpmmgm.exe

C:\Windows\SysWOW64\Ipflihfq.exe

C:\Windows\system32\Ipflihfq.exe

C:\Windows\SysWOW64\Igpdfb32.exe

C:\Windows\system32\Igpdfb32.exe

C:\Windows\SysWOW64\Iinqbn32.exe

C:\Windows\system32\Iinqbn32.exe

C:\Windows\SysWOW64\Iphioh32.exe

C:\Windows\system32\Iphioh32.exe

C:\Windows\SysWOW64\Icfekc32.exe

C:\Windows\system32\Icfekc32.exe

C:\Windows\SysWOW64\Iknmla32.exe

C:\Windows\system32\Iknmla32.exe

C:\Windows\SysWOW64\Iloidijb.exe

C:\Windows\system32\Iloidijb.exe

C:\Windows\SysWOW64\Iciaqc32.exe

C:\Windows\system32\Iciaqc32.exe

C:\Windows\SysWOW64\Ikpjbq32.exe

C:\Windows\system32\Ikpjbq32.exe

C:\Windows\SysWOW64\Innfnl32.exe

C:\Windows\system32\Innfnl32.exe

C:\Windows\SysWOW64\Idhnkf32.exe

C:\Windows\system32\Idhnkf32.exe

C:\Windows\SysWOW64\Iggjga32.exe

C:\Windows\system32\Iggjga32.exe

C:\Windows\SysWOW64\Ijegcm32.exe

C:\Windows\system32\Ijegcm32.exe

C:\Windows\SysWOW64\Ipoopgnf.exe

C:\Windows\system32\Ipoopgnf.exe

C:\Windows\SysWOW64\Igigla32.exe

C:\Windows\system32\Igigla32.exe

C:\Windows\SysWOW64\Jjgchm32.exe

C:\Windows\system32\Jjgchm32.exe

C:\Windows\SysWOW64\Jpaleglc.exe

C:\Windows\system32\Jpaleglc.exe

C:\Windows\SysWOW64\Jgkdbacp.exe

C:\Windows\system32\Jgkdbacp.exe

C:\Windows\SysWOW64\Jjjpnlbd.exe

C:\Windows\system32\Jjjpnlbd.exe

C:\Windows\SysWOW64\Jpdhkf32.exe

C:\Windows\system32\Jpdhkf32.exe

C:\Windows\SysWOW64\Jcbdgb32.exe

C:\Windows\system32\Jcbdgb32.exe

C:\Windows\SysWOW64\Jjlmclqa.exe

C:\Windows\system32\Jjlmclqa.exe

C:\Windows\SysWOW64\Jpfepf32.exe

C:\Windows\system32\Jpfepf32.exe

C:\Windows\SysWOW64\Jgpmmp32.exe

C:\Windows\system32\Jgpmmp32.exe

C:\Windows\SysWOW64\Jjoiil32.exe

C:\Windows\system32\Jjoiil32.exe

C:\Windows\SysWOW64\Jqhafffk.exe

C:\Windows\system32\Jqhafffk.exe

C:\Windows\SysWOW64\Jcgnbaeo.exe

C:\Windows\system32\Jcgnbaeo.exe

C:\Windows\SysWOW64\Jjafok32.exe

C:\Windows\system32\Jjafok32.exe

C:\Windows\SysWOW64\Jqknkedi.exe

C:\Windows\system32\Jqknkedi.exe

C:\Windows\SysWOW64\Jcikgacl.exe

C:\Windows\system32\Jcikgacl.exe

C:\Windows\SysWOW64\Knooej32.exe

C:\Windows\system32\Knooej32.exe

C:\Windows\SysWOW64\Kdigadjo.exe

C:\Windows\system32\Kdigadjo.exe

C:\Windows\SysWOW64\Kggcnoic.exe

C:\Windows\system32\Kggcnoic.exe

C:\Windows\SysWOW64\Knalji32.exe

C:\Windows\system32\Knalji32.exe

C:\Windows\SysWOW64\Kdkdgchl.exe

C:\Windows\system32\Kdkdgchl.exe

C:\Windows\SysWOW64\Kgipcogp.exe

C:\Windows\system32\Kgipcogp.exe

C:\Windows\SysWOW64\Kjhloj32.exe

C:\Windows\system32\Kjhloj32.exe

C:\Windows\SysWOW64\Kmfhkf32.exe

C:\Windows\system32\Kmfhkf32.exe

C:\Windows\SysWOW64\Kcpahpmd.exe

C:\Windows\system32\Kcpahpmd.exe

C:\Windows\SysWOW64\Kkgiimng.exe

C:\Windows\system32\Kkgiimng.exe

C:\Windows\SysWOW64\Kmieae32.exe

C:\Windows\system32\Kmieae32.exe

C:\Windows\SysWOW64\Kdpmbc32.exe

C:\Windows\system32\Kdpmbc32.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Knhakh32.exe

C:\Windows\system32\Knhakh32.exe

C:\Windows\SysWOW64\Kqfngd32.exe

C:\Windows\system32\Kqfngd32.exe

C:\Windows\SysWOW64\Kcejco32.exe

C:\Windows\system32\Kcejco32.exe

C:\Windows\SysWOW64\Ljobpiql.exe

C:\Windows\system32\Ljobpiql.exe

C:\Windows\SysWOW64\Lmmolepp.exe

C:\Windows\system32\Lmmolepp.exe

C:\Windows\SysWOW64\Lcggio32.exe

C:\Windows\system32\Lcggio32.exe

C:\Windows\SysWOW64\Mcqjon32.exe

C:\Windows\system32\Mcqjon32.exe

C:\Windows\SysWOW64\Mjkblhfo.exe

C:\Windows\system32\Mjkblhfo.exe

C:\Windows\SysWOW64\Mepfiq32.exe

C:\Windows\system32\Mepfiq32.exe

C:\Windows\SysWOW64\Mmkkmc32.exe

C:\Windows\system32\Mmkkmc32.exe

C:\Windows\SysWOW64\Mebcop32.exe

C:\Windows\system32\Mebcop32.exe

C:\Windows\SysWOW64\Mkmkkjko.exe

C:\Windows\system32\Mkmkkjko.exe

C:\Windows\SysWOW64\Mmnhcb32.exe

C:\Windows\system32\Mmnhcb32.exe

C:\Windows\SysWOW64\Meepdp32.exe

C:\Windows\system32\Meepdp32.exe

C:\Windows\SysWOW64\Mkohaj32.exe

C:\Windows\system32\Mkohaj32.exe

C:\Windows\SysWOW64\Mnmdme32.exe

C:\Windows\system32\Mnmdme32.exe

C:\Windows\SysWOW64\Mgehfkop.exe

C:\Windows\system32\Mgehfkop.exe

C:\Windows\SysWOW64\Nlcalieg.exe

C:\Windows\system32\Nlcalieg.exe

C:\Windows\SysWOW64\Nnbnhedj.exe

C:\Windows\system32\Nnbnhedj.exe

C:\Windows\SysWOW64\Napjdpcn.exe

C:\Windows\system32\Napjdpcn.exe

C:\Windows\SysWOW64\Ncofplba.exe

C:\Windows\system32\Ncofplba.exe

C:\Windows\SysWOW64\Njinmf32.exe

C:\Windows\system32\Njinmf32.exe

C:\Windows\SysWOW64\Nnfgcd32.exe

C:\Windows\system32\Nnfgcd32.exe

C:\Windows\SysWOW64\Naecop32.exe

C:\Windows\system32\Naecop32.exe

C:\Windows\SysWOW64\Nccokk32.exe

C:\Windows\system32\Nccokk32.exe

C:\Windows\SysWOW64\Njmhhefi.exe

C:\Windows\system32\Njmhhefi.exe

C:\Windows\SysWOW64\Nmlddqem.exe

C:\Windows\system32\Nmlddqem.exe

C:\Windows\SysWOW64\Neclenfo.exe

C:\Windows\system32\Neclenfo.exe

C:\Windows\SysWOW64\Nlmdbh32.exe

C:\Windows\system32\Nlmdbh32.exe

C:\Windows\SysWOW64\Nnkpnclp.exe

C:\Windows\system32\Nnkpnclp.exe

C:\Windows\SysWOW64\Oeehkn32.exe

C:\Windows\system32\Oeehkn32.exe

C:\Windows\SysWOW64\Oloahhki.exe

C:\Windows\system32\Oloahhki.exe

C:\Windows\SysWOW64\Oalipoiq.exe

C:\Windows\system32\Oalipoiq.exe

C:\Windows\SysWOW64\Onpjichj.exe

C:\Windows\system32\Onpjichj.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Ohhnbhok.exe

C:\Windows\system32\Ohhnbhok.exe

C:\Windows\SysWOW64\Ojgjndno.exe

C:\Windows\system32\Ojgjndno.exe

C:\Windows\SysWOW64\Oaqbkn32.exe

C:\Windows\system32\Oaqbkn32.exe

C:\Windows\SysWOW64\Odoogi32.exe

C:\Windows\system32\Odoogi32.exe

C:\Windows\SysWOW64\Olfghg32.exe

C:\Windows\system32\Olfghg32.exe

C:\Windows\SysWOW64\Omgcpokp.exe

C:\Windows\system32\Omgcpokp.exe

C:\Windows\SysWOW64\Oeokal32.exe

C:\Windows\system32\Oeokal32.exe

C:\Windows\SysWOW64\Ohmhmh32.exe

C:\Windows\system32\Ohmhmh32.exe

C:\Windows\SysWOW64\Okkdic32.exe

C:\Windows\system32\Okkdic32.exe

C:\Windows\SysWOW64\Peahgl32.exe

C:\Windows\system32\Peahgl32.exe

C:\Windows\SysWOW64\Phodcg32.exe

C:\Windows\system32\Phodcg32.exe

C:\Windows\SysWOW64\Pahilmoc.exe

C:\Windows\system32\Pahilmoc.exe

C:\Windows\SysWOW64\Plmmif32.exe

C:\Windows\system32\Plmmif32.exe

C:\Windows\SysWOW64\Poliea32.exe

C:\Windows\system32\Poliea32.exe

C:\Windows\SysWOW64\Pajeam32.exe

C:\Windows\system32\Pajeam32.exe

C:\Windows\SysWOW64\Phdnngdn.exe

C:\Windows\system32\Phdnngdn.exe

C:\Windows\SysWOW64\Ponfka32.exe

C:\Windows\system32\Ponfka32.exe

C:\Windows\SysWOW64\Palbgl32.exe

C:\Windows\system32\Palbgl32.exe

C:\Windows\SysWOW64\Phfjcf32.exe

C:\Windows\system32\Phfjcf32.exe

C:\Windows\SysWOW64\Paoollik.exe

C:\Windows\system32\Paoollik.exe

C:\Windows\SysWOW64\Pldcjeia.exe

C:\Windows\system32\Pldcjeia.exe

C:\Windows\SysWOW64\Qkipkani.exe

C:\Windows\system32\Qkipkani.exe

C:\Windows\SysWOW64\Qmhlgmmm.exe

C:\Windows\system32\Qmhlgmmm.exe

C:\Windows\SysWOW64\Qeodhjmo.exe

C:\Windows\system32\Qeodhjmo.exe

C:\Windows\SysWOW64\Qklmpalf.exe

C:\Windows\system32\Qklmpalf.exe

C:\Windows\SysWOW64\Aeaanjkl.exe

C:\Windows\system32\Aeaanjkl.exe

C:\Windows\SysWOW64\Alkijdci.exe

C:\Windows\system32\Alkijdci.exe

C:\Windows\SysWOW64\Aojefobm.exe

C:\Windows\system32\Aojefobm.exe

C:\Windows\SysWOW64\Aahbbkaq.exe

C:\Windows\system32\Aahbbkaq.exe

C:\Windows\SysWOW64\Aajohjon.exe

C:\Windows\system32\Aajohjon.exe

C:\Windows\SysWOW64\Adikdfna.exe

C:\Windows\system32\Adikdfna.exe

C:\Windows\SysWOW64\Alpbecod.exe

C:\Windows\system32\Alpbecod.exe

C:\Windows\SysWOW64\Aonoao32.exe

C:\Windows\system32\Aonoao32.exe

C:\Windows\SysWOW64\Aehgnied.exe

C:\Windows\system32\Aehgnied.exe

C:\Windows\SysWOW64\Akepfpcl.exe

C:\Windows\system32\Akepfpcl.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Ahippdbe.exe

C:\Windows\system32\Ahippdbe.exe

C:\Windows\SysWOW64\Bdpaeehj.exe

C:\Windows\system32\Bdpaeehj.exe

C:\Windows\SysWOW64\Blgifbil.exe

C:\Windows\system32\Blgifbil.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Badanigc.exe

C:\Windows\system32\Badanigc.exe

C:\Windows\SysWOW64\Bdbnjdfg.exe

C:\Windows\system32\Bdbnjdfg.exe

C:\Windows\SysWOW64\Bklfgo32.exe

C:\Windows\system32\Bklfgo32.exe

C:\Windows\SysWOW64\Bebjdgmj.exe

C:\Windows\system32\Bebjdgmj.exe

C:\Windows\SysWOW64\Bnmoijje.exe

C:\Windows\system32\Bnmoijje.exe

C:\Windows\SysWOW64\Bakgoh32.exe

C:\Windows\system32\Bakgoh32.exe

C:\Windows\SysWOW64\Bdickcpo.exe

C:\Windows\system32\Bdickcpo.exe

C:\Windows\SysWOW64\Ckclhn32.exe

C:\Windows\system32\Ckclhn32.exe

C:\Windows\SysWOW64\Cfipef32.exe

C:\Windows\system32\Cfipef32.exe

C:\Windows\SysWOW64\Cndeii32.exe

C:\Windows\system32\Cndeii32.exe

C:\Windows\SysWOW64\Chiigadc.exe

C:\Windows\system32\Chiigadc.exe

C:\Windows\SysWOW64\Cnfaohbj.exe

C:\Windows\system32\Cnfaohbj.exe

C:\Windows\SysWOW64\Ckjbhmad.exe

C:\Windows\system32\Ckjbhmad.exe

C:\Windows\SysWOW64\Cbdjeg32.exe

C:\Windows\system32\Cbdjeg32.exe

C:\Windows\SysWOW64\Cljobphg.exe

C:\Windows\system32\Cljobphg.exe

C:\Windows\SysWOW64\Cbfgkffn.exe

C:\Windows\system32\Cbfgkffn.exe

C:\Windows\SysWOW64\Dmlkhofd.exe

C:\Windows\system32\Dmlkhofd.exe

C:\Windows\SysWOW64\Domdjj32.exe

C:\Windows\system32\Domdjj32.exe

C:\Windows\SysWOW64\Dfiildio.exe

C:\Windows\system32\Dfiildio.exe

C:\Windows\SysWOW64\Dkfadkgf.exe

C:\Windows\system32\Dkfadkgf.exe

C:\Windows\SysWOW64\Dbpjaeoc.exe

C:\Windows\system32\Dbpjaeoc.exe

C:\Windows\SysWOW64\Dijbno32.exe

C:\Windows\system32\Dijbno32.exe

C:\Windows\SysWOW64\Eiloco32.exe

C:\Windows\system32\Eiloco32.exe

C:\Windows\SysWOW64\Ekmhejao.exe

C:\Windows\system32\Ekmhejao.exe

C:\Windows\SysWOW64\Ebgpad32.exe

C:\Windows\system32\Ebgpad32.exe

C:\Windows\SysWOW64\Emmdom32.exe

C:\Windows\system32\Emmdom32.exe

C:\Windows\SysWOW64\Ebimgcfi.exe

C:\Windows\system32\Ebimgcfi.exe

C:\Windows\SysWOW64\Ekaapi32.exe

C:\Windows\system32\Ekaapi32.exe

C:\Windows\SysWOW64\Enbjad32.exe

C:\Windows\system32\Enbjad32.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fmfgek32.exe

C:\Windows\system32\Fmfgek32.exe

C:\Windows\SysWOW64\Fealin32.exe

C:\Windows\system32\Fealin32.exe

C:\Windows\SysWOW64\Fimhjl32.exe

C:\Windows\system32\Fimhjl32.exe

C:\Windows\SysWOW64\Fbelcblk.exe

C:\Windows\system32\Fbelcblk.exe

C:\Windows\SysWOW64\Fmkqpkla.exe

C:\Windows\system32\Fmkqpkla.exe

C:\Windows\SysWOW64\Fbgihaji.exe

C:\Windows\system32\Fbgihaji.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Flpmagqi.exe

C:\Windows\system32\Flpmagqi.exe

C:\Windows\SysWOW64\Fnnjmbpm.exe

C:\Windows\system32\Fnnjmbpm.exe

C:\Windows\SysWOW64\Gidnkkpc.exe

C:\Windows\system32\Gidnkkpc.exe

C:\Windows\SysWOW64\Gpnfge32.exe

C:\Windows\system32\Gpnfge32.exe

C:\Windows\SysWOW64\Gppcmeem.exe

C:\Windows\system32\Gppcmeem.exe

C:\Windows\SysWOW64\Gfjkjo32.exe

C:\Windows\system32\Gfjkjo32.exe

C:\Windows\SysWOW64\Gflhoo32.exe

C:\Windows\system32\Gflhoo32.exe

C:\Windows\SysWOW64\Glipgf32.exe

C:\Windows\system32\Glipgf32.exe

C:\Windows\SysWOW64\Gmimai32.exe

C:\Windows\system32\Gmimai32.exe

C:\Windows\SysWOW64\Hipmfjee.exe

C:\Windows\system32\Hipmfjee.exe

C:\Windows\SysWOW64\Hbhboolf.exe

C:\Windows\system32\Hbhboolf.exe

C:\Windows\SysWOW64\Hoobdp32.exe

C:\Windows\system32\Hoobdp32.exe

C:\Windows\SysWOW64\Hehkajig.exe

C:\Windows\system32\Hehkajig.exe

C:\Windows\SysWOW64\Hblkjo32.exe

C:\Windows\system32\Hblkjo32.exe

C:\Windows\SysWOW64\Hpqldc32.exe

C:\Windows\system32\Hpqldc32.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Ibaeen32.exe

C:\Windows\system32\Ibaeen32.exe

C:\Windows\SysWOW64\Iliinc32.exe

C:\Windows\system32\Iliinc32.exe

C:\Windows\SysWOW64\Iohejo32.exe

C:\Windows\system32\Iohejo32.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Imiehfao.exe

C:\Windows\system32\Imiehfao.exe

C:\Windows\SysWOW64\Igajal32.exe

C:\Windows\system32\Igajal32.exe

C:\Windows\SysWOW64\Ilnbicff.exe

C:\Windows\system32\Ilnbicff.exe

C:\Windows\SysWOW64\Iefgbh32.exe

C:\Windows\system32\Iefgbh32.exe

C:\Windows\SysWOW64\Joahqn32.exe

C:\Windows\system32\Joahqn32.exe

C:\Windows\SysWOW64\Jlgepanl.exe

C:\Windows\system32\Jlgepanl.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jokkgl32.exe

C:\Windows\system32\Jokkgl32.exe

C:\Windows\SysWOW64\Kpjgaoqm.exe

C:\Windows\system32\Kpjgaoqm.exe

C:\Windows\SysWOW64\Kgdpni32.exe

C:\Windows\system32\Kgdpni32.exe

C:\Windows\SysWOW64\Knnhjcog.exe

C:\Windows\system32\Knnhjcog.exe

C:\Windows\SysWOW64\Knqepc32.exe

C:\Windows\system32\Knqepc32.exe

C:\Windows\SysWOW64\Kgiiiidd.exe

C:\Windows\system32\Kgiiiidd.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kcpjnjii.exe

C:\Windows\system32\Kcpjnjii.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Kfpcoefj.exe

C:\Windows\system32\Kfpcoefj.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Loighj32.exe

C:\Windows\system32\Loighj32.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Lnjgfb32.exe

C:\Windows\system32\Lnjgfb32.exe

C:\Windows\SysWOW64\Lqhdbm32.exe

C:\Windows\system32\Lqhdbm32.exe

C:\Windows\SysWOW64\Lgbloglj.exe

C:\Windows\system32\Lgbloglj.exe

C:\Windows\SysWOW64\Lgdidgjg.exe

C:\Windows\system32\Lgdidgjg.exe

C:\Windows\SysWOW64\Lnoaaaad.exe

C:\Windows\system32\Lnoaaaad.exe

C:\Windows\SysWOW64\Lopmii32.exe

C:\Windows\system32\Lopmii32.exe

C:\Windows\SysWOW64\Lggejg32.exe

C:\Windows\system32\Lggejg32.exe

C:\Windows\SysWOW64\Ljeafb32.exe

C:\Windows\system32\Ljeafb32.exe

C:\Windows\SysWOW64\Lobjni32.exe

C:\Windows\system32\Lobjni32.exe

C:\Windows\SysWOW64\Lgibpf32.exe

C:\Windows\system32\Lgibpf32.exe

C:\Windows\SysWOW64\Mgloefco.exe

C:\Windows\system32\Mgloefco.exe

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mmmqhl32.exe

C:\Windows\system32\Mmmqhl32.exe

C:\Windows\SysWOW64\Mcgiefen.exe

C:\Windows\system32\Mcgiefen.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Mfhbga32.exe

C:\Windows\system32\Mfhbga32.exe

C:\Windows\SysWOW64\Nmbjcljl.exe

C:\Windows\system32\Nmbjcljl.exe

C:\Windows\SysWOW64\Nggnadib.exe

C:\Windows\system32\Nggnadib.exe

C:\Windows\SysWOW64\Njfkmphe.exe

C:\Windows\system32\Njfkmphe.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Nceefd32.exe

C:\Windows\system32\Nceefd32.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Ompfej32.exe

C:\Windows\system32\Ompfej32.exe

C:\Windows\SysWOW64\Opnbae32.exe

C:\Windows\system32\Opnbae32.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Ojdgnn32.exe

C:\Windows\system32\Ojdgnn32.exe

C:\Windows\SysWOW64\Oanokhdb.exe

C:\Windows\system32\Oanokhdb.exe

C:\Windows\SysWOW64\Opclldhj.exe

C:\Windows\system32\Opclldhj.exe

C:\Windows\SysWOW64\Ohlqcagj.exe

C:\Windows\system32\Ohlqcagj.exe

C:\Windows\SysWOW64\Paeelgnj.exe

C:\Windows\system32\Paeelgnj.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Pagbaglh.exe

C:\Windows\system32\Pagbaglh.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Pdjgha32.exe

C:\Windows\system32\Pdjgha32.exe

C:\Windows\SysWOW64\Pnplfj32.exe

C:\Windows\system32\Pnplfj32.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qmgelf32.exe

C:\Windows\system32\Qmgelf32.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Ahofoogd.exe

C:\Windows\system32\Ahofoogd.exe

C:\Windows\SysWOW64\Aoioli32.exe

C:\Windows\system32\Aoioli32.exe

C:\Windows\SysWOW64\Agdcpkll.exe

C:\Windows\system32\Agdcpkll.exe

C:\Windows\SysWOW64\Amnlme32.exe

C:\Windows\system32\Amnlme32.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Adkqoohc.exe

C:\Windows\system32\Adkqoohc.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Bobabg32.exe

C:\Windows\system32\Bobabg32.exe

C:\Windows\SysWOW64\Bmhocd32.exe

C:\Windows\system32\Bmhocd32.exe

C:\Windows\SysWOW64\Bogkmgba.exe

C:\Windows\system32\Bogkmgba.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Bhblllfo.exe

C:\Windows\system32\Bhblllfo.exe

C:\Windows\SysWOW64\Bnoddcef.exe

C:\Windows\system32\Bnoddcef.exe

C:\Windows\SysWOW64\Cggimh32.exe

C:\Windows\system32\Cggimh32.exe

C:\Windows\SysWOW64\Cpbjkn32.exe

C:\Windows\system32\Cpbjkn32.exe

C:\Windows\SysWOW64\Chiblk32.exe

C:\Windows\system32\Chiblk32.exe

C:\Windows\SysWOW64\Dpiplm32.exe

C:\Windows\system32\Dpiplm32.exe

C:\Windows\SysWOW64\Dnmaea32.exe

C:\Windows\system32\Dnmaea32.exe

C:\Windows\SysWOW64\Dolmodpi.exe

C:\Windows\system32\Dolmodpi.exe

C:\Windows\SysWOW64\Dakikoom.exe

C:\Windows\system32\Dakikoom.exe

C:\Windows\SysWOW64\Dqpfmlce.exe

C:\Windows\system32\Dqpfmlce.exe

C:\Windows\SysWOW64\Dkekjdck.exe

C:\Windows\system32\Dkekjdck.exe

C:\Windows\SysWOW64\Ddnobj32.exe

C:\Windows\system32\Ddnobj32.exe

C:\Windows\SysWOW64\Ekjded32.exe

C:\Windows\system32\Ekjded32.exe

C:\Windows\SysWOW64\Ebfign32.exe

C:\Windows\system32\Ebfign32.exe

C:\Windows\SysWOW64\Eqlfhjig.exe

C:\Windows\system32\Eqlfhjig.exe

C:\Windows\SysWOW64\Eqncnj32.exe

C:\Windows\system32\Eqncnj32.exe

C:\Windows\SysWOW64\Fnbcgn32.exe

C:\Windows\system32\Fnbcgn32.exe

C:\Windows\SysWOW64\Fdlkdhnk.exe

C:\Windows\system32\Fdlkdhnk.exe

C:\Windows\SysWOW64\Fbplml32.exe

C:\Windows\system32\Fbplml32.exe

C:\Windows\SysWOW64\Feqeog32.exe

C:\Windows\system32\Feqeog32.exe

C:\Windows\SysWOW64\Fkjmlaac.exe

C:\Windows\system32\Fkjmlaac.exe

C:\Windows\SysWOW64\Fbdehlip.exe

C:\Windows\system32\Fbdehlip.exe

C:\Windows\SysWOW64\Fganqbgg.exe

C:\Windows\system32\Fganqbgg.exe

C:\Windows\SysWOW64\Fgcjfbed.exe

C:\Windows\system32\Fgcjfbed.exe

C:\Windows\SysWOW64\Galoohke.exe

C:\Windows\system32\Galoohke.exe

C:\Windows\SysWOW64\Ggfglb32.exe

C:\Windows\system32\Ggfglb32.exe

C:\Windows\SysWOW64\Gpmomo32.exe

C:\Windows\system32\Gpmomo32.exe

C:\Windows\SysWOW64\Gpolbo32.exe

C:\Windows\system32\Gpolbo32.exe

C:\Windows\SysWOW64\Gaqhjggp.exe

C:\Windows\system32\Gaqhjggp.exe

C:\Windows\SysWOW64\Gndick32.exe

C:\Windows\system32\Gndick32.exe

C:\Windows\SysWOW64\Gijmad32.exe

C:\Windows\system32\Gijmad32.exe

C:\Windows\SysWOW64\Geanfelc.exe

C:\Windows\system32\Geanfelc.exe

C:\Windows\SysWOW64\Hbenoi32.exe

C:\Windows\system32\Hbenoi32.exe

C:\Windows\SysWOW64\Hhaggp32.exe

C:\Windows\system32\Hhaggp32.exe

C:\Windows\SysWOW64\Hajkqfoe.exe

C:\Windows\system32\Hajkqfoe.exe

C:\Windows\SysWOW64\Hhfpbpdo.exe

C:\Windows\system32\Hhfpbpdo.exe

C:\Windows\SysWOW64\Hejqldci.exe

C:\Windows\system32\Hejqldci.exe

C:\Windows\SysWOW64\Ihkjno32.exe

C:\Windows\system32\Ihkjno32.exe

C:\Windows\SysWOW64\Ieojgc32.exe

C:\Windows\system32\Ieojgc32.exe

C:\Windows\SysWOW64\Ibcjqgnm.exe

C:\Windows\system32\Ibcjqgnm.exe

C:\Windows\SysWOW64\Iimcma32.exe

C:\Windows\system32\Iimcma32.exe

C:\Windows\SysWOW64\Ipgkjlmg.exe

C:\Windows\system32\Ipgkjlmg.exe

C:\Windows\SysWOW64\Ihbponja.exe

C:\Windows\system32\Ihbponja.exe

C:\Windows\SysWOW64\Ipkdek32.exe

C:\Windows\system32\Ipkdek32.exe

C:\Windows\SysWOW64\Jhgiim32.exe

C:\Windows\system32\Jhgiim32.exe

C:\Windows\SysWOW64\Jldbpl32.exe

C:\Windows\system32\Jldbpl32.exe

C:\Windows\SysWOW64\Jhkbdmbg.exe

C:\Windows\system32\Jhkbdmbg.exe

C:\Windows\SysWOW64\Joekag32.exe

C:\Windows\system32\Joekag32.exe

C:\Windows\SysWOW64\Johggfha.exe

C:\Windows\system32\Johggfha.exe

C:\Windows\SysWOW64\Kiphjo32.exe

C:\Windows\system32\Kiphjo32.exe

C:\Windows\SysWOW64\Kbhmbdle.exe

C:\Windows\system32\Kbhmbdle.exe

C:\Windows\SysWOW64\Kpnjah32.exe

C:\Windows\system32\Kpnjah32.exe

C:\Windows\SysWOW64\Likhem32.exe

C:\Windows\system32\Likhem32.exe

C:\Windows\SysWOW64\Lindkm32.exe

C:\Windows\system32\Lindkm32.exe

C:\Windows\SysWOW64\Lpjjmg32.exe

C:\Windows\system32\Lpjjmg32.exe

C:\Windows\SysWOW64\Lhenai32.exe

C:\Windows\system32\Lhenai32.exe

C:\Windows\SysWOW64\Lfiokmkc.exe

C:\Windows\system32\Lfiokmkc.exe

C:\Windows\SysWOW64\Mfkkqmiq.exe

C:\Windows\system32\Mfkkqmiq.exe

C:\Windows\SysWOW64\Mfnhfm32.exe

C:\Windows\system32\Mfnhfm32.exe

C:\Windows\SysWOW64\Mcdeeq32.exe

C:\Windows\system32\Mcdeeq32.exe

C:\Windows\SysWOW64\Mfbaalbi.exe

C:\Windows\system32\Mfbaalbi.exe

C:\Windows\SysWOW64\Mjpjgj32.exe

C:\Windows\system32\Mjpjgj32.exe

C:\Windows\SysWOW64\Nqmojd32.exe

C:\Windows\system32\Nqmojd32.exe

C:\Windows\SysWOW64\Nmcpoedn.exe

C:\Windows\system32\Nmcpoedn.exe

C:\Windows\SysWOW64\Noblkqca.exe

C:\Windows\system32\Noblkqca.exe

C:\Windows\SysWOW64\Nmfmde32.exe

C:\Windows\system32\Nmfmde32.exe

C:\Windows\SysWOW64\Nimmifgo.exe

C:\Windows\system32\Nimmifgo.exe

C:\Windows\SysWOW64\Njljch32.exe

C:\Windows\system32\Njljch32.exe

C:\Windows\SysWOW64\Ooibkpmi.exe

C:\Windows\system32\Ooibkpmi.exe

C:\Windows\SysWOW64\Oqhoeb32.exe

C:\Windows\system32\Oqhoeb32.exe

C:\Windows\SysWOW64\Obnehj32.exe

C:\Windows\system32\Obnehj32.exe

C:\Windows\SysWOW64\Omdieb32.exe

C:\Windows\system32\Omdieb32.exe

C:\Windows\SysWOW64\Opbean32.exe

C:\Windows\system32\Opbean32.exe

C:\Windows\SysWOW64\Pimfpc32.exe

C:\Windows\system32\Pimfpc32.exe

C:\Windows\SysWOW64\Pafkgphl.exe

C:\Windows\system32\Pafkgphl.exe

C:\Windows\SysWOW64\Pmmlla32.exe

C:\Windows\system32\Pmmlla32.exe

C:\Windows\SysWOW64\Pidlqb32.exe

C:\Windows\system32\Pidlqb32.exe

C:\Windows\SysWOW64\Pciqnk32.exe

C:\Windows\system32\Pciqnk32.exe

C:\Windows\SysWOW64\Pfhmjf32.exe

C:\Windows\system32\Pfhmjf32.exe

C:\Windows\SysWOW64\Qclmck32.exe

C:\Windows\system32\Qclmck32.exe

C:\Windows\SysWOW64\Qpbnhl32.exe

C:\Windows\system32\Qpbnhl32.exe

C:\Windows\SysWOW64\Qbajeg32.exe

C:\Windows\system32\Qbajeg32.exe

C:\Windows\SysWOW64\Qikbaaml.exe

C:\Windows\system32\Qikbaaml.exe

C:\Windows\SysWOW64\Apeknk32.exe

C:\Windows\system32\Apeknk32.exe

C:\Windows\SysWOW64\Aimogakj.exe

C:\Windows\system32\Aimogakj.exe

C:\Windows\SysWOW64\Apjdikqd.exe

C:\Windows\system32\Apjdikqd.exe

C:\Windows\SysWOW64\Abhqefpg.exe

C:\Windows\system32\Abhqefpg.exe

C:\Windows\SysWOW64\Amnebo32.exe

C:\Windows\system32\Amnebo32.exe

C:\Windows\SysWOW64\Adgmoigj.exe

C:\Windows\system32\Adgmoigj.exe

C:\Windows\SysWOW64\Ajaelc32.exe

C:\Windows\system32\Ajaelc32.exe

C:\Windows\SysWOW64\Afhfaddk.exe

C:\Windows\system32\Afhfaddk.exe

C:\Windows\SysWOW64\Bmdkcnie.exe

C:\Windows\system32\Bmdkcnie.exe

C:\Windows\SysWOW64\Biklho32.exe

C:\Windows\system32\Biklho32.exe

C:\Windows\SysWOW64\Bdapehop.exe

C:\Windows\system32\Bdapehop.exe

C:\Windows\SysWOW64\Binhnomg.exe

C:\Windows\system32\Binhnomg.exe

C:\Windows\SysWOW64\Bbfmgd32.exe

C:\Windows\system32\Bbfmgd32.exe

C:\Windows\SysWOW64\Bkmeha32.exe

C:\Windows\system32\Bkmeha32.exe

C:\Windows\SysWOW64\Bbhildae.exe

C:\Windows\system32\Bbhildae.exe

C:\Windows\SysWOW64\Cmnnimak.exe

C:\Windows\system32\Cmnnimak.exe

C:\Windows\SysWOW64\Cbkfbcpb.exe

C:\Windows\system32\Cbkfbcpb.exe

C:\Windows\SysWOW64\Cmpjoloh.exe

C:\Windows\system32\Cmpjoloh.exe

C:\Windows\SysWOW64\Cpogkhnl.exe

C:\Windows\system32\Cpogkhnl.exe

C:\Windows\SysWOW64\Cgiohbfi.exe

C:\Windows\system32\Cgiohbfi.exe

C:\Windows\SysWOW64\Cigkdmel.exe

C:\Windows\system32\Cigkdmel.exe

C:\Windows\SysWOW64\Cdmoafdb.exe

C:\Windows\system32\Cdmoafdb.exe

C:\Windows\SysWOW64\Cdolgfbp.exe

C:\Windows\system32\Cdolgfbp.exe

C:\Windows\SysWOW64\Cgmhcaac.exe

C:\Windows\system32\Cgmhcaac.exe

C:\Windows\SysWOW64\Cmgqpkip.exe

C:\Windows\system32\Cmgqpkip.exe

C:\Windows\SysWOW64\Dgpeha32.exe

C:\Windows\system32\Dgpeha32.exe

C:\Windows\SysWOW64\Dmjmekgn.exe

C:\Windows\system32\Dmjmekgn.exe

C:\Windows\SysWOW64\Dcffnbee.exe

C:\Windows\system32\Dcffnbee.exe

C:\Windows\SysWOW64\Dnljkk32.exe

C:\Windows\system32\Dnljkk32.exe

C:\Windows\SysWOW64\Dkpjdo32.exe

C:\Windows\system32\Dkpjdo32.exe

C:\Windows\SysWOW64\Dckoia32.exe

C:\Windows\system32\Dckoia32.exe

C:\Windows\SysWOW64\Dkbgjo32.exe

C:\Windows\system32\Dkbgjo32.exe

C:\Windows\SysWOW64\Dalofi32.exe

C:\Windows\system32\Dalofi32.exe

C:\Windows\SysWOW64\Dncpkjoc.exe

C:\Windows\system32\Dncpkjoc.exe

C:\Windows\SysWOW64\Dpalgenf.exe

C:\Windows\system32\Dpalgenf.exe

C:\Windows\SysWOW64\Ekgqennl.exe

C:\Windows\system32\Ekgqennl.exe

C:\Windows\SysWOW64\Edoencdm.exe

C:\Windows\system32\Edoencdm.exe

C:\Windows\SysWOW64\Ekimjn32.exe

C:\Windows\system32\Ekimjn32.exe

C:\Windows\SysWOW64\Ejlnfjbd.exe

C:\Windows\system32\Ejlnfjbd.exe

C:\Windows\SysWOW64\Epffbd32.exe

C:\Windows\system32\Epffbd32.exe

C:\Windows\SysWOW64\Ephbhd32.exe

C:\Windows\system32\Ephbhd32.exe

C:\Windows\SysWOW64\Eahobg32.exe

C:\Windows\system32\Eahobg32.exe

C:\Windows\SysWOW64\Ecikjoep.exe

C:\Windows\system32\Ecikjoep.exe

C:\Windows\SysWOW64\Eqmlccdi.exe

C:\Windows\system32\Eqmlccdi.exe

C:\Windows\SysWOW64\Fggdpnkf.exe

C:\Windows\system32\Fggdpnkf.exe

C:\Windows\SysWOW64\Fjeplijj.exe

C:\Windows\system32\Fjeplijj.exe

C:\Windows\SysWOW64\Famhmfkl.exe

C:\Windows\system32\Famhmfkl.exe

C:\Windows\SysWOW64\Fdkdibjp.exe

C:\Windows\system32\Fdkdibjp.exe

C:\Windows\SysWOW64\Fgiaemic.exe

C:\Windows\system32\Fgiaemic.exe

C:\Windows\SysWOW64\Fjhmbihg.exe

C:\Windows\system32\Fjhmbihg.exe

C:\Windows\SysWOW64\Fboecfii.exe

C:\Windows\system32\Fboecfii.exe

C:\Windows\SysWOW64\Fcpakn32.exe

C:\Windows\system32\Fcpakn32.exe

C:\Windows\SysWOW64\Fjjjgh32.exe

C:\Windows\system32\Fjjjgh32.exe

C:\Windows\SysWOW64\Fdpnda32.exe

C:\Windows\system32\Fdpnda32.exe

C:\Windows\SysWOW64\Fgnjqm32.exe

C:\Windows\system32\Fgnjqm32.exe

C:\Windows\SysWOW64\Fnhbmgmk.exe

C:\Windows\system32\Fnhbmgmk.exe

C:\Windows\SysWOW64\Fdbkja32.exe

C:\Windows\system32\Fdbkja32.exe

C:\Windows\SysWOW64\Fjocbhbo.exe

C:\Windows\system32\Fjocbhbo.exe

C:\Windows\SysWOW64\Gddgpqbe.exe

C:\Windows\system32\Gddgpqbe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3204 -ip 3204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/904-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/904-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Ajpqnneo.exe

MD5 7286e3a1dc2a7b5da0ca6e1b2b5caa19
SHA1 1915d7d30a960f690f81617670d2c96b33f446e9
SHA256 13c15edcf6daa34a7661b835e9fcbc7cfbfb3859226e3921c4c6ad4f5714466e
SHA512 74f3f3783a86f49180ee6f2706ab7e478405d2d77f59d703d1b42dd43f270e40fe2d6e3baddae357071af9a97966bed524bcce5740d20c70f416e12b8b106ca1

memory/3896-8-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Afgacokc.exe

MD5 f59e263794fcdb27396be0428cea584f
SHA1 26297f65d8599577d3cfca345795455831d1e303
SHA256 cb2b9cd374a5779769698608216d9c0f3cee9d18baf89575b1ccf8e257869026
SHA512 629bff1b4d169cdee9a7644c266531c83b4f7ba2546edab1219041a3b0ba5d37dc414d76c0de210de5b6781ec979c199c347dd75183624058e927b7a1a4c3778

memory/2856-21-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Alqjpi32.exe

MD5 acd816e2e0346da821087dcbd321ee3e
SHA1 f61987581d81cc3624ad3d75d9d579a420ca1189
SHA256 c7a8a0587e0264c6a61331e120f34d42ffef56f9a2d689f94030b2828cd23a8c
SHA512 176654744674271014f2689d816a3d833e6f89488febb73ed47a62cef3ce74da0e9ea44d4243772ada12c06707dcd16a47308a889e3b33367f9c71017e121192

memory/4404-25-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bhoqeibl.exe

MD5 76e446b3c4b29401f6ec81761ce3d516
SHA1 f585ff27ba84ef11e114a4643c73f664258d4094
SHA256 7fcadef2bd9faa41727d2333a7e1dd5c33e487b7edb916e428f639c1f8d038bb
SHA512 3cab2f1774907d75b31b2a97538f7b2b530264fb50619db0024d09008de2b8f822bbfd2514a819b32941b5964aeed795cb93f87a7f2e46bdfc5eeef9c8c6791c

memory/1836-32-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bjbfklei.exe

MD5 5b95bb2ac6bc40986369a2f4513a50f4
SHA1 174a3af958db0c92bc9c851b08fb751c96966713
SHA256 901c9572e8732dd86cac1294183a407f7cbcd0abdc7e5a351ab5728611f3162b
SHA512 5dba212a802f8d3f10ae53840683bb042623aaabd075d756d396da5f5510d52b4775e9dad337040d3bf712ca7e7aa8be498f9eccbe1f8f8372831cba290eb6ec

memory/232-40-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2980-48-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cihclh32.exe

MD5 5d3677f9101342d6faa265c8aace7b53
SHA1 387c89f43e5efae837bf786f021826a34840615f
SHA256 153de7da438f1daa6c3ffae2e38f451bc83e3effc1a675c97b8aae03a90815a5
SHA512 b586f90555391fa8781bd9b20255ae2c475a286fafddff8d6b20ad1861c24c8b68ece147ef9bd4cdee3ff489766e7c5e6a2f74564e90e730545d317e9f8fbc0a

memory/3936-56-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cijpahho.exe

MD5 acd93bb10343a6b059f469b1bbc1f039
SHA1 5d9435dbab3c59aa8e2aa12ed60c6a5009b667cd
SHA256 789276526a2a0956092ef7fb4d212654bd2e02c1ec54ce8f4047919282765092
SHA512 3426b8f326abbdf6bd3aca6134e3204cce3bae1fa4afbad28bf801026dfab3050b6810c89d4455e01bf6d0fa3c6ccf164eb7d80574d62d6683073911c77de245

C:\Windows\SysWOW64\Cbeapmll.exe

MD5 a53ec442c367aa43d64abeefc59980f4
SHA1 0248bf8386e764e570e22c22d73394804832f60c
SHA256 b33b9b42c5f0574d78ba5cf8542e8ee7e45ee1f8a6a4fadeb87aac8a7fe57f08
SHA512 77b15fdf1668ccfecb4753ec93eeb19d3ddcf615f5878fc7a224bf034791d3adce023a9e1c74ca76ff89d4d650fd0dac015b57cd1e4964e6ac24171fcd30397b

memory/1004-69-0x0000000000400000-0x0000000000433000-memory.dmp

memory/348-77-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ckpbnb32.exe

MD5 2cf50a11e54b5708efe40dfac86ba6c2
SHA1 e8a44ac71477f05a2d23bf495b6cfc0573364d4c
SHA256 15837452a3e57aeb63913ec90cd5dd36b48edbb511949524d2802d92b20a2c15
SHA512 23f8e14ec0a26f832103b8fdce815ec2c96b447d644c671a0c69f7297672b5d400888c369dca085d6c3e1aa224280087c2e41c56d6903b132529729597a4c4d5

memory/2352-93-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1656-101-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Djqblj32.exe

MD5 e2d92111f2a20d9bf87b7896f5dda967
SHA1 d845f8c2975f93560ce03c2df4491198552a0a65
SHA256 058b98fda844384ec9eb50a53da3fe263c899176f36cbfd8c7fc6d6dd70df237
SHA512 61eb1d151f4c5e8f7e0c052e3c563145b0537ec993285e6971fa5d97a4dc5584c1e40c22a3c86cec15a4c0e10343f4ae6502533142098e1103d6bcddb76de01d

C:\Windows\SysWOW64\Dmoohe32.exe

MD5 975b277163baf6834e9b1c7495337cd0
SHA1 90d7f61a175fe15d310091eba1398dc59f70ae82
SHA256 1a9881aa6225a581aba02bcedac2aadac9cf5e5b3622cf6d054e9417ec4497bd
SHA512 d2d71de4e7359b165ac0adf17dfa4081e6ab88696527e9f4c163b8bec4ed7ae325c4c81428463ecaa86561c82b094f10f770ed4e5156a901a3ed1a03447e6184

memory/4548-133-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dmalne32.exe

MD5 6fce65e63311a777b938e266301adf8b
SHA1 a4f84cc4f3662d669eb37309ea194dbaae068437
SHA256 430f7b48128a6f30da1bd29456e3176199ec348ff5690ba8b98c6f203590acb7
SHA512 c13482c708581bf7d20ba2215396569b8da00ee0f44136a9be6ba94cb73f3137679de380086d7e17746ecaabda357a7455c7f20b81934c2629bcebbfda4293a5

memory/3044-173-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1388-189-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dlieda32.exe

MD5 fc7af0f956f0e5f20646be6130cc14db
SHA1 9dc718d00273faee9802d901db53de4bd480b708
SHA256 3a3c903ed73687f9827590e4a52a7285c4cb5f85df308162589bc22c4433f48a
SHA512 7f1f87acd6466216bbe0680e1381b65f08f8020467089f9ebf875ca9044c361fee1f35fcb4aab3be96e73a8e5ec87b02d8606c8ec026e97ab1044f5c35f1267f

C:\Windows\SysWOW64\Djjebh32.exe

MD5 e52fd32f726d43069040a1c7289c4bcd
SHA1 a7011bc7f28fc87852079e5c23b10c000cf6d6dd
SHA256 61c232ed57e720bed36b9082be0728ffeeb3745468a1f497272ef3496c6b1a6f
SHA512 599e43e6df339e435a126aeac6ec4249507147ab812f7711bcd03c2b2dbdc90c6daee8c1229fb729eb30dca82f8cfbc40a95b969b2d531be121e8aeac9e0e667

memory/3892-237-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ebhglj32.exe

MD5 8563325cea1a9ce8d2e7bb4862e3e8ec
SHA1 d319e39707f71b84c39de482d8a857e7d768daf5
SHA256 648c865a3623f41f5c2a8459b6eab0ee746053e3edae5f4a9afe52a16e7d1df7
SHA512 a43536bd70404b55b2eee5b82189a708b718ec80a0888bd722da82a3ba85aca842a21e72de7274296479db287fe5e3dd3867c4ca4886261d0d650b6f6ce9e0f7

memory/2372-273-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1328-297-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4888-315-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1676-339-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2448-363-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4212-393-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5744-570-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lcggio32.exe

MD5 210287e970e8617b2b9fc70d7b6c3bad
SHA1 ad43e26f44180afbe8f2ab88d1dae57a94e5b90f
SHA256 1fe5f81701181962214b7e0c1e0054a57bccac183ca341513a681211ebed41bc
SHA512 df9c04af2beabb8c0386bbe10ffb970f48d8bd9b2b10fc44b2f51e30201e0594d5791f2010c63f741cdddc4498c15d7d226887eec60f69766a0ce953f69075f1

memory/5916-598-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3936-597-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5872-591-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2980-590-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5828-584-0x0000000000400000-0x0000000000433000-memory.dmp

memory/232-583-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5784-577-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1836-576-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4404-569-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5700-563-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5660-557-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3896-556-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5616-550-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5576-544-0x0000000000400000-0x0000000000433000-memory.dmp

memory/904-543-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5536-537-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5496-531-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5456-525-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5416-519-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5376-513-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5336-507-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5296-501-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5256-495-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5216-489-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5176-483-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5136-477-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3168-471-0x0000000000400000-0x0000000000433000-memory.dmp

memory/548-465-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3668-459-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2556-453-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3388-447-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4508-441-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1600-435-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4168-429-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4464-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3008-417-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4912-411-0x0000000000400000-0x0000000000433000-memory.dmp

memory/796-405-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1624-399-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3868-387-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1868-381-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5024-375-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1968-369-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1744-357-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4132-351-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4984-345-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5052-333-0x0000000000400000-0x0000000000433000-memory.dmp

memory/728-327-0x0000000000400000-0x0000000000433000-memory.dmp

memory/372-321-0x0000000000400000-0x0000000000433000-memory.dmp

memory/860-309-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3468-303-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2928-291-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3488-285-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3644-279-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3940-267-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4328-261-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2524-253-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Elnoopdj.exe

MD5 2da893a25fefea22f4c485dc119c35fc
SHA1 75d9d9ab2c11001f6791e34183e619088ac999ad
SHA256 8fdb4b70e35bf360dcfc81a3e1321bfcae91eca8333871a5bbbf656d315a19ec
SHA512 b0f40a7f2432282f13ef62a80b9f01e9318caeb8f25bd09d4335070cbec8a918d37f35ffcfe5dcbd7978228cc52bb5acd6854a7c0c5705b0521cf6c7eb225255

memory/2592-245-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ejlbhh32.exe

MD5 018fc45aec46f7e1e59d5964c10f1caf
SHA1 9b1feae2495d593a9067e03b59413574e1bdc909
SHA256 12efd614536959a1b6ce273e6f10190c54ad8ef8378bd71ab6be468d1ae07ff6
SHA512 d10a8b3c6cba0702ffe1a8191605bc92cbaf7ba2c0e423decfff0c2a3ee7357a248f7d4412ab338887888497f503b6596c7edbe879d4460106f415a72f1bdd32

C:\Windows\SysWOW64\Dlkbjqgm.exe

MD5 d54729c84223aa21c63d7d2837ac3674
SHA1 3b60a24b5475cda4405e45e5e01c34ad2e08ce3c
SHA256 8bf0a1713a77a8b976c07fe8e3f629a42cc5913c792e3a7b084ce7156635c57c
SHA512 5b98fd34f24ef6040655f26ea264d01029ddee76b880917adef29dba24a04f9b5a954785dce3b232d79a271786c5545a08b8874b3a9344294ce9fa38724868b8

memory/1312-229-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4028-221-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dcpmen32.exe

MD5 a09aabb72cd8584f883d8372cb8fdb37
SHA1 f475138b89477c9f3a24aea30f7aa480471b8d98
SHA256 ca60b337888572acfc6dff3ee1238e716ec1a0e56eebda89eb728d73a878d321
SHA512 61fb2ee879de1ea835d46892c338279b7ca295033750e1354528f747c10fa8c59f1b1b9ec5ab14d8c3d6d80574f607ec069497f7e5caea29967c030bdd7e48a4

memory/3396-213-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4040-205-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dikihe32.exe

MD5 0057319d80abbe72248057119436ee54
SHA1 b036f4c01b963ad658d9be42736bee8d97b5f73c
SHA256 279458beb9ad0c45a8c201781fd8d58c8b1f41de8db34acbc730370e8cf09f68
SHA512 3f9718b7bf99f62f45fb6620cdb903084615bf2bdc5fbc11e2486592dc68086877f06d5b2ef74c98b50014e104174b9d4b26fb0496852fcb4442d683a362dfca

memory/3120-197-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dflmlj32.exe

MD5 253d7967f6f3afdf23a2f2badd7414e0
SHA1 8fe47de4d8dc8ff2ca3e2c38b9c4ae7ffec9b948
SHA256 14e021d56a2ce5738e53e7fa26adac03c27404c1c378b858ae880e9cc934cf83
SHA512 2eb8224965c09b912c1463cdd27cfb8f328694f88c8e51b769c53e12483e877b8e73e4a96c912f84de4eb958b38d57cb11bd21be850a27dcd94ca085b3fd5ee7

C:\Windows\SysWOW64\Dcnqpo32.exe

MD5 a01a9206539b7d6feeeae780622259f8
SHA1 0ce71e95e71969f481cce107a5411f76266d09b3
SHA256 289762289bc3910164ccb2e078955d244452f0836fa85ea6030f2abdaf1e0f4f
SHA512 b9eedef90c133bb72c3fc7ce571e1edc658355388250e88da43044e7eb70d9eef5937e9ba68490156ad483e55cbac63bb495613a01270295f0e29b4a640d98eb

memory/2788-181-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dlghoa32.exe

MD5 1cf3f7325cec6f76c45506301e87a592
SHA1 7a3bf53cdcb9c4d0e1eed7d09f476a310928fafb
SHA256 9401f03dc1efa75d31711160fb873b049952e8c525eac7dacb3dbd03a275116c
SHA512 ef00830efeb0c5532cd5b4735db854863fa0903eb30d14fa6efb013d69b3cec3bae3f6679e8380482a67f831e849bded10a355127793e4c85b228ad2e46ff522

C:\Windows\SysWOW64\Dihlbf32.exe

MD5 39695e73585d09e3346c85445904bd5b
SHA1 15000aae1f31d3d45f2c584a824a53a5c1cf1463
SHA256 5cd500a93eb05a8da13ec341aeb499cabc4f5c334d8f17120156d6cbd40a2399
SHA512 13635542a235cf8b303ef821027deb9208473c1baa739a43babaeeebc4ce3be61c4941050e9bd99add0e3788bc694d0dcb17249a3b798993d20bc76d6ee4e1b9

memory/932-165-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dfjpfj32.exe

MD5 963dd0d7a24ebe92dc3c0b177d159732
SHA1 ec4bd1c1073f87f46530e47e89e250e9796171de
SHA256 f69b16b097e95bb85309a7acd6af549b5316c443c7661d2779297ab806208bcd
SHA512 1f25c08b052e73460454041e70ba12b8e61b451b7d9572684e3458081fd19469003fb56970271a9e8449fbee405d4103b0ac83d334088608a0c09be2421d23fb

memory/1696-157-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dckdjomg.exe

MD5 7dae4009429764f170c1f510f4e573a1
SHA1 545a72c9ed7b656a46eda4cfc191b6fb40a72d80
SHA256 fb5270f893b1361faa241a5db98221d11ed45c69a521c2fa8bbf20300ef01e25
SHA512 ac1d0c7a52bc47cf6b157d88a30f8b30e717a414bb8668eb44bc8446208d211db18c5a8cf28a929712e5eede24de2185b3a3659748c4dae221e2b3aa1e0bdf98

memory/2016-149-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1672-141-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Djcoai32.exe

MD5 1bd220683b55694c1014b2b2871c9e4d
SHA1 4ce3812f1fe9854da7693a8d587344143434706f
SHA256 bdfec9934ec0942c7eb34398b33070544f83f12f4510a382b84dd3a1476be9cc
SHA512 b6d0032a413fc2e49be49bb9a42cfa24c509c9d012098849d8e16123cc4d23b25633ec5ef5607d5c5b56758df434d297211d1916e405c3e51aeaba5028c90956

C:\Windows\SysWOW64\Dblgpl32.exe

MD5 039495bbc364d6dd142fac94c9ddefaf
SHA1 68031ae120a3951b3a88549281e3a8e685ac5bc6
SHA256 aee7f60dc25b8fc1d7c1ccfe6b93d8ecad8357421c380f0c767de0600e61409c
SHA512 4d2314017e422dd9767457e50cd3995b7dbb1ec790753988eaa9490f7bf97798b20003daafdc05d03a827d66c81f8458ad5d07c1bd633b6ed05ba9af3826adf4

memory/2944-125-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dpnkdq32.exe

MD5 d2c2ddf79403a4ee57448e6eef3c60f1
SHA1 06a8611c79dd349506dcba9d075bb0425e5164a1
SHA256 eb273a4a8d4911c6c6931d06396bb2b435434a2bb0bfa511c2828bb3b101b5f9
SHA512 56544719593a3fd0d92ed2c70d3291036d8db7834715445e610a42a953237934563482b8e3bd607fc46f93407cca82fac020060da3083437706af9e41bebcf3f

memory/1140-117-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4572-109-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ccgjopal.exe

MD5 558b6b2bd633d5620de00ec9f3f6d1f0
SHA1 1df7857e0af3c00149e4d280a2277b39689769ee
SHA256 1c0fbd8e8a732a2cf0488f500960abd72424c86169f6646e844fa7a5e8ababc7
SHA512 091f986f14718fb95ee1eca652bca6c31de25642d4035d37b985df47b461dbb390f182bb759f615245d840dcac04dc137e8203db001261d6f5f7cf1266889fb2

memory/4968-85-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cjnffjkl.exe

MD5 ab38b3f542caa6839f99965c050c7692
SHA1 f095089cc470c5f8f57ce648ab3ed87b437ab5f6
SHA256 0fd2af20ca3e13915ccf90ae791b460762c0063ae080c7d633191da97ae036ab
SHA512 89bd79ec10f8a3d9fb4fe24a6508bbc77c4eca05787b953c1c6d527ef03c222e74f20dfc9b6a366373dcbd1982a5841b695e110044f5b70d0f35edc012a36024

C:\Windows\SysWOW64\Cjliajmo.exe

MD5 adc63224fb47ee9ade2d00571ed09116
SHA1 64e2ef2f821a238f5cba297ece0139056784d5df
SHA256 427be6f8ee64621a864ffda5e8a8c4695a90b0ced4eb212aadabafc723aa0c63
SHA512 d38eb2319b13641a7851b9a7375be808e5643517bd87246e99ea1705ff3ad7f4dbb365b11293330b7b70000b3c51a1cfcf24b2e1b7bf65da9efbcaf501dcf09d

C:\Windows\SysWOW64\Mjkblhfo.exe

MD5 ac344466b10119353062806925b98b51
SHA1 6522fa83a431fa565b2245503d9310e26f457c25
SHA256 3283d091e2bec60cfa64c6b79e3ff0d6126248d1cb9b1afcf2acf792d892e4d9
SHA512 a0948cfbc46570f3872f03d81002c6abbd8d164d3d6204b632f54ea55cb767b3a851172733094ee9cac40992770bbb4faaa45cfb31d9d408743c0671e3d21c02

C:\Windows\SysWOW64\Mkohaj32.exe

MD5 6183d91e7e8171c2f7758ae7e242984c
SHA1 a4ebf4bc1902d73344aa1d2df8938217b0a9574c
SHA256 82aa0a55d8e0bc0420ac98e5ca049fb82e265bf2520b3ef52c07242109debd80
SHA512 6f5b1283323ebf303567e2659bb979e5a5ebb3391440c6c1e260a4ed44c7a6924951ed84b4b8c7deaa08e248fbe58580221c2c07cad66f2e8e9cc00f38dd89a5

C:\Windows\SysWOW64\Mgehfkop.exe

MD5 898a202039f794c088dcf65e820bd34e
SHA1 e9a80ccb77ee167c32ebad74830fe4896a7d419a
SHA256 95417076dd440c5be21a20320666821339cf1f9ba8beeaab8cbe46e741c2c4a2
SHA512 2d392a821b578643754d50efaea02c245a360c21ca6975141b399dcac7d9caca1c782fa5215ef7f19db859aaf59dd1c09eaa3bcb4339de29dff58f75c3bb565a

C:\Windows\SysWOW64\Njinmf32.exe

MD5 eba2c1bab5c28098082e164549db4c8f
SHA1 f4fc9517c186440d49e451b899d303b0a74e4043
SHA256 17c32b834d21cc7ef34199140ef866ecc8be28d3636d0436ba67a69bb792c37e
SHA512 4b7671a7f78ca2b15a3265d26b628cee9859aa206668ca6544444d1b0ffcb7c3dd1bba8db4c8f975c433702c3f915e7aa17cd5c720372c5cf177e5e025870521

C:\Windows\SysWOW64\Oloahhki.exe

MD5 2402f43531e081e90a0b3d0bbf7311c5
SHA1 50f236c26eac442427f5a02191602520e9f4fefe
SHA256 127eb3de2bbb18a651c8543aeaa4d92ba4b3b7d20e0ae2f869adc2cb31b36502
SHA512 6b8ac325a9ffaf92197da3f232dde9927577c57d2b85a5fbc5d20d5a6a52624cad3c5d923e19ef03fe21f35714f51cbddad12ec2a7b4578f2f6943e8ac1af0ab

C:\Windows\SysWOW64\Phodcg32.exe

MD5 068be1df6ff5ada415f023c6c3623274
SHA1 7a05eb22e1d26d10452b10c878cbb0213fac68c6
SHA256 e7eb479149975186a5bade1b2fa5e006fb98916af005e319dce30387101d1d49
SHA512 e04f6847f9662034a49f9e310541636fdfa47d041ba4a50e0495e36f71bea2ee693bd352caf9d702b0685d1fe38fd688edef56e9efc7e96591d002fe5253d2ee

C:\Windows\SysWOW64\Pldcjeia.exe

MD5 c47fe615c9e4738a4c438292b89412b5
SHA1 257f6cd7dee756baaa9ff812099b60a6a317abba
SHA256 f06bbae57af663c0b2099646092bdc84af8f9140942549436d98bd33c6b48dfa
SHA512 0b3ddd322d3c8ee93dc56d58e79e4496f244ab3fae01e13155aa31ed1834e64c36e2d08d14928fa8c81935298ff3763c9ffa4310b5d8a15939b1c03ceeafd206

C:\Windows\SysWOW64\Qeodhjmo.exe

MD5 e1bcc964b2e25410db12fe051b4a60c6
SHA1 a901b5a7d3754100a0e920d98abe3e37531f36d2
SHA256 1274795c62a8e2d42f9dec09a1fb504de1472e8bd1d3c1353d1e05fcfa3f231f
SHA512 e5d5eb3b0f58a3bd561b5afaed3b9bcb9bea4bae7b5700bff8a32b7d5c5663fc0dbb4e2aa264165a47acf2f7540bb5d119bc9df2c127c4853be23317bc4e76b5

C:\Windows\SysWOW64\Aahbbkaq.exe

MD5 ffb807ccf1f46c6ec8373b2ba23720ae
SHA1 39d29d20a3958c5ccc3c80e711e82fbe3ffdcc9b
SHA256 38ff75ada78b4d563471e7f42f22407e9afb67c69b1cc9f94ad523f509ce3175
SHA512 86e6ee266d2ad34faaea5be57bd958dd417768a9dde83b4a23ab4ae6cd6530a099a117b456dffdd108162705c7d9eae8c4eca1868bc5986103ceba38843af5ee

C:\Windows\SysWOW64\Aonoao32.exe

MD5 a207a0ad49851567261437b6e7c86221
SHA1 e30d78a3a888d731efa2c9f066c58a574238ef76
SHA256 e2f01b6423bf24191d849ef64b8621567fdc9218e35d7619368208a7e2521729
SHA512 deae99fd383b4d850053fab6d73d8ac269913208cf50caa26b92fad55d673337cd239d48152cf3f3367ceb77408fa950cef4c48c7cf4e2d037f40e45b04f6fd1

C:\Windows\SysWOW64\Aekddhcb.exe

MD5 e44f4f3c2b47709c1a3f9790afe652e0
SHA1 690d3fa11c7a767722af8c3d514c221fd381aa85
SHA256 52b711e9b298042ed39292d17cec948e068a7d68ad9db060f2f657d8346a1401
SHA512 77f85951dc1ba8c60ef410668b96647fad61a4415b01a82687a0023d01d752fe62a3228c59cafba7cf688bf6d3963faa99361fee61818906836eb3926f744baf

C:\Windows\SysWOW64\Bklfgo32.exe

MD5 727a8858d13856b8ebe92d750b3f0c32
SHA1 c7d83fda9dc555ef6b1a276902b1d58f84365e90
SHA256 6e8b4238075796f0586e994223d31e259dcefa7422e68ea3b2f4bd6d7f9441f3
SHA512 822dd348952711d179204c2c69b40a064db2137255a0902dd7a2ee17aa73003a7cd4f8cd988511cf9fdebcfeb8c29492657344313027f3f01b8908a7b002ed17

C:\Windows\SysWOW64\Bnmoijje.exe

MD5 b162ce28527aa6b867a9c3efadd8de14
SHA1 5d810912e5110bcfef64beafd7a2bb2996f445fc
SHA256 b1f716d116dd14ce4813053c2aa6f37d8dc17e5f527fa1f8831a171b914e2da4
SHA512 4a9ddd876d28787700f3411dd523ce29b3b74c7cf904928751b1c741cc91bcc9967300b350b10a72069ebc25220e94d137581d7a702f376f33100fa64dd30f5f

C:\Windows\SysWOW64\Cnfaohbj.exe

MD5 67c5e0870acddbc867ec1b6defc237ab
SHA1 548f7fab3c3c43efc78525aff8e3ddff57d8a067
SHA256 e028846e0f2ec1e529d4b2d6feee5828468af236a5cfb08c9db35e2f14b01a76
SHA512 c72e955baf0d553bf4c1b46d72fd87a099a014f2f779861b73ba603f61a1bd8c668ba48943551cc5aa00fd3a0d834124af642f0491842842f36a1f5d966020c1

C:\Windows\SysWOW64\Dmlkhofd.exe

MD5 c6f3a27f63014d8a5a1c7fa48d514865
SHA1 74d548ba03c30bd49c885edd3118d7ffd534912f
SHA256 433ac9e6d10452ed7e7888ec6a557385fd208dfa653f95070b909afce59132b1
SHA512 33341eb4f2666fd47532ea55ae443149c66cc7e4883c8742ed82deb6cbfcd8aaa0165ff2dac6b6756ca68f10621a04861af55153bcfbec7e9a68fe3fdac05565

C:\Windows\SysWOW64\Domdjj32.exe

MD5 559a471243c4254b652518e8a885374f
SHA1 0bed01c1aed0d4de397c9d9fd8169fdba3351335
SHA256 bed03afbe4ccd35d12d0e46b3f21b0d912c32e7e1457a0a989258901b05de72d
SHA512 760f474a38d70d1e68d5f69d2dbcec0d42a91b96c1c119277f85e1f7a4f0d027b2972ba0b02cc680256aad27f27a16d2d207c0dbc02bf5f4b1d92ecfe882c3dc

C:\Windows\SysWOW64\Dkfadkgf.exe

MD5 b48c0b0bc1df3625d38c1fcc71938064
SHA1 b4a68e0635d5a148708e652a0ac85acfc638e52d
SHA256 f9be50be0e1ea7824e55e29ecdad01a2c53ee2a3e7db2f3258dab3317eee1484
SHA512 a5a7d51a0a8afaa8c94e038906edae8d209c37e3b3faf1dc39b4118da50e14beabc010746596aee8f8c11070fa7244798b27cce50a6c302fcc89e3f715968dc9

C:\Windows\SysWOW64\Eiloco32.exe

MD5 44ba481dafb12bff89495ecaf284891f
SHA1 f5a24b417c06ba0013f594cfbc7f7ef243b2ac7f
SHA256 1cea9eb1a548dfa632dc87ec4aa0b15d16c5b28007457e72451b33a98379965c
SHA512 73fd41a445b2b20fb56ab2542611a5c80c4b8da8115064f4c7d38f2ba817115c611a7b14bd6a69cd5339a887b8f90407bafb86759069216c68dfbf3ba864ad06

C:\Windows\SysWOW64\Ekaapi32.exe

MD5 29372c184c6c3652b478bb2a39203627
SHA1 955a912bd17ba5d6dc6e263c5ebc76d06b8cf40b
SHA256 3113d198a28b43e412535d59774e37ccc325990edde1e6e6a5642a851e11e9aa
SHA512 cb3d876de36ad11403c78f073d2024fb2ef80ae15685eaa0ed65abe6893319f6064e3c8c6128c0f8be5e532c42beb3518ebb4030d7c77f5dd877fbeb3010a2d4

C:\Windows\SysWOW64\Enbjad32.exe

MD5 ac2c7e4ed85ffbd643a67bc53cec13d4
SHA1 c4f63a327bab5c519f9b254253571cc348b7c5e6
SHA256 b607d6d79a87268938da3d43c92c27ea64e382d47e41e1cfde14a571efb832c4
SHA512 52bec4ab38cb6d3389dc31c056675e645f08364c70e426f9219d74816d9303b8c6319dc07c4fc7aa8252cffa6d8cb5a02c209118eff2b2614906f5bcb4ab3559

C:\Windows\SysWOW64\Gpnfge32.exe

MD5 7f277d98f326429d8b0aab677090105a
SHA1 46299d9cf8040ceb3403bf2821275c7042dbc344
SHA256 e884ac671cac4c7087c3caa5aa8ac6dca4dc68f12a26ebeea23f5864425dfbe7
SHA512 eab659307fe78d7aa75383c6d0e6db24a3ca975185d562266db93e6a10c5501ab053d93716cb7b2fef44a210f38ca81994c6b7925502a4e607dcd9c9e90ae343

C:\Windows\SysWOW64\Gflhoo32.exe

MD5 e3e483f38079761428a263188b47e63a
SHA1 3eddcbafa91ef86d20e021c27fd4beac485f41a8
SHA256 42574c61651d6b23251e93e9aa0224bb8347f588817e8ec064675f1cf869395d
SHA512 c199a9223ebddc3371bd5abb23aaae3c21eae3779bc8890ea99e55a764a47d259a0ca14f17d8204a3e7643371080ba5bc05487e96ffa1b95893c16285e55c5de

C:\Windows\SysWOW64\Ilnbicff.exe

MD5 e573752bb272bb96909175832a53730e
SHA1 5bc482f78223f90748a067f9f24383533cb2e064
SHA256 0e9f97e7ea2b49c1e36f2340432208849744592a56a738cb4cabd777cf4e83e0
SHA512 fff9989e396cf646403572bde431c41041af5f25f73c9292faf5ae35c7a45ed5ebc4c98ab0f6e1bf2027b6817958b6d3f46432ab3744c334f4bc801227ecc225

C:\Windows\SysWOW64\Iefgbh32.exe

MD5 618c83bd22739957830b924d89e3c30b
SHA1 b1e97a8b7db5c56fdfb48a97d5967c5ae9f0cf2d
SHA256 53904352eba7ade6b9331eed8833e864912dc6a0090d9ee28c9e987dff72dcbd
SHA512 ec81bc0a535f8837d289bc4da71ad4cd107d96ec561aaa55f62540d6b2b4397c2bfa6d267327bc531fda7ce24471d6dc9659f260636dace6580fd78fa08fd92f

C:\Windows\SysWOW64\Jilfifme.exe

MD5 61ff80805e325b8d274ff179623dd0df
SHA1 efb351b96f09096dad4dcfa60870002fdc325d0c
SHA256 c624450bac951776f19966ab0cd87309ce7cc0ae02328c8f064128b1c0daa091
SHA512 1482b736527357e8334b8630c2e7a21d3df47525dd86f17c36fe875df1bdcfa109d6953cbf52503f40dd3ddda4c5280c90adb3edf8a6a85413dcacf199c5a298

C:\Windows\SysWOW64\Knnhjcog.exe

MD5 badb716e74cae29e913a7ed831f31867
SHA1 380f414800acc990fc1e2b9a9a248c94179c8600
SHA256 ba8d9c6edb4f0c20ae86b506676986a1d3baa2456cabb32cdee104b8875306b2
SHA512 f0c608b64bda0041e93d064e31779b427a832e143c69fade65a3b365e9087e01eedb436ec7adc4c6703708b4cdbb28efbbbcbe085012624138bcf93ec914315a

C:\Windows\SysWOW64\Kcpjnjii.exe

MD5 98ebbbb64e75c66c712ad5b93d493b06
SHA1 3f84ee61aecd679484794e611f9a0c9b3917d8ec
SHA256 6a61150bb9770b9515aee923daee57a5191b773b9ec9256b67acdb4220dd82f7
SHA512 a4d64b476134baab0934916d557390e7303f1e6213e339d5a8671a36ec05cb5214dd9184c43d1654bec96a4500ae07e34eef820d7958c79944ac1db4bc0a4c45

C:\Windows\SysWOW64\Lgbloglj.exe

MD5 bbd589375dbd42e47756c6116c97f2b7
SHA1 305a305858d756c273dc29d99839191099bb080b
SHA256 e913714319dc1fbb03871d7af4f9ec726719c59b20f493a758f62c38097aafca
SHA512 0a2f7bd0f14e12b1cf5a93182b428b31bab39736a9b804b2d954941ab5174938187d7f9b541238c212bdfb4e30acd61c0b269f42c52be59229c3d1d6b1432ad4

C:\Windows\SysWOW64\Lgibpf32.exe

MD5 94dcfa19bf75558636a75c6aadf83a65
SHA1 055a922104c593236ad2ad0980b687b8c0d07de7
SHA256 9b1175c3b1cfc32b42fd9d4bfc1108a73a9230a57f8ff26e8fc27266ed58f74c
SHA512 f9b748517c71640202e0e4f0dd465b47c8e9029766fca27ef08fd6ac0431d8948bce4eec69b905a51716685507cacfdeb4451435e7dd93141c8a69b045d4336a

C:\Windows\SysWOW64\Mmmqhl32.exe

MD5 22a915d8ec1587e9d9b708805cdec071
SHA1 ef3d93d6e99cfb58a0ebe0d2dffcff58bdec0fe5
SHA256 5eb7b744ad57e713ff1db4b4bc3c73da52f162e8b5a49ed579f895ada26948b3
SHA512 6ec18e07add5bc8efc57a3b40de1fc8c7ec8d839cfdca203bb31cb7621fe66fe2dc1d5130fe891fc92147266868bda8b5561da1c298a7586ffac1c666bcff367

C:\Windows\SysWOW64\Opclldhj.exe

MD5 c0aebc4a6cc96a45e15a642ffaf2cbaf
SHA1 51a31fce8e4bfb9ac69a7d884541e143b0f90cd5
SHA256 6208115f009af3ae32ff98a256cec6c01fd0683b90f03a0712134ac7d7dea8f4
SHA512 59ae9f3064b67c501dbd04a82e328fc1fff2b24866cc32881f1f96729c7f15b965e3bddf37738ecc4840a58e5c13f3110eb69893f5be1e8509e98c9ca331d895

C:\Windows\SysWOW64\Phajna32.exe

MD5 e10b57d7a1f9ffc40a7054921d50b5af
SHA1 62a0ffb41728eb352a7ec95491fd0d59a1d51afc
SHA256 cdde912fefd2776089af3f71f306676f2a23309bddc2cd5d62d391220724f277
SHA512 146b6ee3448e3d7ca3026de4c45c1db29a7f5536bf0d21fd73768d8c1ad44fb118fd5cc2baba00d52a23a8035bdedab7bf70bebc78a23255bc5938d2acc5d297

C:\Windows\SysWOW64\Phcgcqab.exe

MD5 fdf9810de802e9fc833b9ae16f486df2
SHA1 dd81109a9e8f17c8ffa4192bee52636e1c9e0400
SHA256 c0b652f20d66779f4a8ddbab4386261afa197135e84b84ceb8d665dd3e6dacad
SHA512 3eda8cdec060a32b42a26f90d0aff2f913b6d42e9555ed6e763f6b0e7a01875d0782e47aec4a3b6919421cc9e96258bb31f271e08471f2833991022e800562c4

C:\Windows\SysWOW64\Pnplfj32.exe

MD5 043e01dd9351f3e58a38a6b0215a7d0d
SHA1 3f125d99924352371bdc3eef6c0e618774056fd8
SHA256 480c214ada85caad72ce8c6838279f64c164f1917225ca2949c6f04f4cfafd7f
SHA512 cef82c33fc1b2e77cb9142d77051e509b7ba9346463502cc59dcbf64deb3d06992955fedd5bec2dedd91952c19721bb0aeca792289e422ef079255b96bc4d3fb

C:\Windows\SysWOW64\Qobhkjdi.exe

MD5 c151e4f4ce915a25c4e3dc9f4072db12
SHA1 32b110fa0e1a07af769968042c349f4faddb08e5
SHA256 c537030422a370d4eff83bfc2bca6a93374b1398271c17d75c1e52602e8f8328
SHA512 bf70cfb29d44920de048ace580d6300d024d939a31ad429b51144bfbb9dd2615792afef04e8f3ecbf5c012070dd7e60abfcb827ef1ce275066c68d2e6497f5cd

C:\Windows\SysWOW64\Qpeahb32.exe

MD5 86dc326c6d8a2c63d7d4f6b3282f8606
SHA1 274e5a01593988ad7a9710b744a8fd5fed3a56b3
SHA256 d2d5e35706197643010e6b60bfd05071cc0cece5bbb0913e6b7a0e1916692612
SHA512 7ce3382a66138121bc086e3742343c4cc4fb477e661433599574bcc1cf95455392507987ecbb7d38a3333fbe98aea2fa0b612475355010cdd1ae0e5eb179b2a7

C:\Windows\SysWOW64\Aoioli32.exe

MD5 0d1b151d5f59f8301104841503383f95
SHA1 0201ae36a94aca2f4c6178ced41fd828079870ee
SHA256 f5e40d7d8d1992cc376168a8a1c1aba9086f5b6713d33466d34f41be72a0ba61
SHA512 ee87f362c8a70361b7f8b11272bd08fb6b091a7502284a403e17d9835d5791fb5638249f2475a46aa6b1a0b1009cd5d8e4bcba80c7758e35785597c70a54f19e

C:\Windows\SysWOW64\Adhdjpjf.exe

MD5 eaa1d8009e92ec4b6d5f5e65d3f17831
SHA1 7ceb818d868b3b04888168b388e5e198e1f38752
SHA256 0589c3fb15d00eac07c1319d7587dc9b2e922474f549e6646ac6f7d5a54b6d52
SHA512 ec002b285573b1030dc14c234311561e1ce6b8306a07a760b780089198bd4666ace243a0880f343097bd82789b14ecf49c7ca6fe88213d62bd3c2db652abca9e

C:\Windows\SysWOW64\Bogkmgba.exe

MD5 b846db1273fb8fadb1eaa6d5de55fbc5
SHA1 5c41fb1a30d5ca775ce07e3b34d35a872639c72b
SHA256 2648240300e46c734dfe70edb9374c778e3b80d4002dcb749e18e3653677c8b3
SHA512 50bd227676e72078062c3352c260a9c14377cb265f5415bf3db3fd92de88cd6dd685dc530b0afadba1b4ee2e0d21f5b7c90bc57c9aafb2011c45f9bb7f7c0409

C:\Windows\SysWOW64\Cggimh32.exe

MD5 1508ddaeca8a608d00aa47020828d10e
SHA1 0a869e165de47ed8ea7dc93b72ea5475f4b0e653
SHA256 e4b43425f1a4c0c38b56cc4676e4e9e6794b2fcf6a2d94effd698fcee7bdb62e
SHA512 4ae3b12bf4c36a1e2ef5b25c837b86f2faf3e813bc67ae9f2436571cffa0e7804b0b715f3a9b9fa1acff32679a10e0962870f86856636935af46f8541ab3d68f

C:\Windows\SysWOW64\Chiblk32.exe

MD5 9d6ab20cc50379cc600735334fe7a126
SHA1 05ad92c5c41257830a8a00decdaecdcd72cab0c6
SHA256 9b1d42e751988d7456e780b20b1a808a0ed72285245e5cf25acf4c99d6bbfbf5
SHA512 11b20eb21e3ffc90a78cdd97130fd1f719986c91c626536ab130ec020e76bc4a1ab0aad2493455d6b712d4f465908de04059de13bff65cacee4611f409625c56

C:\Windows\SysWOW64\Dnmaea32.exe

MD5 03047c8dc441d1dace8c60bc13f003f9
SHA1 b76c7d701ba619e59dd7510609b13b47bfbb14c8
SHA256 fb7cb4566536849ef0ea69a33a283b8d2fe4850fab99b35285c3ce3dc5717381
SHA512 e5cfbb4758a50e9a4757276a9a2ff387108ac98172932b83ff6fc2ed42da76d43b711ea0e3a502aa2a235b3d09908557487fa7be2873fb941b241022a453f436

C:\Windows\SysWOW64\Dakikoom.exe

MD5 3db6ddd14ea2cca1c086962ef1d459ab
SHA1 fd0db30969c81a272b0b6c45c57bc6fe7c100eef
SHA256 13fb5de701cadbe335848bb96a7f4e556f1f39f3c5c01ba45f4ea480e3b471b9
SHA512 4b90c5ae2c79ced0044d24a308a2369e23306fccb01edfac3dfd43e034db310fdba076336d36462e706f25ebd0e77f529e32f75ca87f0df686138519f32366f8

C:\Windows\SysWOW64\Eqncnj32.exe

MD5 abc50f8a1aa41e5047c27c95c3f58970
SHA1 53234c630f758c78a7aefcd0db7c65022938cc2e
SHA256 934b61c40884977552093dd8a4899b050e685e005fdf685d8b8390ddcbaafb7f
SHA512 c2bd211c0ac1720a3045134a5ef0940c8365a820da28f59d7976dd616e3e4861e6a7a96b5843aa24ad9f5a4c579ec0a20c96b02e2b99bf51a01e4b60954d9a7f

C:\Windows\SysWOW64\Fkjmlaac.exe

MD5 28868bc735938797f72b733c49e2453e
SHA1 c98e6a69aaf42284b9a79a81c5ee37e9a88450a1
SHA256 e78e5f4dc977ce0fecd282b42bbdc7ec9c237f42592a2662a97222ec53ded820
SHA512 6a83b29b06eeac55a98d4f0d47b960cc7ae617b5ac5528f4052bbe9983026c846b626a4b47d840780347532c35eed2a119b03be9f6369a8ef97a5aafcee172c7

C:\Windows\SysWOW64\Fbdehlip.exe

MD5 fe48e0840865a6a6277e0fc72b5fdc7b
SHA1 ffbdc7e6420a04c30ebd7abe9710232f9a3e9f86
SHA256 484c8a2e8ddca7a3b10066d28187583fa4e3003fad7d851a182746b3063792fb
SHA512 5108e0cd77e4a0e1392ea21a114070a1d65deb28fadb2085930e1b08570e2699f599416ffe944143dd481c849166f8ba7ea0a187145260a92483885b4e137e0e

C:\Windows\SysWOW64\Gndick32.exe

MD5 b08e71cea9dfafe2b91691f7d8a207ab
SHA1 bc282137c84c1279fe41cacb7ee74a07b6e27756
SHA256 dd2d2666c07fee977833c63a9e0d6e7d21464b27bbcc95780d5fd5872a8d7833
SHA512 244565218dedac0915fc2a92945ab9c26f5f7f8d7d8c9460879f232a7f07ead425f5e77d0496ec4437e8147cd943e3d927e5048d2d78694528eee1b5fbe746a6

C:\Windows\SysWOW64\Hbenoi32.exe

MD5 7ca352a1f14ff96f493a6217359bf21a
SHA1 e19f6df03d424aaa8dc85e0dbaf140b38f9b142b
SHA256 5b49b88d66f8597d847f8bdf4f2b00750c6ac6602430ac1bac845e629cd566d6
SHA512 9328057f6b030c92c17c2864f430f7ded171877a4cc76c6906dda2dfde53ca7f9405aa715708165b4ddf2573e50ea68f93cb9738a05b183da019494b44a94200

C:\Windows\SysWOW64\Hajkqfoe.exe

MD5 2c39b00ddf6a62cae6784c960dee50f8
SHA1 0c769980ac0a4f41972efc52d233d595c2fdf08d
SHA256 ba05f5341fc2714768e1a5f36c15f9311ed5be1ea25bae8659973551f954d32c
SHA512 8269d8f630f24181c39eafa411fbee224fd8f0e242608e7b24367b960869e4f118bd55862464ede00eff04e6f08a844b32680f2933d0150effb1fb4021e36684

C:\Windows\SysWOW64\Ihbponja.exe

MD5 2666194ab9c0bef41f4ee01119a35a38
SHA1 1fd55dbc0be9af154c3e9b674cc2cf8ae6fcb0b3
SHA256 281636d7c01461d4548dc32ff622df70eb14c8f4244b5e57bf92e4c5afb93173
SHA512 220f447d711071383b78f4294e05c264d5653676084a7e62d5100f4e2997c50340ccf9b4b0e94aca0755fe156c7a643a5b0fca29ca5b8a7e3c267cf6e8b7167f

C:\Windows\SysWOW64\Jldbpl32.exe

MD5 11775ad9c7da806308eb313d649f48f7
SHA1 1e5d04c439edc00160b86285737ef486d82f0d59
SHA256 6e4c1001bcfcf59a261f5bd07999ae69aa1e9aacaaf514fa85c763deedcc8a76
SHA512 e2c2446f645d0540989aac02c34a8e8b7279c6b36a465a5178814455c906768475a20a150f7369b0b27931c7eab4095b58ccb11db74e40accead1eb474c6f2fe

C:\Windows\SysWOW64\Johggfha.exe

MD5 03cfca3db75a8932dc3560c2cea4e4ff
SHA1 b682c6e7bdd374c15cd57e0cd3d1bd4ecc6f7a8b
SHA256 bf47af8b45ce452146b749237a7e9ebbe7c74b727230335f2d586ae5f42daab5
SHA512 2266b95aa5b7ce77b9ecd30927027b9c12841ffef8107c2f8a5e82e792960a46b33a566c91debd3ad81ff8490a8aba41b709face585985c8b6046a0e5da68f72

C:\Windows\SysWOW64\Kbhmbdle.exe

MD5 f6a972adc35ec42ceb5fe9eca6481567
SHA1 06b134dc96709dffc6d906c3e1e8e56d4105d97d
SHA256 2eaf8fcdab1b9e7fd9da161da466841ba952dfbe47339a1e542efc8a6c0edae7
SHA512 45c8d2c3287d7074828349fcf2a969810117fbe1bd4ab72b74c604fd42418115acd106e5938d1888adba7641104fb79dbe4681db16a886d3722416a2777f103f

C:\Windows\SysWOW64\Lindkm32.exe

MD5 fd8f6c3bb73a2e0ba25a1dbc0c6565b5
SHA1 d6f77f07aa5c5a983e46587aa7a96ba3d1ccdbdc
SHA256 f0ba6274279c3bbd2d673ebceffdb7768dc508818b090ad38dd405a72bf1135c
SHA512 4c91677fc80af3ceb7db8e6ca746c1a61d0fc5f01b72696a80669bd6eaf308191875ec44416d6a192f9df4d35df1dd104007f7e33c126bbca18094d43d9491c2

C:\Windows\SysWOW64\Lfiokmkc.exe

MD5 742b7e33497e640d34d5303f6f6331fb
SHA1 4dad7388e44dfc7ee322c44f38ba2b766708eada
SHA256 08bda4465ecf8e3fda2fc4de41a119b113cf111e1ffdfbea9d39852babb21b9f
SHA512 da4f02926711b961fc82a34bb30889b9dbed20481a06bc005805ef3a43b479dcf60d4e682e79843940d5f92f3c0e068ea810393cd9e2f45fe9803f1e28c9fba8

C:\Windows\SysWOW64\Mfnhfm32.exe

MD5 6627b264f7868deda718bd3bc8026f08
SHA1 8416802479c7edfbf1c443aaa634d8667046dc21
SHA256 ee11ce1a14581ae9d540c2f4a72564f76b9ad5fa5743e70dded103515b416cfe
SHA512 98db42c9e1be070f847f7a3242f8299297ab5d99524d0db747e1b01cbb9de6a6674a4ad9baf60357cf7c7aee13ec5ff7f872bbdcc3039e38e9dfeef1aef6436d

C:\Windows\SysWOW64\Mfbaalbi.exe

MD5 9b23ae5c8f4464a4f92c86bb150174ee
SHA1 fbe0c8069d4c1101a010003ac03753fe339cfb5d
SHA256 17223083c3cd2e07c9c6a89cede7ecfb489cac21e9cf5caa653f580083b38d9c
SHA512 c2ceb3f3e5b3f0523506dff4032956d68ba0ff9bffc8938df2169ed98f8a4fc64ca293f5d3684fb7eed80dfda14c0567b7cd011ca0aaa0b66fd2f70d74d11a3c

C:\Windows\SysWOW64\Nqmojd32.exe

MD5 8037f4885b30e8d1625c8e2ede606f62
SHA1 20409341d59d71003471fbbea8d264af3b7f0f0f
SHA256 d6bbf11e4a716b79398922c99dd8d324fccfc2792e199a9c2875eae992fdd09c
SHA512 831410f9875b83d06fbe685e16c6beb5c03603a0118ee05fe8d0a2d03087fc6dc245be9c4f42a74c3ae6cd9ed0b56f006e01de57ee4ce5640e18afbca89d765c

C:\Windows\SysWOW64\Nimmifgo.exe

MD5 3658ac2645abb5a9c2f6ad69de46a3b3
SHA1 0da3319409a853268458c99a0d00fa0d8c50848e
SHA256 3b76082fbeb4f65a3c63ad931952875778e297d00232f569f5b119ee74c3fa22
SHA512 e6e6ac358c83e611243055d6e5b724ef7caae0afebb4d044a4a58b412bc094c48030a25865744fc976abe65ff366065277cd79233672eda11f1f90627e2a61a4

C:\Windows\SysWOW64\Opbean32.exe

MD5 31ff4658ea038b72612cb8ceda9521d4
SHA1 24176e43dcfd5950f38686d6c1cc4378ce847155
SHA256 5c8bcb59fc4e568f1cb3062b879879ffea48897f5cf10681e3f245a21c0068e9
SHA512 aefe5ec0aec960c70315b6a42ecd4d7014a80642eb29d0e9e9eedfed57ce2eab4e1a7479ce188250dc85f9d6e6917198ef7295bb57d0aed54a1f0c7ec13999af

C:\Windows\SysWOW64\Qclmck32.exe

MD5 20dc78b5ee5a14f2ee13fdc62cb02157
SHA1 a416460775f4e0079c4f1acaf09207cf43e4fadd
SHA256 a8ddc38e53cc3de240ab4f6ef13bb3af7490acc96d931db30bb6ad74905e26be
SHA512 eba059fa5b02453db3a4c09fd25e922de0f10e6ca0bca85a1e4c0a115f26d4fc13219237a4a31215a9b624826e58dea539816d12f2c5cad723f34b0edd954ff5

C:\Windows\SysWOW64\Aimogakj.exe

MD5 6b0e5a267983a407f0c661008d0950d2
SHA1 76933cc6b348926edf3d4ab855ec1274803ce313
SHA256 f9a7b7ec46f6a716f6c74fd56039f3ee788e566c93d71b9162eab6c20e9f6aaf
SHA512 7c1a001a3b729171b8c119a625e281bf88f45b499e219d3e6da7bb287755d752e779f914b40947ecd9974915e15c559126fa47070ec190baf669c916b24a7cab

C:\Windows\SysWOW64\Abhqefpg.exe

MD5 aee3b170a37641da25cd56e285be137f
SHA1 3eb3f6edaa70ed5621ae275bb4f3162db3590a80
SHA256 982144a233b4cf0b63da8b5c89c9cb52be29158b0422a329c50641251ad35f9c
SHA512 b4063e3a2c7981a328c5f7f5fad6b84a353448d7c0f12efc20475817dc893813fd03f8e373994d50b0e04ab16f336d060a0111100b48712c66b922d8cce6d096

C:\Windows\SysWOW64\Ajaelc32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Bmdkcnie.exe

MD5 5a4f26f56807b16f4c6e403e7f2d4dde
SHA1 011b77f6b314520294ad56f6fa2d7608f7c6465d
SHA256 562760bc3dc5af5e200c2f91b908d41e6ae617081ac380533aca10e06a7187c5
SHA512 f4464f83f8f6ee010919ddb06dbd6d0d333df535fabdfe67d39ee0083568176b15f58edbe4ac024be5ff81725b2f4ac2fb721d7977e96688190644e4be9812fb

C:\Windows\SysWOW64\Binhnomg.exe

MD5 ae701bb8cc0f9fae20634b6f1b6ccbdc
SHA1 f0c5d59b313ef97738efb8e17e29fbff673d180c
SHA256 aed0fe3cf8ff53206072f1352b4b66ec0eb0de37bca4c90764cef13b1f0015c5
SHA512 95416bdffaad6180e11cddfa5cd15133c6c7be353a6ca804e3e763090c185733b107a71c257e1d2acc5e7a8183124da75f6587636acce4a3dbae5501399f4ce2

C:\Windows\SysWOW64\Cdmoafdb.exe

MD5 8769c611bbae6d72e7459421f740a308
SHA1 97abae8ffc5552c2a986aed223d5181753158bc9
SHA256 41517b760cfc444d1c4724d4348c439e4aacb7f5109e9355faf54e418bf7a1c9
SHA512 2242d88ce0340401a6bc1d3b78d8c37afbb02879bc5a212e06087d217cbd3545245a9c06f146da7d30b2fff5f658c541b587edc50a37a3eeab801ac065e38418

C:\Windows\SysWOW64\Dgpeha32.exe

MD5 38cfcc4b22faefeac0df3d4d1e09f628
SHA1 9256ab2886c0e7e048c61d96dfdf861190cec9a8
SHA256 48dab589028f8bd8bb5c7cb3a8bf519a410eccd2a9df8278a4d2bf3b01df7992
SHA512 63dc93552c89af0de88892bb85b308e5732272a53572ce6b21d9f8fab98dc278b8779082f7ca558e37476e01629273689cca2ab951806d3015b488aab0be90d6

C:\Windows\SysWOW64\Dnljkk32.exe

MD5 645cf862928da9cf79f61a8160069375
SHA1 0e42aaccd4894ce2b32ce510b3084285c076a8ac
SHA256 da4b2e50b5c0c159a98f0b947955070255e4c65f38016d8ef8dd4d4bc9089bfe
SHA512 b708f9c31f60071eaeea985afb86010bbce99ba98630929b4f9b3ad191b9d1333fccd898350acbdd6d088f3dd7f0b272e7511207199378d7060b16362f2fbbf5

C:\Windows\SysWOW64\Dalofi32.exe

MD5 21d6cb927fdd465b122d7fcf374fc71a
SHA1 0febaa04157106faa55427199dc32130c376cca1
SHA256 90340c978ed4f22ca5971591999e6129cd1c8bd33d911425a68ccad5ca1c3b6b
SHA512 af3d762b3091ab445fbf6855547974b75bf11a834b18be48b6d0a561a7da2bd5ac2f05f89d7449479bff90b85110e81eb3f1c8ad1791f7b28c01a70e8dc84c4f

C:\Windows\SysWOW64\Edoencdm.exe

MD5 04e27988320122f6318f48fc4380a202
SHA1 750727dfdc26cc6bf0b1bdb5b6c25a67d363cffd
SHA256 4ac7326c1980e9ce3ff2e579aa50caa051174704ff32d29a2fc03554dcc987ee
SHA512 529607d8d2346992c246186a26010e4a35d1c3b53e42aba106faa71f95fb3ac9d4f7e6e20e8d927ebaee43bc681f51170450cad2364022a5d5911cf60cdcb106

C:\Windows\SysWOW64\Ecikjoep.exe

MD5 f2472d010618d63dfc0f05b41a5091af
SHA1 83973c1ceb558fe6e86818fe21a4638366de2928
SHA256 7bd93d858e531e5e54abbddec8945aacb003ff824edcef1b86828046a446dcfb
SHA512 9f89f28601daf676a13f26aa1a2ec9fc76d3ccd86e140a4db1384060b7a4df6cc2ff72c5ced01233172caa99468c45324336483b6a3952884595333716441b2b

C:\Windows\SysWOW64\Fdbkja32.exe

MD5 341f7dc3e1e9cb8d97eefe0fb31fac6e
SHA1 f6aaf2e1daa42ff12854b72ef626ca7599842347
SHA256 a36162af663bfcbb0d8ba96f57aa16d6d73c93f474175ee5516290ee57ee6925
SHA512 45dc27faca73398249aaea36cd5cc677010eddf1ebf6d156987e2d28055231b4a71f24ef59ecfc2614d93e9de2136c6abbc01efee630055a90bcefe45c7a0ef2