Malware Analysis Report

2024-11-13 17:41

Sample ID 241110-bp6gpswenm
Target a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9
SHA256 a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9

Threat Level: Known bad

The file a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9 was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:20

Signatures

Berbew family

berbew

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:20

Reported

2024-11-10 01:22

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nahgoe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aaldccip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjeiodek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jhlgfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kjffdalb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omgcpokp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jjafok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohfami32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnaaib32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdfoio32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibmeoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qlggjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gaamlecg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhfppabl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojbacd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hnodaecc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjkpoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hkeaqi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecefqnel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Popbpqjh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pllgnl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pemomqcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lkabjbih.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Leopnglc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mldhfpib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Olbdhn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qhngolpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Innfnl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmieae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmgjia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iqklon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kelkaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nobdbkhf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgeakekd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cacckp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dlieda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fmpqfq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njpdnedf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iknmla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jnhpoamf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogekbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bhkmec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gklnjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ihnkel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ipjedh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gijekg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pkhjph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lieccf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oeokal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mejpje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Allpejfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ijcjmmil.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcikgacl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mmpdhboj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gnhnaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jglklggl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kniieo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbgalmej.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnjejjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Naaqofgj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpgpgfmh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhmnn32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ehcfaboo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbbmnnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Efhcbodf.exe N/A
N/A N/A C:\Windows\SysWOW64\Eangpgcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Edmclccp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejflhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emehdh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmgejhgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhmigagd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fineoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgbfhmll.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpjjac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmnkkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpmggb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmqgpgoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpodlbng.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkdhjknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpaqbbld.exe N/A
N/A N/A C:\Windows\SysWOW64\Gijekg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaamlecg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkeio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggnedlao.exe N/A
N/A N/A C:\Windows\SysWOW64\Gilapgqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnhnaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacjadad.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpfjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmbno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggpbjkpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Gklnjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ginnfgop.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnjjfegi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaefgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddbcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghpocngo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggbook32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gknkpjfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnlgleef.exe N/A
N/A N/A C:\Windows\SysWOW64\Gahcmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpkchqdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdfoio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhbkinel.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkpheidp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjchaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnodaecc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hajpbckl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpmpnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhdhon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgghjjid.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkbdki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjedffig.exe N/A
N/A N/A C:\Windows\SysWOW64\Hammhcij.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpomcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdkidohn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgiepjga.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkeaqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjhalefe.exe N/A
N/A N/A C:\Windows\SysWOW64\Haoimcgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpbiip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhiajmod.exe N/A
N/A N/A C:\Windows\SysWOW64\Hglaej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjjnae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnfjbdmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Haafcb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdpbon32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ncabfkqo.exe C:\Windows\SysWOW64\Nmgjia32.exe N/A
File created C:\Windows\SysWOW64\Cnffoibg.dll C:\Windows\SysWOW64\Ofmdio32.exe N/A
File created C:\Windows\SysWOW64\Boenhgdd.exe C:\Windows\SysWOW64\Bdojjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpomcp32.exe C:\Windows\SysWOW64\Hammhcij.exe N/A
File opened for modification C:\Windows\SysWOW64\Jglklggl.exe C:\Windows\SysWOW64\Jhijqj32.exe N/A
File created C:\Windows\SysWOW64\Phbhcmjl.exe C:\Windows\SysWOW64\Piphgq32.exe N/A
File created C:\Windows\SysWOW64\Lfbped32.exe C:\Windows\SysWOW64\Kngkqbgl.exe N/A
File created C:\Windows\SysWOW64\Nmfcok32.exe C:\Windows\SysWOW64\Ngjkfd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaamlecg.exe C:\Windows\SysWOW64\Gijekg32.exe N/A
File created C:\Windows\SysWOW64\Piomhofd.dll C:\Windows\SysWOW64\Iqipio32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bombmcec.exe C:\Windows\SysWOW64\Bmofagfp.exe N/A
File created C:\Windows\SysWOW64\Cjpqjh32.dll C:\Windows\SysWOW64\Bcinna32.exe N/A
File created C:\Windows\SysWOW64\Cbphdn32.exe C:\Windows\SysWOW64\Cmcolgbj.exe N/A
File created C:\Windows\SysWOW64\Gpkchqdj.exe C:\Windows\SysWOW64\Gahcmd32.exe N/A
File created C:\Windows\SysWOW64\Pjglocmi.dll C:\Windows\SysWOW64\Leopnglc.exe N/A
File created C:\Windows\SysWOW64\Oeehkn32.exe C:\Windows\SysWOW64\Nmnqjp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Popbpqjh.exe C:\Windows\SysWOW64\Pehngkcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmkigh32.exe C:\Windows\SysWOW64\Gpgind32.exe N/A
File created C:\Windows\SysWOW64\Kioghlbd.dll C:\Windows\SysWOW64\Qodeajbg.exe N/A
File created C:\Windows\SysWOW64\Ljdceo32.exe C:\Windows\SysWOW64\Lkabjbih.exe N/A
File created C:\Windows\SysWOW64\Clghdi32.dll C:\Windows\SysWOW64\Hhiajmod.exe N/A
File opened for modification C:\Windows\SysWOW64\Jqdoem32.exe C:\Windows\SysWOW64\Jbaojpgb.exe N/A
File created C:\Windows\SysWOW64\Clomci32.dll C:\Windows\SysWOW64\Jibmgi32.exe N/A
File created C:\Windows\SysWOW64\Jdqlliil.dll C:\Windows\SysWOW64\Cioilg32.exe N/A
File created C:\Windows\SysWOW64\Dmhand32.exe C:\Windows\SysWOW64\Dfoiaj32.exe N/A
File created C:\Windows\SysWOW64\Oidalg32.dll C:\Windows\SysWOW64\Ddligq32.exe N/A
File created C:\Windows\SysWOW64\Klkfenfk.dll C:\Windows\SysWOW64\Gimqajgh.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmqgpgoc.exe C:\Windows\SysWOW64\Fpmggb32.exe N/A
File created C:\Windows\SysWOW64\Fmnkkg32.exe C:\Windows\SysWOW64\Fpjjac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljbfpo32.exe C:\Windows\SysWOW64\Lgcjdd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pefhlaie.exe C:\Windows\SysWOW64\Pakllc32.exe N/A
File created C:\Windows\SysWOW64\Icknfcol.exe C:\Windows\SysWOW64\Ipmbjgpi.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjodla32.exe C:\Windows\SysWOW64\Mqfpckhm.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngjkfd32.exe C:\Windows\SysWOW64\Npbceggm.exe N/A
File created C:\Windows\SysWOW64\Nabbod32.dll C:\Windows\SysWOW64\Ejflhm32.exe N/A
File created C:\Windows\SysWOW64\Dmhidbhg.dll C:\Windows\SysWOW64\Ahcajk32.exe N/A
File created C:\Windows\SysWOW64\Bcahmb32.exe C:\Windows\SysWOW64\Bkkple32.exe N/A
File opened for modification C:\Windows\SysWOW64\Efepbi32.exe C:\Windows\SysWOW64\Emmkiclm.exe N/A
File created C:\Windows\SysWOW64\Ejnocehc.dll C:\Windows\SysWOW64\Ljhefhha.exe N/A
File opened for modification C:\Windows\SysWOW64\Oeokal32.exe C:\Windows\SysWOW64\Omgcpokp.exe N/A
File created C:\Windows\SysWOW64\Pmiikh32.exe C:\Windows\SysWOW64\Pfoann32.exe N/A
File opened for modification C:\Windows\SysWOW64\Neoieenp.exe C:\Windows\SysWOW64\Nbqmiinl.exe N/A
File created C:\Windows\SysWOW64\Mapmipen.dll C:\Windows\SysWOW64\Jkomneim.exe N/A
File opened for modification C:\Windows\SysWOW64\Nahgoe32.exe C:\Windows\SysWOW64\Nojjcj32.exe N/A
File created C:\Windows\SysWOW64\Okgaijaj.exe C:\Windows\SysWOW64\Ohiemobf.exe N/A
File created C:\Windows\SysWOW64\Niehpfnk.dll C:\Windows\SysWOW64\Cbbdjm32.exe N/A
File created C:\Windows\SysWOW64\Nlhkgi32.exe C:\Windows\SysWOW64\Ncabfkqo.exe N/A
File created C:\Windows\SysWOW64\Ocaikjof.dll C:\Windows\SysWOW64\Hnodaecc.exe N/A
File created C:\Windows\SysWOW64\Jhijqj32.exe C:\Windows\SysWOW64\Iqbbpm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhijqj32.exe C:\Windows\SysWOW64\Iqbbpm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qlggjk32.exe C:\Windows\SysWOW64\Qhlkilba.exe N/A
File opened for modification C:\Windows\SysWOW64\Anmfbl32.exe C:\Windows\SysWOW64\Aknifq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aphnnafb.exe C:\Windows\SysWOW64\Aogbfi32.exe N/A
File created C:\Windows\SysWOW64\Gklnjj32.exe C:\Windows\SysWOW64\Ggpbjkpl.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkjjlhle.exe C:\Windows\SysWOW64\Hhknpmma.exe N/A
File created C:\Windows\SysWOW64\Jbaojpgb.exe C:\Windows\SysWOW64\Jnfcia32.exe N/A
File created C:\Windows\SysWOW64\Jhlgfj32.exe C:\Windows\SysWOW64\Jqdoem32.exe N/A
File created C:\Windows\SysWOW64\Pnpban32.dll C:\Windows\SysWOW64\Kijchhbo.exe N/A
File created C:\Windows\SysWOW64\Hiacfqch.dll C:\Windows\SysWOW64\Jjlmclqa.exe N/A
File opened for modification C:\Windows\SysWOW64\Fpgpgfmh.exe C:\Windows\SysWOW64\Fbbpmb32.exe N/A
File created C:\Windows\SysWOW64\Gmophg32.dll C:\Windows\SysWOW64\Ifmqfm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gacjadad.exe C:\Windows\SysWOW64\Gnhnaf32.exe N/A
File created C:\Windows\SysWOW64\Pfoann32.exe C:\Windows\SysWOW64\Oabhfg32.exe N/A
File created C:\Windows\SysWOW64\Jkaicd32.exe C:\Windows\SysWOW64\Jibmgi32.exe N/A
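The two tables above ("Executes dropped EXE" and "Drops file in System32 directory") show the Berbew propagation chain: each process already running from SysWOW64 creates a new pseudo-randomly named .exe (and, separately, a .dll) in SysWOW64 and then executes it, so every stage is a freshly written, unsigned PE in a directory that should contain only signed Microsoft binaries. A quick host check that would surface every stage in this report is to list recently created PEs under System32 and SysWOW64 whose signature does not verify. The PowerShell below is an added example written for this page; it is not part of the sandbox report or of any vendor tool. The directory list, the 30-day window and the "anything not validly signed by Microsoft" rule are assumptions chosen for illustration.

```powershell
# Added example for this report (not sandbox or vendor code). Read-only hunt:
# list PE files in System32/SysWOW64 that were created recently and whose
# Authenticode/catalog signature does not verify as a Microsoft signature.
# Berbew's stages in the report (Nahgoe32.exe, Cnffoibg.dll, ...) are all
# unsigned and freshly created, so they would all be listed. Run elevated.

function Find-RecentUnsignedSystemPe {
    [CmdletBinding()]
    param(
        # Assumption: both the native and the WOW64 system directory matter,
        # because the 32-bit sample in the report writes to SysWOW64.
        [string[]]$Directory = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        # Assumption: a 30-day window keeps the list short on a patched host.
        [int]$NewerThanDays = 30
    )

    $cutoff = (Get-Date).AddDays(-$NewerThanDays)

    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { ($_.Extension -in @('.exe', '.dll')) -and ($_.CreationTime -gt $cutoff) } |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

                # Report anything whose signature does not verify, and anything
                # validly signed by a non-Microsoft publisher: third-party code
                # rarely belongs in the system directory either.
                if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Created   = $_.CreationTime
                        SizeBytes = $_.Length
                        SigStatus = $sig.Status
                        Signer    = $signer
                        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

Find-RecentUnsignedSystemPe | Sort-Object Created -Descending | Format-Table -AutoSize
```

Treat the output as leads, not verdicts: Windows binaries are mostly catalog-signed rather than carrying an embedded signature, and if a large share of the directory comes back as NotSigned the catalog verification on that host is the first thing to suspect, not the files. The dropped names in the report (Ehcfaboo.exe, Gaamlecg.exe and so on) are generated per infection and are not useful as stand-alone indicators; the SHA256 column exists so that the hashes can be pivoted against the sample hash at the top of this report or submitted for analysis.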

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qohpkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qodeajbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpjjac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iahlcaol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pekbga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohfami32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjbcplpe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnkggfkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdkifmjq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hnodaecc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hhknpmma.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkabjbih.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nolgijpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qhlkilba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Elnoopdj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eangpgcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iddljmpc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gilapgqb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hjjnae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phbhcmjl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjafok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bedgjgkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkokcl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jdmgfedl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncabfkqo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjpode32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npepkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcobaedj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bljlfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icfekc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jdbhkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jkaicd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlnkmnah.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfoiaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmcolgbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oaqbkn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhphmj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpmggb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnahdi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgelgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fhmigagd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kijchhbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kecabifp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnelok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bklomh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Meamcg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmofagfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pejkmk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkaobnio.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Panhbfep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaldccip.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kndojobi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkkple32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbphdn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhndljll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbmoen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Efjimhnh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpgpgfmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofmdio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkfcndce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olbdhn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gigaka32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmbfbn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gklnjj32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aagkhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fmnkkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingcceof.dll" C:\Windows\SysWOW64\Objpoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlljcfl.dll" C:\Windows\SysWOW64\Efjimhnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jnjejjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilmjcon.dll" C:\Windows\SysWOW64\Lggldm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oejbfmpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll" C:\Windows\SysWOW64\Ckgohf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjmcnbdm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jjdjoane.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklhm32.dll" C:\Windows\SysWOW64\Jjdjoane.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ljdceo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Njiegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkaobnio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peehmbji.dll" C:\Windows\SysWOW64\Nklbmllg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Polppg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebadmmge.dll" C:\Windows\SysWOW64\Fhmigagd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gacjadad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migidc32.dll" C:\Windows\SysWOW64\Ginnfgop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gpkchqdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgaaeham.dll" C:\Windows\SysWOW64\Hgiepjga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meickkqm.dll" C:\Windows\SysWOW64\Iahlcaol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ggahedjn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnidao32.dll" C:\Windows\SysWOW64\Hgmgqc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdmgfedl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bnhenj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Npbceggm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmieae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jocefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhdhon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhginhk.dll" C:\Windows\SysWOW64\Hpomcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjlbppk.dll" C:\Windows\SysWOW64\Jjmcnbdm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llhikacp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahjgjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ijcjmmil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aajhndkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kndojobi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kijchhbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgkbp32.dll" C:\Windows\SysWOW64\Poomegpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdqlliil.dll" C:\Windows\SysWOW64\Cioilg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncijina.dll" C:\Windows\SysWOW64\Oeheqm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhpjc32.dll" C:\Windows\SysWOW64\Cdnmfclj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Anmfbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll" C:\Windows\SysWOW64\Nceefd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pnifekmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bildbk32.dll" C:\Windows\SysWOW64\Gnhnaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Neoieenp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oekiqccc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Poomegpf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mkhapk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ipoheakj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll" C:\Windows\SysWOW64\Bdagpnbk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ihnkel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfpfg32.dll" C:\Windows\SysWOW64\Ikcmbfcj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jbaojpgb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqomopfd.dll" C:\Windows\SysWOW64\Nojjcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmhand32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohfami32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aaldccip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbbhqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjlmclqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojigdcll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll" C:\Windows\SysWOW64\Qklmpalf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebnfbcbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 216 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe C:\Windows\SysWOW64\Ehcfaboo.exe
PID 216 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe C:\Windows\SysWOW64\Ehcfaboo.exe
PID 216 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe C:\Windows\SysWOW64\Ehcfaboo.exe
PID 2960 wrote to memory of 408 N/A C:\Windows\SysWOW64\Ehcfaboo.exe C:\Windows\SysWOW64\Ejbbmnnb.exe
PID 2960 wrote to memory of 408 N/A C:\Windows\SysWOW64\Ehcfaboo.exe C:\Windows\SysWOW64\Ejbbmnnb.exe
PID 2960 wrote to memory of 408 N/A C:\Windows\SysWOW64\Ehcfaboo.exe C:\Windows\SysWOW64\Ejbbmnnb.exe
PID 408 wrote to memory of 3800 N/A C:\Windows\SysWOW64\Ejbbmnnb.exe C:\Windows\SysWOW64\Efhcbodf.exe
PID 408 wrote to memory of 3800 N/A C:\Windows\SysWOW64\Ejbbmnnb.exe C:\Windows\SysWOW64\Efhcbodf.exe
PID 408 wrote to memory of 3800 N/A C:\Windows\SysWOW64\Ejbbmnnb.exe C:\Windows\SysWOW64\Efhcbodf.exe
PID 3800 wrote to memory of 3636 N/A C:\Windows\SysWOW64\Efhcbodf.exe C:\Windows\SysWOW64\Eangpgcl.exe
PID 3800 wrote to memory of 3636 N/A C:\Windows\SysWOW64\Efhcbodf.exe C:\Windows\SysWOW64\Eangpgcl.exe
PID 3800 wrote to memory of 3636 N/A C:\Windows\SysWOW64\Efhcbodf.exe C:\Windows\SysWOW64\Eangpgcl.exe
PID 3636 wrote to memory of 4496 N/A C:\Windows\SysWOW64\Eangpgcl.exe C:\Windows\SysWOW64\Edmclccp.exe
PID 3636 wrote to memory of 4496 N/A C:\Windows\SysWOW64\Eangpgcl.exe C:\Windows\SysWOW64\Edmclccp.exe
PID 3636 wrote to memory of 4496 N/A C:\Windows\SysWOW64\Eangpgcl.exe C:\Windows\SysWOW64\Edmclccp.exe
PID 4496 wrote to memory of 1880 N/A C:\Windows\SysWOW64\Edmclccp.exe C:\Windows\SysWOW64\Ejflhm32.exe
PID 4496 wrote to memory of 1880 N/A C:\Windows\SysWOW64\Edmclccp.exe C:\Windows\SysWOW64\Ejflhm32.exe
PID 4496 wrote to memory of 1880 N/A C:\Windows\SysWOW64\Edmclccp.exe C:\Windows\SysWOW64\Ejflhm32.exe
PID 1880 wrote to memory of 4968 N/A C:\Windows\SysWOW64\Ejflhm32.exe C:\Windows\SysWOW64\Emehdh32.exe
PID 1880 wrote to memory of 4968 N/A C:\Windows\SysWOW64\Ejflhm32.exe C:\Windows\SysWOW64\Emehdh32.exe
PID 1880 wrote to memory of 4968 N/A C:\Windows\SysWOW64\Ejflhm32.exe C:\Windows\SysWOW64\Emehdh32.exe
PID 4968 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Emehdh32.exe C:\Windows\SysWOW64\Fmgejhgn.exe
PID 4968 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Emehdh32.exe C:\Windows\SysWOW64\Fmgejhgn.exe
PID 4968 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Emehdh32.exe C:\Windows\SysWOW64\Fmgejhgn.exe
PID 2304 wrote to memory of 220 N/A C:\Windows\SysWOW64\Fmgejhgn.exe C:\Windows\SysWOW64\Fhmigagd.exe
PID 2304 wrote to memory of 220 N/A C:\Windows\SysWOW64\Fmgejhgn.exe C:\Windows\SysWOW64\Fhmigagd.exe
PID 2304 wrote to memory of 220 N/A C:\Windows\SysWOW64\Fmgejhgn.exe C:\Windows\SysWOW64\Fhmigagd.exe
PID 220 wrote to memory of 4668 N/A C:\Windows\SysWOW64\Fhmigagd.exe C:\Windows\SysWOW64\Fineoi32.exe
PID 220 wrote to memory of 4668 N/A C:\Windows\SysWOW64\Fhmigagd.exe C:\Windows\SysWOW64\Fineoi32.exe
PID 220 wrote to memory of 4668 N/A C:\Windows\SysWOW64\Fhmigagd.exe C:\Windows\SysWOW64\Fineoi32.exe
PID 4668 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Fineoi32.exe C:\Windows\SysWOW64\Fgbfhmll.exe
PID 4668 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Fineoi32.exe C:\Windows\SysWOW64\Fgbfhmll.exe
PID 4668 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Fineoi32.exe C:\Windows\SysWOW64\Fgbfhmll.exe
PID 2716 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Fgbfhmll.exe C:\Windows\SysWOW64\Fpjjac32.exe
PID 2716 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Fgbfhmll.exe C:\Windows\SysWOW64\Fpjjac32.exe
PID 2716 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Fgbfhmll.exe C:\Windows\SysWOW64\Fpjjac32.exe
PID 2640 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Fpjjac32.exe C:\Windows\SysWOW64\Fmnkkg32.exe
PID 2640 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Fpjjac32.exe C:\Windows\SysWOW64\Fmnkkg32.exe
PID 2640 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Fpjjac32.exe C:\Windows\SysWOW64\Fmnkkg32.exe
PID 2808 wrote to memory of 3424 N/A C:\Windows\SysWOW64\Fmnkkg32.exe C:\Windows\SysWOW64\Fpmggb32.exe
PID 2808 wrote to memory of 3424 N/A C:\Windows\SysWOW64\Fmnkkg32.exe C:\Windows\SysWOW64\Fpmggb32.exe
PID 2808 wrote to memory of 3424 N/A C:\Windows\SysWOW64\Fmnkkg32.exe C:\Windows\SysWOW64\Fpmggb32.exe
PID 3424 wrote to memory of 3880 N/A C:\Windows\SysWOW64\Fpmggb32.exe C:\Windows\SysWOW64\Fmqgpgoc.exe
PID 3424 wrote to memory of 3880 N/A C:\Windows\SysWOW64\Fpmggb32.exe C:\Windows\SysWOW64\Fmqgpgoc.exe
PID 3424 wrote to memory of 3880 N/A C:\Windows\SysWOW64\Fpmggb32.exe C:\Windows\SysWOW64\Fmqgpgoc.exe
PID 3880 wrote to memory of 3128 N/A C:\Windows\SysWOW64\Fmqgpgoc.exe C:\Windows\SysWOW64\Fpodlbng.exe
PID 3880 wrote to memory of 3128 N/A C:\Windows\SysWOW64\Fmqgpgoc.exe C:\Windows\SysWOW64\Fpodlbng.exe
PID 3880 wrote to memory of 3128 N/A C:\Windows\SysWOW64\Fmqgpgoc.exe C:\Windows\SysWOW64\Fpodlbng.exe
PID 3128 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Fpodlbng.exe C:\Windows\SysWOW64\Gkdhjknm.exe
PID 3128 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Fpodlbng.exe C:\Windows\SysWOW64\Gkdhjknm.exe
PID 3128 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Fpodlbng.exe C:\Windows\SysWOW64\Gkdhjknm.exe
PID 5056 wrote to memory of 620 N/A C:\Windows\SysWOW64\Gkdhjknm.exe C:\Windows\SysWOW64\Gpaqbbld.exe
PID 5056 wrote to memory of 620 N/A C:\Windows\SysWOW64\Gkdhjknm.exe C:\Windows\SysWOW64\Gpaqbbld.exe
PID 5056 wrote to memory of 620 N/A C:\Windows\SysWOW64\Gkdhjknm.exe C:\Windows\SysWOW64\Gpaqbbld.exe
PID 620 wrote to memory of 3232 N/A C:\Windows\SysWOW64\Gpaqbbld.exe C:\Windows\SysWOW64\Gijekg32.exe
PID 620 wrote to memory of 3232 N/A C:\Windows\SysWOW64\Gpaqbbld.exe C:\Windows\SysWOW64\Gijekg32.exe
PID 620 wrote to memory of 3232 N/A C:\Windows\SysWOW64\Gpaqbbld.exe C:\Windows\SysWOW64\Gijekg32.exe
PID 3232 wrote to memory of 3716 N/A C:\Windows\SysWOW64\Gijekg32.exe C:\Windows\SysWOW64\Gaamlecg.exe
PID 3232 wrote to memory of 3716 N/A C:\Windows\SysWOW64\Gijekg32.exe C:\Windows\SysWOW64\Gaamlecg.exe
PID 3232 wrote to memory of 3716 N/A C:\Windows\SysWOW64\Gijekg32.exe C:\Windows\SysWOW64\Gaamlecg.exe
PID 3716 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Gaamlecg.exe C:\Windows\SysWOW64\Ghkeio32.exe
PID 3716 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Gaamlecg.exe C:\Windows\SysWOW64\Ghkeio32.exe
PID 3716 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Gaamlecg.exe C:\Windows\SysWOW64\Ghkeio32.exe
PID 4472 wrote to memory of 4080 N/A C:\Windows\SysWOW64\Ghkeio32.exe C:\Windows\SysWOW64\Ggnedlao.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe

"C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe"

C:\Windows\SysWOW64\Ehcfaboo.exe

C:\Windows\system32\Ehcfaboo.exe

C:\Windows\SysWOW64\Ejbbmnnb.exe

C:\Windows\system32\Ejbbmnnb.exe

C:\Windows\SysWOW64\Efhcbodf.exe

C:\Windows\system32\Efhcbodf.exe

C:\Windows\SysWOW64\Eangpgcl.exe

C:\Windows\system32\Eangpgcl.exe

C:\Windows\SysWOW64\Edmclccp.exe

C:\Windows\system32\Edmclccp.exe

C:\Windows\SysWOW64\Ejflhm32.exe

C:\Windows\system32\Ejflhm32.exe

C:\Windows\SysWOW64\Emehdh32.exe

C:\Windows\system32\Emehdh32.exe

C:\Windows\SysWOW64\Fmgejhgn.exe

C:\Windows\system32\Fmgejhgn.exe

C:\Windows\SysWOW64\Fhmigagd.exe

C:\Windows\system32\Fhmigagd.exe

C:\Windows\SysWOW64\Fineoi32.exe

C:\Windows\system32\Fineoi32.exe

C:\Windows\SysWOW64\Fgbfhmll.exe

C:\Windows\system32\Fgbfhmll.exe

C:\Windows\SysWOW64\Fpjjac32.exe

C:\Windows\system32\Fpjjac32.exe

C:\Windows\SysWOW64\Fmnkkg32.exe

C:\Windows\system32\Fmnkkg32.exe

C:\Windows\SysWOW64\Fpmggb32.exe

C:\Windows\system32\Fpmggb32.exe

C:\Windows\SysWOW64\Fmqgpgoc.exe

C:\Windows\system32\Fmqgpgoc.exe

C:\Windows\SysWOW64\Fpodlbng.exe

C:\Windows\system32\Fpodlbng.exe

C:\Windows\SysWOW64\Gkdhjknm.exe

C:\Windows\system32\Gkdhjknm.exe

C:\Windows\SysWOW64\Gpaqbbld.exe

C:\Windows\system32\Gpaqbbld.exe

C:\Windows\SysWOW64\Gijekg32.exe

C:\Windows\system32\Gijekg32.exe

C:\Windows\SysWOW64\Gaamlecg.exe

C:\Windows\system32\Gaamlecg.exe

C:\Windows\SysWOW64\Ghkeio32.exe

C:\Windows\system32\Ghkeio32.exe

C:\Windows\SysWOW64\Ggnedlao.exe

C:\Windows\system32\Ggnedlao.exe

C:\Windows\SysWOW64\Gilapgqb.exe

C:\Windows\system32\Gilapgqb.exe

C:\Windows\SysWOW64\Gnhnaf32.exe

C:\Windows\system32\Gnhnaf32.exe

C:\Windows\SysWOW64\Gacjadad.exe

C:\Windows\system32\Gacjadad.exe

C:\Windows\SysWOW64\Gpfjma32.exe

C:\Windows\system32\Gpfjma32.exe

C:\Windows\SysWOW64\Ghmbno32.exe

C:\Windows\system32\Ghmbno32.exe

C:\Windows\SysWOW64\Ggpbjkpl.exe

C:\Windows\system32\Ggpbjkpl.exe

C:\Windows\SysWOW64\Gklnjj32.exe

C:\Windows\system32\Gklnjj32.exe

C:\Windows\SysWOW64\Ginnfgop.exe

C:\Windows\system32\Ginnfgop.exe

C:\Windows\SysWOW64\Gnjjfegi.exe

C:\Windows\system32\Gnjjfegi.exe

C:\Windows\SysWOW64\Gaefgd32.exe

C:\Windows\system32\Gaefgd32.exe

C:\Windows\SysWOW64\Gddbcp32.exe

C:\Windows\system32\Gddbcp32.exe

C:\Windows\SysWOW64\Ghpocngo.exe

C:\Windows\system32\Ghpocngo.exe

C:\Windows\SysWOW64\Ggbook32.exe

C:\Windows\system32\Ggbook32.exe

C:\Windows\SysWOW64\Gknkpjfb.exe

C:\Windows\system32\Gknkpjfb.exe

C:\Windows\SysWOW64\Gnlgleef.exe

C:\Windows\system32\Gnlgleef.exe

C:\Windows\SysWOW64\Gahcmd32.exe

C:\Windows\system32\Gahcmd32.exe

C:\Windows\SysWOW64\Gpkchqdj.exe

C:\Windows\system32\Gpkchqdj.exe

C:\Windows\SysWOW64\Gdfoio32.exe

C:\Windows\system32\Gdfoio32.exe

C:\Windows\SysWOW64\Hhbkinel.exe

C:\Windows\system32\Hhbkinel.exe

C:\Windows\SysWOW64\Hkpheidp.exe

C:\Windows\system32\Hkpheidp.exe

C:\Windows\SysWOW64\Hjchaf32.exe

C:\Windows\system32\Hjchaf32.exe

C:\Windows\SysWOW64\Hnodaecc.exe

C:\Windows\system32\Hnodaecc.exe

C:\Windows\SysWOW64\Hajpbckl.exe

C:\Windows\system32\Hajpbckl.exe

C:\Windows\SysWOW64\Hpmpnp32.exe

C:\Windows\system32\Hpmpnp32.exe

C:\Windows\SysWOW64\Hhdhon32.exe

C:\Windows\system32\Hhdhon32.exe

C:\Windows\SysWOW64\Hgghjjid.exe

C:\Windows\system32\Hgghjjid.exe

C:\Windows\SysWOW64\Hkbdki32.exe

C:\Windows\system32\Hkbdki32.exe

C:\Windows\SysWOW64\Hjedffig.exe

C:\Windows\system32\Hjedffig.exe

C:\Windows\SysWOW64\Hammhcij.exe

C:\Windows\system32\Hammhcij.exe

C:\Windows\SysWOW64\Hpomcp32.exe

C:\Windows\system32\Hpomcp32.exe

C:\Windows\SysWOW64\Hdkidohn.exe

C:\Windows\system32\Hdkidohn.exe

C:\Windows\SysWOW64\Hgiepjga.exe

C:\Windows\system32\Hgiepjga.exe

C:\Windows\SysWOW64\Hkeaqi32.exe

C:\Windows\system32\Hkeaqi32.exe

C:\Windows\SysWOW64\Hjhalefe.exe

C:\Windows\system32\Hjhalefe.exe

C:\Windows\SysWOW64\Haoimcgg.exe

C:\Windows\system32\Haoimcgg.exe

C:\Windows\SysWOW64\Hpbiip32.exe

C:\Windows\system32\Hpbiip32.exe

C:\Windows\SysWOW64\Hhiajmod.exe

C:\Windows\system32\Hhiajmod.exe

C:\Windows\SysWOW64\Hglaej32.exe

C:\Windows\system32\Hglaej32.exe

C:\Windows\SysWOW64\Hjjnae32.exe

C:\Windows\system32\Hjjnae32.exe

C:\Windows\SysWOW64\Hnfjbdmk.exe

C:\Windows\system32\Hnfjbdmk.exe

C:\Windows\SysWOW64\Haafcb32.exe

C:\Windows\system32\Haafcb32.exe

C:\Windows\SysWOW64\Hdpbon32.exe

C:\Windows\system32\Hdpbon32.exe

C:\Windows\SysWOW64\Hhknpmma.exe

C:\Windows\system32\Hhknpmma.exe

C:\Windows\SysWOW64\Hkjjlhle.exe

C:\Windows\system32\Hkjjlhle.exe

C:\Windows\SysWOW64\Hjlkge32.exe

C:\Windows\system32\Hjlkge32.exe

C:\Windows\SysWOW64\Hacbhb32.exe

C:\Windows\system32\Hacbhb32.exe

C:\Windows\SysWOW64\Hpfcdojl.exe

C:\Windows\system32\Hpfcdojl.exe

C:\Windows\SysWOW64\Ihnkel32.exe

C:\Windows\system32\Ihnkel32.exe

C:\Windows\SysWOW64\Igqkqiai.exe

C:\Windows\system32\Igqkqiai.exe

C:\Windows\SysWOW64\Iklgah32.exe

C:\Windows\system32\Iklgah32.exe

C:\Windows\SysWOW64\Injcmc32.exe

C:\Windows\system32\Injcmc32.exe

C:\Windows\SysWOW64\Iafonaao.exe

C:\Windows\system32\Iafonaao.exe

C:\Windows\SysWOW64\Iqipio32.exe

C:\Windows\system32\Iqipio32.exe

C:\Windows\SysWOW64\Iddljmpc.exe

C:\Windows\system32\Iddljmpc.exe

C:\Windows\SysWOW64\Igchfiof.exe

C:\Windows\system32\Igchfiof.exe

C:\Windows\SysWOW64\Ikndgg32.exe

C:\Windows\system32\Ikndgg32.exe

C:\Windows\SysWOW64\Ijadbdoj.exe

C:\Windows\system32\Ijadbdoj.exe

C:\Windows\SysWOW64\Iahlcaol.exe

C:\Windows\system32\Iahlcaol.exe

C:\Windows\SysWOW64\Iqklon32.exe

C:\Windows\system32\Iqklon32.exe

C:\Windows\SysWOW64\Idghpmnp.exe

C:\Windows\system32\Idghpmnp.exe

C:\Windows\SysWOW64\Iakiia32.exe

C:\Windows\system32\Iakiia32.exe

C:\Windows\SysWOW64\Idieem32.exe

C:\Windows\system32\Idieem32.exe

C:\Windows\SysWOW64\Iggaah32.exe

C:\Windows\system32\Iggaah32.exe

C:\Windows\SysWOW64\Ikcmbfcj.exe

C:\Windows\system32\Ikcmbfcj.exe

C:\Windows\SysWOW64\Ijfnmc32.exe

C:\Windows\system32\Ijfnmc32.exe

C:\Windows\SysWOW64\Ibmeoq32.exe

C:\Windows\system32\Ibmeoq32.exe

C:\Windows\SysWOW64\Iqpfjnba.exe

C:\Windows\system32\Iqpfjnba.exe

C:\Windows\SysWOW64\Idkbkl32.exe

C:\Windows\system32\Idkbkl32.exe

C:\Windows\SysWOW64\Igjngh32.exe

C:\Windows\system32\Igjngh32.exe

C:\Windows\SysWOW64\Ikejgf32.exe

C:\Windows\system32\Ikejgf32.exe

C:\Windows\SysWOW64\Indfca32.exe

C:\Windows\system32\Indfca32.exe

C:\Windows\SysWOW64\Ibobdqid.exe

C:\Windows\system32\Ibobdqid.exe

C:\Windows\SysWOW64\Iqbbpm32.exe

C:\Windows\system32\Iqbbpm32.exe

C:\Windows\SysWOW64\Jhijqj32.exe

C:\Windows\system32\Jhijqj32.exe

C:\Windows\SysWOW64\Jglklggl.exe

C:\Windows\system32\Jglklggl.exe

C:\Windows\SysWOW64\Jkhgmf32.exe

C:\Windows\system32\Jkhgmf32.exe

C:\Windows\SysWOW64\Jnfcia32.exe

C:\Windows\system32\Jnfcia32.exe

C:\Windows\SysWOW64\Jbaojpgb.exe

C:\Windows\system32\Jbaojpgb.exe

C:\Windows\SysWOW64\Jqdoem32.exe

C:\Windows\system32\Jqdoem32.exe

C:\Windows\SysWOW64\Jhlgfj32.exe

C:\Windows\system32\Jhlgfj32.exe

C:\Windows\SysWOW64\Jgogbgei.exe

C:\Windows\system32\Jgogbgei.exe

C:\Windows\SysWOW64\Jjmcnbdm.exe

C:\Windows\system32\Jjmcnbdm.exe

C:\Windows\SysWOW64\Jnhpoamf.exe

C:\Windows\system32\Jnhpoamf.exe

C:\Windows\SysWOW64\Jbdlop32.exe

C:\Windows\system32\Jbdlop32.exe

C:\Windows\SysWOW64\Jdbhkk32.exe

C:\Windows\system32\Jdbhkk32.exe

C:\Windows\SysWOW64\Jhndljll.exe

C:\Windows\system32\Jhndljll.exe

C:\Windows\SysWOW64\Jgadgf32.exe

C:\Windows\system32\Jgadgf32.exe

C:\Windows\SysWOW64\Jjopcb32.exe

C:\Windows\system32\Jjopcb32.exe

C:\Windows\SysWOW64\Jnkldqkc.exe

C:\Windows\system32\Jnkldqkc.exe

C:\Windows\SysWOW64\Jbfheo32.exe

C:\Windows\system32\Jbfheo32.exe

C:\Windows\SysWOW64\Jdedak32.exe

C:\Windows\system32\Jdedak32.exe

C:\Windows\SysWOW64\Jhpqaiji.exe

C:\Windows\system32\Jhpqaiji.exe

C:\Windows\SysWOW64\Jkomneim.exe

C:\Windows\system32\Jkomneim.exe

C:\Windows\SysWOW64\Jqlefl32.exe

C:\Windows\system32\Jqlefl32.exe

C:\Windows\SysWOW64\Jibmgi32.exe

C:\Windows\system32\Jibmgi32.exe

C:\Windows\SysWOW64\Jkaicd32.exe

C:\Windows\system32\Jkaicd32.exe

C:\Windows\SysWOW64\Jjdjoane.exe

C:\Windows\system32\Jjdjoane.exe

C:\Windows\SysWOW64\Kqnbkl32.exe

C:\Windows\system32\Kqnbkl32.exe

C:\Windows\SysWOW64\Kdinljnk.exe

C:\Windows\system32\Kdinljnk.exe

C:\Windows\SysWOW64\Kkcfid32.exe

C:\Windows\system32\Kkcfid32.exe

C:\Windows\SysWOW64\Kjffdalb.exe

C:\Windows\system32\Kjffdalb.exe

C:\Windows\SysWOW64\Kbmoen32.exe

C:\Windows\system32\Kbmoen32.exe

C:\Windows\SysWOW64\Kelkaj32.exe

C:\Windows\system32\Kelkaj32.exe

C:\Windows\SysWOW64\Kiggbhda.exe

C:\Windows\system32\Kiggbhda.exe

C:\Windows\SysWOW64\Kkfcndce.exe

C:\Windows\system32\Kkfcndce.exe

C:\Windows\SysWOW64\Kndojobi.exe

C:\Windows\system32\Kndojobi.exe

C:\Windows\SysWOW64\Kqbkfkal.exe

C:\Windows\system32\Kqbkfkal.exe

C:\Windows\SysWOW64\Kijchhbo.exe

C:\Windows\system32\Kijchhbo.exe

C:\Windows\SysWOW64\Kkhpdcab.exe

C:\Windows\system32\Kkhpdcab.exe

C:\Windows\SysWOW64\Kjkpoq32.exe

C:\Windows\system32\Kjkpoq32.exe

C:\Windows\SysWOW64\Kbbhqn32.exe

C:\Windows\system32\Kbbhqn32.exe

C:\Windows\SysWOW64\Kjmmepfj.exe

C:\Windows\system32\Kjmmepfj.exe

C:\Windows\SysWOW64\Kniieo32.exe

C:\Windows\system32\Kniieo32.exe

C:\Windows\SysWOW64\Kageaj32.exe

C:\Windows\system32\Kageaj32.exe

C:\Windows\SysWOW64\Kecabifp.exe

C:\Windows\system32\Kecabifp.exe

C:\Windows\SysWOW64\Kgamnded.exe

C:\Windows\system32\Kgamnded.exe

C:\Windows\SysWOW64\Kkmioc32.exe

C:\Windows\system32\Kkmioc32.exe

C:\Windows\SysWOW64\Knkekn32.exe

C:\Windows\system32\Knkekn32.exe

C:\Windows\SysWOW64\Lbgalmej.exe

C:\Windows\system32\Lbgalmej.exe

C:\Windows\SysWOW64\Leenhhdn.exe

C:\Windows\system32\Leenhhdn.exe

C:\Windows\SysWOW64\Lgcjdd32.exe

C:\Windows\system32\Lgcjdd32.exe

C:\Windows\SysWOW64\Ljbfpo32.exe

C:\Windows\system32\Ljbfpo32.exe

C:\Windows\SysWOW64\Lbinam32.exe

C:\Windows\system32\Lbinam32.exe

C:\Windows\SysWOW64\Legjmh32.exe

C:\Windows\system32\Legjmh32.exe

C:\Windows\SysWOW64\Licfngjd.exe

C:\Windows\system32\Licfngjd.exe

C:\Windows\SysWOW64\Lkabjbih.exe

C:\Windows\system32\Lkabjbih.exe

C:\Windows\SysWOW64\Ljdceo32.exe

C:\Windows\system32\Ljdceo32.exe

C:\Windows\SysWOW64\Lankbigo.exe

C:\Windows\system32\Lankbigo.exe

C:\Windows\SysWOW64\Lieccf32.exe

C:\Windows\system32\Lieccf32.exe

C:\Windows\SysWOW64\Lghcocol.exe

C:\Windows\system32\Lghcocol.exe

C:\Windows\SysWOW64\Ljgpkonp.exe

C:\Windows\system32\Ljgpkonp.exe

C:\Windows\SysWOW64\Lbngllob.exe

C:\Windows\system32\Lbngllob.exe

C:\Windows\SysWOW64\Lelchgne.exe

C:\Windows\system32\Lelchgne.exe

C:\Windows\SysWOW64\Lihpif32.exe

C:\Windows\system32\Lihpif32.exe

C:\Windows\SysWOW64\Llflea32.exe

C:\Windows\system32\Llflea32.exe

C:\Windows\SysWOW64\Lndham32.exe

C:\Windows\system32\Lndham32.exe

C:\Windows\SysWOW64\Lacdmh32.exe

C:\Windows\system32\Lacdmh32.exe

C:\Windows\SysWOW64\Leopnglc.exe

C:\Windows\system32\Leopnglc.exe

C:\Windows\SysWOW64\Llhikacp.exe

C:\Windows\system32\Llhikacp.exe

C:\Windows\SysWOW64\Mbbagk32.exe

C:\Windows\system32\Mbbagk32.exe

C:\Windows\SysWOW64\Meamcg32.exe

C:\Windows\system32\Meamcg32.exe

C:\Windows\SysWOW64\Mlpokp32.exe

C:\Windows\system32\Mlpokp32.exe

C:\Windows\SysWOW64\Mjbogmdb.exe

C:\Windows\system32\Mjbogmdb.exe

C:\Windows\SysWOW64\Mehcdfch.exe

C:\Windows\system32\Mehcdfch.exe

C:\Windows\SysWOW64\Mhfppabl.exe

C:\Windows\system32\Mhfppabl.exe

C:\Windows\SysWOW64\Mejpje32.exe

C:\Windows\system32\Mejpje32.exe

C:\Windows\SysWOW64\Mldhfpib.exe

C:\Windows\system32\Mldhfpib.exe

C:\Windows\SysWOW64\Nobdbkhf.exe

C:\Windows\system32\Nobdbkhf.exe

C:\Windows\SysWOW64\Naaqofgj.exe

C:\Windows\system32\Naaqofgj.exe

C:\Windows\SysWOW64\Nemmoe32.exe

C:\Windows\system32\Nemmoe32.exe

C:\Windows\SysWOW64\Nhkikq32.exe

C:\Windows\system32\Nhkikq32.exe

C:\Windows\SysWOW64\Njiegl32.exe

C:\Windows\system32\Njiegl32.exe

C:\Windows\SysWOW64\Nbqmiinl.exe

C:\Windows\system32\Nbqmiinl.exe

C:\Windows\SysWOW64\Neoieenp.exe

C:\Windows\system32\Neoieenp.exe

C:\Windows\SysWOW64\Nijeec32.exe

C:\Windows\system32\Nijeec32.exe

C:\Windows\SysWOW64\Nklbmllg.exe

C:\Windows\system32\Nklbmllg.exe

C:\Windows\SysWOW64\Nbcjnilj.exe

C:\Windows\system32\Nbcjnilj.exe

C:\Windows\SysWOW64\Neafjdkn.exe

C:\Windows\system32\Neafjdkn.exe

C:\Windows\SysWOW64\Nimbkc32.exe

C:\Windows\system32\Nimbkc32.exe

C:\Windows\SysWOW64\Nlkngo32.exe

C:\Windows\system32\Nlkngo32.exe

C:\Windows\SysWOW64\Nojjcj32.exe

C:\Windows\system32\Nojjcj32.exe

C:\Windows\SysWOW64\Nahgoe32.exe

C:\Windows\system32\Nahgoe32.exe

C:\Windows\SysWOW64\Neccpd32.exe

C:\Windows\system32\Neccpd32.exe

C:\Windows\SysWOW64\Nlnkmnah.exe

C:\Windows\system32\Nlnkmnah.exe

C:\Windows\SysWOW64\Nolgijpk.exe

C:\Windows\system32\Nolgijpk.exe

C:\Windows\SysWOW64\Nbgcih32.exe

C:\Windows\system32\Nbgcih32.exe

C:\Windows\SysWOW64\Nefped32.exe

C:\Windows\system32\Nefped32.exe

C:\Windows\SysWOW64\Niakfbpa.exe

C:\Windows\system32\Niakfbpa.exe

C:\Windows\SysWOW64\Nlphbnoe.exe

C:\Windows\system32\Nlphbnoe.exe

C:\Windows\SysWOW64\Oondnini.exe

C:\Windows\system32\Oondnini.exe

C:\Windows\SysWOW64\Objpoh32.exe

C:\Windows\system32\Objpoh32.exe

C:\Windows\SysWOW64\Olbdhn32.exe

C:\Windows\system32\Olbdhn32.exe

C:\Windows\SysWOW64\Okedcjcm.exe

C:\Windows\system32\Okedcjcm.exe

C:\Windows\SysWOW64\Ooqqdi32.exe

C:\Windows\system32\Ooqqdi32.exe

C:\Windows\SysWOW64\Oaompd32.exe

C:\Windows\system32\Oaompd32.exe

C:\Windows\SysWOW64\Oekiqccc.exe

C:\Windows\system32\Oekiqccc.exe

C:\Windows\SysWOW64\Ohiemobf.exe

C:\Windows\system32\Ohiemobf.exe

C:\Windows\SysWOW64\Okgaijaj.exe

C:\Windows\system32\Okgaijaj.exe

C:\Windows\SysWOW64\Oboijgbl.exe

C:\Windows\system32\Oboijgbl.exe

C:\Windows\SysWOW64\Oaajed32.exe

C:\Windows\system32\Oaajed32.exe

C:\Windows\SysWOW64\Oihagaji.exe

C:\Windows\system32\Oihagaji.exe

C:\Windows\SysWOW64\Olgncmim.exe

C:\Windows\system32\Olgncmim.exe

C:\Windows\SysWOW64\Okjnnj32.exe

C:\Windows\system32\Okjnnj32.exe

C:\Windows\SysWOW64\Obafpg32.exe

C:\Windows\system32\Obafpg32.exe

C:\Windows\SysWOW64\Oeoblb32.exe

C:\Windows\system32\Oeoblb32.exe

C:\Windows\SysWOW64\Ohnohn32.exe

C:\Windows\system32\Ohnohn32.exe

C:\Windows\SysWOW64\Oklkdi32.exe

C:\Windows\system32\Oklkdi32.exe

C:\Windows\SysWOW64\Oohgdhfn.exe

C:\Windows\system32\Oohgdhfn.exe

C:\Windows\SysWOW64\Obcceg32.exe

C:\Windows\system32\Obcceg32.exe

C:\Windows\SysWOW64\Oeaoab32.exe

C:\Windows\system32\Oeaoab32.exe

C:\Windows\SysWOW64\Oimkbaed.exe

C:\Windows\system32\Oimkbaed.exe

C:\Windows\SysWOW64\Pllgnl32.exe

C:\Windows\system32\Pllgnl32.exe

C:\Windows\SysWOW64\Pkogiikb.exe

C:\Windows\system32\Pkogiikb.exe

C:\Windows\SysWOW64\Pcepkfld.exe

C:\Windows\system32\Pcepkfld.exe

C:\Windows\SysWOW64\Pahpfc32.exe

C:\Windows\system32\Pahpfc32.exe

C:\Windows\SysWOW64\Piphgq32.exe

C:\Windows\system32\Piphgq32.exe

C:\Windows\SysWOW64\Phbhcmjl.exe

C:\Windows\system32\Phbhcmjl.exe

C:\Windows\SysWOW64\Pkadoiip.exe

C:\Windows\system32\Pkadoiip.exe

C:\Windows\SysWOW64\Polppg32.exe

C:\Windows\system32\Polppg32.exe

C:\Windows\SysWOW64\Pakllc32.exe

C:\Windows\system32\Pakllc32.exe

C:\Windows\SysWOW64\Pefhlaie.exe

C:\Windows\system32\Pefhlaie.exe

C:\Windows\SysWOW64\Phedhmhi.exe

C:\Windows\system32\Phedhmhi.exe

C:\Windows\SysWOW64\Poomegpf.exe

C:\Windows\system32\Poomegpf.exe

C:\Windows\SysWOW64\Peieba32.exe

C:\Windows\system32\Peieba32.exe

C:\Windows\SysWOW64\Pidabppl.exe

C:\Windows\system32\Pidabppl.exe

C:\Windows\SysWOW64\Poajkgnc.exe

C:\Windows\system32\Poajkgnc.exe

C:\Windows\SysWOW64\Pekbga32.exe

C:\Windows\system32\Pekbga32.exe

C:\Windows\SysWOW64\Phincl32.exe

C:\Windows\system32\Phincl32.exe

C:\Windows\SysWOW64\Pkhjph32.exe

C:\Windows\system32\Pkhjph32.exe

C:\Windows\SysWOW64\Pcobaedj.exe

C:\Windows\system32\Pcobaedj.exe

C:\Windows\SysWOW64\Pemomqcn.exe

C:\Windows\system32\Pemomqcn.exe

C:\Windows\SysWOW64\Qhlkilba.exe

C:\Windows\system32\Qhlkilba.exe

C:\Windows\SysWOW64\Qlggjk32.exe

C:\Windows\system32\Qlggjk32.exe

C:\Windows\SysWOW64\Qcaofebg.exe

C:\Windows\system32\Qcaofebg.exe

C:\Windows\SysWOW64\Qepkbpak.exe

C:\Windows\system32\Qepkbpak.exe

C:\Windows\SysWOW64\Qhngolpo.exe

C:\Windows\system32\Qhngolpo.exe

C:\Windows\SysWOW64\Qohpkf32.exe

C:\Windows\system32\Qohpkf32.exe

C:\Windows\SysWOW64\Qaflgago.exe

C:\Windows\system32\Qaflgago.exe

C:\Windows\SysWOW64\Allpejfe.exe

C:\Windows\system32\Allpejfe.exe

C:\Windows\SysWOW64\Acfhad32.exe

C:\Windows\system32\Acfhad32.exe

C:\Windows\SysWOW64\Ahcajk32.exe

C:\Windows\system32\Ahcajk32.exe

C:\Windows\SysWOW64\Aoofle32.exe

C:\Windows\system32\Aoofle32.exe

C:\Windows\SysWOW64\Akffafgg.exe

C:\Windows\system32\Akffafgg.exe

C:\Windows\SysWOW64\Afkknogn.exe

C:\Windows\system32\Afkknogn.exe

C:\Windows\SysWOW64\Ahjgjj32.exe

C:\Windows\system32\Ahjgjj32.exe

C:\Windows\SysWOW64\Aleckinj.exe

C:\Windows\system32\Aleckinj.exe

C:\Windows\SysWOW64\Akhcfe32.exe

C:\Windows\system32\Akhcfe32.exe

C:\Windows\SysWOW64\Acokhc32.exe

C:\Windows\system32\Acokhc32.exe

C:\Windows\SysWOW64\Bfngdn32.exe

C:\Windows\system32\Bfngdn32.exe

C:\Windows\SysWOW64\Bjicdmmd.exe

C:\Windows\system32\Bjicdmmd.exe

C:\Windows\SysWOW64\Blhpqhlh.exe

C:\Windows\system32\Blhpqhlh.exe

C:\Windows\SysWOW64\Bkkple32.exe

C:\Windows\system32\Bkkple32.exe

C:\Windows\SysWOW64\Bcahmb32.exe

C:\Windows\system32\Bcahmb32.exe

C:\Windows\SysWOW64\Bbdhiojo.exe

C:\Windows\system32\Bbdhiojo.exe

C:\Windows\SysWOW64\Bjlpjm32.exe

C:\Windows\system32\Bjlpjm32.exe

C:\Windows\SysWOW64\Bljlfh32.exe

C:\Windows\system32\Bljlfh32.exe

C:\Windows\SysWOW64\Bohibc32.exe

C:\Windows\system32\Bohibc32.exe

C:\Windows\SysWOW64\Bcddcbab.exe

C:\Windows\system32\Bcddcbab.exe

C:\Windows\SysWOW64\Bfbaonae.exe

C:\Windows\system32\Bfbaonae.exe

C:\Windows\SysWOW64\Bhamkipi.exe

C:\Windows\system32\Bhamkipi.exe

C:\Windows\SysWOW64\Bmofagfp.exe

C:\Windows\system32\Bmofagfp.exe

C:\Windows\SysWOW64\Bombmcec.exe

C:\Windows\system32\Bombmcec.exe

C:\Windows\SysWOW64\Bcinna32.exe

C:\Windows\system32\Bcinna32.exe

C:\Windows\SysWOW64\Bkdcbd32.exe

C:\Windows\system32\Bkdcbd32.exe

C:\Windows\SysWOW64\Cmcolgbj.exe

C:\Windows\system32\Cmcolgbj.exe

C:\Windows\SysWOW64\Cbphdn32.exe

C:\Windows\system32\Cbphdn32.exe

C:\Windows\SysWOW64\Cbbdjm32.exe

C:\Windows\system32\Cbbdjm32.exe

C:\Windows\SysWOW64\Cfqmpl32.exe

C:\Windows\system32\Cfqmpl32.exe

C:\Windows\SysWOW64\Cioilg32.exe

C:\Windows\system32\Cioilg32.exe

C:\Windows\SysWOW64\Ckmehb32.exe

C:\Windows\system32\Ckmehb32.exe

C:\Windows\SysWOW64\Ccdnjp32.exe

C:\Windows\system32\Ccdnjp32.exe

C:\Windows\SysWOW64\Ckpbnb32.exe

C:\Windows\system32\Ckpbnb32.exe

C:\Windows\SysWOW64\Coknoaic.exe

C:\Windows\system32\Coknoaic.exe

C:\Windows\SysWOW64\Djqblj32.exe

C:\Windows\system32\Djqblj32.exe

C:\Windows\SysWOW64\Dmoohe32.exe

C:\Windows\system32\Dmoohe32.exe

C:\Windows\SysWOW64\Dfgcakon.exe

C:\Windows\system32\Dfgcakon.exe

C:\Windows\SysWOW64\Dmalne32.exe

C:\Windows\system32\Dmalne32.exe

C:\Windows\SysWOW64\Dkdliame.exe

C:\Windows\system32\Dkdliame.exe

C:\Windows\SysWOW64\Dckdjomg.exe

C:\Windows\system32\Dckdjomg.exe

C:\Windows\SysWOW64\Dbndfl32.exe

C:\Windows\system32\Dbndfl32.exe

C:\Windows\SysWOW64\Dpbdopck.exe

C:\Windows\system32\Dpbdopck.exe

C:\Windows\SysWOW64\Dlieda32.exe

C:\Windows\system32\Dlieda32.exe

C:\Windows\SysWOW64\Dfoiaj32.exe

C:\Windows\system32\Dfoiaj32.exe

C:\Windows\SysWOW64\Dmhand32.exe

C:\Windows\system32\Dmhand32.exe

C:\Windows\SysWOW64\Eiobceef.exe

C:\Windows\system32\Eiobceef.exe

C:\Windows\SysWOW64\Elnoopdj.exe

C:\Windows\system32\Elnoopdj.exe

C:\Windows\SysWOW64\Ecefqnel.exe

C:\Windows\system32\Ecefqnel.exe

C:\Windows\SysWOW64\Emmkiclm.exe

C:\Windows\system32\Emmkiclm.exe

C:\Windows\SysWOW64\Efepbi32.exe

C:\Windows\system32\Efepbi32.exe

C:\Windows\SysWOW64\Eleepoob.exe

C:\Windows\system32\Eleepoob.exe

C:\Windows\SysWOW64\Efjimhnh.exe

C:\Windows\system32\Efjimhnh.exe

C:\Windows\SysWOW64\Elgaeolp.exe

C:\Windows\system32\Elgaeolp.exe

C:\Windows\SysWOW64\Ffmfchle.exe

C:\Windows\system32\Ffmfchle.exe

C:\Windows\SysWOW64\Fpejlmcf.exe

C:\Windows\system32\Fpejlmcf.exe

C:\Windows\SysWOW64\Fllkqn32.exe

C:\Windows\system32\Fllkqn32.exe

C:\Windows\SysWOW64\Fdepgkgj.exe

C:\Windows\system32\Fdepgkgj.exe

C:\Windows\SysWOW64\Fmpqfq32.exe

C:\Windows\system32\Fmpqfq32.exe

C:\Windows\SysWOW64\Gigaka32.exe

C:\Windows\system32\Gigaka32.exe

C:\Windows\SysWOW64\Gpqjglii.exe

C:\Windows\system32\Gpqjglii.exe

C:\Windows\SysWOW64\Giinpa32.exe

C:\Windows\system32\Giinpa32.exe

C:\Windows\SysWOW64\Gfmojenc.exe

C:\Windows\system32\Gfmojenc.exe

C:\Windows\SysWOW64\Gljgbllj.exe

C:\Windows\system32\Gljgbllj.exe

C:\Windows\SysWOW64\Gdaociml.exe

C:\Windows\system32\Gdaociml.exe

C:\Windows\SysWOW64\Gmiclo32.exe

C:\Windows\system32\Gmiclo32.exe

C:\Windows\SysWOW64\Ggahedjn.exe

C:\Windows\system32\Ggahedjn.exe

C:\Windows\SysWOW64\Hbhijepa.exe

C:\Windows\system32\Hbhijepa.exe

C:\Windows\SysWOW64\Hgfapd32.exe

C:\Windows\system32\Hgfapd32.exe

C:\Windows\SysWOW64\Hmbfbn32.exe

C:\Windows\system32\Hmbfbn32.exe

C:\Windows\SysWOW64\Hgmgqc32.exe

C:\Windows\system32\Hgmgqc32.exe

C:\Windows\SysWOW64\Iphioh32.exe

C:\Windows\system32\Iphioh32.exe

C:\Windows\SysWOW64\Icfekc32.exe

C:\Windows\system32\Icfekc32.exe

C:\Windows\SysWOW64\Iknmla32.exe

C:\Windows\system32\Iknmla32.exe

C:\Windows\SysWOW64\Inlihl32.exe

C:\Windows\system32\Inlihl32.exe

C:\Windows\SysWOW64\Ipjedh32.exe

C:\Windows\system32\Ipjedh32.exe

C:\Windows\SysWOW64\Iciaqc32.exe

C:\Windows\system32\Iciaqc32.exe

C:\Windows\SysWOW64\Ikpjbq32.exe

C:\Windows\system32\Ikpjbq32.exe

C:\Windows\SysWOW64\Ijcjmmil.exe

C:\Windows\system32\Ijcjmmil.exe

C:\Windows\SysWOW64\Innfnl32.exe

C:\Windows\system32\Innfnl32.exe

C:\Windows\SysWOW64\Ipmbjgpi.exe

C:\Windows\system32\Ipmbjgpi.exe

C:\Windows\SysWOW64\Icknfcol.exe

C:\Windows\system32\Icknfcol.exe

C:\Windows\SysWOW64\Ipoopgnf.exe

C:\Windows\system32\Ipoopgnf.exe

C:\Windows\SysWOW64\Jdmgfedl.exe

C:\Windows\system32\Jdmgfedl.exe

C:\Windows\SysWOW64\Jnelok32.exe

C:\Windows\system32\Jnelok32.exe

C:\Windows\SysWOW64\Jjlmclqa.exe

C:\Windows\system32\Jjlmclqa.exe

C:\Windows\SysWOW64\Jdaaaeqg.exe

C:\Windows\system32\Jdaaaeqg.exe

C:\Windows\SysWOW64\Jnjejjgh.exe

C:\Windows\system32\Jnjejjgh.exe

C:\Windows\SysWOW64\Jcgnbaeo.exe

C:\Windows\system32\Jcgnbaeo.exe

C:\Windows\SysWOW64\Jjafok32.exe

C:\Windows\system32\Jjafok32.exe

C:\Windows\SysWOW64\Jdfjld32.exe

C:\Windows\system32\Jdfjld32.exe

C:\Windows\SysWOW64\Jcikgacl.exe

C:\Windows\system32\Jcikgacl.exe

C:\Windows\SysWOW64\Kmaopfjm.exe

C:\Windows\system32\Kmaopfjm.exe

C:\Windows\SysWOW64\Kmdlffhj.exe

C:\Windows\system32\Kmdlffhj.exe

C:\Windows\SysWOW64\Kkeldnpi.exe

C:\Windows\system32\Kkeldnpi.exe

C:\Windows\SysWOW64\Knchpiom.exe

C:\Windows\system32\Knchpiom.exe

C:\Windows\SysWOW64\Kqbdldnq.exe

C:\Windows\system32\Kqbdldnq.exe

C:\Windows\SysWOW64\Kcpahpmd.exe

C:\Windows\system32\Kcpahpmd.exe

C:\Windows\SysWOW64\Kmieae32.exe

C:\Windows\system32\Kmieae32.exe

C:\Windows\SysWOW64\Kqdaadln.exe

C:\Windows\system32\Kqdaadln.exe

C:\Windows\SysWOW64\Knhakh32.exe

C:\Windows\system32\Knhakh32.exe

C:\Windows\SysWOW64\Kqfngd32.exe

C:\Windows\system32\Kqfngd32.exe

C:\Windows\SysWOW64\Lcggio32.exe

C:\Windows\system32\Lcggio32.exe

C:\Windows\SysWOW64\Lcjcnoej.exe

C:\Windows\system32\Lcjcnoej.exe

C:\Windows\SysWOW64\Lnohlgep.exe

C:\Windows\system32\Lnohlgep.exe

C:\Windows\SysWOW64\Lggldm32.exe

C:\Windows\system32\Lggldm32.exe

C:\Windows\SysWOW64\Lmdemd32.exe

C:\Windows\system32\Lmdemd32.exe

C:\Windows\SysWOW64\Ljhefhha.exe

C:\Windows\system32\Ljhefhha.exe

C:\Windows\SysWOW64\Mkhapk32.exe

C:\Windows\system32\Mkhapk32.exe

C:\Windows\SysWOW64\Mmkkmc32.exe

C:\Windows\system32\Mmkkmc32.exe

C:\Windows\SysWOW64\Mnkggfkb.exe

C:\Windows\system32\Mnkggfkb.exe

C:\Windows\SysWOW64\Maiccajf.exe

C:\Windows\system32\Maiccajf.exe

C:\Windows\SysWOW64\Mchppmij.exe

C:\Windows\system32\Mchppmij.exe

C:\Windows\SysWOW64\Mmpdhboj.exe

C:\Windows\system32\Mmpdhboj.exe

C:\Windows\SysWOW64\Meiioonj.exe

C:\Windows\system32\Meiioonj.exe

C:\Windows\SysWOW64\Nelfeo32.exe

C:\Windows\system32\Nelfeo32.exe

C:\Windows\SysWOW64\Nmgjia32.exe

C:\Windows\system32\Nmgjia32.exe

C:\Windows\SysWOW64\Ncabfkqo.exe

C:\Windows\system32\Ncabfkqo.exe

C:\Windows\SysWOW64\Nlhkgi32.exe

C:\Windows\system32\Nlhkgi32.exe

C:\Windows\SysWOW64\Nnfgcd32.exe

C:\Windows\system32\Nnfgcd32.exe

C:\Windows\SysWOW64\Nlkgmh32.exe

C:\Windows\system32\Nlkgmh32.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Nmnqjp32.exe

C:\Windows\system32\Nmnqjp32.exe

C:\Windows\SysWOW64\Oeehkn32.exe

C:\Windows\system32\Oeehkn32.exe

C:\Windows\SysWOW64\Odhifjkg.exe

C:\Windows\system32\Odhifjkg.exe

C:\Windows\SysWOW64\Ojbacd32.exe

C:\Windows\system32\Ojbacd32.exe

C:\Windows\SysWOW64\Onnmdcjm.exe

C:\Windows\system32\Onnmdcjm.exe

C:\Windows\SysWOW64\Oeheqm32.exe

C:\Windows\system32\Oeheqm32.exe

C:\Windows\SysWOW64\Ohfami32.exe

C:\Windows\system32\Ohfami32.exe

C:\Windows\SysWOW64\Ojdnid32.exe

C:\Windows\system32\Ojdnid32.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Odmbaj32.exe

C:\Windows\system32\Odmbaj32.exe

C:\Windows\SysWOW64\Ojgjndno.exe

C:\Windows\system32\Ojgjndno.exe

C:\Windows\SysWOW64\Oaqbkn32.exe

C:\Windows\system32\Oaqbkn32.exe

C:\Windows\SysWOW64\Ohkkhhmh.exe

C:\Windows\system32\Ohkkhhmh.exe

C:\Windows\SysWOW64\Ojigdcll.exe

C:\Windows\system32\Ojigdcll.exe

C:\Windows\SysWOW64\Omgcpokp.exe

C:\Windows\system32\Omgcpokp.exe

C:\Windows\SysWOW64\Oeokal32.exe

C:\Windows\system32\Oeokal32.exe

C:\Windows\SysWOW64\Ohmhmh32.exe

C:\Windows\system32\Ohmhmh32.exe

C:\Windows\SysWOW64\Okkdic32.exe

C:\Windows\system32\Okkdic32.exe

C:\Windows\SysWOW64\Omjpeo32.exe

C:\Windows\system32\Omjpeo32.exe

C:\Windows\SysWOW64\Pahilmoc.exe

C:\Windows\system32\Pahilmoc.exe

C:\Windows\SysWOW64\Plpjoe32.exe

C:\Windows\system32\Plpjoe32.exe

C:\Windows\SysWOW64\Pehngkcg.exe

C:\Windows\system32\Pehngkcg.exe

C:\Windows\SysWOW64\Popbpqjh.exe

C:\Windows\system32\Popbpqjh.exe

C:\Windows\SysWOW64\Pejkmk32.exe

C:\Windows\system32\Pejkmk32.exe

C:\Windows\SysWOW64\Qmhlgmmm.exe

C:\Windows\system32\Qmhlgmmm.exe

C:\Windows\SysWOW64\Qklmpalf.exe

C:\Windows\system32\Qklmpalf.exe

C:\Windows\SysWOW64\Aknifq32.exe

C:\Windows\system32\Aknifq32.exe

C:\Windows\SysWOW64\Anmfbl32.exe

C:\Windows\system32\Anmfbl32.exe

C:\Windows\SysWOW64\Alpbecod.exe

C:\Windows\system32\Alpbecod.exe

C:\Windows\SysWOW64\Aaohcj32.exe

C:\Windows\system32\Aaohcj32.exe

C:\Windows\SysWOW64\Baadiiif.exe

C:\Windows\system32\Baadiiif.exe

C:\Windows\SysWOW64\Bhkmec32.exe

C:\Windows\system32\Bhkmec32.exe

C:\Windows\SysWOW64\Bnhenj32.exe

C:\Windows\system32\Bnhenj32.exe

C:\Windows\SysWOW64\Bnkbcj32.exe

C:\Windows\system32\Bnkbcj32.exe

C:\Windows\SysWOW64\Bedgjgkg.exe

C:\Windows\system32\Bedgjgkg.exe

C:\Windows\SysWOW64\Bkaobnio.exe

C:\Windows\system32\Bkaobnio.exe

C:\Windows\SysWOW64\Cnahdi32.exe

C:\Windows\system32\Cnahdi32.exe

C:\Windows\SysWOW64\Cdnmfclj.exe

C:\Windows\system32\Cdnmfclj.exe

C:\Windows\SysWOW64\Cbbnpg32.exe

C:\Windows\system32\Cbbnpg32.exe

C:\Windows\SysWOW64\Cofnik32.exe

C:\Windows\system32\Cofnik32.exe

C:\Windows\SysWOW64\Cbfgkffn.exe

C:\Windows\system32\Cbfgkffn.exe

C:\Windows\SysWOW64\Dkokcl32.exe

C:\Windows\system32\Dkokcl32.exe

C:\Windows\SysWOW64\Dnpdegjp.exe

C:\Windows\system32\Dnpdegjp.exe

C:\Windows\SysWOW64\Ddligq32.exe

C:\Windows\system32\Ddligq32.exe

C:\Windows\SysWOW64\Dndnpf32.exe

C:\Windows\system32\Dndnpf32.exe

C:\Windows\SysWOW64\Dmennnni.exe

C:\Windows\system32\Dmennnni.exe

C:\Windows\SysWOW64\Emhkdmlg.exe

C:\Windows\system32\Emhkdmlg.exe

C:\Windows\SysWOW64\Eiokinbk.exe

C:\Windows\system32\Eiokinbk.exe

C:\Windows\SysWOW64\Efblbbqd.exe

C:\Windows\system32\Efblbbqd.exe

C:\Windows\SysWOW64\Eokqkh32.exe

C:\Windows\system32\Eokqkh32.exe

C:\Windows\SysWOW64\Eblimcdf.exe

C:\Windows\system32\Eblimcdf.exe

C:\Windows\SysWOW64\Ebnfbcbc.exe

C:\Windows\system32\Ebnfbcbc.exe

C:\Windows\SysWOW64\Fneggdhg.exe

C:\Windows\system32\Fneggdhg.exe

C:\Windows\SysWOW64\Fijkdmhn.exe

C:\Windows\system32\Fijkdmhn.exe

C:\Windows\SysWOW64\Fbbpmb32.exe

C:\Windows\system32\Fbbpmb32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\system32\Fpgpgfmh.exe

C:\Windows\SysWOW64\Fmkqpkla.exe

C:\Windows\system32\Fmkqpkla.exe

C:\Windows\SysWOW64\Flpmagqi.exe

C:\Windows\system32\Flpmagqi.exe

C:\Windows\SysWOW64\Gmojkj32.exe

C:\Windows\system32\Gmojkj32.exe

C:\Windows\SysWOW64\Gblbca32.exe

C:\Windows\system32\Gblbca32.exe

C:\Windows\SysWOW64\Gncchb32.exe

C:\Windows\system32\Gncchb32.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Gbchdp32.exe

C:\Windows\system32\Gbchdp32.exe

C:\Windows\SysWOW64\Gimqajgh.exe

C:\Windows\system32\Gimqajgh.exe

C:\Windows\SysWOW64\Gpgind32.exe

C:\Windows\system32\Gpgind32.exe

C:\Windows\SysWOW64\Hmkigh32.exe

C:\Windows\system32\Hmkigh32.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hoaojp32.exe

C:\Windows\system32\Hoaojp32.exe

C:\Windows\SysWOW64\Hpqldc32.exe

C:\Windows\system32\Hpqldc32.exe

C:\Windows\SysWOW64\Ifmqfm32.exe

C:\Windows\system32\Ifmqfm32.exe

C:\Windows\SysWOW64\Iliinc32.exe

C:\Windows\system32\Iliinc32.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Ipjoja32.exe

C:\Windows\system32\Ipjoja32.exe

C:\Windows\SysWOW64\Igdgglfl.exe

C:\Windows\system32\Igdgglfl.exe

C:\Windows\SysWOW64\Ilqoobdd.exe

C:\Windows\system32\Ilqoobdd.exe

C:\Windows\SysWOW64\Ipoheakj.exe

C:\Windows\system32\Ipoheakj.exe

C:\Windows\SysWOW64\Jocefm32.exe

C:\Windows\system32\Jocefm32.exe

C:\Windows\SysWOW64\Jofalmmp.exe

C:\Windows\system32\Jofalmmp.exe

C:\Windows\SysWOW64\Johnamkm.exe

C:\Windows\system32\Johnamkm.exe

C:\Windows\SysWOW64\Jjpode32.exe

C:\Windows\system32\Jjpode32.exe

C:\Windows\SysWOW64\Kjblje32.exe

C:\Windows\system32\Kjblje32.exe

C:\Windows\SysWOW64\Kjeiodek.exe

C:\Windows\system32\Kjeiodek.exe

C:\Windows\SysWOW64\Kgiiiidd.exe

C:\Windows\system32\Kgiiiidd.exe

C:\Windows\SysWOW64\Knenkbio.exe

C:\Windows\system32\Knenkbio.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Lgbloglj.exe

C:\Windows\system32\Lgbloglj.exe

C:\Windows\SysWOW64\Lomqcjie.exe

C:\Windows\system32\Lomqcjie.exe

C:\Windows\SysWOW64\Lopmii32.exe

C:\Windows\system32\Lopmii32.exe

C:\Windows\SysWOW64\Lflbkcll.exe

C:\Windows\system32\Lflbkcll.exe

C:\Windows\SysWOW64\Mcpcdg32.exe

C:\Windows\system32\Mcpcdg32.exe

C:\Windows\SysWOW64\Mqdcnl32.exe

C:\Windows\system32\Mqdcnl32.exe

C:\Windows\SysWOW64\Mqfpckhm.exe

C:\Windows\system32\Mqfpckhm.exe

C:\Windows\SysWOW64\Mjodla32.exe

C:\Windows\system32\Mjodla32.exe

C:\Windows\SysWOW64\Mfeeabda.exe

C:\Windows\system32\Mfeeabda.exe

C:\Windows\SysWOW64\Mgeakekd.exe

C:\Windows\system32\Mgeakekd.exe

C:\Windows\SysWOW64\Nclbpf32.exe

C:\Windows\system32\Nclbpf32.exe

C:\Windows\SysWOW64\Njfkmphe.exe

C:\Windows\system32\Njfkmphe.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Nmfcok32.exe

C:\Windows\system32\Nmfcok32.exe

C:\Windows\SysWOW64\Npepkf32.exe

C:\Windows\system32\Npepkf32.exe

C:\Windows\SysWOW64\Njjdho32.exe

C:\Windows\system32\Njjdho32.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Ngndaccj.exe

C:\Windows\system32\Ngndaccj.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Nceefd32.exe

C:\Windows\system32\Nceefd32.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Oaifpi32.exe

C:\Windows\system32\Oaifpi32.exe

C:\Windows\SysWOW64\Ogcnmc32.exe

C:\Windows\system32\Ogcnmc32.exe

C:\Windows\SysWOW64\Ompfej32.exe

C:\Windows\system32\Ompfej32.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Ojdgnn32.exe

C:\Windows\system32\Ojdgnn32.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Ofkgcobj.exe

C:\Windows\system32\Ofkgcobj.exe

C:\Windows\SysWOW64\Omdppiif.exe

C:\Windows\system32\Omdppiif.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Pmiikh32.exe

C:\Windows\system32\Pmiikh32.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Pagbaglh.exe

C:\Windows\system32\Pagbaglh.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Pdhkcb32.exe

C:\Windows\system32\Pdhkcb32.exe

C:\Windows\SysWOW64\Pjbcplpe.exe

C:\Windows\system32\Pjbcplpe.exe

C:\Windows\SysWOW64\Ppolhcnm.exe

C:\Windows\system32\Ppolhcnm.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Panhbfep.exe

C:\Windows\system32\Panhbfep.exe

C:\Windows\SysWOW64\Ppahmb32.exe

C:\Windows\system32\Ppahmb32.exe

C:\Windows\SysWOW64\Qjfmkk32.exe

C:\Windows\system32\Qjfmkk32.exe

C:\Windows\SysWOW64\Qpcecb32.exe

C:\Windows\system32\Qpcecb32.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qodeajbg.exe

C:\Windows\system32\Qodeajbg.exe

C:\Windows\SysWOW64\Ahmjjoig.exe

C:\Windows\system32\Ahmjjoig.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Aphnnafb.exe

C:\Windows\system32\Aphnnafb.exe

C:\Windows\SysWOW64\Afbgkl32.exe

C:\Windows\system32\Afbgkl32.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Agdcpkll.exe

C:\Windows\system32\Agdcpkll.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Aaldccip.exe

C:\Windows\system32\Aaldccip.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Aaoaic32.exe

C:\Windows\system32\Aaoaic32.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Boenhgdd.exe

C:\Windows\system32\Boenhgdd.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bklomh32.exe

C:\Windows\system32\Bklomh32.exe

C:\Windows\SysWOW64\Baegibae.exe

C:\Windows\system32\Baegibae.exe

C:\Windows\SysWOW64\Bhpofl32.exe

C:\Windows\system32\Bhpofl32.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Bajqda32.exe

C:\Windows\system32\Bajqda32.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Cnaaib32.exe

C:\Windows\system32\Cnaaib32.exe

C:\Windows\SysWOW64\Cdkifmjq.exe

C:\Windows\system32\Cdkifmjq.exe

C:\Windows\SysWOW64\Coqncejg.exe

C:\Windows\system32\Coqncejg.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Cgqlcg32.exe

C:\Windows\system32\Cgqlcg32.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dojqjdbl.exe

C:\Windows\system32\Dojqjdbl.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 12460 -ip 12460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 12460 -s 228

Network

Country  Destination  Domain                         Proto
US       8.8.8.8:53   104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53   240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53   69.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53   28.118.140.52.in-addr.arpa     udp
US       8.8.8.8:53   56.163.245.4.in-addr.arpa      udp
US       8.8.8.8:53   206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53   19.229.111.52.in-addr.arpa     udp

Files

memory/216-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ehcfaboo.exe

MD5 a1704dcdeed22c339cd145b513263da7
SHA1 3b2b806f1650408c23c45a20c22a7c78a17cf46f
SHA256 a85fe3688cde438d847f13861feee5e494efce8b16059f9ebe4816b1cb587b23
SHA512 0aabb7bfb8ef67c7f2004a3e5f04c7086fa1a28e68b15c257d054ab85d6ecf676602fd6df1615a5fcfb415c1d7038177aee1d52b864ab40718434447639ce103

memory/2960-11-0x0000000000400000-0x0000000000442000-memory.dmp

memory/408-16-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ejbbmnnb.exe

MD5 3784b7343583c4178df066da3a2c151f
SHA1 9981460ed089e4b16527b1c852eb7d28729d242d
SHA256 a88fe0b5196d850017ced7abf0cfe10f9e7ee740b6cc92ce14d9497739530921
SHA512 15ff4dc7eb6df16982d76791002de6ece0ba0745345786c29e9abc6982c87252d56fc60714bbc2105cac856623fdd75f14a30ac95175802715631070acb5891f

C:\Windows\SysWOW64\Efhcbodf.exe

MD5 d65585d65af6632002aad76ee864c1a6
SHA1 9dad32326a78888108324d6ae1694056cd8b3956
SHA256 ef05be754d7c43b119fbc6389f146a89ff0fb14b0a2f760bdb0da7b4d690a4b7
SHA512 0898d4260f472ff7878f8f15157f7afe7e76f6c843a8f53faf6c8496de39357122a35ad8e43a06b8516777c525b50555567abe15a337c470b99f31b0042b7f5f

memory/3800-23-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Eangpgcl.exe

MD5 08daeaef5cd31e1e986127bbaa5530d7
SHA1 3d122fc9f9ab78338101cc7a59df8290107d4981
SHA256 3d28a1fbd22562820852b3626b584cbadba76aef9a6aa47c2a78808afd8c1ab5
SHA512 973ceed28408799eebb9df629d19cd4bb9d58f3764466e12308d9c0291f725f2355043ff0112c1bec4f815197f84d19e3cf5e79cf590b1a527613edbad88bf67

memory/3636-31-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Qnmghonf.dll

MD5 5ade067e9af68c2323a6558b4f63ea3a
SHA1 e6dfaf1d251e19e2af97bf8973569f3a20d34503
SHA256 1e426d421656d889f56195014ec84200efc4f4d6be45677ec6d79917de2635f8
SHA512 89ceaea4ef97605223296b7deeeb0028c27e5dfd88f2c12c2e9e7ffd438034618a0f40c30776a0019b77fd9f6255cdc26a091e4090a827909374b8992c01f516

C:\Windows\SysWOW64\Edmclccp.exe

MD5 0b9bcd1b35151fe7970993fe13a616b4
SHA1 4b241298fca5587923c00583987f570540403957
SHA256 bdb8511fff5a2072f820b83c21c9db8a63b913c03f986bbcefc29e0163a0ab64
SHA512 42223e5264a8d49a126a327d8f4021b5d06fa6f828912c5fa0d26deb8de47878fc9f35ec75ec97e302912a2bfe58465b6dd525ba61b35d7b9eeb5772091bfd9c

memory/4496-44-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ejflhm32.exe

MD5 68b1993dfc59b2852e58f7b578986c66
SHA1 5e823f3aeb387b9de8c8fe1b0182cdb5699b0522
SHA256 dd870f32044c5edb7ab84f6f097a80bbbf80b1e9e2022dddbfdc72b4d4102f00
SHA512 337b0889d61aaf170eb79b268518682415b2813e76fa7e51bc43f2e583b949e69e502f4811bf91945c7b1b0f567eceb05bf576c0f3c0fa76849eafbd8b654cb7

memory/1880-48-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Emehdh32.exe

MD5 b40e6ee5546d28b0209d6faab9449197
SHA1 66629238b5e6d49df9ca896b612325616ab3622a
SHA256 1b248274813e3515557115eab6133ae8f62ae9f3e119edd7cc44d71e35456d65
SHA512 f599110cf5ac1c01800f817ae03365ca855018f503807ca17f80530c0b3110d7bd665056b59b7f13431ebffa7c5a784d762802a720630d819198fc1c9505bd28

memory/4968-56-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fmgejhgn.exe

MD5 d72d6a5076ac2ca3558454d28e3da4f8
SHA1 81fa7e4fffb7305c4b729663371a81eadf356888
SHA256 2c61eb4549dc680595bd1aac8cdb74001ed6beb62c01d691f53844ead6682032
SHA512 4cfe68b2be112ad6aa740ac9beea510b9b324061eccf73506de380cd581e78b40b9c5562690aa043ab8f7f4369d7709c68b323dfdf37b7e8169c673c201ce7c7

memory/2304-64-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fhmigagd.exe

MD5 d6e4e4c02e71886f1ca7ba32272ff2f3
SHA1 f985c6d33d39009d080a921b1d452dfdc33c78d3
SHA256 cc769c11ef8cafea294b950dcc807f1f5d6d6f8998a5425e9eabefb21b64429e
SHA512 adad42c1efd6c44e3a9ee907dcead54831b63a19e344c43617d20f7d4ad597eb49453356613063b69673443cc2099dc67a1ae68da3e44bce59db9acd7045b0fa

memory/220-72-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fineoi32.exe

MD5 3c3d1bfb372eedc88ddfd43e26ed9d88
SHA1 3aabb8e2a549180cd605c39eacd6cdf7e78ba2d0
SHA256 7cf9d7299242ec66155c5a4e1d3222f119461a8a6574a46a2ed9124a4f8786c9
SHA512 7a95030fbc594a22b5d0e8a8857c933d565e4a270b94cb5d30a7f8ef24231dbf942c000a761b584a974092dce33fc9d291b61270d65c243deaadf4681d19ca21

memory/4668-80-0x0000000000400000-0x0000000000442000-memory.dmp

memory/216-79-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fgbfhmll.exe

MD5 f2ad67ef671395ceda011d38000e8f58
SHA1 d83c85c7a7ae26d65a1babc7b4c8cf32392bfa81
SHA256 c2f4c781b9797c95a25f73053af6f41dcabcd11523c19c814e80aa60411284a8
SHA512 6c2634a4dc9b4bfd5ad00730272fc86e68ce35ac4ac60ed7ae6fb2af9267260551cf9d5a5467e11222ea50cc1dcf5d031663e71a59904ed735ea71e2b159e81a

memory/2960-88-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2716-90-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fpjjac32.exe

MD5 2ca42155cafa4f47384ac7447f1e00ff
SHA1 b4a2cd0482a72f95db6333d13c1a53732ebc55c0
SHA256 c661e5e86eced334e5ad1999b95245bcabbfa0f25c84e5ca5791a314755d8a47
SHA512 f31c84fb2e005267f73e3f3fa0f58046700d6fe83067064900bba741f43e61d3ddf7a7daed916f14eaaf952fe2a4babc8df6d2d55ac0352435ba3a9cdc8f6bc0

memory/408-97-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2640-98-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fmnkkg32.exe

MD5 a03c3c4c139778a245f1e5849e20aa9d
SHA1 aab517ab62e265e2f694ae0d44bc5e10bdaf19bd
SHA256 b2ef349a19a468fac9beb55b9d473ab4045ba30901d0c4f1e51fd7c93218931e
SHA512 02b923c2ca7a7ade0192124772dcae96896f1ca83bf271eaff1bf8313e34402f5ea9b3a563c91054838b9003c8f5cd2d58099c35526c073c2f1150d50de54dc2

memory/3800-106-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2808-108-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3636-116-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3424-117-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fpmggb32.exe

MD5 2f9345418712e09af9eaab6c3674a54b
SHA1 77dae187c5fcde3e4049aaaf60aa46a3ce8915b3
SHA256 0b54a442cdd84af75ff6ffc42cf5643b91eb26577583417642a884e2417beb73
SHA512 006769a8230b8e60864ccf4a7d7b0cd66f64190f284b1c401bfa532c0a0735c529951dde05ac25e51821d363bcf161893b8edf3d4b3b6ff10eced3a04469537c

C:\Windows\SysWOW64\Fmqgpgoc.exe

MD5 145616b7c9bc0346eadf49d950a742d4
SHA1 c5ccfecc73043156c9e3847004eb6fb44b0fbf0e
SHA256 f6506c66e12894f86bc0de280a5b00899d45f277d0209cf694c2865b11af66e1
SHA512 47d4086ba2e2561de426aa228a54227202897a79186cb19496c42a1ed1a476a224cde0d5a6b97cd532cc6ccbcd4ca700f33b0f1161ba98dfbc5d4589f1030adc

memory/3880-125-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1880-132-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fpodlbng.exe

MD5 99e03eeccf09005b6b5138e79251aed1
SHA1 f4d07bed776c4eedd5d6a1b2753511f0668a31bc
SHA256 11bd85711b2ba7b06b56005922f44e6a094d9534057b108950c25f7ecc34a0cb
SHA512 0709d3ba75c2c835a0ae92e9ce69f63c79fc78fcef0a595318bdbc0d9d42e2b654432ced704fd0553e1396ba08a7599ef328cb7d046f1b9591d5bb10221d8f10

memory/3128-134-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gkdhjknm.exe

MD5 9f88cb4b69b7336f09b014365d4eaffd
SHA1 4f0f125d7c5eb46a1a5a95b9b7f84c2e8ccd5cb7
SHA256 2b8a2e4656e5d92eb74dba33dfcefddd2934f9f881d956d584eeeea9ab500174
SHA512 569245d07270c716a83055b4b0d4fbe8e4f73b1b90bc75b65e93de1bc6c8b3cd8fcd2338b493dce3296dd8dc17197e20834c5a2fc975f8814640c02eacc3f7ec

memory/5056-143-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4968-142-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gpaqbbld.exe

MD5 ccc1e46ead86773349a5a4547556b2ec
SHA1 cc7266e6228c63ceeae072c53f2ee320caa55901
SHA256 b93d4ba63a355e3b421a9fdb493a39f9f8166eee465e5ae2c9ee428b11cf5c55
SHA512 aff5766d3b490834ab087f2917038cae244d4604eebfae4c0d27c94011d0be9231536263d2e4ab2baae3afa4ff52f007f79c407d7de230f38f27912430d52278

memory/620-151-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gijekg32.exe

MD5 b26b349c42e85df91c6e452bf16ce33b
SHA1 97c733ead5636a17122bce178ed820bca30b3306
SHA256 b63fdba12f5f5265b72ca9ac07ec9e125927d30acf62e31ee4eeeaaedbf6610a
SHA512 09ed1b4a7b919ceb03d78788a791889623bceb6c358888d61eb8eadefc78967f9b21e0a00e3096cfaa865125b0ac79f63548195fd39a1f8d692e050c7f964936

C:\Windows\SysWOW64\Gaamlecg.exe

MD5 d892aa4f114a2fa6f2872984095cc112
SHA1 4ed4b8bda18392b8747fe19e6e4394f4e97ea476
SHA256 e1e02d2561763ae44f5b2016433323fefb68430a197e1866a1b634a5c7c78dd4
SHA512 ae82ef9c1ebb1412c09f9f5f1ade8948e060b435bb9bb8a0b98a2015faac4e1dd60e7eab4d5b2be157222f849932b4e3ebd82b1f73ab7c48163de83491981303

C:\Windows\SysWOW64\Ghkeio32.exe

MD5 87b2ba488513ba78d730239f5e069b60
SHA1 b1e97b468425e946164fd92d3e02250f23a56903
SHA256 c0eb0251d80b71134a95ece9a328c5e466a429c58f2d6bee3c5634ce3a3b0242
SHA512 f390240d2236e09b6be641a8029bb0a4dcca216ce80ce67e8282f070de190302a49a93af2e25c979c3a476e0095872d3842d93165be24d831e852b9664051021

C:\Windows\SysWOW64\Ggnedlao.exe

MD5 f8d91029290ea432a65f49f900d5e6c7
SHA1 61bddddaf909e6bdc624e777640ccb1b7bb63dac
SHA256 ab86b871854d405242e4677afddf2a8ffd8c33183e3255284bd7277193bc5b8f
SHA512 59bfec9e91177047c88ea5225862a5c1d99b7f25c3d055f1c94d27be988756dbba3395890ae06045898530de0ea30661fc971b4e321cd4570411873bf4546fe2

memory/2808-200-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3880-218-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ggpbjkpl.exe

MD5 e27f3888e4ec30dad7b5010e9e136a83
SHA1 c9f1e8a4c7c009e44b1d79a90a4e9f097c382e30
SHA256 3db11722d1aee08a80954edb6b4f4ae7d8a6c8756d9b6bc43b7a571bc580905c
SHA512 80245db19610a76f006d6b3d9a33b6a3b0f4a647dc59937182c1577c231cc30c06d7152db615f839c879cd856720cd5d8db24a64a31f76ffc9fe904fbf02bfb2

memory/1716-298-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2652-496-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3904-532-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3412-544-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2348-537-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3240-526-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4900-520-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4492-514-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3464-508-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4140-501-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4112-490-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2004-483-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4152-478-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4444-472-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3456-466-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1896-460-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3704-454-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3044-448-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4464-442-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3548-436-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4500-429-0x0000000000400000-0x0000000000442000-memory.dmp

memory/528-424-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3120-418-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4840-412-0x0000000000400000-0x0000000000442000-memory.dmp

memory/828-406-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4516-400-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3788-393-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3400-387-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4488-382-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4304-376-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2632-370-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2208-364-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4852-358-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2176-352-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2868-346-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1712-340-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4092-334-0x0000000000400000-0x0000000000442000-memory.dmp

memory/512-328-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2204-322-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1392-316-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3908-310-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1576-303-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4880-292-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2916-286-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1216-280-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gaefgd32.exe

MD5 6c9ec608dd7089cf094de568eabd7fc1
SHA1 013317372b1540cb0f841194a5c88bd396740f41
SHA256 b2cfe455af179f3f72e469cdca773a1b5ebb0af1de4f91a685c1124af508da75
SHA512 21802ca40602c4e63b2fa1528e068c885b0ab642ecd60357eddf2406d407c1eefc0e3c7db59e68e5b277d6e02e76bc077dc12182f5ad33e8627a0dbefc4b4d77

memory/1740-271-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gnjjfegi.exe

MD5 b8ad6a06c1c8d626bdb08ff1aee00ec0
SHA1 180a4394a445072aab48222a00cc86ccc8397b8b
SHA256 77f5c49f57289e81ccdab7f1e299e264499e9596627b3adfdafe4c5e5643c461
SHA512 df63b1e2ad1c7bc5488150c237615ff29b0ba83a2dd1c81324a28815b745ec9afb70356df5264d0a02583a6a876be48bc92797c59e4dfbf976a43a0e30dbded2

memory/1148-263-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3716-262-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ginnfgop.exe

MD5 92e7223802c408e5fe9244a7f3b5f4f9
SHA1 61701dc4f8e691dbae9a57c6806a95f7848cd073
SHA256 e2544a52e96e3389735f45d53732db5555a2b34fc75f8396704b4c6a6227c1f5
SHA512 2dde584be2a4c587b1a9f55e6fa73ba2a33c928580d24c03b8058fa9082ecf6c0ee71ec62f75a99479be2c4e003b9212b85bb0b2cd071590be8238670ae5eb77

memory/1244-255-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gklnjj32.exe

MD5 b4c77dda7c7fdab2429009a7a3d75bd1
SHA1 e27f687f750798687d3f202681bd795880521ab5
SHA256 6e17f5c5f022c72e0ab2473441bdeb12306c3da44cace836297b27b090a2f84d
SHA512 7aee4e1725e0544a8cdddebab8a9ec9509b4f92d8dfbad12d7c835b5a2dc854d86f4da6d60d9e7a334cea2d9ca6622bc348b7495bbdd92d0d8558851f841bf4b

memory/1560-246-0x0000000000400000-0x0000000000442000-memory.dmp

memory/620-245-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2236-237-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5056-236-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ghmbno32.exe

MD5 54faa466d6193e0d31c13c5997b957e8
SHA1 762894039f5403c6d3ec9bcf07a0ecfc49a1e8a0
SHA256 fffbfe7c6197b0bfcf65e20f6ad9d17997577f97cb35e029e7610a0efc54fcdb
SHA512 da9e8448ebdea397a673e0279e66e5471c47b718c8df3739f1635fa30d39cfe865a56dbb60e97b83542c9243344494435348ae074e57df4ad8e7681ec241a712

memory/4260-228-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3128-227-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gpfjma32.exe

MD5 8a378f5a25a2d8af05d1f78c0d26acbb
SHA1 bac3984b6e1bdfbd06f8ceb035bdd4175f728c10
SHA256 2eab7f57ae061321ef02702fd962dee7faa1428324316b937bb789eb111d632f
SHA512 69e527616f4780e554312007b81646ed04a6fe9126b2841aca0392d307a316ff1bb1d39af857ec009bcbdf7905bbe2f3b0ce29a3bf17025ffe6e7765383d40a7

memory/3392-219-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gacjadad.exe

MD5 0a51dbd61da3abe331634e986784a499
SHA1 1f8052a09a0a2f8a7a549f06e26fa221f29ac6d7
SHA256 312f7d684bc80b4e672b3515d3b9ba258660db94075307b01d8216b9e27a3c32
SHA512 ba2856f6b2145ec5a84ee08ec9723c7e87bc3e604a2c7380f5cd5835341da77f9be87f8c0b6d0251f0b685f1cf11a6d7b008c18e25815f6ca4d1cd3471a2fd8a

memory/5016-210-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3424-209-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gnhnaf32.exe

MD5 71444535c31eb6d49c357343c9cb1538
SHA1 d0acb86f8ab3b65c862b1ec762df33d4cd4cd436
SHA256 1a76d1f8438786b56d2ff546136233f60a3f74187ac2a5a2c0f9fa5a468ac14d
SHA512 7add566f99f24a657b3a7ba35f836b9552914e3ab7fdec0aeb02a68f7c2c078bd5aa3c01307382a5bed788a52a240576660d0e9f3f2a30bcfc904fcb917f2ae6

memory/1704-202-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gilapgqb.exe

MD5 21d69a046420f8cb8204630394996090
SHA1 78256488653c9298fdf14d95487edb6609949855
SHA256 cefd55a7a08b699a483c0f0e880a6f7da0b5eec5a696f77aa30aa1ed6f0f0efe
SHA512 2a5e9c890ded3366417f3cef74b3619e7fca6a6db88cfaf242bcc96885c3bda41983d89d21574f194536c3aca6bc64cf42794b4ff4f58700df9a34b568ad7501

memory/4080-193-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2640-191-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4472-184-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2716-182-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3716-170-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4668-169-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3232-166-0x0000000000400000-0x0000000000442000-memory.dmp

memory/220-164-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2304-150-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nijeec32.exe

MD5 36d25a6cd1a52b9c52a06ae8f45dcb14
SHA1 58e8643f0ccef8476d850efada4794ae934d3d91
SHA256 37f13cdd21281eb4093512443979f3518fa79e9272cbc50a2c6222ad4df4e97a
SHA512 c6fecf09711085759bb2e1f398a6923f103948fdbb73917d9ecfb85950f905a0783df3ad6e83fdb79198bea58166803824c42feb0c4fa65a55d2e9d581c552bb

C:\Windows\SysWOW64\Oaajed32.exe

MD5 0af3a2160fcac229df347c92ce0c9cf0
SHA1 0d79675572068cae2ccd202452c59eef1ddbd55c
SHA256 34c8434ddede71201fd2293a41a25da99b9638b3002c02ac6c92506c2bcd0ab8
SHA512 b086f19aca3b0af4da6bfedcf5e244cf38615b712f6ec9ed1f88b17c71f9008abc9e6ca5e9654ae622f7e4cf677fc25139c24dc64d08011837b5e3e812b2978f

C:\Windows\SysWOW64\Obafpg32.exe

MD5 b53d65d389c96ab32cc13aa337438144
SHA1 d152aab7ae9f7d5c7e8a70654d90b634bd995c0a
SHA256 363511ebdfb53be79be130fe0fe757a8e8bd261d3a2484e871c9eca604d8b2c6
SHA512 daee482299620f89d61c08029c1036816bdd3b0a1f8739369bcda66966a3917664f0c4a4fcc6d11e6ba5317cc9c89212c3599e467a886ba88b7b0169f3e0e5db

C:\Windows\SysWOW64\Pllgnl32.exe

MD5 68dce603a4d19c957fee38761e3db8a0
SHA1 71e8023145fbc506b78b0fa2d7d74b64678414cb
SHA256 d7596d2d912d34a01b2714b2a7449549b8d39b46bbe377e96b9bba49903123dc
SHA512 e743cef4661e55c2cbd94271de25de03013aafa1d5de2d9d360715ca0bc9980928b3aa09517a0b8328435e1471952598094f0b725fee6744b5379072a91c379b

C:\Windows\SysWOW64\Akffafgg.exe

MD5 7b0c2f905ec5b9e689d5af9977a2e955
SHA1 686e698ecad2c0a7cb67611f63e823c7b264465c
SHA256 71bbc28fe4c130bd7d906caa1f6d1dab5384e4e33b95f234e73851462c58b740
SHA512 0af31900c0a3bbef56f592aa18b4228125320156a45badfa51106259ab007b3232c58fb73b2f6183bce9161e2d3c93a1d2827c365b29818b4cd13bf54cb36554

C:\Windows\SysWOW64\Bkdcbd32.exe

MD5 594a559b70f8fcc1210f1f5270f1043b
SHA1 3efbc87bba222135fd54cee44145d1bb92ddb10f
SHA256 eaf6d05d800d8d0d4c32b074939b8a62411db0d5244ccdf2fc57056904f64460
SHA512 f01791a17e9f65ec8b72ddd47c95e1a4afc1a02be058b492a10f95f65a917b7ce92af8ab902a9300a86ecbeca8ca9acdf356ab023446685d115208e62f0e1962

C:\Windows\SysWOW64\Dmoohe32.exe

MD5 003240f4a139987c0a31238c72529d3d
SHA1 deca7ace65c7a08d100918ec1009c8fd37f31b3c
SHA256 62bacd2d06adf81333dbc2d23894cca90a8ee01729d3385880ddf3f183054062
SHA512 761cd4c666b1430d77edf4c7f0fa1a76fe68828220995a557e512c3c224aacf64fd7b8265991355f06c9b6a97d9bf29c17421e3120e29ecb7dc50b7902ca89b5

C:\Windows\SysWOW64\Dpbdopck.exe

MD5 96dced1cf685e1f56c79d3e67bb45c12
SHA1 4a1d08882fde2874d3f8ed7669ad3f7544301ff9
SHA256 c63d353365cd307b9baba63f51f99443685d18fb8721e5b2a196f66dbfdd7143
SHA512 ee21ebdb28cfdcf1e138756474fcce793f6cf0375319f68e606ceaf48470b7c0caebc45b03ceb19bfebde5bb4b0040c16a921507d7c41c0be667fcaebe3cff60

C:\Windows\SysWOW64\Gigaka32.exe

MD5 ba386fdf6bda12796774bffe21cd8288
SHA1 dc9f5c3017a2a27bf979b661726573292f2a9057
SHA256 9d95f415c34ceb4cc8613631dc74a6eb58fa3090fd1c7e29cec18ad43beacf2f
SHA512 e585f6008eada644f11b0fda8b60f362d8e7a9841cc4e177647fcca3176e723349b545095a4fcb8629090e76467d9da804a2f830bbf0754b21f5b3893ff398a0

C:\Windows\SysWOW64\Gfmojenc.exe

MD5 2dc6e46698a2409f7a1658d4d536a2f9
SHA1 b8acb99281b40434d165a26d4dc5f366c79218af
SHA256 274ba9b2c13ec6b1cb1429d3994143ae63ab90f0e9f6a9b1193a0d21100ed8d0
SHA512 c22403017469a10d7c5d5067347754eaa750d6871dfd90507350a4a8d851fd056be75e8c9c6f9ae95f01e894e1aa1bf58e344144e9caa298c4a499e5a6c3a9fb

C:\Windows\SysWOW64\Gdaociml.exe

MD5 b5b48029e426cccb498c897abffaaac1
SHA1 930ff29c999196c58a42d3a895c0aa11671c9f9d
SHA256 2ca7cef3fff3767efb405f8feb5553a976add2b32d20537d622b18b54a03e698
SHA512 8828ff3cb86ddc7fcecde330c82778201e0dd2b20b0a1abbb88d320ba253d7ce291de6e787094700440eb520c635b7d3bae30cfa645bd25d850fcd8b9ccb98cd

C:\Windows\SysWOW64\Hgmgqc32.exe

MD5 0b68d82e010203de8dcb98057a4a66a3
SHA1 28a3b216b702004685eaebf72b42557e1120e0ab
SHA256 355a93583a00fd0a15c06a94373874e0f8d76668d31a95a82907a8da7fd3eac5
SHA512 b12f90815ab0bef4d09624513407108fa52ba7fe4f0c27243e87627f2f79570bb31b98718ec8487bdba19bccb79947841420133d37df68acf7ad9ad5326b9307

C:\Windows\SysWOW64\Ipoopgnf.exe

MD5 0a89918aa450d5fc49ef9fb531f9ccb7
SHA1 7e6cd2461af36f031890b1c7f1df14ba83d1bb38
SHA256 6b06a6951432c89c99687c0a976beab78a6d997434ba131f28caf955be33c2f7
SHA512 9254c70633f363c09e2471c4091d5e44e8b2be67a18e3f96c89ddbf4616503a84555a816e08212b6c52ed27919f73f3b75ee836771268c99dd64e1658dda27a2

C:\Windows\SysWOW64\Jjlmclqa.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Jjafok32.exe

MD5 00ab96719415a092014c090f9f4246de
SHA1 02b1ccc9392e98a435882f41845c4f7a6d074a63
SHA256 8016f21f3d9aeefb175a72967179fd0ce34fff6e6dab28f0f64d9a2205c911f8
SHA512 6261d2c199a847351ec6a5ca5d69b71ffbfbb31b69eb0debcebcd1fb9dfb698f15362d554ed315fd0098c01cc306df792592d1343a754687fc2924bd2fa3f238

C:\Windows\SysWOW64\Kmaopfjm.exe

MD5 2bf76bfd5df2c7a41557cc752b3ab95a
SHA1 9993f5cde0f5248cc52ec263e442a39ba8d2891b
SHA256 3a3949dd3ddebcef32b103e263bb1496791a6fdc4fbcd7eb830ae7d490c1b7fb
SHA512 25d9814a9465d3e2d99854e787005bf2fa1ab0c62fe45763136b973d72842030b2ed69c45948f1f2c486774767cb29b5573a5431084cf627c5a36586ac54f097

C:\Windows\SysWOW64\Kcpahpmd.exe

MD5 03c13ac1efea5ba82b173a35fe1bb1ca
SHA1 3fe2210ff926a8fa3d821f486f77fc3c82af1dc8
SHA256 de48edfab7f1d03da4bae9f2e24fd7cf2994367ff6b90e1f5a66cd104f18ae12
SHA512 59328499f01f22f74404fec16b7ba2caa9c0247e1ac15ad163639a74f203e13d3b08ba2dee6efbe72921d7b6efb645d7e7cc04e6ce546799a3ac7a90a7863060

C:\Windows\SysWOW64\Kqfngd32.exe

MD5 a9409f77726fda71a380df53200d0948
SHA1 28b16bd46c44494513d001d44fe2e63b37b73075
SHA256 6283645c02cb857d5ec17d4b2ba762af23c6b2a278aa6848a39dbfa74832fde5
SHA512 16269dd578794851a1d3e652da39a5a6029de1592f5cdf11518183a8b6a55cf2d84f7730181ff88e24a7ce364fc5548f63ec90f648d17a18c0c00c958e52727a

C:\Windows\SysWOW64\Lggldm32.exe

MD5 2d9c27f1a53668ba22300cbbbf19963e
SHA1 c05c0bb3321c966a086ad1a3b130c9d2a7fccc25
SHA256 531fc531f09e0f12c3f780efa20b41f75104acc44f99fe9e873d61104fad3446
SHA512 cfbb2b320b615f76a97ea891f39007a29e414d7eb723acaaa9c4ac8c02fe147002024c74211946b0ca09558d6e84d507db4b0a56e0ae97662678141d90bb1823

C:\Windows\SysWOW64\Mmkkmc32.exe

MD5 bdce8bca092298306ed4458b072dcb22
SHA1 464809007a281980175a784263cc28a77d747565
SHA256 b196e3d8130e107709bc7f743fb0b07e40447baad23beb40ae803344eb80f0a4
SHA512 24e19241b949da100767a873dcc13dc31efe89150d09442c383b81156f74117185109025db556529d6fc59b65dfbeb686778b72f6369c4d62b388472f31b453a

C:\Windows\SysWOW64\Mmpdhboj.exe

MD5 3c8130591b52551dba1f5971cebb259d
SHA1 de51fc3b6d7288abaa5b1276cba41ed7cf9cd49e
SHA256 5c45319d09cfbeedbb7d5faff6c1f61bf52587f6f1975bb01760fe832631b6f9
SHA512 6176f35c25e9ce5c28701443497f2ee1639df53d6cb24dbc009ecc73173e49ea963210ca760c6b12c850c1007c0e8c9af265db0d91e6ff4100cb72be14ae27b1

C:\Windows\SysWOW64\Nelfeo32.exe

MD5 29a8a8d557320a54bc1358cd79886ea9
SHA1 ff4135e34767117f2ebf4f843f0d8e57ff27ab32
SHA256 0c824ccfa234e50d8b420fcf4c6d61c74cf07a701ec71d9664af3f3c440f7c42
SHA512 9af6ed4c5737c8b86b4f13616b9adfc4aed73023fd1fc11e8670798b4f3ff1f2838750094800909caddff2c2fef554a4aaf29b42a4bf349cd6bf10ec0dbf4bf5

C:\Windows\SysWOW64\Nnfgcd32.exe

MD5 b0f3e3f871172d5c2627eea6a04de3b0
SHA1 c1af745916c514b151ad8e7fb926e36b67e54e00
SHA256 56b05c34a9bfb0b4bd0b3b21c91474a2054244c1cc4aa70fa0bb900a0fd1df9e
SHA512 492e39b16355387b6482452c06b3a06e98b8b13de951aba59726142c4f5dffd6db2dcaaa18e4e96db68dece7a13e9b52ceb1e1adfe0c51c314ddd650915dc9e0

C:\Windows\SysWOW64\Odmbaj32.exe

MD5 337fb615acbb5d10244deb5262d76e31
SHA1 1fb6dc9bbfece47b4eb7a400450a3cf51a52017a
SHA256 03a979d7c42517e45963e5aca92ae7bb1df7e3fbb4f57f1919f442f8b76de70e
SHA512 90ecd5195badbce8e131608e6a900c4b898e917953e049937842415bb657ce9cf0e0c09412484553de83e828a405be8bd7efe4205966f630d4a25cc42bec4e56

C:\Windows\SysWOW64\Pahilmoc.exe

MD5 63f6d51ce5265541570932d321f9dc17
SHA1 b257935280ff9302ddd0920f4b140c6b83ba7697
SHA256 853a0670b0ac3dd51bd8995c52b693fb84c771cec216040824cbb3c0b257437c
SHA512 167f096f8fbb1707494a95e4a81f39ad6a4a1d011209ac5218d08ec0bb0d2e5e58eee7e3b0e9392952e2bab26845ed1d043bf5618c85a81cadb4df2679e53d4f

C:\Windows\SysWOW64\Qklmpalf.exe

MD5 8cea2ed59dfaf374ec51d8aea4718503
SHA1 e303d3a8120eee38ea5261efc8a9ef36d2a6152c
SHA256 f088c7f171109bc6a1d02c54b45b40444331ee5e51fb539bb156133322b5ed75
SHA512 512191088fd22ebcee80687cc44b0d4be0a2712311f1920712249dfa67bfcde838e68a14af264bf4516d33354ff27db107ca17172275ef05e868d49de3100b7d

C:\Windows\SysWOW64\Aaohcj32.exe

MD5 7fa65030383bd53e846f023cf07fd692
SHA1 bea7ef52d4e76d5d1645c4d909c373bd0936e726
SHA256 6219f4cca5a066622b7fb160854f244f5d65ef546390d6ba6acda89847f3a150
SHA512 d5a336c42fb044cb91bed02211d00b017075393a384f039e9db172dbba49b05c9c98af68dd81a6b9f5b34f0d8d5d6d803834ed146b852d8d16af1d5c46324742

C:\Windows\SysWOW64\Bnkbcj32.exe

MD5 34353ff1ba6fb713304f79f0057e2e41
SHA1 59076df3ec487e90f3d6636043bc95543b46bf56
SHA256 1ec5130c358d0b448d129c5a8078b614f952048ba7e7ab11b4251a84b17001f6
SHA512 b0f509958ef04563ecd00fe7636a1bcb5b38b607f2f1c0e4d80d3cc131bd8c9cd3d86a2337f0219879ade4c0b0d16669b86d54d3ab52d85b8548dd13604c84ea

C:\Windows\SysWOW64\Cnahdi32.exe

MD5 f5984308662ea13f4e1135498c07096a
SHA1 2e35bec3aca89188c46d1dd2cdc371f1454b9a02
SHA256 c257bc610ecb0434b37b52b7df87b78352ddfd434db0c69f42c796b547e27156
SHA512 04ed69fcccb0f470346e0171b03f412a6c5a5557d2092e498218b2b45e95ba5335506c16fc7daaa4b3163758a1bb7e13e6fbce94e944550ea88837367ae70fe9

C:\Windows\SysWOW64\Cbbnpg32.exe

MD5 14ad984b202d9b75c0ec926e79baffa5
SHA1 bdbd152ebeba66ee30f1de9321291a44675c5687
SHA256 c5a8542e6a76b3017d6a491c2b25e655ffbf0c82a66ba5cce8c8fbb80179dc2f
SHA512 0a5087d70820a53db8c10b4190027a8f446ceaadef3209d8f9ead17d4f955cc51f718fca0986a07ce6c96d62f7e4d8a6c135c80d324615a0522245255f04f6cc

C:\Windows\SysWOW64\Cbfgkffn.exe

MD5 248c861d71f50eb2c67577f935bf41e0
SHA1 29a27e09d395ef0843586026c54c2d63d25cb7a7
SHA256 44bf6b689b22c2958a0da889361b7d901b939640a4b2a0b11df995a5ddecad92
SHA512 387172a52af0d79778e456b3f92b94c2e2801f0c04ae6cf3613bf78bea6ace0264151b7863656dcecb31bcaf6aacbde0775e77bc3d74ec535bae139858038967

C:\Windows\SysWOW64\Dnpdegjp.exe

MD5 3e9553a534b764a4ee28823a7413868b
SHA1 5496192e6df599c11c750decd09f22b58b980165
SHA256 229749d815e71832e4ea4bb296fc5813cbaa35a25d0bb216cf2320c40e941913
SHA512 498368ad711e96875d7bc968a297cc88738ee3bb6c44fdf7842f660b8002fbf04a013b6b372a265c966043689fe4a83039de585b7482285b00869b82ff32d26d

C:\Windows\SysWOW64\Dndnpf32.exe

MD5 f50517d67a700af6dd737280e7fe6c9d
SHA1 732b2b5a42813040d9e9279e2eb320c6527bc90e
SHA256 27b70a6584acbef0b804cbd0b70549e912f7e686b8fcf4f4d7aa30976d7ed4df
SHA512 23c48f6062b6a37dbc376d54556a7afe77d57b53d3dd18c5951b3fc67e2df2a3b57b030e7f9e3a2504dce3bbfb4d19378ec3151f57387d353b7733e12ce336d4

C:\Windows\SysWOW64\Emhkdmlg.exe

MD5 6048f958502fc05d8d3f90a64878dc9f
SHA1 64679e8c5c57472aedaa954ae4ebf2178076dc48
SHA256 c87ce1bbfede219020b47da69c1be1e7d557b182fb23e67961eecbf3ee11a1c2
SHA512 4d1000a79a69e04a1d488efcc50a98ccd38f5c877fbdec5067e9a40dbf61a9f3aebec63d972c26e2cd89581f637b5af66bdf00202a6ff11030300753f618ccee

C:\Windows\SysWOW64\Eblimcdf.exe

MD5 ec0beae203050f8c968640fb2a3507a8
SHA1 05471325e0448ce1c0bbfddf6554049ed3fb883d
SHA256 ec6be0a83578d61a34338edf51dc9e17d01a32184f01fc1205c0e2054ab43d0f
SHA512 59c364205cb88577641c9762fa5fc594311eb18af5a623a60eb80c152fc8b333f5a3c4755ce69a6a2b21c5bbae42476de108efb8ece5fec6d58f754c058eaa04

C:\Windows\SysWOW64\Gncchb32.exe

MD5 37e4ef11f8e476fe3c8120d49f851795
SHA1 38848e6faf029f882093ece53b20428e843b018e
SHA256 53a1de43d4a64f0e595afc85e5b0da288520ecfaccf8e604559182d2ce603064
SHA512 78e7762b37cd97f70994a5fd9ec4cc71f7b175db7ee7af4dd32863274a4dfacb7507d048dbc376c8bdc69c150a06f1fab7594c189686f4c96139a8298bc30bff

C:\Windows\SysWOW64\Hoaojp32.exe

MD5 4af0eedd3abf6441d3547e9f70c16654
SHA1 2fd969ed5756f81c8f15b7b02d4dc40da4630485
SHA256 001ad72537a5bebd54c8257cbfda9e496cf68de675f11ffe65810cea595f1b84
SHA512 d95eee8c4b028c1d5963e02c5b6ded14518cff3f462c59a38ff9457d09e4e84599f8d929fb51227b82d22f00fb794611f2ce1626e3823be221727a2dc18627e2

C:\Windows\SysWOW64\Iliinc32.exe

MD5 e2aff3ffc5ee1769a4167808734b1ff7
SHA1 3536b867cf8d9b2b824088ae93a1d3d8d7411947
SHA256 9349f19770a3237dadbd94cd07287f499f90d8713d1ab48e6d4e44e855078c22
SHA512 dfa23c245818b82bad24c57b3f4ca553c4877ee40eba5c01b2befd1bcaf5f61ae0bb901b9c94bda9bedc0057a02ec9b7ae32f775eacb2838868b3a89375ef15d

C:\Windows\SysWOW64\Ilqoobdd.exe

MD5 54b6c3f96dd37e2c81dc9e3fb583f15c
SHA1 24c3f2067a7eb4fb319b1fef9052cf23332fe596
SHA256 6e3f2acdcee771fb8b777b13ad2c6f68f5e7bbdec15436f498ce919c1bf68dbb
SHA512 f7a9492e0fc756a68067be1e456d5e7e40bfe5aecd4752d323dcd75e6fb4040c84893d86ffdbe263b733124b437ca4d599071bac5800a8a27e911d80c845f576

C:\Windows\SysWOW64\Johnamkm.exe

MD5 693e386739e8389b32a96d82fbf239f7
SHA1 d578966cf724597404e758b9aa35452af78b0bed
SHA256 3e2bd7d7032f74deb26dbf52e7a26b7df438ad4612e049d837e012ce00e266e1
SHA512 f0d06185066ec36843c2e498827edbdeb88c3f3ef682eaab6fccfa65cc5dc379651ea70ff8491e84bc1e64792f0cb72549849f3689ec6ce8d5a0d43fdaca58eb

C:\Windows\SysWOW64\Kjblje32.exe

MD5 8befaf7008b9f99da2c6e1862bf5034d
SHA1 ac360bd2ca9915c14e84c6f170c4954b3ec6ebaf
SHA256 2ed73649bf9d5c8a2c16fa50f8101cf170b487fec77a405bc004c0e2bbbbcc03
SHA512 4ee916d5c09b7efb4170a00babfa388e01781864b7aeffc788122af1c803ade888cf66eafa532382bfc773f3fe69f3afceae0047ac206474c3eecdd2705b1bc1

C:\Windows\SysWOW64\Lopmii32.exe

MD5 d5a1d2705189a08e6770875a2ad6561b
SHA1 9cc662a43345c600e5711d4a9d4a2cce3497e02e
SHA256 8d6a7b011287114781160e495b67ea73d17d91c652f7f643af9df8e32af818ce
SHA512 82ca7f7e1d59144e0c848a09d4c624f36b731cd552c85368cb220f3fdb769b428ca0d55fea1c2d4124f9bd5133ecf46b5e3a072bcb241ce59997c811c790bcfb

C:\Windows\SysWOW64\Mcpcdg32.exe

MD5 33ad48432877761d724fc059e3d1e835
SHA1 d6d22e34087a73b50fcda20f93608cffb71079b3
SHA256 b622250190526aa8810699e60ebbfaff150f3a71547b7836f040c2d893243bdf
SHA512 87aa6a2e5efecafd0543de7910a37401f0512c55b9e6b2bb59daecf70f39eaf9309464786137b4cf8f8d6391eaa5960f4a1ceee692b40c5dfa9de32995c01bf2

C:\Windows\SysWOW64\Mqfpckhm.exe

MD5 037c6cc769a92bc2cfe48039e3882cc8
SHA1 a0ff7b2fb34688c3e7ef624d0a3ce185ac75ac5a
SHA256 3a0c54277ea46b245b42f02006699c9e6c57048cbad5a0deb90e757f283e8a7f
SHA512 d519edb40f4d2ae0a5f186027c50c4f2b9157b28838e888fe8561ad47c7631947cb004eefdb89a056ecce616100f6ff99f4eec3d3ba57140c261497271a7f9d0

C:\Windows\SysWOW64\Npbceggm.exe

MD5 7799a1a973b55a462f8ecb30cc6886ae
SHA1 3d7fc7bad30f57015697d09064663080bafb5d0d
SHA256 ac28f5f3c68c69a7cc2c6cad4d1bcbbb8ce55ef641e1aa8a85782f6dd5c107d8
SHA512 38695d84c081bfb104f6c0144bf5df82129ac4973a6fb4a9ec956e1059ff6053ab10d8abf77f14b96385c171159108af1bfd63791f00b746acb2afd45e591b69

C:\Windows\SysWOW64\Nnhmnn32.exe

MD5 96232c4aeb812bc9c03f6bbf81045da4
SHA1 76fbcc93581e871966649915ce2c16924fdc3edf
SHA256 d65a4407c625ce9f18d3878b282d42baaed259dfa63f10cc8cf9148f17ac8892
SHA512 86227a8e05620a2f2dc612cbcdd1ad6a137e03a883f35a3beb5fdb974c2f46d191e4010f6bcf52b857cacc05afc6b1fe787aa522effdaa84ec100e528f791523

C:\Windows\SysWOW64\Ogcnmc32.exe

MD5 8ee240c7550612d7d3620bcae506e9bb
SHA1 480307d0ea6ed76487569fb485323d43082e3a67
SHA256 a170c562cc4e820917ebc33925648274364c6c3cdd4115e7d6a6b585cae7bea9
SHA512 faca3fa02821b4b24a823f13ca088b8872d3dfc38b8771e52107ce4e0b86931e93f04520e1b125aa1793a130eb5d611f3c74dc012a4990cbece5647d47d66db1

C:\Windows\SysWOW64\Ofmdio32.exe

MD5 8345bbeae2229d2a758d116e3585301e
SHA1 c9713a42ddf60f0359a1afdace350814f5b08204
SHA256 56ea34e816f29f5e4f6d30ba51ca3bfb9dc5dbadadc6f178441dd0de169f01ab
SHA512 8bec53bfa69256229db30b16a74419aafe7490ff5190fbe8c54038ed01623cf235bf3ffbb7f854cb9c852e8fa63e88d5cddd459806915b493dbe33caef11a9da

C:\Windows\SysWOW64\Pnkbkk32.exe

MD5 f52656038485aac3a68a316a0b80b6b1
SHA1 7b0aa161df15a8e37fd2ed63636c6b3ba3d7c664
SHA256 60870819b319e4ca8200e49c0b01f08377fc61f881ca599f488d1c586f3bb5eb
SHA512 a88b0f249c3dde5833cc754a57334d668d209dcf09c5ebe5bbc6b9ec6870be8833e3b02ddda46e9bf968c04a879dff5d802d0ec23add8ad8f7c599cf2c3508a4

C:\Windows\SysWOW64\Ppolhcnm.exe

MD5 00648006c67037aca89d21cf5b8f5085
SHA1 702897d011986359e96872a33768dad7865d3da5
SHA256 bbe5d7d246626faf961cf87932d1f69c57049fa06b50806c722a49f4da70232b
SHA512 5dfd285bcff704cadc398c68e76a0e5e3de8407f0843601f90d3b9d57470e5cc895c0a481aad4ce7f616a8973dc82b0c5e0bb23919dd47d7f78bfcfedb4f9d1b

C:\Windows\SysWOW64\Qjfmkk32.exe

MD5 0dbcb9c036b182d616cb303615f1ebe7
SHA1 9ae2ed67f22592eb30dc1fa41ce4671f86f1c938
SHA256 b716e6f08dbf4fcd963981fa97106d5505054b138fa9b9d46d4c9a7f3035654a
SHA512 5806c686a61547b4b83031a771a3d766b956cf947c4e3aa9df9b8288691de6127cf9aec8e0cddc46eebfcc481e059d10854882a2645ef134ed7a6364b8c9fe52

C:\Windows\SysWOW64\Aagkhd32.exe

MD5 45b83a19537b1b3887fb9e29321a9afb
SHA1 3b964f18743ee4f3e0e02822d11dc433a1918191
SHA256 09eee2b530aa933c0eb53809dac705d2911e25a97b08c1c1f469279d291549e6
SHA512 6d1694f264ed96aaaf4f86401783641fa07c710b7d95e263d5daee1da2b525bc5f5966cedef1ecaaed98e18bc095bc7f07b7eb7487e127c1e6e0730ae178dfae

C:\Windows\SysWOW64\Bhhiemoj.exe

MD5 de8159735ea0885bd4a7211b8e0836dc
SHA1 0b794800b9c97e2eaa977a79edfff2c525ae0287
SHA256 d56b769f08539358d53ce6de6cb17866cd2b3a079cf9b99997aed00486c61c51
SHA512 98e9bfb215bc72402f2a096e00fc8b6b2cc25b74c9ed4f6f25f7f43e669310bfaf0bcd58c8a212e95bb49d85b11561dc59ae9dd3479e84ac3f147783a46b5fd3

C:\Windows\SysWOW64\Bnlhncgi.exe

MD5 dd284b7d9e2b9649cf3642472d6110f5
SHA1 6b23e8e38568a91185b457754a030f842672cfe9
SHA256 66e013a193be0e7aaaec1bc0fd473d3de451845c35f2dca66b52064552b2be2d
SHA512 aa8089fcf0e2e2367af9d765509f9ae7993a14be1bb3ae45ce5fb49467e9bc3c3dc04a955b2c6d9009153aa0b6fa7da7fa12b095526b99f5ef5ff1d1bb61e7d3

C:\Windows\SysWOW64\Bgelgi32.exe

MD5 6d963cf482e308b9edb191ba774a55ed
SHA1 ba2d1af1ff7eda2fb545b70152e9aeecc8c4766f
SHA256 efcbe0d5cb8e1dba244b6eabaa36916fe8973470c65d7beb4880d2d1af790360
SHA512 0d9af07b61ea6fe86e9794a11ecfa0bf916a69d2dffd267ae2577ac021da00638b7c2800077f6398d865b2e45c2619bf4ebf7df804543e0b8e0c1560dcf4eb2f

C:\Windows\SysWOW64\Ckgohf32.exe

MD5 d04fa68819bdd11dba6a9c7b66f6118c
SHA1 8c0c541329b0ea5eec732997b2ed75bffa4d6286
SHA256 cb8a4497bc4f9bba97b8474259eb05480d73673647f79e6ca2bd43fff1a62b3c
SHA512 eb00a8a7869f14f912452204bb3a11fc4b32228ff9a02f6f54d3c94c2b9ee1aa5949e3700396c19fd548b8e80fa9387d3ac6261423161de590ba13fd29b106bc

C:\Windows\SysWOW64\Ckjknfnh.exe

MD5 4bf921a7dbd74f0928027c5812061d6b
SHA1 ff3fcc600d4e8c557931f166f15daaf5f5721f27
SHA256 8972055b4d594c3814f99c0313eaff204256bc52841055047ed561aa33e11076
SHA512 4f2afd27765dd14a3c853052ceb294436ae6157e5371b2f63b2e60392119edb68c4bfbf3429aea6289c60c2402ff653007875e04bc36dc598d8924b0f6ec4823

C:\Windows\SysWOW64\Dhphmj32.exe

MD5 8a539a9b21c1fab16cbbc25c8de7f376
SHA1 6f82af3442c6344e14ce42f248aadf361e61bc25
SHA256 3f2b6dfe3a301183e6dacc746761c29492285547443d87d9f4f35a4f15acd42a
SHA512 53a83c6fa5a259375b9be14014c3c1fa7f1b37d323d5ae3c0022388a7b80a6f5e1fe25e6df1042cd13fa330e6f8a3620e0732b833bfa1cf2cc2507e0cb811dd7

C:\Windows\SysWOW64\Dkqaoe32.exe

MD5 fa10c44b9b0008273780508e9fe2b709
SHA1 264f81999f6bfdc28b8d2ec7d687bcd29f9059f4
SHA256 bf3bdf63e8bc9c8cecaaf66dc3ec4c56972a308759f8da4d0cfe9e65ea715593
SHA512 66b2f410171464390c52f63ff3fbeb92889a3d7794e78737bad28423a8c76693d90e31c46644d7b7a0b98cb912de0c5b95195a3da2cbf662b0b38c1a72c2ad4e

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:20

Reported

2024-11-10 01:22

Platform

win7-20241010-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Odjbdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odlojanh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agdjkogm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bejdiffp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olonpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfbelipa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Apoooa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Amcpie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cklfll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgbafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apoooa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beejng32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oappcfmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bbgnak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blkioa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cbgjqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pcibkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbnoliap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Becnhgmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Beejng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ocdmaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bejdiffp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pbnoliap.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aijpnfif.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cddjebgb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cddjebgb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Olonpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pndpajgd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blobjaba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Blobjaba.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjldghjm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odjbdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Piekcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aijpnfif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Blkioa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbgnak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oappcfmb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Piekcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Becnhgmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nadpgggp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcibkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbgjqo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nadpgggp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pgbafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Abbeflpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pfbelipa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pndpajgd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cklfll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocdmaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Okoafmkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Odlojanh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okoafmkm.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Nadpgggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocdmaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoafmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Olonpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjbdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odlojanh.exe N/A
N/A N/A C:\Windows\SysWOW64\Oappcfmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjldghjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfbelipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcibkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piekcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbnoliap.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndpajgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgoapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdjkogm.exe N/A
N/A N/A C:\Windows\SysWOW64\Apoooa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amcpie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aijpnfif.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbeflpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Blkioa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Becnhgmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbgnak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beejng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blobjaba.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfcpb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bejdiffp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhpeafc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdoajb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cklfll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cddjebgb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbgjqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceegmj32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
N/A N/A C:\Windows\SysWOW64\Nadpgggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nadpgggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocdmaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocdmaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoafmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoafmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Olonpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olonpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjbdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjbdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odlojanh.exe N/A
N/A N/A C:\Windows\SysWOW64\Odlojanh.exe N/A
N/A N/A C:\Windows\SysWOW64\Oappcfmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Oappcfmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjldghjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjldghjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfbelipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfbelipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcibkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcibkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piekcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piekcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbnoliap.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbnoliap.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndpajgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndpajgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgoapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgoapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdjkogm.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdjkogm.exe N/A
N/A N/A C:\Windows\SysWOW64\Apoooa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apoooa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amcpie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amcpie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aijpnfif.exe N/A
N/A N/A C:\Windows\SysWOW64\Aijpnfif.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbeflpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbeflpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Blkioa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blkioa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Becnhgmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Becnhgmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbgnak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbgnak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beejng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beejng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blobjaba.exe N/A
N/A N/A C:\Windows\SysWOW64\Blobjaba.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfcpb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfcpb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bejdiffp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bejdiffp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhpeafc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhpeafc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdoajb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdoajb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cklfll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cklfll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Pbnoliap.exe N/A
File created C:\Windows\SysWOW64\Apoooa32.exe C:\Windows\SysWOW64\Agdjkogm.exe N/A
File opened for modification C:\Windows\SysWOW64\Apoooa32.exe C:\Windows\SysWOW64\Agdjkogm.exe N/A
File created C:\Windows\SysWOW64\Cklfll32.exe C:\Windows\SysWOW64\Cdoajb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cklfll32.exe C:\Windows\SysWOW64\Cdoajb32.exe N/A
File created C:\Windows\SysWOW64\Eebghjja.dll C:\Windows\SysWOW64\Odlojanh.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pfbelipa.exe N/A
File created C:\Windows\SysWOW64\Nmmfff32.dll C:\Windows\SysWOW64\Bhfcpb32.exe N/A
File created C:\Windows\SysWOW64\Aheefb32.dll C:\Windows\SysWOW64\Cdoajb32.exe N/A
File created C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cbgjqo32.exe N/A
File created C:\Windows\SysWOW64\Mfbnoibb.dll C:\Windows\SysWOW64\Ocdmaj32.exe N/A
File created C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Odjbdb32.exe N/A
File created C:\Windows\SysWOW64\Blkioa32.exe C:\Windows\SysWOW64\Abbeflpf.exe N/A
File created C:\Windows\SysWOW64\Beejng32.exe C:\Windows\SysWOW64\Bbgnak32.exe N/A
File created C:\Windows\SysWOW64\Mlcpdacl.dll C:\Windows\SysWOW64\Blobjaba.exe N/A
File created C:\Windows\SysWOW64\Amcpie32.exe C:\Windows\SysWOW64\Apoooa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abbeflpf.exe C:\Windows\SysWOW64\Aijpnfif.exe N/A
File opened for modification C:\Windows\SysWOW64\Cddjebgb.exe C:\Windows\SysWOW64\Cklfll32.exe N/A
File created C:\Windows\SysWOW64\Ipfhpoda.dll C:\Windows\SysWOW64\Okoafmkm.exe N/A
File created C:\Windows\SysWOW64\Ajcfjgdj.dll C:\Windows\SysWOW64\Olonpp32.exe N/A
File created C:\Windows\SysWOW64\Paenhpdh.dll C:\Windows\SysWOW64\Pgbafl32.exe N/A
File created C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Pndpajgd.exe N/A
File created C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Qgoapp32.exe N/A
File created C:\Windows\SysWOW64\Oilpcd32.dll C:\Windows\SysWOW64\Apoooa32.exe N/A
File created C:\Windows\SysWOW64\Abbeflpf.exe C:\Windows\SysWOW64\Aijpnfif.exe N/A
File opened for modification C:\Windows\SysWOW64\Becnhgmg.exe C:\Windows\SysWOW64\Blkioa32.exe N/A
File created C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\SysWOW64\Olonpp32.exe N/A
File created C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Oappcfmb.exe N/A
File opened for modification C:\Windows\SysWOW64\Pbnoliap.exe C:\Windows\SysWOW64\Piekcd32.exe N/A
File created C:\Windows\SysWOW64\Lclclfdi.dll C:\Windows\SysWOW64\Piekcd32.exe N/A
File created C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\SysWOW64\Acfaeq32.exe N/A
File created C:\Windows\SysWOW64\Bhhpeafc.exe C:\Windows\SysWOW64\Bejdiffp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cbgjqo32.exe N/A
File created C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Ocdmaj32.exe N/A
File created C:\Windows\SysWOW64\Napoohch.dll C:\Windows\SysWOW64\Acfaeq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bejdiffp.exe C:\Windows\SysWOW64\Bhfcpb32.exe N/A
File created C:\Windows\SysWOW64\Cdoajb32.exe C:\Windows\SysWOW64\Bhhpeafc.exe N/A
File created C:\Windows\SysWOW64\Eoqbnm32.dll C:\Windows\SysWOW64\Bbgnak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdoajb32.exe C:\Windows\SysWOW64\Bhhpeafc.exe N/A
File opened for modification C:\Windows\SysWOW64\Olonpp32.exe C:\Windows\SysWOW64\Okoafmkm.exe N/A
File created C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pfbelipa.exe N/A
File opened for modification C:\Windows\SysWOW64\Piekcd32.exe C:\Windows\SysWOW64\Pcibkm32.exe N/A
File created C:\Windows\SysWOW64\Aobcmana.dll C:\Windows\SysWOW64\Pbnoliap.exe N/A
File opened for modification C:\Windows\SysWOW64\Amcpie32.exe C:\Windows\SysWOW64\Apoooa32.exe N/A
File created C:\Windows\SysWOW64\Lnhbfpnj.dll C:\Windows\SysWOW64\Oappcfmb.exe N/A
File created C:\Windows\SysWOW64\Aijpnfif.exe C:\Windows\SysWOW64\Amcpie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Blkioa32.exe C:\Windows\SysWOW64\Abbeflpf.exe N/A
File created C:\Windows\SysWOW64\Nadpgggp.exe C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
File opened for modification C:\Windows\SysWOW64\Nadpgggp.exe C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
File created C:\Windows\SysWOW64\Ocdmaj32.exe C:\Windows\SysWOW64\Nadpgggp.exe N/A
File opened for modification C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Ocdmaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Odjbdb32.exe N/A
File created C:\Windows\SysWOW64\Cddjebgb.exe C:\Windows\SysWOW64\Cklfll32.exe N/A
File created C:\Windows\SysWOW64\Bhdmagqq.dll C:\Windows\SysWOW64\Cklfll32.exe N/A
File created C:\Windows\SysWOW64\Cbgjqo32.exe C:\Windows\SysWOW64\Cddjebgb.exe N/A
File created C:\Windows\SysWOW64\Llaemaih.dll C:\Windows\SysWOW64\Cddjebgb.exe N/A
File created C:\Windows\SysWOW64\Hjphijco.dll C:\Windows\SysWOW64\Amcpie32.exe N/A
File created C:\Windows\SysWOW64\Becnhgmg.exe C:\Windows\SysWOW64\Blkioa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhfcpb32.exe C:\Windows\SysWOW64\Blobjaba.exe N/A
File created C:\Windows\SysWOW64\Ibafdk32.dll C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
File created C:\Windows\SysWOW64\Daekko32.dll C:\Windows\SysWOW64\Odjbdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oappcfmb.exe C:\Windows\SysWOW64\Odlojanh.exe N/A
File created C:\Windows\SysWOW64\Kjcceqko.dll C:\Windows\SysWOW64\Pjldghjm.exe N/A
File created C:\Windows\SysWOW64\Cdblnn32.dll C:\Windows\SysWOW64\Agdjkogm.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ceegmj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odjbdb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pndpajgd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apoooa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbgnak32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blobjaba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbgjqo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aijpnfif.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blkioa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cddjebgb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Piekcd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbnoliap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Okoafmkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjldghjm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bejdiffp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcibkm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceegmj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfbelipa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Becnhgmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beejng32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nadpgggp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oappcfmb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgbafl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cklfll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocdmaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olonpp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odlojanh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amcpie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abbeflpf.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cdoajb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cddjebgb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nadpgggp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" C:\Windows\SysWOW64\Pfbelipa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Apoooa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll" C:\Windows\SysWOW64\Blkioa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Piekcd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" C:\Windows\SysWOW64\Aijpnfif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocdmaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Okoafmkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcceqko.dll" C:\Windows\SysWOW64\Pjldghjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll" C:\Windows\SysWOW64\Beejng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Olonpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pbnoliap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Okoafmkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odlojanh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ocdmaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" C:\Windows\SysWOW64\Ocdmaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibafdk32.dll" C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Becnhgmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbgjqo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pcibkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll" C:\Windows\SysWOW64\Pndpajgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pndpajgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amcpie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Becnhgmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daekko32.dll" C:\Windows\SysWOW64\Odjbdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll" C:\Windows\SysWOW64\Apoooa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Amcpie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll" C:\Windows\SysWOW64\Abbeflpf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cddjebgb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pgbafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bbgnak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cbgjqo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Blkioa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Piekcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Odjbdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bejdiffp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Odlojanh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Beejng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cklfll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oappcfmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll" C:\Windows\SysWOW64\Agdjkogm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" C:\Windows\SysWOW64\Cbgjqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll" C:\Windows\SysWOW64\Blobjaba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfhpoda.dll" C:\Windows\SysWOW64\Okoafmkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll" C:\Windows\SysWOW64\Nadpgggp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll" C:\Windows\SysWOW64\Cklfll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aijpnfif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cklfll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhbfpnj.dll" C:\Windows\SysWOW64\Oappcfmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjldghjm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pndpajgd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe C:\Windows\SysWOW64\Nadpgggp.exe
PID 2996 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe C:\Windows\SysWOW64\Nadpgggp.exe
PID 2996 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe C:\Windows\SysWOW64\Nadpgggp.exe
PID 2996 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe C:\Windows\SysWOW64\Nadpgggp.exe
PID 2808 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Nadpgggp.exe C:\Windows\SysWOW64\Ocdmaj32.exe
PID 2808 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Nadpgggp.exe C:\Windows\SysWOW64\Ocdmaj32.exe
PID 2808 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Nadpgggp.exe C:\Windows\SysWOW64\Ocdmaj32.exe
PID 2808 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Nadpgggp.exe C:\Windows\SysWOW64\Ocdmaj32.exe
PID 3064 wrote to memory of 2644 N/A C:\Windows\SysWOW64\Ocdmaj32.exe C:\Windows\SysWOW64\Okoafmkm.exe
PID 3064 wrote to memory of 2644 N/A C:\Windows\SysWOW64\Ocdmaj32.exe C:\Windows\SysWOW64\Okoafmkm.exe
PID 3064 wrote to memory of 2644 N/A C:\Windows\SysWOW64\Ocdmaj32.exe C:\Windows\SysWOW64\Okoafmkm.exe
PID 3064 wrote to memory of 2644 N/A C:\Windows\SysWOW64\Ocdmaj32.exe C:\Windows\SysWOW64\Okoafmkm.exe
PID 2644 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Olonpp32.exe
PID 2644 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Olonpp32.exe
PID 2644 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Olonpp32.exe
PID 2644 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Olonpp32.exe
PID 2524 wrote to memory of 264 N/A C:\Windows\SysWOW64\Olonpp32.exe C:\Windows\SysWOW64\Odjbdb32.exe
PID 2524 wrote to memory of 264 N/A C:\Windows\SysWOW64\Olonpp32.exe C:\Windows\SysWOW64\Odjbdb32.exe
PID 2524 wrote to memory of 264 N/A C:\Windows\SysWOW64\Olonpp32.exe C:\Windows\SysWOW64\Odjbdb32.exe
PID 2524 wrote to memory of 264 N/A C:\Windows\SysWOW64\Olonpp32.exe C:\Windows\SysWOW64\Odjbdb32.exe
PID 264 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\SysWOW64\Odlojanh.exe
PID 264 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\SysWOW64\Odlojanh.exe
PID 264 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\SysWOW64\Odlojanh.exe
PID 264 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\SysWOW64\Odlojanh.exe
PID 1720 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Oappcfmb.exe
PID 1720 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Oappcfmb.exe
PID 1720 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Oappcfmb.exe
PID 1720 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Oappcfmb.exe
PID 2108 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Oappcfmb.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2108 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Oappcfmb.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2108 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Oappcfmb.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2108 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Oappcfmb.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 1608 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pfbelipa.exe
PID 1608 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pfbelipa.exe
PID 1608 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pfbelipa.exe
PID 1608 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pfbelipa.exe
PID 3036 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Pfbelipa.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 3036 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Pfbelipa.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 3036 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Pfbelipa.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 3036 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Pfbelipa.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2880 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 2880 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 2880 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 2880 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 1824 wrote to memory of 380 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Piekcd32.exe
PID 1824 wrote to memory of 380 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Piekcd32.exe
PID 1824 wrote to memory of 380 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Piekcd32.exe
PID 1824 wrote to memory of 380 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Piekcd32.exe
PID 380 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Piekcd32.exe C:\Windows\SysWOW64\Pbnoliap.exe
PID 380 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Piekcd32.exe C:\Windows\SysWOW64\Pbnoliap.exe
PID 380 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Piekcd32.exe C:\Windows\SysWOW64\Pbnoliap.exe
PID 380 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Piekcd32.exe C:\Windows\SysWOW64\Pbnoliap.exe
PID 2440 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Pbnoliap.exe C:\Windows\SysWOW64\Pndpajgd.exe
PID 2440 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Pbnoliap.exe C:\Windows\SysWOW64\Pndpajgd.exe
PID 2440 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Pbnoliap.exe C:\Windows\SysWOW64\Pndpajgd.exe
PID 2440 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Pbnoliap.exe C:\Windows\SysWOW64\Pndpajgd.exe
PID 1140 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Qgoapp32.exe
PID 1140 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Qgoapp32.exe
PID 1140 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Qgoapp32.exe
PID 1140 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Qgoapp32.exe
PID 1672 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 1672 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 1672 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 1672 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Acfaeq32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe

"C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe"

C:\Windows\SysWOW64\Nadpgggp.exe

C:\Windows\system32\Nadpgggp.exe

C:\Windows\SysWOW64\Ocdmaj32.exe

C:\Windows\system32\Ocdmaj32.exe

C:\Windows\SysWOW64\Okoafmkm.exe

C:\Windows\system32\Okoafmkm.exe

C:\Windows\SysWOW64\Olonpp32.exe

C:\Windows\system32\Olonpp32.exe

C:\Windows\SysWOW64\Odjbdb32.exe

C:\Windows\system32\Odjbdb32.exe

C:\Windows\SysWOW64\Odlojanh.exe

C:\Windows\system32\Odlojanh.exe

C:\Windows\SysWOW64\Oappcfmb.exe

C:\Windows\system32\Oappcfmb.exe

C:\Windows\SysWOW64\Pjldghjm.exe

C:\Windows\system32\Pjldghjm.exe

C:\Windows\SysWOW64\Pfbelipa.exe

C:\Windows\system32\Pfbelipa.exe

C:\Windows\SysWOW64\Pgbafl32.exe

C:\Windows\system32\Pgbafl32.exe

C:\Windows\SysWOW64\Pcibkm32.exe

C:\Windows\system32\Pcibkm32.exe

C:\Windows\SysWOW64\Piekcd32.exe

C:\Windows\system32\Piekcd32.exe

C:\Windows\SysWOW64\Pbnoliap.exe

C:\Windows\system32\Pbnoliap.exe

C:\Windows\SysWOW64\Pndpajgd.exe

C:\Windows\system32\Pndpajgd.exe

C:\Windows\SysWOW64\Qgoapp32.exe

C:\Windows\system32\Qgoapp32.exe

C:\Windows\SysWOW64\Acfaeq32.exe

C:\Windows\system32\Acfaeq32.exe

C:\Windows\SysWOW64\Agdjkogm.exe

C:\Windows\system32\Agdjkogm.exe

C:\Windows\SysWOW64\Apoooa32.exe

C:\Windows\system32\Apoooa32.exe

C:\Windows\SysWOW64\Amcpie32.exe

C:\Windows\system32\Amcpie32.exe

C:\Windows\SysWOW64\Aijpnfif.exe

C:\Windows\system32\Aijpnfif.exe

C:\Windows\SysWOW64\Abbeflpf.exe

C:\Windows\system32\Abbeflpf.exe

C:\Windows\SysWOW64\Blkioa32.exe

C:\Windows\system32\Blkioa32.exe

C:\Windows\SysWOW64\Becnhgmg.exe

C:\Windows\system32\Becnhgmg.exe

C:\Windows\SysWOW64\Bbgnak32.exe

C:\Windows\system32\Bbgnak32.exe

C:\Windows\SysWOW64\Beejng32.exe

C:\Windows\system32\Beejng32.exe

C:\Windows\SysWOW64\Blobjaba.exe

C:\Windows\system32\Blobjaba.exe

C:\Windows\SysWOW64\Bhfcpb32.exe

C:\Windows\system32\Bhfcpb32.exe

C:\Windows\SysWOW64\Bejdiffp.exe

C:\Windows\system32\Bejdiffp.exe

C:\Windows\SysWOW64\Bhhpeafc.exe

C:\Windows\system32\Bhhpeafc.exe

C:\Windows\SysWOW64\Cdoajb32.exe

C:\Windows\system32\Cdoajb32.exe

C:\Windows\SysWOW64\Cklfll32.exe

C:\Windows\system32\Cklfll32.exe

C:\Windows\SysWOW64\Cddjebgb.exe

C:\Windows\system32\Cddjebgb.exe

C:\Windows\SysWOW64\Cbgjqo32.exe

C:\Windows\system32\Cbgjqo32.exe

C:\Windows\SysWOW64\Ceegmj32.exe

C:\Windows\system32\Ceegmj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 140

Network

N/A

Files

memory/2996-0-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Nadpgggp.exe

MD5 81e8dda9b761bb889671784e39418619
SHA1 4dd2aef8a88b046572ce5a22abe81939504b9f8d
SHA256 a272f645de76a7287fc54037f72ac6b201b7e0e9985ac85e739908b959b91e4d
SHA512 e4e293982ee31804e2511a0559b1389d5070e32904dd34f1bfab653611acc7f99be00bcefc35eab1b8297a7d0e74310b5c9b39b4dc3a620544ac8b8d9dc99cbd

memory/2996-7-0x0000000000280000-0x00000000002C2000-memory.dmp

\Windows\SysWOW64\Ocdmaj32.exe

MD5 ca4f21228c9f23c51655643424e1cdbe
SHA1 74fdc1a9def929d9cac4d19495892ad96f6c9e15
SHA256 53f4139bf9ceaa3630fd54666ac5871f842b899b4e40760653d9dc7ca3ab90bd
SHA512 362f314ac11861b917652c79831c9010c2f04c61a454f187f6c04aa2b41ebbba4da717a1465e1d38470bfff8297dba3405f6f98696eecd61ba1dae82aeb9ca05

memory/3064-26-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2808-25-0x0000000000260000-0x00000000002A2000-memory.dmp

memory/3064-34-0x0000000000250000-0x0000000000292000-memory.dmp

\Windows\SysWOW64\Okoafmkm.exe

MD5 5c614aba482095330651b10b7a8f0e9e
SHA1 8cc7ae61c97b983cca0d0024fa5713f93bd5b7ed
SHA256 35cfbc832242732343e5d6b9bb1ae372015547cecc795dc7361a76e429c46a89
SHA512 b9c61c78088b4752181cce02be19a70da3cc091a12d9fa045bbacb8b8f0fe58e6c61e644567fedf1e29e9e0e76b0665373e84a0b5b86be55790e2c710901645d

memory/2644-40-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Olonpp32.exe

MD5 28b361cc91feeb2c9df63b6240407d89
SHA1 c099e6ca01fa6f06c44d15f8d1c7e10c0320aad3
SHA256 c5b65ff0cc107fa73a502ff3657c471d7e07fad1beac20180d53b2aedb58bcf9
SHA512 f7acc8795b131f6b8e0f81ab376523d253cec4fa86ac6a223b492c28752aa3ab45ecc0ba296f540781d9c609ffce671ece9e48502220f010073dc82477d5b8bc

memory/2996-52-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2524-54-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ajcfjgdj.dll

MD5 05fdda8879e2e3de5cf4ef493a8fafb7
SHA1 44673720833f650bd1b252b0c4164d2d7a194903
SHA256 786706b0602cac6e9458c8f81ef0e8fc6742cb310b58366d3cbee0916a8cb9d2
SHA512 610add54a32672d75c47ff1bc22c1bf072750b713be0dbc2e7ab9d73e66a0175a87ef425f2b8b6f5c4340264ae7c73da966dd72abade64bc1493a7acfbeb14e9

\Windows\SysWOW64\Odjbdb32.exe

MD5 fe8847e1ce8e75d6c08e3630905acfa9
SHA1 629751926f2a810660f5ef4b7543dbd84a5d6fa9
SHA256 3163454e6ae3115858809d7880e22d8a75d794acb10ae2f8d8e2353fc61b295f
SHA512 c65ea3ed86f09aece4e0761d86784de2f6921dfa01abf4dad911ada5cf7d51a652841ce17cb1576e7305ce411040485d1c6d0f2e7eb4540609ebe5a2fb28c540

memory/2524-61-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2808-67-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3064-75-0x0000000000400000-0x0000000000442000-memory.dmp

memory/264-77-0x0000000000300000-0x0000000000342000-memory.dmp

\Windows\SysWOW64\Odlojanh.exe

MD5 e1598d651bcaf2da5d7a12dd7781dfb1
SHA1 3bea2bc35c43f936337fd243a391583113e38a1a
SHA256 83e1396920a260a52792390f80b0ab7ee9045882353a3ae935b4da6bfcd4a9e6
SHA512 d9379b65f98878a3cbaed93fda8f993c398f68c5fae46a991f8e487608de8c79b85502bc7a3db558e3ac318e42c1cc93cf993646cdcd4b3a107b88745753e137

\Windows\SysWOW64\Oappcfmb.exe

MD5 dc4467560adaf8908bad8fd0ba1ec5d3
SHA1 791c6897c69b202680aa044e2be2797989058cd7
SHA256 8e8fdaf4bb1bf06f495fada7a2754e1203ac6ef38d36ab6f33d4c28118ad270e
SHA512 37ea66414813b152cc8bd3e4abd9f35f3398800660e7f757205c500c2c7172b0137e15c1d6c559393d33f7bc250b7f14988e86263514d8a33e7becd3bbf545af

memory/1720-91-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/2644-89-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2108-105-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/2524-104-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pjldghjm.exe

MD5 9c29287074b2d2d0d279c494f08de8c6
SHA1 4a76ceb3ce6e7d2643491b7d1f817b2e4c3a18cd
SHA256 4c56b74598523946d44c1145e7f44f6265a4bdfa409c554f1a674caa0a0c5285
SHA512 23c686eaa05499feaea536b547e33fb0f961e4478ca2f566f29f44a9c1a306f9b6c236042506821d533ba332f901b59ab8f5779f20f806008ae20e09c017d370

memory/2524-111-0x0000000000250000-0x0000000000292000-memory.dmp

\Windows\SysWOW64\Pfbelipa.exe

MD5 c4bdff749350bc0c39aa4b5cf2c6c94d
SHA1 7745dc5065ec0ad223ecf38781e61275e6f62bf0
SHA256 55ed195ffb210da65254ce5a02fd9e5368454563c72fedeb3900b234f5f9acca
SHA512 28255f2f54adeaa668555b32c311a24952a733f5d8d654edf2b7b557582e68a303f33116f97e7989ffc465b2af96b8b2c89ad141d5d13b044e4316c38ad0f1d2

memory/1608-124-0x0000000000450000-0x0000000000492000-memory.dmp

memory/264-119-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pgbafl32.exe

MD5 603d4552260715f90fff9b075da23b64
SHA1 22c617901d070f127f799d56a6851961fbf6aa7c
SHA256 4744ce238d20d56f98fb6057d22d17df10156d6c68d33ad66bf498786203fe44
SHA512 28f8b8bdbe6db0de667985195917c89b932b8b76336a6a8b1712afdd24d1bd982a45c9239c32dc3f1eef48162e4fec73dbfb308952ce959c7b5f25bc246d0368

memory/2880-141-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3036-139-0x0000000000250000-0x0000000000292000-memory.dmp

memory/3036-138-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1720-137-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2880-150-0x00000000002B0000-0x00000000002F2000-memory.dmp

memory/2108-148-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Pcibkm32.exe

MD5 50c946c1f31df56ba0bcf014915c29ea
SHA1 1927562fb9985d7ba96ea487456039ef14a9fbbc
SHA256 32687441913ad0dbdd4006e1c2a18b37a177d36d494b8df539f5314c87c22869
SHA512 8630be1bcb76b5a89f86d0c63c4b2f863a3aa1ea69458f7bd4a6b3b65deb39cae3cb1b3106b2736103d1454ddb79cd998a138fd2749b5b39612cbd3c360c398b

memory/2880-155-0x00000000002B0000-0x00000000002F2000-memory.dmp

C:\Windows\SysWOW64\Piekcd32.exe

MD5 22c00d4f93b60ddfdc77265375d421ce
SHA1 5b593f3adeae6fb7ede867625900bbc53a99b631
SHA256 864b59f9d13f662da80dc756931fa6b5f887a8b781933e1a0b977351df05e84e
SHA512 10b79fd40b23db9f94c4432d4623d4a80f0d3b1502a7c654e834e06f15fa155a854afceb0f30ca5145c0e105679e720c63b6fc3d3dc70a0c05ce16b04c1bd7ea

memory/1824-169-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1608-173-0x0000000000400000-0x0000000000442000-memory.dmp

memory/380-171-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1824-170-0x0000000000280000-0x00000000002C2000-memory.dmp

\Windows\SysWOW64\Pbnoliap.exe

MD5 2546738d9d0ed165d4dfdf84a93e21cf
SHA1 97209c9696a5389bdb39c199246679202c440936
SHA256 7488967d554a8f9a52caf4e722e0c437861b73b1caa509acf1e93340a9ea0d15
SHA512 1e9ce934fe94e6739cf99b1206579498c7eec2227569da4514bad3f39358310f9582b46a23e195f74cb1239239b479211b7796c482f92d7a61275e7be5a79600

memory/1608-184-0x0000000000450000-0x0000000000492000-memory.dmp

memory/2440-189-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3036-188-0x0000000000400000-0x0000000000442000-memory.dmp

memory/380-185-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/2440-197-0x0000000000260000-0x00000000002A2000-memory.dmp

memory/3036-196-0x0000000000250000-0x0000000000292000-memory.dmp

memory/3036-195-0x0000000000250000-0x0000000000292000-memory.dmp

\Windows\SysWOW64\Pndpajgd.exe

MD5 29aea1d7f725de8d71b889e42d550239
SHA1 39682e180c49f58ee985c5cb35b7dfb33932ad23
SHA256 1931a8b34b4540d60f06edfa17a67794e233e231c9035a6289bb9345dccaab5a
SHA512 a37970a078df0eea4a07641f76038b4cfec62b6d78784828b87aee8a874b94aa6877153c23cce17757fa64b6f144a7cdfade8239fd6128e267225960990c157b

memory/2880-204-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Qgoapp32.exe

MD5 363a4c58b65da3a6eef4b886c814a180
SHA1 0ac6b5aaadcf6ef724e3dfa1b83f251915bca87f
SHA256 b070df34d79849ffe64d84a857a4374b45ba20d8688015fef2941b52cf29e2e1
SHA512 612903be0f4db65c569f924f897f0035431d0b22e08819544d80c562393cc471b828e0a2fde404015646eb83c588ff78cb686fc7cb4674587f21752c7bd813e1

memory/1672-219-0x0000000000400000-0x0000000000442000-memory.dmp

memory/380-218-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1824-216-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Acfaeq32.exe

MD5 127daed11b900d7470927703d18e32fe
SHA1 089d49937888b92722d4f8a1c42d832802143dfb
SHA256 b5f8264237bb63bc3a5520e014c3c69f6372bcdea33f3dc251144f0f8720f960
SHA512 f3859c84a1ce4be5803e7532a874219b8b285ba69a60fc94b2fa13611837fab1356910830a0eca4d97d5b80d03f86f7d4798b1a0c1d7e0491b7ef25c5e80becd

memory/1368-234-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1672-232-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1672-231-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2440-241-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Agdjkogm.exe

MD5 c29056bf52f806658906178b51cc7bb1
SHA1 a78554fbd0331ae93141b241359229061162a4e2
SHA256 f0d0c060767ec80eb657bfe5bc3c5d9ccf33400a67a50c3e62c3f46ae796ca36
SHA512 436bcadcf02f9d8379f558246a821b2b3904ac320b004d89655108ca917140b2e7d61afd5c9499c77e43cb649435e2ca3eaacd26292e106f4b091c95fb8fc46d

memory/1552-245-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1140-256-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/892-257-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1552-255-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1140-254-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Apoooa32.exe

MD5 791e9849272f3cbb2d87baa793aafa54
SHA1 f2a9158861b4064f234b8e0857fe83bb9580b1d7
SHA256 c2708ef9d61af73bb27bbb13a0c5fac66e089dc5ab1f412aef25d3554d06b4df
SHA512 c4c3e86f9932051c5081327c59bcfcc33a664dd84edd5eaf30b02ee93afa3307fa499c91710d75b77d11478d109071d3d2494ccd1acef9261f84abf72636f690

memory/892-264-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1672-262-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Amcpie32.exe

MD5 be784132bd9b17bb484f3b3b139ae26f
SHA1 ea87adf8901ef308d8963b8a98ca2c8bf1b2a63f
SHA256 cabc8e742f185a8c08a94a2c48bd6ac4a261c4ccd7d521b2d42167f22902afa4
SHA512 abb8b7f09c24767fbede8dcfba550de32aee8a5045693c8e8e6e257db2feb413eb35fc82c22c2ca960c6678c1aec67255817845856c3f3c6bdc87a0ac91e07f5

memory/1672-269-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1672-268-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1368-278-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Aijpnfif.exe

MD5 ecdeb7a2701f69a4a5bb12dbb3a05be0
SHA1 190fbadd0e0a8b34cc27c517d15d640b69019a5b
SHA256 eb646123e32598fbb795a00edcd4caf294b41a8385b5bb56dc06b21751731bb6
SHA512 53e359da4b7e78d2ebeca7cf891b69ec66e8e51fe427f509669bd1c6edb57038e2cd4bc3c1c0d5c98167100fedb99ce6f7d53b562ca5823ae6ee637fbccc4d58

memory/2528-279-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1744-280-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1744-287-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/1552-285-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Abbeflpf.exe

MD5 8920caf802919bd66c7e015c4ae5789c
SHA1 696160892d06e3d1ad9e896739ac02c3b6c7e9e5
SHA256 98930b6389ad0342ca7404aa3006f862fde1f1c46c9913e60a250af2722452d0
SHA512 a7d8b2582cfed34f5a0a38ec1f197a04c0dfe889f77d4020a5e50eeda8f6821f89f9388db540bfb9a3e3fcad4bc491491daf7d3bfe39b4ec8d29d0d3d3f74081

memory/1552-291-0x0000000000250000-0x0000000000292000-memory.dmp

memory/892-297-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2760-301-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2760-302-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Blkioa32.exe

MD5 6fa5963b9bf4051dd97c64ed6edb597a
SHA1 748de9017d0135fb51ec623357a6984d092ae6f0
SHA256 0b6fb4694b830cb98c1332c4e7c92fcc2a2911fb4dff58fe062ed469b56af81f
SHA512 26cbf7834b71041fd21f9be64d1ff6bcd912384ddc7f08be6d38979c519c4f2b956ba5b1543da142b936cb15221651b653af95483dccd1d2283ef83d28d50352

memory/1620-309-0x0000000000450000-0x0000000000492000-memory.dmp

memory/2528-313-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2528-308-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Becnhgmg.exe

MD5 2f73734d48f601a616f15a66736bdec2
SHA1 bc8b1cfc7c8cf510b80172719ea551b80eec1e1c
SHA256 b0d69dd9458bdb20625062c11c50bc319d273ed384c09e93072f89e371c36972
SHA512 875dc1d6323de758983faafd7259febf314850ea17aeafb339d23c63d02c64654dd680b89813d4b24198d6d82ee49848fdae43da718da705926df7000f1c0ccd

memory/2756-315-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2528-314-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2156-325-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1744-324-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Bbgnak32.exe

MD5 84a5e0218ac8a65e98c0103fc09316de
SHA1 da2ceb01b6f285d2818c404cf75ac2cb49d1a761
SHA256 5fbc3a93566e9392c604632a904e2f9bb844f9044ef95103fd9024026a08815b
SHA512 24473cbdbd433aa4b54ec9f96db40aa93e5219c4e3b3ef1857bbe233201d281368cc80062cab87da9a43ee03dadc4a4655cf8b9f9bc455cbf3b5ebdff311f264

memory/2760-335-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2156-334-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Beejng32.exe

MD5 d7e4bf8001f96d52734ec4198a2e90ae
SHA1 5255059e6abf6ff6e5c4c54bc0e94ab3d00e1a7f
SHA256 e9453e99040515f591f2e51206b87bd8beeb67a49b3003e84664968ac05fc52d
SHA512 a479023b9dffb775a84e65eddefd814daf32dad5989245fd5f1a9bade4c79da9bfe98c9f0a9ea09a87ffe7a66c9cb7c63699735a7e80608c355dc89a17be51b1

C:\Windows\SysWOW64\Blobjaba.exe

MD5 6c381a5772e13679b9ce6eb16353321c
SHA1 1a0a2aa792cc7eba1bd70263e1d66c8fa85a83d1
SHA256 c968ef6d9ca43ff044ff11c7995263b2fffc26bd2114f68b660321251946f1a3
SHA512 22e2d36da0f0f3d47c1ff8d515d14af84275f97937a61770d223b9adda7e4ffe9c9b9875ac3fdb34786fc56045cabfcacc7e8a4fcd1b4ebe2ad1999646e0e577

memory/2788-346-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2764-345-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2764-344-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2788-353-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1620-351-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Bhfcpb32.exe

MD5 5c14f8db4c386e8e196b32feeb20b870
SHA1 34e40ac9684ca51a786693d81a01068d6046c575
SHA256 a39bdad0bdd0f4fc8aff0bd0a5dadc6dfa01bf542c44e037dda03f3d3ae83c12
SHA512 1eefbca3cc157ef1783ae5320265a64940f1b21ba003f523a5f61fe449d26d3d846b70c70ae0ae62694c77e058ab151300775a088bfdb85de5b82291c1c68dd6

memory/2788-357-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Bejdiffp.exe

MD5 46824f8a6a04d6b3d76b221d83d829d0
SHA1 25d8a915233915951905193fc242bc35c9bfa642
SHA256 9abb3f84acccbf682dc5483da132dd154df5fc4ced93e89cbea5d01e1c846295
SHA512 e5f51001a2319706e2a6193f33381c571e136c5411543ab8ec85bdf8c83475bdf8f19198fe0e9a6bdcdf39d61db99963ce6789af5ddec0a48b6750bc7f6ece93

memory/1944-370-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2156-369-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2756-368-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2756-367-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2756-366-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2156-376-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1944-382-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/3016-383-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2764-381-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1944-380-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Windows\SysWOW64\Bhhpeafc.exe

MD5 f7f4e64446d602dedfc2c41ad35c6bc0
SHA1 dcb181be42a207d809ee1fc5f5136065a88c528b
SHA256 1fe1e3e6767ff0d93fcd450aaf6c2b525d802c022d86dff13721dac50557f7fb
SHA512 67c7550315a2d25723fcab8303caf606dc744056fdf11b792e98cf3d99594f657455c9ca950b8b6598ec93f6868653b09bc6af3d808c183c5c280da4418f504d

memory/2120-396-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2788-395-0x0000000000250000-0x0000000000292000-memory.dmp

memory/3016-394-0x0000000000450000-0x0000000000492000-memory.dmp

memory/2788-393-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2764-392-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Cdoajb32.exe

MD5 6841930f2b7033e1cc9fbc9fb91a70c8
SHA1 1f7c3d8cf5258a20fa1e31401390a369739daeed
SHA256 1a2a33587e36d56a85dc4d3ab7eb79e8e664389c497f7b0e0da77659b9bbcf3d
SHA512 7788a06fcfd4b2ae373b4951aae53511328c68278799f32ee76d21a7bb993552e77042350aa126256564bebaed35c065592b81419dc5629f21d75652aad6590a

memory/2120-403-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/1708-401-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1708-407-0x0000000000450000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\Cklfll32.exe

MD5 364c240160edca32efc7910ee58907d7
SHA1 dd7ffc66f39f0085ebf960b091d0c25650d3d040
SHA256 ec380158ba738ee7eaad80e441897facae3a573c7fe124b1130c380df88ce626
SHA512 9030f48c1d7ce994b07af6e761b97e4f92511b1b79af04b6634669d353d93f278bcdf6cf36e2f38540e34c9c4fcffc3c8e38d2fc286dd2a73216f373a400de85

C:\Windows\SysWOW64\Cddjebgb.exe

MD5 2d3ff9e46c340d2427e5ae715232fc4e
SHA1 aa09190cddf0b71f3ff13f4bcfd9f45ba61affdc
SHA256 44fa015b87fda2c08130e77aea04be39b6cfa44e66042801578719b7f0fc976d
SHA512 a4f0911bd89c6fcfc92f46b107ccfba58c30cb5f2ca02500832f933b08153614e36bb7efc6ca8edfff2377c7a001ae88a75f69b68238cbe44faa665cf9fc24b7

C:\Windows\SysWOW64\Cbgjqo32.exe

MD5 37028e5ceef1834203c89009595ebcca
SHA1 57ef27e7eaec562f5ce1100f6d789e1d6f7da8ab
SHA256 d2b18a48a7817fefaf4e708ab14aba7b3b2e36935729baf325638dc0bbea8912
SHA512 514daa371deab6b1f63ba7d708ef5dda71c2bf452658a7408b308562d1f583f52cad72d03849f0554abbd472e8df239735401aaf5684f534da6a8181dfdcd252

C:\Windows\SysWOW64\Ceegmj32.exe

MD5 4897cd4c0f1fce62f7fc692581b08f84
SHA1 9978471d2d28e99dc3fefdcc0c33c61c42fe5e53
SHA256 e120d4bd2148d703e3447b33b9d6884be24737484293c8be84222a658a9e1b90
SHA512 f5eee828507ab7bd11494bf2e81069d458a1cd44e7a7a3d1b0f71a44fe19fa3fbafc4034fa01578964092931e31648bc6fde09658c7c1c830fb449498b670232