Malware Analysis Report

2025-05-06 02:05

Sample ID 241110-recpmsycra
Target 73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N
SHA256 73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432

Threat Level: Known bad

The file 73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 14:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 14:05

Reported

2024-11-10 14:08

Platform

win7-20241023-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfkpqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdlkiepd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poapfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnkbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhajdblk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnkbam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bonoflae.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Balkchpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Blaopqpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bonoflae.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeenochi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abphal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Balkchpi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abphal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhajdblk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baadng32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aeenochi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfkpqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdlkiepd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blaopqpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Baadng32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdlkiepd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdlkiepd.exe N/A
N/A N/A C:\Windows\SysWOW64\Poapfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Poapfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqeicede.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqeicede.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeenochi.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeenochi.exe N/A
N/A N/A C:\Windows\SysWOW64\Afgkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afgkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abphal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abphal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afnagk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afnagk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhajdblk.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhajdblk.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnkbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnkbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bonoflae.exe N/A
N/A N/A C:\Windows\SysWOW64\Bonoflae.exe N/A
N/A N/A C:\Windows\SysWOW64\Balkchpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Balkchpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Blaopqpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Blaopqpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Baohhgnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Baohhgnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfkpqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfkpqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baadng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baadng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfnmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfnmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Poapfn32.exe N/A
File created C:\Windows\SysWOW64\Hocjoqin.dll C:\Windows\SysWOW64\Bonoflae.exe N/A
File opened for modification C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Balkchpi.exe N/A
File created C:\Windows\SysWOW64\Cfnmfn32.exe C:\Windows\SysWOW64\Baadng32.exe N/A
File created C:\Windows\SysWOW64\Imjcfnhk.dll C:\Windows\SysWOW64\Poapfn32.exe N/A
File created C:\Windows\SysWOW64\Mgjcep32.dll C:\Windows\SysWOW64\Abphal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bonoflae.exe C:\Windows\SysWOW64\Bnkbam32.exe N/A
File created C:\Windows\SysWOW64\Cfgheegc.dll C:\Windows\SysWOW64\Balkchpi.exe N/A
File opened for modification C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Blaopqpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File created C:\Windows\SysWOW64\Blkahecm.dll C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
File created C:\Windows\SysWOW64\Naaffn32.dll C:\Windows\SysWOW64\Qqeicede.exe N/A
File created C:\Windows\SysWOW64\Lfobiqka.dll C:\Windows\SysWOW64\Afgkfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afnagk32.exe C:\Windows\SysWOW64\Abphal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhajdblk.exe C:\Windows\SysWOW64\Afnagk32.exe N/A
File created C:\Windows\SysWOW64\Bnkbam32.exe C:\Windows\SysWOW64\Bhajdblk.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnkbam32.exe C:\Windows\SysWOW64\Bhajdblk.exe N/A
File created C:\Windows\SysWOW64\Lbbjgn32.dll C:\Windows\SysWOW64\Pdlkiepd.exe N/A
File created C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Aeenochi.exe N/A
File created C:\Windows\SysWOW64\Abphal32.exe C:\Windows\SysWOW64\Afgkfl32.exe N/A
File created C:\Windows\SysWOW64\Afnagk32.exe C:\Windows\SysWOW64\Abphal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfnmfn32.exe C:\Windows\SysWOW64\Baadng32.exe N/A
File created C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdlkiepd.exe C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
File opened for modification C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Qqeicede.exe N/A
File opened for modification C:\Windows\SysWOW64\Balkchpi.exe C:\Windows\SysWOW64\Bonoflae.exe N/A
File created C:\Windows\SysWOW64\Ljacemio.dll C:\Windows\SysWOW64\Bfkpqn32.exe N/A
File created C:\Windows\SysWOW64\Nodmbemj.dll C:\Windows\SysWOW64\Bhajdblk.exe N/A
File created C:\Windows\SysWOW64\Bonoflae.exe C:\Windows\SysWOW64\Bnkbam32.exe N/A
File created C:\Windows\SysWOW64\Eignpade.dll C:\Windows\SysWOW64\Bnkbam32.exe N/A
File created C:\Windows\SysWOW64\Balkchpi.exe C:\Windows\SysWOW64\Bonoflae.exe N/A
File opened for modification C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Poapfn32.exe N/A
File created C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Qqeicede.exe N/A
File created C:\Windows\SysWOW64\Cophek32.dll C:\Windows\SysWOW64\Aeenochi.exe N/A
File opened for modification C:\Windows\SysWOW64\Abphal32.exe C:\Windows\SysWOW64\Afgkfl32.exe N/A
File created C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Balkchpi.exe N/A
File created C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Blaopqpo.exe N/A
File created C:\Windows\SysWOW64\Nfolbbmp.dll C:\Windows\SysWOW64\Blaopqpo.exe N/A
File created C:\Windows\SysWOW64\Fdlpjk32.dll C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File created C:\Windows\SysWOW64\Pkfaka32.dll C:\Windows\SysWOW64\Baohhgnf.exe N/A
File created C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Bfkpqn32.exe N/A
File created C:\Windows\SysWOW64\Mabanhgg.dll C:\Windows\SysWOW64\Baadng32.exe N/A
File created C:\Windows\SysWOW64\Pdlkiepd.exe C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
File created C:\Windows\SysWOW64\Cifmcd32.dll C:\Windows\SysWOW64\Afnagk32.exe N/A
File created C:\Windows\SysWOW64\Bfkpqn32.exe C:\Windows\SysWOW64\Baohhgnf.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfkpqn32.exe C:\Windows\SysWOW64\Baohhgnf.exe N/A
File opened for modification C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Bfkpqn32.exe N/A
File created C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Pdlkiepd.exe N/A
File opened for modification C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Pdlkiepd.exe N/A
File opened for modification C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Aeenochi.exe N/A
File created C:\Windows\SysWOW64\Bhajdblk.exe C:\Windows\SysWOW64\Afnagk32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Cacacg32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baadng32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cacacg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdlkiepd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeenochi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abphal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhajdblk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bonoflae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Poapfn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnkbam32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Balkchpi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qqeicede.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blaopqpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afnagk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfkpqn32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bonoflae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll" C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdlkiepd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll" C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll" C:\Windows\SysWOW64\Bhajdblk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnkbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll" C:\Windows\SysWOW64\Balkchpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Balkchpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll" C:\Windows\SysWOW64\Aeenochi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afnagk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll" C:\Windows\SysWOW64\Bnkbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Blaopqpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baohhgnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll" C:\Windows\SysWOW64\Qqeicede.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abphal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll" C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhajdblk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll" C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll" C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll" C:\Windows\SysWOW64\Bonoflae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Blaopqpo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeenochi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhajdblk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll" C:\Windows\SysWOW64\Blaopqpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" C:\Windows\SysWOW64\Bfkpqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll" C:\Windows\SysWOW64\Pdlkiepd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qqeicede.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abphal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdlkiepd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aeenochi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baadng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnkbam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bonoflae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfkpqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll" C:\Windows\SysWOW64\Abphal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Balkchpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfkpqn32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe C:\Windows\SysWOW64\Pdlkiepd.exe
PID 2876 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe C:\Windows\SysWOW64\Pdlkiepd.exe
PID 2876 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe C:\Windows\SysWOW64\Pdlkiepd.exe
PID 2876 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe C:\Windows\SysWOW64\Pdlkiepd.exe
PID 2636 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Pdlkiepd.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 2636 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Pdlkiepd.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 2636 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Pdlkiepd.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 2636 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Pdlkiepd.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 2652 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qqeicede.exe
PID 2652 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qqeicede.exe
PID 2652 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qqeicede.exe
PID 2652 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qqeicede.exe
PID 2648 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Aeenochi.exe
PID 2648 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Aeenochi.exe
PID 2648 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Aeenochi.exe
PID 2648 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Aeenochi.exe
PID 2304 wrote to memory of 296 N/A C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Afgkfl32.exe
PID 2304 wrote to memory of 296 N/A C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Afgkfl32.exe
PID 2304 wrote to memory of 296 N/A C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Afgkfl32.exe
PID 2304 wrote to memory of 296 N/A C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Afgkfl32.exe
PID 296 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Abphal32.exe
PID 296 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Abphal32.exe
PID 296 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Abphal32.exe
PID 296 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Abphal32.exe
PID 1780 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Abphal32.exe C:\Windows\SysWOW64\Afnagk32.exe
PID 1780 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Abphal32.exe C:\Windows\SysWOW64\Afnagk32.exe
PID 1780 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Abphal32.exe C:\Windows\SysWOW64\Afnagk32.exe
PID 1780 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Abphal32.exe C:\Windows\SysWOW64\Afnagk32.exe
PID 1992 wrote to memory of 1332 N/A C:\Windows\SysWOW64\Afnagk32.exe C:\Windows\SysWOW64\Bhajdblk.exe
PID 1992 wrote to memory of 1332 N/A C:\Windows\SysWOW64\Afnagk32.exe C:\Windows\SysWOW64\Bhajdblk.exe
PID 1992 wrote to memory of 1332 N/A C:\Windows\SysWOW64\Afnagk32.exe C:\Windows\SysWOW64\Bhajdblk.exe
PID 1992 wrote to memory of 1332 N/A C:\Windows\SysWOW64\Afnagk32.exe C:\Windows\SysWOW64\Bhajdblk.exe
PID 1332 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Bhajdblk.exe C:\Windows\SysWOW64\Bnkbam32.exe
PID 1332 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Bhajdblk.exe C:\Windows\SysWOW64\Bnkbam32.exe
PID 1332 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Bhajdblk.exe C:\Windows\SysWOW64\Bnkbam32.exe
PID 1332 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Bhajdblk.exe C:\Windows\SysWOW64\Bnkbam32.exe
PID 2948 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Bnkbam32.exe C:\Windows\SysWOW64\Bonoflae.exe
PID 2948 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Bnkbam32.exe C:\Windows\SysWOW64\Bonoflae.exe
PID 2948 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Bnkbam32.exe C:\Windows\SysWOW64\Bonoflae.exe
PID 2948 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Bnkbam32.exe C:\Windows\SysWOW64\Bonoflae.exe
PID 1856 wrote to memory of 2088 N/A C:\Windows\SysWOW64\Bonoflae.exe C:\Windows\SysWOW64\Balkchpi.exe
PID 1856 wrote to memory of 2088 N/A C:\Windows\SysWOW64\Bonoflae.exe C:\Windows\SysWOW64\Balkchpi.exe
PID 1856 wrote to memory of 2088 N/A C:\Windows\SysWOW64\Bonoflae.exe C:\Windows\SysWOW64\Balkchpi.exe
PID 1856 wrote to memory of 2088 N/A C:\Windows\SysWOW64\Bonoflae.exe C:\Windows\SysWOW64\Balkchpi.exe
PID 2088 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Balkchpi.exe C:\Windows\SysWOW64\Blaopqpo.exe
PID 2088 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Balkchpi.exe C:\Windows\SysWOW64\Blaopqpo.exe
PID 2088 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Balkchpi.exe C:\Windows\SysWOW64\Blaopqpo.exe
PID 2088 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Balkchpi.exe C:\Windows\SysWOW64\Blaopqpo.exe
PID 1800 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Baohhgnf.exe
PID 1800 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Baohhgnf.exe
PID 1800 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Baohhgnf.exe
PID 1800 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Baohhgnf.exe
PID 2188 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Bfkpqn32.exe
PID 2188 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Bfkpqn32.exe
PID 2188 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Bfkpqn32.exe
PID 2188 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Bfkpqn32.exe
PID 1360 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Bfkpqn32.exe C:\Windows\SysWOW64\Baadng32.exe
PID 1360 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Bfkpqn32.exe C:\Windows\SysWOW64\Baadng32.exe
PID 1360 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Bfkpqn32.exe C:\Windows\SysWOW64\Baadng32.exe
PID 1360 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Bfkpqn32.exe C:\Windows\SysWOW64\Baadng32.exe
PID 1260 wrote to memory of 1244 N/A C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Cfnmfn32.exe
PID 1260 wrote to memory of 1244 N/A C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Cfnmfn32.exe
PID 1260 wrote to memory of 1244 N/A C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Cfnmfn32.exe
PID 1260 wrote to memory of 1244 N/A C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Cfnmfn32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe

"C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe"

C:\Windows\SysWOW64\Pdlkiepd.exe

C:\Windows\system32\Pdlkiepd.exe

C:\Windows\SysWOW64\Poapfn32.exe

C:\Windows\system32\Poapfn32.exe

C:\Windows\SysWOW64\Qqeicede.exe

C:\Windows\system32\Qqeicede.exe

C:\Windows\SysWOW64\Aeenochi.exe

C:\Windows\system32\Aeenochi.exe

C:\Windows\SysWOW64\Afgkfl32.exe

C:\Windows\system32\Afgkfl32.exe

C:\Windows\SysWOW64\Abphal32.exe

C:\Windows\system32\Abphal32.exe

C:\Windows\SysWOW64\Afnagk32.exe

C:\Windows\system32\Afnagk32.exe

C:\Windows\SysWOW64\Bhajdblk.exe

C:\Windows\system32\Bhajdblk.exe

C:\Windows\SysWOW64\Bnkbam32.exe

C:\Windows\system32\Bnkbam32.exe

C:\Windows\SysWOW64\Bonoflae.exe

C:\Windows\system32\Bonoflae.exe

C:\Windows\SysWOW64\Balkchpi.exe

C:\Windows\system32\Balkchpi.exe

C:\Windows\SysWOW64\Blaopqpo.exe

C:\Windows\system32\Blaopqpo.exe

C:\Windows\SysWOW64\Baohhgnf.exe

C:\Windows\system32\Baohhgnf.exe

C:\Windows\SysWOW64\Bfkpqn32.exe

C:\Windows\system32\Bfkpqn32.exe

C:\Windows\SysWOW64\Baadng32.exe

C:\Windows\system32\Baadng32.exe

C:\Windows\SysWOW64\Cfnmfn32.exe

C:\Windows\system32\Cfnmfn32.exe

C:\Windows\SysWOW64\Cacacg32.exe

C:\Windows\system32\Cacacg32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 140

Network

N/A

Files

memory/2876-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Pdlkiepd.exe

MD5 23c2a40c28fef866c4b05688e33b70f6
SHA1 04109970ead9fec5cca389294429d8a2f1a1f981
SHA256 1f2b44501cf54f69481cd1e1efef12c4f6eb799cf0d351869c0d881f4b2e3e9f
SHA512 8a1d9a6fc1b6316063e2b9a8fc9a57bc2dcf7f40d5f19733fcaa6c57e4a103e7a53377ebaaa6bcb36b7cc7af7d4cb44f806979dbb21f24f9418b0d211c149c59

memory/2636-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2876-12-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2876-11-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2636-22-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Poapfn32.exe

MD5 ee2de353c999af9d9f69b28b609eef6f
SHA1 cc30d00d9806e0c1dbffd860afd7da054ca0130d
SHA256 753776a017ff3150cbebe42f271b538bfbed1a0c3511cf73c4bbaf105bd66303
SHA512 a02f03ffd80bc7e58e641116e612ceb80454b913643b3c61c7171afa667319d00ed6c26798597ca1c7d8b93f0909f88ca4befcf571f46f64239789144d2faf07

memory/2652-31-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2636-28-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Qqeicede.exe

MD5 6f469be3946a529a53c375d7b92c85a6
SHA1 7e75ad5dc1f761a1ad38e521169f4f63ca0eb176
SHA256 5f8a86972880d94db50ceb041d9e4c68cfc9196ed42df09dcf0a6c1afc9c1ebf
SHA512 23526735ac4053d85f02727a21f9e43e86e1775820c823113d39ad40b06edd375627ecdb8517016fc5742f8719cbff6f325b18255b254e0fd5730a7a42692d3d

memory/2648-43-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2652-41-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Aeenochi.exe

MD5 42f957b963828eef1007b712bf3bd85f
SHA1 36effa0f4ef9f9bc7dcc467543da1ce2ace7a355
SHA256 cd4a4261f419ed39c5e59c23c7d65026f86dca3bead0f714ef0b87c6cb25e481
SHA512 848cf792263b4a18936fe82c4d79c45930ffb84de9d71e8e70cae4c39d204a636a238873615dc45a393f9bca5fb02c9df9aad971619ecb4bb856a6bfc8703186

memory/2304-56-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Afgkfl32.exe

MD5 eeb54dab3b7ed50f05069d9d77ea6aac
SHA1 cd3ff0387df32cc42000ff9eb10f4410cb04e76c
SHA256 c5125add32e298deea7b9346a5f7bb91f5ede70fbf2764ed9fe6dbc32a35b3b4
SHA512 931d0c5abd59129572ea8f4d80a7b46fd622c94a8e245501c8f98e7e0237335d06d15daab1edc066d0a668c5b47f1eba69f06a2d5b90a94f8be81d6bf07fac20

memory/2304-64-0x0000000000440000-0x0000000000473000-memory.dmp

memory/296-70-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Abphal32.exe

MD5 85fa99e612cd731e73e126b6f435e969
SHA1 da3ef2b3a12a3ca077ffd65156ea47679057bf5c
SHA256 9f66b1e50a1d4403ec8ff4b3ba21b80cc2df53a31fc0610edf649156d7c4fd9d
SHA512 930b8731341b26f7da3b068c1974674db4f6462406a49177d384fc3632ddaab45ab06c38873a2fcea1f1e91b3e73927a46c78158381b2273e61915152a73117e

memory/296-77-0x0000000000260000-0x0000000000293000-memory.dmp

\Windows\SysWOW64\Afnagk32.exe

MD5 16f6c1b597e527cf060557e5c55d5a5a
SHA1 b54c2789d56e1754617cff6c80f6ea538176a651
SHA256 dc8d129396595a3e19816317699d09bbc208697776734f006ae5f4ba8cc705f7
SHA512 fcbd289da0ad98d79833b82eefa1ac371bb890a1f674eca6359ca994e03214326eb6961fdea5367bad0466f21e3a5388770959ca90929e2954b47cc193226efe

memory/1992-97-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1780-96-0x0000000000310000-0x0000000000343000-memory.dmp

\Windows\SysWOW64\Bhajdblk.exe

MD5 eb32ebdf6156c8153b10ecff34e7118a
SHA1 56df6f93483dd11aea9b2a53f762356295fe9319
SHA256 e7846cf3cf621cc531213fa20054cb2fec5c77de33ff3bb83cd5afa300ad2c1f
SHA512 0999bf29d3b5d40d860e920df35a93571480a14c57d7f9de5da05923a3c1c7f72a9d8887992747b14afa07b92a0e64f30b30b9b3f94733715410776cf1010ea1

memory/1992-110-0x0000000001F40000-0x0000000001F73000-memory.dmp

\Windows\SysWOW64\Bnkbam32.exe

MD5 baa7f941a906f8fc152c64cb882c2742
SHA1 51a9956ac130fd5d866d617b1f26a55809ed551d
SHA256 fb2749f4f2dcacaaf046e8e63b74ea7609a2886663c442e8109002b75685e2fb
SHA512 61a4b7278dd0625c688aba4a897be6ecc3b9b05594b86ccc6adfb259abc8944c03e2c69700ab59c4ea57c3bfbc0aeb402496c8429ab7d3de39047d8c28517b51

C:\Windows\SysWOW64\Bonoflae.exe

MD5 4086f90cc6d4b89b02ce261b3637f9fc
SHA1 9b6f2c3f5d2b6fd622ee83b86226d7615e0171da
SHA256 82228aeab0de9714116efed47cc21f74d527ab1be40450e541537fcddb3196f1
SHA512 45d0005a7596af52c8e7d5d6c428792977497d2e83fb02939f999bbcb70e2246e48445b04039abf172b008ba733261a62ea81ba9362d2f89c959c01512a33aca

C:\Windows\SysWOW64\Balkchpi.exe

MD5 48fefc482ea4081b31a8fc8e82f7cce7
SHA1 f6cb79b672fe56c9bde2ab27d8c959cf19d52fc3
SHA256 6b30979901a7d16e2ce49f0fdca8b73a8448386a17df84368c88ffd61e99f0ed
SHA512 11c888968565b94aebf0201b81cefe4ad8c979f0d740028c23d692df77e5950550b7cfab1c2b2aea8a3225fad4c0f058977dec86503459922f5cbaa5506b8007

\Windows\SysWOW64\Blaopqpo.exe

MD5 0eeea682e748b13b2e6be0744ae98959
SHA1 6ec16322e02369e12c1e2070c22acd4f47c56436
SHA256 af3ba10214d65a2ee3498838f64c0a2216088997b756530a29ea0c06ecb219f7
SHA512 b3fd53078651cdad04913e56b60df4f4b2077c0d40f393ee0c509951d9fecc994c29200fbc68dac49844bbe550b856182ae22cdd33dfbf69547f028f255e996f

C:\Windows\SysWOW64\Baohhgnf.exe

MD5 fe71466fa345845f625ca12fc0b7164f
SHA1 89282b95a03d719bdebcfd9799ce2eff0e3c09f2
SHA256 4c2cd5e8ba76dcc663411a9e60aa22f24e6a40d420bac149cabb37d92b1221ee
SHA512 94b69b1f757143cd7d55e090143cdb358a62fa79472e813e6dd3bb6fa1088e89b453ca9216bbfe3f30648fd1bc35ada4d21f293846df612a769759b48a6c757e

C:\Windows\SysWOW64\Bfkpqn32.exe

MD5 5947f24fb8a41a7f35b67cffb93b9eab
SHA1 555edfc1cd0c1044268326c50c16a93c550f8c79
SHA256 d7b6c1857b3929345a0e6fe22593e470f7cb8459e8c15fcbc0dfe6cbfabd73d4
SHA512 5cd069075510c832b27e66eb8f1cf039e43fe90b512ed28e0c4640946d35ef53f952a29584f49fd7eb120e5ed1b3ba41b7286dfa53600de6e771610b13053643

C:\Windows\SysWOW64\Baadng32.exe

MD5 16f834e7153e216c934745122d63c7d7
SHA1 dff95b896923f2a681328853924639ecaa214566
SHA256 48b07200246bc72108614fa89310d650ad83274870e3f269f3b77fe46969f98d
SHA512 62a9ae1275af534ec88a7feac2b073458d2ba1ee0a63dad6e5b576d7982ae10a3e2885701e419982ec9039d9678d7f62491824a0a731604e533a8d921fb41db7

C:\Windows\SysWOW64\Cacacg32.exe

MD5 e027dc1772b997058a2fc994509bd923
SHA1 6285428eb5f8773da76f9234db85be8b494bb135
SHA256 8c12ea58e568056165f91a3a8f9de3b239098d017ca488a848fd8adb9476bfc0
SHA512 f6b476194ada1d9f7c27f5962a91f756ff26888188296bb32120f805d2bc081830d4d48363ae747e64eb5499411c46db0bd72fb7ca349dab9cab43372ba5dbd2

C:\Windows\SysWOW64\Cfnmfn32.exe

MD5 901b77df757314b9a50f2b3210a1086f
SHA1 71f3014b5c31ee25690c2d6d406264a7202ca13e
SHA256 c82ec78d8b5d899ff23f02c162a3483ba05246a6a8bd12928f8b72d26b1b651c
SHA512 bfd594d83e76b1c39326b0563b158ad893ce85c72dc1be096eaa068414fe11f94dbfd10ac86ce99af73889241ba93b34d37f44e2a5f8f7388babcb2f0c286c7d

memory/2948-218-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1856-219-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1332-217-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/1332-216-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2088-220-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1800-221-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2188-222-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1360-223-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3044-226-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1244-225-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1260-224-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2636-242-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2304-244-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2648-241-0x0000000000400000-0x0000000000433000-memory.dmp

memory/296-239-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2652-238-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1780-237-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1992-236-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1332-235-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2876-234-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 14:05

Reported

2024-11-10 14:08

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkaobnio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apodoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aoofle32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efafgifc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icdheded.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njinmf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdcliikj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gpelhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbhmbdle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiaoid32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdigadjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlnjbedi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilfennic.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ioolkncg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Khgbqkhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mlofcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olijhmgj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmdemd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgjijmin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gpbpbecj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jlhljhbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnmkfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njpdnedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjlalkmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhegig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbphglbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Injmcmej.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bedgjgkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gppcmeem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gpgind32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pedlgbkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hienlpel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlkbjqgm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpbmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oifppdpd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahjgjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilccoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jkimho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Finnef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnhmnn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doagjc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eomffaag.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiekog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbebbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhbcfbjk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbepme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahenokjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bombmcec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjafok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljhefhha.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfcnpn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nmipdk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Codhnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elpkep32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lddgmbpb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boeebnhp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiokinbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdjgha32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdaniq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oihmedma.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeddnp32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Niakfbpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlphbnoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Okchnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooqqdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaompd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohkbbn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oadfkdgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Olijhmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Oohgdhfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Oafcqcea.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohpkmn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pojcjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pedlgbkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Phbhcmjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkadoiip.exe N/A
N/A N/A C:\Windows\SysWOW64\Pchlpfjb.exe N/A
N/A N/A C:\Windows\SysWOW64\Phedhmhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcadhgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcjiff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Peieba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pidabppl.exe N/A
N/A N/A C:\Windows\SysWOW64\Plbmokop.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkenjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcmeke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pekbga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phincl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plejdkmm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pocfpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcobaedj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pemomqcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Piijno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlggjk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkjgegae.exe N/A
N/A N/A C:\Windows\SysWOW64\Qofcff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qadoba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qepkbpak.exe N/A
N/A N/A C:\Windows\SysWOW64\Qikgco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhngolpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkmdkgob.exe N/A
N/A N/A C:\Windows\SysWOW64\Qohpkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcclld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qebhhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajndioga.exe N/A
N/A N/A C:\Windows\SysWOW64\Allpejfe.exe N/A
N/A N/A C:\Windows\SysWOW64\Akoqpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aojlaeei.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaiimadl.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeddnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahcajk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alnmjjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\Akamff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Achegd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakebqbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajbmdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahenokjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcjkfij.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoofle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ackbmcjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Afinioip.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahgjejhd.exe N/A
N/A N/A C:\Windows\SysWOW64\Akffafgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoabad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abponp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkknogn.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Djfoankj.dll C:\Windows\SysWOW64\Dmoohe32.exe N/A
File created C:\Windows\SysWOW64\Clgbhl32.dll C:\Windows\SysWOW64\Cdbfab32.exe N/A
File created C:\Windows\SysWOW64\Nnahhegq.dll C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
File created C:\Windows\SysWOW64\Qikgco32.exe C:\Windows\SysWOW64\Qepkbpak.exe N/A
File created C:\Windows\SysWOW64\Ecgcfm32.exe C:\Windows\SysWOW64\Elpkep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlcjhkdp.exe C:\Windows\SysWOW64\Hienlpel.exe N/A
File created C:\Windows\SysWOW64\Nhhlki32.dll C:\Windows\SysWOW64\Qpcecb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pidabppl.exe C:\Windows\SysWOW64\Peieba32.exe N/A
File created C:\Windows\SysWOW64\Gaocia32.dll C:\Windows\SysWOW64\Idkkpf32.exe N/A
File created C:\Windows\SysWOW64\Mimcmnpn.dll C:\Windows\SysWOW64\Adfnofpd.exe N/A
File created C:\Windows\SysWOW64\Bndfbikc.dll C:\Windows\SysWOW64\Bklfgo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Piijno32.exe C:\Windows\SysWOW64\Pemomqcn.exe N/A
File created C:\Windows\SysWOW64\Hgkkkcbc.exe C:\Windows\SysWOW64\Hdmoohbo.exe N/A
File opened for modification C:\Windows\SysWOW64\Ikpjbq32.exe C:\Windows\SysWOW64\Iciaqc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilphdlqh.exe C:\Windows\SysWOW64\Ipihpkkd.exe N/A
File created C:\Windows\SysWOW64\Bkgppbgc.dll C:\Windows\SysWOW64\Lepleocn.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjoppf32.exe C:\Windows\SysWOW64\Pafkgphl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ahgjejhd.exe C:\Windows\SysWOW64\Afinioip.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnfihkqm.exe C:\Windows\SysWOW64\Ahippdbe.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcjiff32.exe C:\Windows\SysWOW64\Pkcadhgm.exe N/A
File opened for modification C:\Windows\SysWOW64\Gphphj32.exe C:\Windows\SysWOW64\Gmiclo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pififb32.exe C:\Windows\SysWOW64\Pfhmjf32.exe N/A
File created C:\Windows\SysWOW64\Ohfaap32.dll C:\Windows\SysWOW64\Okchnk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Geaepk32.exe C:\Windows\SysWOW64\Gbchdp32.exe N/A
File created C:\Windows\SysWOW64\Mpagaf32.dll C:\Windows\SysWOW64\Pjoppf32.exe N/A
File created C:\Windows\SysWOW64\Malpia32.exe C:\Windows\SysWOW64\Mnmdme32.exe N/A
File created C:\Windows\SysWOW64\Dcnqpo32.exe C:\Windows\SysWOW64\Dlghoa32.exe N/A
File created C:\Windows\SysWOW64\Lndagg32.exe C:\Windows\SysWOW64\Ljhefhha.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgflcifg.exe C:\Windows\SysWOW64\Koodbl32.exe N/A
File created C:\Windows\SysWOW64\Egcaod32.exe C:\Windows\SysWOW64\Ebfign32.exe N/A
File created C:\Windows\SysWOW64\Hpaoan32.dll C:\Windows\SysWOW64\Fnkfmm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pafkgphl.exe C:\Windows\SysWOW64\Pjlcjf32.exe N/A
File created C:\Windows\SysWOW64\Lmdemd32.exe C:\Windows\SysWOW64\Ljfhqh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ohhnbhok.exe C:\Windows\SysWOW64\Oanfen32.exe N/A
File created C:\Windows\SysWOW64\Lepleocn.exe C:\Windows\SysWOW64\Kofdhd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhhdnf32.exe C:\Windows\SysWOW64\Nbnlaldg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ahenokjf.exe C:\Windows\SysWOW64\Ajbmdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lenicahg.exe C:\Windows\SysWOW64\Lndagg32.exe N/A
File created C:\Windows\SysWOW64\Kpbgeaba.dll C:\Windows\SysWOW64\Mohidbkl.exe N/A
File created C:\Windows\SysWOW64\Gkbofaoj.dll C:\Windows\SysWOW64\Eiaoid32.exe N/A
File opened for modification C:\Windows\SysWOW64\Igigla32.exe C:\Windows\SysWOW64\Idkkpf32.exe N/A
File created C:\Windows\SysWOW64\Cnffoibg.dll C:\Windows\SysWOW64\Ocohmc32.exe N/A
File created C:\Windows\SysWOW64\Pehbea32.dll C:\Windows\SysWOW64\Coiaiakf.exe N/A
File created C:\Windows\SysWOW64\Gapjhc32.dll C:\Windows\SysWOW64\Icdheded.exe N/A
File created C:\Windows\SysWOW64\Miepkipc.dll C:\Windows\SysWOW64\Iknmla32.exe N/A
File created C:\Windows\SysWOW64\Chlcgfff.dll C:\Windows\SysWOW64\Ohhnbhok.exe N/A
File created C:\Windows\SysWOW64\Kfpcoefj.exe C:\Windows\SysWOW64\Kofkbk32.exe N/A
File created C:\Windows\SysWOW64\Pfoann32.exe C:\Windows\SysWOW64\Oabhfg32.exe N/A
File created C:\Windows\SysWOW64\Jcoong32.dll C:\Windows\SysWOW64\Epndknin.exe N/A
File created C:\Windows\SysWOW64\Cnkkjh32.exe C:\Windows\SysWOW64\Cdbfab32.exe N/A
File created C:\Windows\SysWOW64\Hhjhdagb.dll C:\Windows\SysWOW64\Hblkjo32.exe N/A
File created C:\Windows\SysWOW64\Binlfp32.dll C:\Windows\SysWOW64\Njhgbp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdhkcb32.exe C:\Windows\SysWOW64\Pmnbfhal.exe N/A
File created C:\Windows\SysWOW64\Pnbddbhk.dll C:\Windows\SysWOW64\Aajhndkb.exe N/A
File created C:\Windows\SysWOW64\Hkjmbk32.dll C:\Windows\SysWOW64\Qadoba32.exe N/A
File created C:\Windows\SysWOW64\Kodoah32.dll C:\Windows\SysWOW64\Ncabfkqo.exe N/A
File opened for modification C:\Windows\SysWOW64\Pknqoc32.exe C:\Windows\SysWOW64\Paelfmaf.exe N/A
File created C:\Windows\SysWOW64\Gcmjja32.dll C:\Windows\SysWOW64\Jhifomdj.exe N/A
File created C:\Windows\SysWOW64\Lhjlnlii.dll C:\Windows\SysWOW64\Pojcjh32.exe N/A
File created C:\Windows\SysWOW64\Pdkjmfeo.dll C:\Windows\SysWOW64\Akffafgg.exe N/A
File created C:\Windows\SysWOW64\Blhpqhlh.exe C:\Windows\SysWOW64\Bfngdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiiggoaf.exe C:\Windows\SysWOW64\Hgkkkcbc.exe N/A
File created C:\Windows\SysWOW64\Adfokn32.dll C:\Windows\SysWOW64\Gflhoo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpfgmnfp.exe C:\Windows\SysWOW64\Kfpcoefj.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Pififb32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojhiogdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnmkfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apjkcadp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dimenegi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odoogi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfbaonae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkdcbd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcphab32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Naecop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlofcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fbfcmhpg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ikpjbq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Imnocf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hdokdg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jdaaaeqg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdkdgchl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emanjldl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aahbbkaq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mapppn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eklajcmc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Knchpiom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnplfj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lekmnajj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Poliea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hemdlj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgnffj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gjfnedho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljfhqh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hfcnpn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chfegk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocdnln32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfokoelp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pajeam32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lndagg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gbnoiqdq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdagpnbk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajbmdn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Igigla32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfbped32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iahgad32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmhijd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ecbjkngo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmikeaap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncabfkqo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phfjcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmcclm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jblmgf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahenokjf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjnffjkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djhimica.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gemkelcd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pchlpfjb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkenjh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gijmad32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oihmedma.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gikkfqmf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hehkajig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnjnqh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fnipbc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koodbl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qikgco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aojlaeei.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Flpmagqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obnehj32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dglkoeio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegaehem.dll" C:\Windows\SysWOW64\Bhbcfbjk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hekgfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmbphg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miepkipc.dll" C:\Windows\SysWOW64\Iknmla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqgeihg.dll" C:\Windows\SysWOW64\Pbekii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Piijno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoepmnk.dll" C:\Windows\SysWOW64\Cjliajmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffmfchle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgflp32.dll" C:\Windows\SysWOW64\Fpbmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll" C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Igigla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iikmbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aleckinj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackhdo32.dll" C:\Windows\SysWOW64\Gfokoelp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiiggoaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pfoann32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll" C:\Windows\SysWOW64\Pfoann32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmgn32.dll" C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lepleocn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jcbdgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgcme32.dll" C:\Windows\SysWOW64\Boeebnhp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kofkbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qepkbpak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjnkpdc.dll" C:\Windows\SysWOW64\Gpbpbecj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpidaqmj.dll" C:\Windows\SysWOW64\Jebfng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbgeaba.dll" C:\Windows\SysWOW64\Mohidbkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll" C:\Windows\SysWOW64\Oifppdpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohpkmn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoigi32.dll" C:\Windows\SysWOW64\Pedlgbkh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmcclm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiacacpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpgal32.dll" C:\Windows\SysWOW64\Hdhedh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgfapd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jngbjd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lohqnd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jdaaaeqg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Holfoqcm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbklgfdh.dll" C:\Windows\SysWOW64\Iikmbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ilphdlqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lekmnajj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhihhecc.dll" C:\Windows\SysWOW64\Bnkbcj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fpimlfke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jllokajf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Egcaod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lohqnd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbeejp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpgam32.dll" C:\Windows\SysWOW64\Lfbped32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eiekog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpnm32.dll" C:\Windows\SysWOW64\Ooqqdi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Codhnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecbjkngo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deqcbpld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpnoncim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbhmbdle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncbafoge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpnmbl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnjejjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapnbcqo.dll" C:\Windows\SysWOW64\Phdnngdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokmlmhl.dll" C:\Windows\SysWOW64\Hlcjhkdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mchppmij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Niojoeel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pocpfphe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4064 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe C:\Windows\SysWOW64\Niakfbpa.exe
PID 4064 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe C:\Windows\SysWOW64\Niakfbpa.exe
PID 4064 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe C:\Windows\SysWOW64\Niakfbpa.exe
PID 4620 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Niakfbpa.exe C:\Windows\SysWOW64\Nlphbnoe.exe
PID 4620 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Niakfbpa.exe C:\Windows\SysWOW64\Nlphbnoe.exe
PID 4620 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Niakfbpa.exe C:\Windows\SysWOW64\Nlphbnoe.exe
PID 1936 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Nlphbnoe.exe C:\Windows\SysWOW64\Okchnk32.exe
PID 1936 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Nlphbnoe.exe C:\Windows\SysWOW64\Okchnk32.exe
PID 1936 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Nlphbnoe.exe C:\Windows\SysWOW64\Okchnk32.exe
PID 2568 wrote to memory of 3864 N/A C:\Windows\SysWOW64\Okchnk32.exe C:\Windows\SysWOW64\Ooqqdi32.exe
PID 2568 wrote to memory of 3864 N/A C:\Windows\SysWOW64\Okchnk32.exe C:\Windows\SysWOW64\Ooqqdi32.exe
PID 2568 wrote to memory of 3864 N/A C:\Windows\SysWOW64\Okchnk32.exe C:\Windows\SysWOW64\Ooqqdi32.exe
PID 3864 wrote to memory of 4080 N/A C:\Windows\SysWOW64\Ooqqdi32.exe C:\Windows\SysWOW64\Oaompd32.exe
PID 3864 wrote to memory of 4080 N/A C:\Windows\SysWOW64\Ooqqdi32.exe C:\Windows\SysWOW64\Oaompd32.exe
PID 3864 wrote to memory of 4080 N/A C:\Windows\SysWOW64\Ooqqdi32.exe C:\Windows\SysWOW64\Oaompd32.exe
PID 4080 wrote to memory of 2436 N/A C:\Windows\SysWOW64\Oaompd32.exe C:\Windows\SysWOW64\Ohkbbn32.exe
PID 4080 wrote to memory of 2436 N/A C:\Windows\SysWOW64\Oaompd32.exe C:\Windows\SysWOW64\Ohkbbn32.exe
PID 4080 wrote to memory of 2436 N/A C:\Windows\SysWOW64\Oaompd32.exe C:\Windows\SysWOW64\Ohkbbn32.exe
PID 2436 wrote to memory of 3844 N/A C:\Windows\SysWOW64\Ohkbbn32.exe C:\Windows\SysWOW64\Oadfkdgd.exe
PID 2436 wrote to memory of 3844 N/A C:\Windows\SysWOW64\Ohkbbn32.exe C:\Windows\SysWOW64\Oadfkdgd.exe
PID 2436 wrote to memory of 3844 N/A C:\Windows\SysWOW64\Ohkbbn32.exe C:\Windows\SysWOW64\Oadfkdgd.exe
PID 3844 wrote to memory of 1200 N/A C:\Windows\SysWOW64\Oadfkdgd.exe C:\Windows\SysWOW64\Olijhmgj.exe
PID 3844 wrote to memory of 1200 N/A C:\Windows\SysWOW64\Oadfkdgd.exe C:\Windows\SysWOW64\Olijhmgj.exe
PID 3844 wrote to memory of 1200 N/A C:\Windows\SysWOW64\Oadfkdgd.exe C:\Windows\SysWOW64\Olijhmgj.exe
PID 1200 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Olijhmgj.exe C:\Windows\SysWOW64\Oohgdhfn.exe
PID 1200 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Olijhmgj.exe C:\Windows\SysWOW64\Oohgdhfn.exe
PID 1200 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Olijhmgj.exe C:\Windows\SysWOW64\Oohgdhfn.exe
PID 2920 wrote to memory of 4276 N/A C:\Windows\SysWOW64\Oohgdhfn.exe C:\Windows\SysWOW64\Oafcqcea.exe
PID 2920 wrote to memory of 4276 N/A C:\Windows\SysWOW64\Oohgdhfn.exe C:\Windows\SysWOW64\Oafcqcea.exe
PID 2920 wrote to memory of 4276 N/A C:\Windows\SysWOW64\Oohgdhfn.exe C:\Windows\SysWOW64\Oafcqcea.exe
PID 4276 wrote to memory of 4364 N/A C:\Windows\SysWOW64\Oafcqcea.exe C:\Windows\SysWOW64\Ohpkmn32.exe
PID 4276 wrote to memory of 4364 N/A C:\Windows\SysWOW64\Oafcqcea.exe C:\Windows\SysWOW64\Ohpkmn32.exe
PID 4276 wrote to memory of 4364 N/A C:\Windows\SysWOW64\Oafcqcea.exe C:\Windows\SysWOW64\Ohpkmn32.exe
PID 4364 wrote to memory of 4508 N/A C:\Windows\SysWOW64\Ohpkmn32.exe C:\Windows\SysWOW64\Pojcjh32.exe
PID 4364 wrote to memory of 4508 N/A C:\Windows\SysWOW64\Ohpkmn32.exe C:\Windows\SysWOW64\Pojcjh32.exe
PID 4364 wrote to memory of 4508 N/A C:\Windows\SysWOW64\Ohpkmn32.exe C:\Windows\SysWOW64\Pojcjh32.exe
PID 4508 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Pojcjh32.exe C:\Windows\SysWOW64\Pedlgbkh.exe
PID 4508 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Pojcjh32.exe C:\Windows\SysWOW64\Pedlgbkh.exe
PID 4508 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Pojcjh32.exe C:\Windows\SysWOW64\Pedlgbkh.exe
PID 3096 wrote to memory of 3368 N/A C:\Windows\SysWOW64\Pedlgbkh.exe C:\Windows\SysWOW64\Phbhcmjl.exe
PID 3096 wrote to memory of 3368 N/A C:\Windows\SysWOW64\Pedlgbkh.exe C:\Windows\SysWOW64\Phbhcmjl.exe
PID 3096 wrote to memory of 3368 N/A C:\Windows\SysWOW64\Pedlgbkh.exe C:\Windows\SysWOW64\Phbhcmjl.exe
PID 3368 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Phbhcmjl.exe C:\Windows\SysWOW64\Pkadoiip.exe
PID 3368 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Phbhcmjl.exe C:\Windows\SysWOW64\Pkadoiip.exe
PID 3368 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Phbhcmjl.exe C:\Windows\SysWOW64\Pkadoiip.exe
PID 3088 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Pkadoiip.exe C:\Windows\SysWOW64\Pchlpfjb.exe
PID 3088 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Pkadoiip.exe C:\Windows\SysWOW64\Pchlpfjb.exe
PID 3088 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Pkadoiip.exe C:\Windows\SysWOW64\Pchlpfjb.exe
PID 2900 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Pchlpfjb.exe C:\Windows\SysWOW64\Phedhmhi.exe
PID 2900 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Pchlpfjb.exe C:\Windows\SysWOW64\Phedhmhi.exe
PID 2900 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Pchlpfjb.exe C:\Windows\SysWOW64\Phedhmhi.exe
PID 2216 wrote to memory of 4324 N/A C:\Windows\SysWOW64\Phedhmhi.exe C:\Windows\SysWOW64\Pkcadhgm.exe
PID 2216 wrote to memory of 4324 N/A C:\Windows\SysWOW64\Phedhmhi.exe C:\Windows\SysWOW64\Pkcadhgm.exe
PID 2216 wrote to memory of 4324 N/A C:\Windows\SysWOW64\Phedhmhi.exe C:\Windows\SysWOW64\Pkcadhgm.exe
PID 4324 wrote to memory of 3984 N/A C:\Windows\SysWOW64\Pkcadhgm.exe C:\Windows\SysWOW64\Pcjiff32.exe
PID 4324 wrote to memory of 3984 N/A C:\Windows\SysWOW64\Pkcadhgm.exe C:\Windows\SysWOW64\Pcjiff32.exe
PID 4324 wrote to memory of 3984 N/A C:\Windows\SysWOW64\Pkcadhgm.exe C:\Windows\SysWOW64\Pcjiff32.exe
PID 3984 wrote to memory of 4312 N/A C:\Windows\SysWOW64\Pcjiff32.exe C:\Windows\SysWOW64\Peieba32.exe
PID 3984 wrote to memory of 4312 N/A C:\Windows\SysWOW64\Pcjiff32.exe C:\Windows\SysWOW64\Peieba32.exe
PID 3984 wrote to memory of 4312 N/A C:\Windows\SysWOW64\Pcjiff32.exe C:\Windows\SysWOW64\Peieba32.exe
PID 4312 wrote to memory of 184 N/A C:\Windows\SysWOW64\Peieba32.exe C:\Windows\SysWOW64\Pidabppl.exe
PID 4312 wrote to memory of 184 N/A C:\Windows\SysWOW64\Peieba32.exe C:\Windows\SysWOW64\Pidabppl.exe
PID 4312 wrote to memory of 184 N/A C:\Windows\SysWOW64\Peieba32.exe C:\Windows\SysWOW64\Pidabppl.exe
PID 184 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Pidabppl.exe C:\Windows\SysWOW64\Plbmokop.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe

"C:\Users\Admin\AppData\Local\Temp\73a2dc714ab5711b13c47c50c665c0e2be9164781d92bd2f0671e650df82f432N.exe"

C:\Windows\SysWOW64\Niakfbpa.exe

C:\Windows\system32\Niakfbpa.exe

C:\Windows\SysWOW64\Nlphbnoe.exe

C:\Windows\system32\Nlphbnoe.exe

C:\Windows\SysWOW64\Okchnk32.exe

C:\Windows\system32\Okchnk32.exe

C:\Windows\SysWOW64\Ooqqdi32.exe

C:\Windows\system32\Ooqqdi32.exe

C:\Windows\SysWOW64\Oaompd32.exe

C:\Windows\system32\Oaompd32.exe

C:\Windows\SysWOW64\Ohkbbn32.exe

C:\Windows\system32\Ohkbbn32.exe

C:\Windows\SysWOW64\Oadfkdgd.exe

C:\Windows\system32\Oadfkdgd.exe

C:\Windows\SysWOW64\Olijhmgj.exe

C:\Windows\system32\Olijhmgj.exe

C:\Windows\SysWOW64\Oohgdhfn.exe

C:\Windows\system32\Oohgdhfn.exe

C:\Windows\SysWOW64\Oafcqcea.exe

C:\Windows\system32\Oafcqcea.exe

C:\Windows\SysWOW64\Ohpkmn32.exe

C:\Windows\system32\Ohpkmn32.exe

C:\Windows\SysWOW64\Pojcjh32.exe

C:\Windows\system32\Pojcjh32.exe

C:\Windows\SysWOW64\Pedlgbkh.exe

C:\Windows\system32\Pedlgbkh.exe

C:\Windows\SysWOW64\Phbhcmjl.exe

C:\Windows\system32\Phbhcmjl.exe

C:\Windows\SysWOW64\Pkadoiip.exe

C:\Windows\system32\Pkadoiip.exe

C:\Windows\SysWOW64\Pchlpfjb.exe

C:\Windows\system32\Pchlpfjb.exe

C:\Windows\SysWOW64\Phedhmhi.exe

C:\Windows\system32\Phedhmhi.exe

C:\Windows\SysWOW64\Pkcadhgm.exe

C:\Windows\system32\Pkcadhgm.exe

C:\Windows\SysWOW64\Pcjiff32.exe

C:\Windows\system32\Pcjiff32.exe

C:\Windows\SysWOW64\Peieba32.exe

C:\Windows\system32\Peieba32.exe

C:\Windows\SysWOW64\Pidabppl.exe

C:\Windows\system32\Pidabppl.exe

C:\Windows\SysWOW64\Plbmokop.exe

C:\Windows\system32\Plbmokop.exe

C:\Windows\SysWOW64\Pkenjh32.exe

C:\Windows\system32\Pkenjh32.exe

C:\Windows\SysWOW64\Pcmeke32.exe

C:\Windows\system32\Pcmeke32.exe

C:\Windows\SysWOW64\Pekbga32.exe

C:\Windows\system32\Pekbga32.exe

C:\Windows\SysWOW64\Phincl32.exe

C:\Windows\system32\Phincl32.exe

C:\Windows\SysWOW64\Plejdkmm.exe

C:\Windows\system32\Plejdkmm.exe

C:\Windows\SysWOW64\Pocfpf32.exe

C:\Windows\system32\Pocfpf32.exe

C:\Windows\SysWOW64\Pcobaedj.exe

C:\Windows\system32\Pcobaedj.exe

C:\Windows\SysWOW64\Pemomqcn.exe

C:\Windows\system32\Pemomqcn.exe

C:\Windows\SysWOW64\Piijno32.exe

C:\Windows\system32\Piijno32.exe

C:\Windows\SysWOW64\Qlggjk32.exe

C:\Windows\system32\Qlggjk32.exe

C:\Windows\SysWOW64\Qkjgegae.exe

C:\Windows\system32\Qkjgegae.exe

C:\Windows\SysWOW64\Qofcff32.exe

C:\Windows\system32\Qofcff32.exe

C:\Windows\SysWOW64\Qadoba32.exe

C:\Windows\system32\Qadoba32.exe

C:\Windows\SysWOW64\Qepkbpak.exe

C:\Windows\system32\Qepkbpak.exe

C:\Windows\SysWOW64\Qikgco32.exe

C:\Windows\system32\Qikgco32.exe

C:\Windows\SysWOW64\Qhngolpo.exe

C:\Windows\system32\Qhngolpo.exe

C:\Windows\SysWOW64\Qkmdkgob.exe

C:\Windows\system32\Qkmdkgob.exe

C:\Windows\SysWOW64\Qohpkf32.exe

C:\Windows\system32\Qohpkf32.exe

C:\Windows\SysWOW64\Qcclld32.exe

C:\Windows\system32\Qcclld32.exe

C:\Windows\SysWOW64\Qebhhp32.exe

C:\Windows\system32\Qebhhp32.exe

C:\Windows\SysWOW64\Ajndioga.exe

C:\Windows\system32\Ajndioga.exe

C:\Windows\SysWOW64\Allpejfe.exe

C:\Windows\system32\Allpejfe.exe

C:\Windows\SysWOW64\Akoqpg32.exe

C:\Windows\system32\Akoqpg32.exe

C:\Windows\SysWOW64\Aojlaeei.exe

C:\Windows\system32\Aojlaeei.exe

C:\Windows\SysWOW64\Aaiimadl.exe

C:\Windows\system32\Aaiimadl.exe

C:\Windows\SysWOW64\Aeddnp32.exe

C:\Windows\system32\Aeddnp32.exe

C:\Windows\SysWOW64\Ahcajk32.exe

C:\Windows\system32\Ahcajk32.exe

C:\Windows\SysWOW64\Alnmjjdb.exe

C:\Windows\system32\Alnmjjdb.exe

C:\Windows\SysWOW64\Akamff32.exe

C:\Windows\system32\Akamff32.exe

C:\Windows\SysWOW64\Achegd32.exe

C:\Windows\system32\Achegd32.exe

C:\Windows\SysWOW64\Aakebqbj.exe

C:\Windows\system32\Aakebqbj.exe

C:\Windows\SysWOW64\Ajbmdn32.exe

C:\Windows\system32\Ajbmdn32.exe

C:\Windows\SysWOW64\Ahenokjf.exe

C:\Windows\system32\Ahenokjf.exe

C:\Windows\SysWOW64\Akcjkfij.exe

C:\Windows\system32\Akcjkfij.exe

C:\Windows\SysWOW64\Aoofle32.exe

C:\Windows\system32\Aoofle32.exe

C:\Windows\SysWOW64\Ackbmcjl.exe

C:\Windows\system32\Ackbmcjl.exe

C:\Windows\SysWOW64\Afinioip.exe

C:\Windows\system32\Afinioip.exe

C:\Windows\SysWOW64\Ahgjejhd.exe

C:\Windows\system32\Ahgjejhd.exe

C:\Windows\SysWOW64\Akffafgg.exe

C:\Windows\system32\Akffafgg.exe

C:\Windows\SysWOW64\Aoabad32.exe

C:\Windows\system32\Aoabad32.exe

C:\Windows\SysWOW64\Abponp32.exe

C:\Windows\system32\Abponp32.exe

C:\Windows\SysWOW64\Afkknogn.exe

C:\Windows\system32\Afkknogn.exe

C:\Windows\SysWOW64\Ahjgjj32.exe

C:\Windows\system32\Ahjgjj32.exe

C:\Windows\SysWOW64\Aleckinj.exe

C:\Windows\system32\Aleckinj.exe

C:\Windows\SysWOW64\Bfngdn32.exe

C:\Windows\system32\Bfngdn32.exe

C:\Windows\SysWOW64\Blhpqhlh.exe

C:\Windows\system32\Blhpqhlh.exe

C:\Windows\SysWOW64\Bfbaonae.exe

C:\Windows\system32\Bfbaonae.exe

C:\Windows\SysWOW64\Bkoigdom.exe

C:\Windows\system32\Bkoigdom.exe

C:\Windows\SysWOW64\Bcfahbpo.exe

C:\Windows\system32\Bcfahbpo.exe

C:\Windows\SysWOW64\Bfendmoc.exe

C:\Windows\system32\Bfendmoc.exe

C:\Windows\SysWOW64\Bmofagfp.exe

C:\Windows\system32\Bmofagfp.exe

C:\Windows\SysWOW64\Bombmcec.exe

C:\Windows\system32\Bombmcec.exe

C:\Windows\SysWOW64\Bfgjjm32.exe

C:\Windows\system32\Bfgjjm32.exe

C:\Windows\SysWOW64\Bheffh32.exe

C:\Windows\system32\Bheffh32.exe

C:\Windows\SysWOW64\Bkdcbd32.exe

C:\Windows\system32\Bkdcbd32.exe

C:\Windows\SysWOW64\Bbnkonbd.exe

C:\Windows\system32\Bbnkonbd.exe

C:\Windows\SysWOW64\Cjecpkcg.exe

C:\Windows\system32\Cjecpkcg.exe

C:\Windows\SysWOW64\Cmcolgbj.exe

C:\Windows\system32\Cmcolgbj.exe

C:\Windows\SysWOW64\Ccmgiaig.exe

C:\Windows\system32\Ccmgiaig.exe

C:\Windows\SysWOW64\Codhnb32.exe

C:\Windows\system32\Codhnb32.exe

C:\Windows\SysWOW64\Cfnqklgh.exe

C:\Windows\system32\Cfnqklgh.exe

C:\Windows\SysWOW64\Ckkiccep.exe

C:\Windows\system32\Ckkiccep.exe

C:\Windows\SysWOW64\Ccbadp32.exe

C:\Windows\system32\Ccbadp32.exe

C:\Windows\SysWOW64\Cjliajmo.exe

C:\Windows\system32\Cjliajmo.exe

C:\Windows\SysWOW64\Coiaiakf.exe

C:\Windows\system32\Coiaiakf.exe

C:\Windows\SysWOW64\Cjnffjkl.exe

C:\Windows\system32\Cjnffjkl.exe

C:\Windows\SysWOW64\Ckpbnb32.exe

C:\Windows\system32\Ckpbnb32.exe

C:\Windows\SysWOW64\Djqblj32.exe

C:\Windows\system32\Djqblj32.exe

C:\Windows\SysWOW64\Dmoohe32.exe

C:\Windows\system32\Dmoohe32.exe

C:\Windows\SysWOW64\Dcigeooj.exe

C:\Windows\system32\Dcigeooj.exe

C:\Windows\SysWOW64\Djcoai32.exe

C:\Windows\system32\Djcoai32.exe

C:\Windows\SysWOW64\Dmalne32.exe

C:\Windows\system32\Dmalne32.exe

C:\Windows\SysWOW64\Dckdjomg.exe

C:\Windows\system32\Dckdjomg.exe

C:\Windows\SysWOW64\Djelgied.exe

C:\Windows\system32\Djelgied.exe

C:\Windows\SysWOW64\Dmdhcddh.exe

C:\Windows\system32\Dmdhcddh.exe

C:\Windows\SysWOW64\Dlghoa32.exe

C:\Windows\system32\Dlghoa32.exe

C:\Windows\SysWOW64\Dcnqpo32.exe

C:\Windows\system32\Dcnqpo32.exe

C:\Windows\SysWOW64\Djhimica.exe

C:\Windows\system32\Djhimica.exe

C:\Windows\SysWOW64\Dmfeidbe.exe

C:\Windows\system32\Dmfeidbe.exe

C:\Windows\SysWOW64\Dpdaepai.exe

C:\Windows\system32\Dpdaepai.exe

C:\Windows\SysWOW64\Dfoiaj32.exe

C:\Windows\system32\Dfoiaj32.exe

C:\Windows\SysWOW64\Dimenegi.exe

C:\Windows\system32\Dimenegi.exe

C:\Windows\SysWOW64\Dlkbjqgm.exe

C:\Windows\system32\Dlkbjqgm.exe

C:\Windows\SysWOW64\Ecbjkngo.exe

C:\Windows\system32\Ecbjkngo.exe

C:\Windows\SysWOW64\Efafgifc.exe

C:\Windows\system32\Efafgifc.exe

C:\Windows\SysWOW64\Eiobceef.exe

C:\Windows\system32\Eiobceef.exe

C:\Windows\SysWOW64\Elnoopdj.exe

C:\Windows\system32\Elnoopdj.exe

C:\Windows\SysWOW64\Ecefqnel.exe

C:\Windows\system32\Ecefqnel.exe

C:\Windows\SysWOW64\Efccmidp.exe

C:\Windows\system32\Efccmidp.exe

C:\Windows\SysWOW64\Eiaoid32.exe

C:\Windows\system32\Eiaoid32.exe

C:\Windows\SysWOW64\Elpkep32.exe

C:\Windows\system32\Elpkep32.exe

C:\Windows\SysWOW64\Ecgcfm32.exe

C:\Windows\system32\Ecgcfm32.exe

C:\Windows\SysWOW64\Efepbi32.exe

C:\Windows\system32\Efepbi32.exe

C:\Windows\SysWOW64\Eidlnd32.exe

C:\Windows\system32\Eidlnd32.exe

C:\Windows\SysWOW64\Epndknin.exe

C:\Windows\system32\Epndknin.exe

C:\Windows\SysWOW64\Eblpgjha.exe

C:\Windows\system32\Eblpgjha.exe

C:\Windows\SysWOW64\Ejchhgid.exe

C:\Windows\system32\Ejchhgid.exe

C:\Windows\SysWOW64\Embddb32.exe

C:\Windows\system32\Embddb32.exe

C:\Windows\SysWOW64\Ejfeng32.exe

C:\Windows\system32\Ejfeng32.exe

C:\Windows\SysWOW64\Emdajb32.exe

C:\Windows\system32\Emdajb32.exe

C:\Windows\SysWOW64\Fpbmfn32.exe

C:\Windows\system32\Fpbmfn32.exe

C:\Windows\SysWOW64\Ffmfchle.exe

C:\Windows\system32\Ffmfchle.exe

C:\Windows\SysWOW64\Fikbocki.exe

C:\Windows\system32\Fikbocki.exe

C:\Windows\SysWOW64\Fpejlmcf.exe

C:\Windows\system32\Fpejlmcf.exe

C:\Windows\SysWOW64\Fjjnifbl.exe

C:\Windows\system32\Fjjnifbl.exe

C:\Windows\SysWOW64\Fmikeaap.exe

C:\Windows\system32\Fmikeaap.exe

C:\Windows\SysWOW64\Fpggamqc.exe

C:\Windows\system32\Fpggamqc.exe

C:\Windows\SysWOW64\Fbfcmhpg.exe

C:\Windows\system32\Fbfcmhpg.exe

C:\Windows\SysWOW64\Fjmkoeqi.exe

C:\Windows\system32\Fjmkoeqi.exe

C:\Windows\SysWOW64\Fipkjb32.exe

C:\Windows\system32\Fipkjb32.exe

C:\Windows\SysWOW64\Flngfn32.exe

C:\Windows\system32\Flngfn32.exe

C:\Windows\SysWOW64\Fdepgkgj.exe

C:\Windows\system32\Fdepgkgj.exe

C:\Windows\SysWOW64\Fmndpq32.exe

C:\Windows\system32\Fmndpq32.exe

C:\Windows\SysWOW64\Fdglmkeg.exe

C:\Windows\system32\Fdglmkeg.exe

C:\Windows\SysWOW64\Fideeaco.exe

C:\Windows\system32\Fideeaco.exe

C:\Windows\SysWOW64\Fmpqfq32.exe

C:\Windows\system32\Fmpqfq32.exe

C:\Windows\SysWOW64\Gpnmbl32.exe

C:\Windows\system32\Gpnmbl32.exe

C:\Windows\SysWOW64\Gbmingjo.exe

C:\Windows\system32\Gbmingjo.exe

C:\Windows\SysWOW64\Gjdaodja.exe

C:\Windows\system32\Gjdaodja.exe

C:\Windows\SysWOW64\Gmbmkpie.exe

C:\Windows\system32\Gmbmkpie.exe

C:\Windows\SysWOW64\Gpqjglii.exe

C:\Windows\system32\Gpqjglii.exe

C:\Windows\SysWOW64\Gbofcghl.exe

C:\Windows\system32\Gbofcghl.exe

C:\Windows\SysWOW64\Gjfnedho.exe

C:\Windows\system32\Gjfnedho.exe

C:\Windows\SysWOW64\Gmdjapgb.exe

C:\Windows\system32\Gmdjapgb.exe

C:\Windows\SysWOW64\Gpcfmkff.exe

C:\Windows\system32\Gpcfmkff.exe

C:\Windows\SysWOW64\Gbabigfj.exe

C:\Windows\system32\Gbabigfj.exe

C:\Windows\SysWOW64\Gikkfqmf.exe

C:\Windows\system32\Gikkfqmf.exe

C:\Windows\SysWOW64\Gpecbk32.exe

C:\Windows\system32\Gpecbk32.exe

C:\Windows\SysWOW64\Gbdoof32.exe

C:\Windows\system32\Gbdoof32.exe

C:\Windows\SysWOW64\Gfokoelp.exe

C:\Windows\system32\Gfokoelp.exe

C:\Windows\SysWOW64\Gingkqkd.exe

C:\Windows\system32\Gingkqkd.exe

C:\Windows\SysWOW64\Gmiclo32.exe

C:\Windows\system32\Gmiclo32.exe

C:\Windows\SysWOW64\Gphphj32.exe

C:\Windows\system32\Gphphj32.exe

C:\Windows\SysWOW64\Gdcliikj.exe

C:\Windows\system32\Gdcliikj.exe

C:\Windows\SysWOW64\Ggahedjn.exe

C:\Windows\system32\Ggahedjn.exe

C:\Windows\SysWOW64\Hmlpaoaj.exe

C:\Windows\system32\Hmlpaoaj.exe

C:\Windows\SysWOW64\Hpjmnjqn.exe

C:\Windows\system32\Hpjmnjqn.exe

C:\Windows\SysWOW64\Hdehni32.exe

C:\Windows\system32\Hdehni32.exe

C:\Windows\SysWOW64\Hgdejd32.exe

C:\Windows\system32\Hgdejd32.exe

C:\Windows\SysWOW64\Hibafp32.exe

C:\Windows\system32\Hibafp32.exe

C:\Windows\SysWOW64\Hlambk32.exe

C:\Windows\system32\Hlambk32.exe

C:\Windows\SysWOW64\Hdhedh32.exe

C:\Windows\system32\Hdhedh32.exe

C:\Windows\SysWOW64\Hgfapd32.exe

C:\Windows\system32\Hgfapd32.exe

C:\Windows\SysWOW64\Hienlpel.exe

C:\Windows\system32\Hienlpel.exe

C:\Windows\SysWOW64\Hlcjhkdp.exe

C:\Windows\system32\Hlcjhkdp.exe

C:\Windows\SysWOW64\Hdjbiheb.exe

C:\Windows\system32\Hdjbiheb.exe

C:\Windows\SysWOW64\Hginecde.exe

C:\Windows\system32\Hginecde.exe

C:\Windows\SysWOW64\Hkdjfb32.exe

C:\Windows\system32\Hkdjfb32.exe

C:\Windows\SysWOW64\Hlegnjbm.exe

C:\Windows\system32\Hlegnjbm.exe

C:\Windows\SysWOW64\Hdmoohbo.exe

C:\Windows\system32\Hdmoohbo.exe

C:\Windows\SysWOW64\Hgkkkcbc.exe

C:\Windows\system32\Hgkkkcbc.exe

C:\Windows\SysWOW64\Hiiggoaf.exe

C:\Windows\system32\Hiiggoaf.exe

C:\Windows\SysWOW64\Hlhccj32.exe

C:\Windows\system32\Hlhccj32.exe

C:\Windows\SysWOW64\Hdokdg32.exe

C:\Windows\system32\Hdokdg32.exe

C:\Windows\SysWOW64\Hgmgqc32.exe

C:\Windows\system32\Hgmgqc32.exe

C:\Windows\SysWOW64\Hildmn32.exe

C:\Windows\system32\Hildmn32.exe

C:\Windows\SysWOW64\Ingpmmgm.exe

C:\Windows\system32\Ingpmmgm.exe

C:\Windows\SysWOW64\Ipflihfq.exe

C:\Windows\system32\Ipflihfq.exe

C:\Windows\SysWOW64\Icdheded.exe

C:\Windows\system32\Icdheded.exe

C:\Windows\SysWOW64\Ikkpgafg.exe

C:\Windows\system32\Ikkpgafg.exe

C:\Windows\SysWOW64\Injmcmej.exe

C:\Windows\system32\Injmcmej.exe

C:\Windows\SysWOW64\Iphioh32.exe

C:\Windows\system32\Iphioh32.exe

C:\Windows\SysWOW64\Idcepgmg.exe

C:\Windows\system32\Idcepgmg.exe

C:\Windows\SysWOW64\Iknmla32.exe

C:\Windows\system32\Iknmla32.exe

C:\Windows\SysWOW64\Iloidijb.exe

C:\Windows\system32\Iloidijb.exe

C:\Windows\SysWOW64\Iciaqc32.exe

C:\Windows\system32\Iciaqc32.exe

C:\Windows\SysWOW64\Ikpjbq32.exe

C:\Windows\system32\Ikpjbq32.exe

C:\Windows\SysWOW64\Innfnl32.exe

C:\Windows\system32\Innfnl32.exe

C:\Windows\SysWOW64\Idhnkf32.exe

C:\Windows\system32\Idhnkf32.exe

C:\Windows\SysWOW64\Ikbfgppo.exe

C:\Windows\system32\Ikbfgppo.exe

C:\Windows\SysWOW64\Ilccoh32.exe

C:\Windows\system32\Ilccoh32.exe

C:\Windows\SysWOW64\Idkkpf32.exe

C:\Windows\system32\Idkkpf32.exe

C:\Windows\SysWOW64\Igigla32.exe

C:\Windows\system32\Igigla32.exe

C:\Windows\SysWOW64\Jncoikmp.exe

C:\Windows\system32\Jncoikmp.exe

C:\Windows\SysWOW64\Jcphab32.exe

C:\Windows\system32\Jcphab32.exe

C:\Windows\SysWOW64\Jkgpbp32.exe

C:\Windows\system32\Jkgpbp32.exe

C:\Windows\SysWOW64\Jlhljhbg.exe

C:\Windows\system32\Jlhljhbg.exe

C:\Windows\SysWOW64\Jcbdgb32.exe

C:\Windows\system32\Jcbdgb32.exe

C:\Windows\SysWOW64\Jkimho32.exe

C:\Windows\system32\Jkimho32.exe

C:\Windows\SysWOW64\Jlkipgpe.exe

C:\Windows\system32\Jlkipgpe.exe

C:\Windows\SysWOW64\Jdaaaeqg.exe

C:\Windows\system32\Jdaaaeqg.exe

C:\Windows\SysWOW64\Jcdala32.exe

C:\Windows\system32\Jcdala32.exe

C:\Windows\SysWOW64\Jnjejjgh.exe

C:\Windows\system32\Jnjejjgh.exe

C:\Windows\SysWOW64\Jjafok32.exe

C:\Windows\system32\Jjafok32.exe

C:\Windows\SysWOW64\Jdfjld32.exe

C:\Windows\system32\Jdfjld32.exe

C:\Windows\SysWOW64\Knooej32.exe

C:\Windows\system32\Knooej32.exe

C:\Windows\SysWOW64\Kdigadjo.exe

C:\Windows\system32\Kdigadjo.exe

C:\Windows\SysWOW64\Kclgmq32.exe

C:\Windows\system32\Kclgmq32.exe

C:\Windows\SysWOW64\Kmdlffhj.exe

C:\Windows\system32\Kmdlffhj.exe

C:\Windows\SysWOW64\Kdkdgchl.exe

C:\Windows\system32\Kdkdgchl.exe

C:\Windows\SysWOW64\Kgipcogp.exe

C:\Windows\system32\Kgipcogp.exe

C:\Windows\SysWOW64\Knchpiom.exe

C:\Windows\system32\Knchpiom.exe

C:\Windows\SysWOW64\Kqbdldnq.exe

C:\Windows\system32\Kqbdldnq.exe

C:\Windows\SysWOW64\Kjjiej32.exe

C:\Windows\system32\Kjjiej32.exe

C:\Windows\SysWOW64\Kmieae32.exe

C:\Windows\system32\Kmieae32.exe

C:\Windows\SysWOW64\Kdpmbc32.exe

C:\Windows\system32\Kdpmbc32.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Kjmfjj32.exe

C:\Windows\system32\Kjmfjj32.exe

C:\Windows\SysWOW64\Knhakh32.exe

C:\Windows\system32\Knhakh32.exe

C:\Windows\SysWOW64\Kqfngd32.exe

C:\Windows\system32\Kqfngd32.exe

C:\Windows\SysWOW64\Kcejco32.exe

C:\Windows\system32\Kcejco32.exe

C:\Windows\SysWOW64\Lgqfdnah.exe

C:\Windows\system32\Lgqfdnah.exe

C:\Windows\SysWOW64\Lnjnqh32.exe

C:\Windows\system32\Lnjnqh32.exe

C:\Windows\SysWOW64\Lmmolepp.exe

C:\Windows\system32\Lmmolepp.exe

C:\Windows\SysWOW64\Lddgmbpb.exe

C:\Windows\system32\Lddgmbpb.exe

C:\Windows\SysWOW64\Lnmkfh32.exe

C:\Windows\system32\Lnmkfh32.exe

C:\Windows\SysWOW64\Lqkgbcff.exe

C:\Windows\system32\Lqkgbcff.exe

C:\Windows\SysWOW64\Lgepom32.exe

C:\Windows\system32\Lgepom32.exe

C:\Windows\SysWOW64\Ljclki32.exe

C:\Windows\system32\Ljclki32.exe

C:\Windows\SysWOW64\Lmbhgd32.exe

C:\Windows\system32\Lmbhgd32.exe

C:\Windows\SysWOW64\Ldipha32.exe

C:\Windows\system32\Ldipha32.exe

C:\Windows\SysWOW64\Lggldm32.exe

C:\Windows\system32\Lggldm32.exe

C:\Windows\SysWOW64\Ljfhqh32.exe

C:\Windows\system32\Ljfhqh32.exe

C:\Windows\SysWOW64\Lmdemd32.exe

C:\Windows\system32\Lmdemd32.exe

C:\Windows\SysWOW64\Lekmnajj.exe

C:\Windows\system32\Lekmnajj.exe

C:\Windows\SysWOW64\Lgjijmin.exe

C:\Windows\system32\Lgjijmin.exe

C:\Windows\SysWOW64\Ljhefhha.exe

C:\Windows\system32\Ljhefhha.exe

C:\Windows\SysWOW64\Lndagg32.exe

C:\Windows\system32\Lndagg32.exe

C:\Windows\SysWOW64\Lenicahg.exe

C:\Windows\system32\Lenicahg.exe

C:\Windows\SysWOW64\Mcqjon32.exe

C:\Windows\system32\Mcqjon32.exe

C:\Windows\SysWOW64\Mkhapk32.exe

C:\Windows\system32\Mkhapk32.exe

C:\Windows\SysWOW64\Mminhceb.exe

C:\Windows\system32\Mminhceb.exe

C:\Windows\SysWOW64\Mepfiq32.exe

C:\Windows\system32\Mepfiq32.exe

C:\Windows\SysWOW64\Mkjnfkma.exe

C:\Windows\system32\Mkjnfkma.exe

C:\Windows\SysWOW64\Mjmoag32.exe

C:\Windows\system32\Mjmoag32.exe

C:\Windows\SysWOW64\Mmkkmc32.exe

C:\Windows\system32\Mmkkmc32.exe

C:\Windows\SysWOW64\Mebcop32.exe

C:\Windows\system32\Mebcop32.exe

C:\Windows\SysWOW64\Mgaokl32.exe

C:\Windows\system32\Mgaokl32.exe

C:\Windows\SysWOW64\Mmnhcb32.exe

C:\Windows\system32\Mmnhcb32.exe

C:\Windows\SysWOW64\Mchppmij.exe

C:\Windows\system32\Mchppmij.exe

C:\Windows\SysWOW64\Mnmdme32.exe

C:\Windows\system32\Mnmdme32.exe

C:\Windows\SysWOW64\Malpia32.exe

C:\Windows\system32\Malpia32.exe

C:\Windows\SysWOW64\Mjdebfnd.exe

C:\Windows\system32\Mjdebfnd.exe

C:\Windows\SysWOW64\Meiioonj.exe

C:\Windows\system32\Meiioonj.exe

C:\Windows\SysWOW64\Njfagf32.exe

C:\Windows\system32\Njfagf32.exe

C:\Windows\SysWOW64\Ncofplba.exe

C:\Windows\system32\Ncofplba.exe

C:\Windows\SysWOW64\Njinmf32.exe

C:\Windows\system32\Njinmf32.exe

C:\Windows\SysWOW64\Nabfjpak.exe

C:\Windows\system32\Nabfjpak.exe

C:\Windows\SysWOW64\Ncabfkqo.exe

C:\Windows\system32\Ncabfkqo.exe

C:\Windows\SysWOW64\Naecop32.exe

C:\Windows\system32\Naecop32.exe

C:\Windows\SysWOW64\Nlkgmh32.exe

C:\Windows\system32\Nlkgmh32.exe

C:\Windows\SysWOW64\Nmlddqem.exe

C:\Windows\system32\Nmlddqem.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Oeehkn32.exe

C:\Windows\system32\Oeehkn32.exe

C:\Windows\SysWOW64\Odhifjkg.exe

C:\Windows\system32\Odhifjkg.exe

C:\Windows\SysWOW64\Ojbacd32.exe

C:\Windows\system32\Ojbacd32.exe

C:\Windows\SysWOW64\Olanmgig.exe

C:\Windows\system32\Olanmgig.exe

C:\Windows\SysWOW64\Oanfen32.exe

C:\Windows\system32\Oanfen32.exe

C:\Windows\SysWOW64\Ohhnbhok.exe

C:\Windows\system32\Ohhnbhok.exe

C:\Windows\SysWOW64\Omegjomb.exe

C:\Windows\system32\Omegjomb.exe

C:\Windows\SysWOW64\Odoogi32.exe

C:\Windows\system32\Odoogi32.exe

C:\Windows\SysWOW64\Ojigdcll.exe

C:\Windows\system32\Ojigdcll.exe

C:\Windows\SysWOW64\Omgcpokp.exe

C:\Windows\system32\Omgcpokp.exe

C:\Windows\SysWOW64\Odalmibl.exe

C:\Windows\system32\Odalmibl.exe

C:\Windows\SysWOW64\Ohmhmh32.exe

C:\Windows\system32\Ohmhmh32.exe

C:\Windows\SysWOW64\Oogpjbbb.exe

C:\Windows\system32\Oogpjbbb.exe

C:\Windows\SysWOW64\Paelfmaf.exe

C:\Windows\system32\Paelfmaf.exe

C:\Windows\SysWOW64\Pknqoc32.exe

C:\Windows\system32\Pknqoc32.exe

C:\Windows\SysWOW64\Pmlmkn32.exe

C:\Windows\system32\Pmlmkn32.exe

C:\Windows\SysWOW64\Pdfehh32.exe

C:\Windows\system32\Pdfehh32.exe

C:\Windows\SysWOW64\Pkpmdbfd.exe

C:\Windows\system32\Pkpmdbfd.exe

C:\Windows\SysWOW64\Poliea32.exe

C:\Windows\system32\Poliea32.exe

C:\Windows\SysWOW64\Pajeam32.exe

C:\Windows\system32\Pajeam32.exe

C:\Windows\SysWOW64\Phdnngdn.exe

C:\Windows\system32\Phdnngdn.exe

C:\Windows\SysWOW64\Ponfka32.exe

C:\Windows\system32\Ponfka32.exe

C:\Windows\SysWOW64\Pmaffnce.exe

C:\Windows\system32\Pmaffnce.exe

C:\Windows\SysWOW64\Pdkoch32.exe

C:\Windows\system32\Pdkoch32.exe

C:\Windows\SysWOW64\Phfjcf32.exe

C:\Windows\system32\Phfjcf32.exe

C:\Windows\SysWOW64\Pmcclm32.exe

C:\Windows\system32\Pmcclm32.exe

C:\Windows\SysWOW64\Pdmkhgho.exe

C:\Windows\system32\Pdmkhgho.exe

C:\Windows\SysWOW64\Pocpfphe.exe

C:\Windows\system32\Pocpfphe.exe

C:\Windows\SysWOW64\Qemhbj32.exe

C:\Windows\system32\Qemhbj32.exe

C:\Windows\SysWOW64\Qhmqdemc.exe

C:\Windows\system32\Qhmqdemc.exe

C:\Windows\SysWOW64\Aafemk32.exe

C:\Windows\system32\Aafemk32.exe

C:\Windows\SysWOW64\Aahbbkaq.exe

C:\Windows\system32\Aahbbkaq.exe

C:\Windows\SysWOW64\Adfnofpd.exe

C:\Windows\system32\Adfnofpd.exe

C:\Windows\SysWOW64\Anobgl32.exe

C:\Windows\system32\Anobgl32.exe

C:\Windows\SysWOW64\Aamknj32.exe

C:\Windows\system32\Aamknj32.exe

C:\Windows\SysWOW64\Aoalgn32.exe

C:\Windows\system32\Aoalgn32.exe

C:\Windows\SysWOW64\Ahippdbe.exe

C:\Windows\system32\Ahippdbe.exe

C:\Windows\SysWOW64\Bnfihkqm.exe

C:\Windows\system32\Bnfihkqm.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Bepmoh32.exe

C:\Windows\system32\Bepmoh32.exe

C:\Windows\SysWOW64\Bhnikc32.exe

C:\Windows\system32\Bhnikc32.exe

C:\Windows\SysWOW64\Bklfgo32.exe

C:\Windows\system32\Bklfgo32.exe

C:\Windows\SysWOW64\Bnkbcj32.exe

C:\Windows\system32\Bnkbcj32.exe

C:\Windows\SysWOW64\Bebjdgmj.exe

C:\Windows\system32\Bebjdgmj.exe

C:\Windows\SysWOW64\Bhpfqcln.exe

C:\Windows\system32\Bhpfqcln.exe

C:\Windows\SysWOW64\Bkobmnka.exe

C:\Windows\system32\Bkobmnka.exe

C:\Windows\SysWOW64\Bnmoijje.exe

C:\Windows\system32\Bnmoijje.exe

C:\Windows\SysWOW64\Bedgjgkg.exe

C:\Windows\system32\Bedgjgkg.exe

C:\Windows\SysWOW64\Bhbcfbjk.exe

C:\Windows\system32\Bhbcfbjk.exe

C:\Windows\SysWOW64\Bkaobnio.exe

C:\Windows\system32\Bkaobnio.exe

C:\Windows\SysWOW64\Bffcpg32.exe

C:\Windows\system32\Bffcpg32.exe

C:\Windows\SysWOW64\Chglab32.exe

C:\Windows\system32\Chglab32.exe

C:\Windows\SysWOW64\Cbpajgmf.exe

C:\Windows\system32\Cbpajgmf.exe

C:\Windows\SysWOW64\Ckhecmcf.exe

C:\Windows\system32\Ckhecmcf.exe

C:\Windows\SysWOW64\Cfnjpfcl.exe

C:\Windows\system32\Cfnjpfcl.exe

C:\Windows\SysWOW64\Clgbmp32.exe

C:\Windows\system32\Clgbmp32.exe

C:\Windows\SysWOW64\Cbdjeg32.exe

C:\Windows\system32\Cbdjeg32.exe

C:\Windows\SysWOW64\Cdbfab32.exe

C:\Windows\system32\Cdbfab32.exe

C:\Windows\SysWOW64\Cnkkjh32.exe

C:\Windows\system32\Cnkkjh32.exe

C:\Windows\SysWOW64\Chqogq32.exe

C:\Windows\system32\Chqogq32.exe

C:\Windows\SysWOW64\Dhclmp32.exe

C:\Windows\system32\Dhclmp32.exe

C:\Windows\SysWOW64\Dmadco32.exe

C:\Windows\system32\Dmadco32.exe

C:\Windows\SysWOW64\Dbnmke32.exe

C:\Windows\system32\Dbnmke32.exe

C:\Windows\SysWOW64\Dfiildio.exe

C:\Windows\system32\Dfiildio.exe

C:\Windows\SysWOW64\Dmcain32.exe

C:\Windows\system32\Dmcain32.exe

C:\Windows\SysWOW64\Dmennnni.exe

C:\Windows\system32\Dmennnni.exe

C:\Windows\SysWOW64\Dodjjimm.exe

C:\Windows\system32\Dodjjimm.exe

C:\Windows\SysWOW64\Deqcbpld.exe

C:\Windows\system32\Deqcbpld.exe

C:\Windows\SysWOW64\Eecphp32.exe

C:\Windows\system32\Eecphp32.exe

C:\Windows\SysWOW64\Eiokinbk.exe

C:\Windows\system32\Eiokinbk.exe

C:\Windows\SysWOW64\Enkdaepb.exe

C:\Windows\system32\Enkdaepb.exe

C:\Windows\SysWOW64\Ebimgcfi.exe

C:\Windows\system32\Ebimgcfi.exe

C:\Windows\SysWOW64\Epmmqheb.exe

C:\Windows\system32\Epmmqheb.exe

C:\Windows\SysWOW64\Emanjldl.exe

C:\Windows\system32\Emanjldl.exe

C:\Windows\SysWOW64\Fngcmcfe.exe

C:\Windows\system32\Fngcmcfe.exe

C:\Windows\SysWOW64\Ffnknafg.exe

C:\Windows\system32\Ffnknafg.exe

C:\Windows\SysWOW64\Fmhdkknd.exe

C:\Windows\system32\Fmhdkknd.exe

C:\Windows\SysWOW64\Fnipbc32.exe

C:\Windows\system32\Fnipbc32.exe

C:\Windows\SysWOW64\Fpimlfke.exe

C:\Windows\system32\Fpimlfke.exe

C:\Windows\SysWOW64\Ffceip32.exe

C:\Windows\system32\Ffceip32.exe

C:\Windows\SysWOW64\Flpmagqi.exe

C:\Windows\system32\Flpmagqi.exe

C:\Windows\SysWOW64\Fbjena32.exe

C:\Windows\system32\Fbjena32.exe

C:\Windows\SysWOW64\Gmojkj32.exe

C:\Windows\system32\Gmojkj32.exe

C:\Windows\SysWOW64\Gnqfcbnj.exe

C:\Windows\system32\Gnqfcbnj.exe

C:\Windows\SysWOW64\Gejopl32.exe

C:\Windows\system32\Gejopl32.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gppcmeem.exe

C:\Windows\system32\Gppcmeem.exe

C:\Windows\SysWOW64\Gbnoiqdq.exe

C:\Windows\system32\Gbnoiqdq.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Gpbpbecj.exe

C:\Windows\system32\Gpbpbecj.exe

C:\Windows\SysWOW64\Gflhoo32.exe

C:\Windows\system32\Gflhoo32.exe

C:\Windows\SysWOW64\Gmfplibd.exe

C:\Windows\system32\Gmfplibd.exe

C:\Windows\SysWOW64\Gpelhd32.exe

C:\Windows\system32\Gpelhd32.exe

C:\Windows\SysWOW64\Gbchdp32.exe

C:\Windows\system32\Gbchdp32.exe

C:\Windows\SysWOW64\Geaepk32.exe

C:\Windows\system32\Geaepk32.exe

C:\Windows\SysWOW64\Gmimai32.exe

C:\Windows\system32\Gmimai32.exe

C:\Windows\SysWOW64\Gpgind32.exe

C:\Windows\system32\Gpgind32.exe

C:\Windows\SysWOW64\Gbeejp32.exe

C:\Windows\system32\Gbeejp32.exe

C:\Windows\SysWOW64\Hipmfjee.exe

C:\Windows\system32\Hipmfjee.exe

C:\Windows\SysWOW64\Hlnjbedi.exe

C:\Windows\system32\Hlnjbedi.exe

C:\Windows\SysWOW64\Holfoqcm.exe

C:\Windows\system32\Holfoqcm.exe

C:\Windows\SysWOW64\Hfcnpn32.exe

C:\Windows\system32\Hfcnpn32.exe

C:\Windows\SysWOW64\Hmmfmhll.exe

C:\Windows\system32\Hmmfmhll.exe

C:\Windows\SysWOW64\Hbjoeojc.exe

C:\Windows\system32\Hbjoeojc.exe

C:\Windows\SysWOW64\Hehkajig.exe

C:\Windows\system32\Hehkajig.exe

C:\Windows\SysWOW64\Hpnoncim.exe

C:\Windows\system32\Hpnoncim.exe

C:\Windows\SysWOW64\Hblkjo32.exe

C:\Windows\system32\Hblkjo32.exe

C:\Windows\SysWOW64\Hekgfj32.exe

C:\Windows\system32\Hekgfj32.exe

C:\Windows\SysWOW64\Hmbphg32.exe

C:\Windows\system32\Hmbphg32.exe

C:\Windows\SysWOW64\Hpqldc32.exe

C:\Windows\system32\Hpqldc32.exe

C:\Windows\SysWOW64\Hbohpn32.exe

C:\Windows\system32\Hbohpn32.exe

C:\Windows\SysWOW64\Hemdlj32.exe

C:\Windows\system32\Hemdlj32.exe

C:\Windows\SysWOW64\Hmdlmg32.exe

C:\Windows\system32\Hmdlmg32.exe

C:\Windows\SysWOW64\Hpchib32.exe

C:\Windows\system32\Hpchib32.exe

C:\Windows\SysWOW64\Iikmbh32.exe

C:\Windows\system32\Iikmbh32.exe

C:\Windows\SysWOW64\Iohejo32.exe

C:\Windows\system32\Iohejo32.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Igajal32.exe

C:\Windows\system32\Igajal32.exe

C:\Windows\SysWOW64\Iomoenej.exe

C:\Windows\system32\Iomoenej.exe

C:\Windows\SysWOW64\Imnocf32.exe

C:\Windows\system32\Imnocf32.exe

C:\Windows\SysWOW64\Ioolkncg.exe

C:\Windows\system32\Ioolkncg.exe

C:\Windows\SysWOW64\Ilcldb32.exe

C:\Windows\system32\Ilcldb32.exe

C:\Windows\SysWOW64\Jekqmhia.exe

C:\Windows\system32\Jekqmhia.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jpcapp32.exe

C:\Windows\system32\Jpcapp32.exe

C:\Windows\SysWOW64\Jngbjd32.exe

C:\Windows\system32\Jngbjd32.exe

C:\Windows\SysWOW64\Jebfng32.exe

C:\Windows\system32\Jebfng32.exe

C:\Windows\SysWOW64\Jllokajf.exe

C:\Windows\system32\Jllokajf.exe

C:\Windows\SysWOW64\Jcfggkac.exe

C:\Windows\system32\Jcfggkac.exe

C:\Windows\SysWOW64\Jnlkedai.exe

C:\Windows\system32\Jnlkedai.exe

C:\Windows\SysWOW64\Kgdpni32.exe

C:\Windows\system32\Kgdpni32.exe

C:\Windows\SysWOW64\Koodbl32.exe

C:\Windows\system32\Koodbl32.exe

C:\Windows\SysWOW64\Kgflcifg.exe

C:\Windows\system32\Kgflcifg.exe

C:\Windows\SysWOW64\Knqepc32.exe

C:\Windows\system32\Knqepc32.exe

C:\Windows\SysWOW64\Kjgeedch.exe

C:\Windows\system32\Kjgeedch.exe

C:\Windows\SysWOW64\Kcpjnjii.exe

C:\Windows\system32\Kcpjnjii.exe

C:\Windows\SysWOW64\Kjjbjd32.exe

C:\Windows\system32\Kjjbjd32.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Kfpcoefj.exe

C:\Windows\system32\Kfpcoefj.exe

C:\Windows\SysWOW64\Lpfgmnfp.exe

C:\Windows\system32\Lpfgmnfp.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Lcgpni32.exe

C:\Windows\system32\Lcgpni32.exe

C:\Windows\SysWOW64\Lqkqhm32.exe

C:\Windows\system32\Lqkqhm32.exe

C:\Windows\SysWOW64\Lckiihok.exe

C:\Windows\system32\Lckiihok.exe

C:\Windows\SysWOW64\Lqojclne.exe

C:\Windows\system32\Lqojclne.exe

C:\Windows\SysWOW64\Lncjlq32.exe

C:\Windows\system32\Lncjlq32.exe

C:\Windows\SysWOW64\Modgdicm.exe

C:\Windows\system32\Modgdicm.exe

C:\Windows\SysWOW64\Mqdcnl32.exe

C:\Windows\system32\Mqdcnl32.exe

C:\Windows\SysWOW64\Mnhdgpii.exe

C:\Windows\system32\Mnhdgpii.exe

C:\Windows\SysWOW64\Mcelpggq.exe

C:\Windows\system32\Mcelpggq.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mokmdh32.exe

C:\Windows\system32\Mokmdh32.exe

C:\Windows\SysWOW64\Mmpmnl32.exe

C:\Windows\system32\Mmpmnl32.exe

C:\Windows\SysWOW64\Nnojho32.exe

C:\Windows\system32\Nnojho32.exe

C:\Windows\SysWOW64\Nggnadib.exe

C:\Windows\system32\Nggnadib.exe

C:\Windows\SysWOW64\Nqpcjj32.exe

C:\Windows\system32\Nqpcjj32.exe

C:\Windows\SysWOW64\Njhgbp32.exe

C:\Windows\system32\Njhgbp32.exe

C:\Windows\SysWOW64\Ncqlkemc.exe

C:\Windows\system32\Ncqlkemc.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Ngqagcag.exe

C:\Windows\system32\Ngqagcag.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Ombcji32.exe

C:\Windows\system32\Ombcji32.exe

C:\Windows\SysWOW64\Ojfcdnjc.exe

C:\Windows\system32\Ojfcdnjc.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Pccahbmn.exe

C:\Windows\system32\Pccahbmn.exe

C:\Windows\SysWOW64\Pagbaglh.exe

C:\Windows\system32\Pagbaglh.exe

C:\Windows\SysWOW64\Pmnbfhal.exe

C:\Windows\system32\Pmnbfhal.exe

C:\Windows\SysWOW64\Pdhkcb32.exe

C:\Windows\system32\Pdhkcb32.exe

C:\Windows\SysWOW64\Pffgom32.exe

C:\Windows\system32\Pffgom32.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Pdjgha32.exe

C:\Windows\system32\Pdjgha32.exe

C:\Windows\SysWOW64\Pnplfj32.exe

C:\Windows\system32\Pnplfj32.exe

C:\Windows\SysWOW64\Qfkqjmdg.exe

C:\Windows\system32\Qfkqjmdg.exe

C:\Windows\SysWOW64\Qpcecb32.exe

C:\Windows\system32\Qpcecb32.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qdaniq32.exe

C:\Windows\system32\Qdaniq32.exe

C:\Windows\SysWOW64\Akkffkhk.exe

C:\Windows\system32\Akkffkhk.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Aoioli32.exe

C:\Windows\system32\Aoioli32.exe

C:\Windows\SysWOW64\Apjkcadp.exe

C:\Windows\system32\Apjkcadp.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Ahdpjn32.exe

C:\Windows\system32\Ahdpjn32.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Amcehdod.exe

C:\Windows\system32\Amcehdod.exe

C:\Windows\SysWOW64\Bobabg32.exe

C:\Windows\system32\Bobabg32.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Baegibae.exe

C:\Windows\system32\Baegibae.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bkphhgfc.exe

C:\Windows\system32\Bkphhgfc.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Cpbjkn32.exe

C:\Windows\system32\Cpbjkn32.exe

C:\Windows\SysWOW64\Chiblk32.exe

C:\Windows\system32\Chiblk32.exe

C:\Windows\SysWOW64\Cocjiehd.exe

C:\Windows\system32\Cocjiehd.exe

C:\Windows\SysWOW64\Cpdgqmnb.exe

C:\Windows\system32\Cpdgqmnb.exe

C:\Windows\SysWOW64\Cgnomg32.exe

C:\Windows\system32\Cgnomg32.exe

C:\Windows\SysWOW64\Cpfcfmlp.exe

C:\Windows\system32\Cpfcfmlp.exe

C:\Windows\SysWOW64\Cogddd32.exe

C:\Windows\system32\Cogddd32.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Dqnjgl32.exe

C:\Windows\system32\Dqnjgl32.exe

C:\Windows\SysWOW64\Doojec32.exe

C:\Windows\system32\Doojec32.exe

C:\Windows\SysWOW64\Dqpfmlce.exe

C:\Windows\system32\Dqpfmlce.exe

C:\Windows\SysWOW64\Dhgonidg.exe

C:\Windows\system32\Dhgonidg.exe

C:\Windows\SysWOW64\Doagjc32.exe

C:\Windows\system32\Doagjc32.exe

C:\Windows\SysWOW64\Dbocfo32.exe

C:\Windows\system32\Dbocfo32.exe

C:\Windows\SysWOW64\Dqbcbkab.exe

C:\Windows\system32\Dqbcbkab.exe

C:\Windows\SysWOW64\Dglkoeio.exe

C:\Windows\system32\Dglkoeio.exe

C:\Windows\SysWOW64\Egohdegl.exe

C:\Windows\system32\Egohdegl.exe

C:\Windows\SysWOW64\Eqgmmk32.exe

C:\Windows\system32\Eqgmmk32.exe

C:\Windows\SysWOW64\Eklajcmc.exe

C:\Windows\system32\Eklajcmc.exe

C:\Windows\SysWOW64\Ebfign32.exe

C:\Windows\system32\Ebfign32.exe

C:\Windows\SysWOW64\Egcaod32.exe

C:\Windows\system32\Egcaod32.exe

C:\Windows\SysWOW64\Edgbii32.exe

C:\Windows\system32\Edgbii32.exe

C:\Windows\SysWOW64\Eomffaag.exe

C:\Windows\system32\Eomffaag.exe

C:\Windows\SysWOW64\Eiekog32.exe

C:\Windows\system32\Eiekog32.exe

C:\Windows\SysWOW64\Ekcgkb32.exe

C:\Windows\system32\Ekcgkb32.exe

C:\Windows\SysWOW64\Fbmohmoh.exe

C:\Windows\system32\Fbmohmoh.exe

C:\Windows\SysWOW64\Fqppci32.exe

C:\Windows\system32\Fqppci32.exe

C:\Windows\SysWOW64\Foapaa32.exe

C:\Windows\system32\Foapaa32.exe

C:\Windows\SysWOW64\Fgmdec32.exe

C:\Windows\system32\Fgmdec32.exe

C:\Windows\SysWOW64\Fnfmbmbi.exe

C:\Windows\system32\Fnfmbmbi.exe

C:\Windows\SysWOW64\Fgoakc32.exe

C:\Windows\system32\Fgoakc32.exe

C:\Windows\SysWOW64\Fbdehlip.exe

C:\Windows\system32\Fbdehlip.exe

C:\Windows\SysWOW64\Finnef32.exe

C:\Windows\system32\Finnef32.exe

C:\Windows\SysWOW64\Fnkfmm32.exe

C:\Windows\system32\Fnkfmm32.exe

C:\Windows\SysWOW64\Fgcjfbed.exe

C:\Windows\system32\Fgcjfbed.exe

C:\Windows\SysWOW64\Gokbgpeg.exe

C:\Windows\system32\Gokbgpeg.exe

C:\Windows\SysWOW64\Gegkpf32.exe

C:\Windows\system32\Gegkpf32.exe

C:\Windows\SysWOW64\Gkaclqkk.exe

C:\Windows\system32\Gkaclqkk.exe

C:\Windows\SysWOW64\Gejhef32.exe

C:\Windows\system32\Gejhef32.exe

C:\Windows\SysWOW64\Gkdpbpih.exe

C:\Windows\system32\Gkdpbpih.exe

C:\Windows\SysWOW64\Geldkfpi.exe

C:\Windows\system32\Geldkfpi.exe

C:\Windows\SysWOW64\Glfmgp32.exe

C:\Windows\system32\Glfmgp32.exe

C:\Windows\SysWOW64\Gijmad32.exe

C:\Windows\system32\Gijmad32.exe

C:\Windows\SysWOW64\Giljfddl.exe

C:\Windows\system32\Giljfddl.exe

C:\Windows\SysWOW64\Hnibokbd.exe

C:\Windows\system32\Hnibokbd.exe

C:\Windows\SysWOW64\Hlmchoan.exe

C:\Windows\system32\Hlmchoan.exe

C:\Windows\SysWOW64\Hiacacpg.exe

C:\Windows\system32\Hiacacpg.exe

C:\Windows\SysWOW64\Hehdfdek.exe

C:\Windows\system32\Hehdfdek.exe

C:\Windows\SysWOW64\Hnphoj32.exe

C:\Windows\system32\Hnphoj32.exe

C:\Windows\SysWOW64\Hhimhobl.exe

C:\Windows\system32\Hhimhobl.exe

C:\Windows\SysWOW64\Hnbeeiji.exe

C:\Windows\system32\Hnbeeiji.exe

C:\Windows\SysWOW64\Ilfennic.exe

C:\Windows\system32\Ilfennic.exe

C:\Windows\SysWOW64\Ibqnkh32.exe

C:\Windows\system32\Ibqnkh32.exe

C:\Windows\SysWOW64\Ilibdmgp.exe

C:\Windows\system32\Ilibdmgp.exe

C:\Windows\SysWOW64\Ihpcinld.exe

C:\Windows\system32\Ihpcinld.exe

C:\Windows\SysWOW64\Iahgad32.exe

C:\Windows\system32\Iahgad32.exe

C:\Windows\SysWOW64\Ipihpkkd.exe

C:\Windows\system32\Ipihpkkd.exe

C:\Windows\SysWOW64\Ilphdlqh.exe

C:\Windows\system32\Ilphdlqh.exe

C:\Windows\SysWOW64\Ibjqaf32.exe

C:\Windows\system32\Ibjqaf32.exe

C:\Windows\SysWOW64\Jidinqpb.exe

C:\Windows\system32\Jidinqpb.exe

C:\Windows\SysWOW64\Jlbejloe.exe

C:\Windows\system32\Jlbejloe.exe

C:\Windows\SysWOW64\Jblmgf32.exe

C:\Windows\system32\Jblmgf32.exe

C:\Windows\SysWOW64\Jhifomdj.exe

C:\Windows\system32\Jhifomdj.exe

C:\Windows\SysWOW64\Jocnlg32.exe

C:\Windows\system32\Jocnlg32.exe

C:\Windows\SysWOW64\Jemfhacc.exe

C:\Windows\system32\Jemfhacc.exe

C:\Windows\SysWOW64\Jlgoek32.exe

C:\Windows\system32\Jlgoek32.exe

C:\Windows\SysWOW64\Joekag32.exe

C:\Windows\system32\Joekag32.exe

C:\Windows\SysWOW64\Jikoopij.exe

C:\Windows\system32\Jikoopij.exe

C:\Windows\SysWOW64\Jpegkj32.exe

C:\Windows\system32\Jpegkj32.exe

C:\Windows\SysWOW64\Jbccge32.exe

C:\Windows\system32\Jbccge32.exe

C:\Windows\SysWOW64\Jhplpl32.exe

C:\Windows\system32\Jhplpl32.exe

C:\Windows\SysWOW64\Jllhpkfk.exe

C:\Windows\system32\Jllhpkfk.exe

C:\Windows\SysWOW64\Jbepme32.exe

C:\Windows\system32\Jbepme32.exe

C:\Windows\SysWOW64\Khbiello.exe

C:\Windows\system32\Khbiello.exe

C:\Windows\SysWOW64\Kbhmbdle.exe

C:\Windows\system32\Kbhmbdle.exe

C:\Windows\SysWOW64\Kibeoo32.exe

C:\Windows\system32\Kibeoo32.exe

C:\Windows\SysWOW64\Koonge32.exe

C:\Windows\system32\Koonge32.exe

C:\Windows\SysWOW64\Khgbqkhj.exe

C:\Windows\system32\Khgbqkhj.exe

C:\Windows\SysWOW64\Kpnjah32.exe

C:\Windows\system32\Kpnjah32.exe

C:\Windows\SysWOW64\Kapfiqoj.exe

C:\Windows\system32\Kapfiqoj.exe

C:\Windows\SysWOW64\Kocgbend.exe

C:\Windows\system32\Kocgbend.exe

C:\Windows\SysWOW64\Kiikpnmj.exe

C:\Windows\system32\Kiikpnmj.exe

C:\Windows\SysWOW64\Kofdhd32.exe

C:\Windows\system32\Kofdhd32.exe

C:\Windows\SysWOW64\Lepleocn.exe

C:\Windows\system32\Lepleocn.exe

C:\Windows\SysWOW64\Lohqnd32.exe

C:\Windows\system32\Lohqnd32.exe

C:\Windows\SysWOW64\Lebijnak.exe

C:\Windows\system32\Lebijnak.exe

C:\Windows\SysWOW64\Lllagh32.exe

C:\Windows\system32\Lllagh32.exe

C:\Windows\SysWOW64\Lcfidb32.exe

C:\Windows\system32\Lcfidb32.exe

C:\Windows\SysWOW64\Lhcali32.exe

C:\Windows\system32\Lhcali32.exe

C:\Windows\SysWOW64\Lomjicei.exe

C:\Windows\system32\Lomjicei.exe

C:\Windows\SysWOW64\Legben32.exe

C:\Windows\system32\Legben32.exe

C:\Windows\SysWOW64\Llqjbhdc.exe

C:\Windows\system32\Llqjbhdc.exe

C:\Windows\SysWOW64\Lckboblp.exe

C:\Windows\system32\Lckboblp.exe

C:\Windows\SysWOW64\Ljdkll32.exe

C:\Windows\system32\Ljdkll32.exe

C:\Windows\SysWOW64\Lpochfji.exe

C:\Windows\system32\Lpochfji.exe

C:\Windows\SysWOW64\Mapppn32.exe

C:\Windows\system32\Mapppn32.exe

C:\Windows\SysWOW64\Mhjhmhhd.exe

C:\Windows\system32\Mhjhmhhd.exe

C:\Windows\SysWOW64\Modpib32.exe

C:\Windows\system32\Modpib32.exe

C:\Windows\SysWOW64\Mablfnne.exe

C:\Windows\system32\Mablfnne.exe

C:\Windows\SysWOW64\Mlhqcgnk.exe

C:\Windows\system32\Mlhqcgnk.exe

C:\Windows\SysWOW64\Mofmobmo.exe

C:\Windows\system32\Mofmobmo.exe

C:\Windows\SysWOW64\Mjlalkmd.exe

C:\Windows\system32\Mjlalkmd.exe

C:\Windows\SysWOW64\Mohidbkl.exe

C:\Windows\system32\Mohidbkl.exe

C:\Windows\SysWOW64\Mbgeqmjp.exe

C:\Windows\system32\Mbgeqmjp.exe

C:\Windows\SysWOW64\Mlljnf32.exe

C:\Windows\system32\Mlljnf32.exe

C:\Windows\SysWOW64\Mfenglqf.exe

C:\Windows\system32\Mfenglqf.exe

C:\Windows\SysWOW64\Mlofcf32.exe

C:\Windows\system32\Mlofcf32.exe

C:\Windows\SysWOW64\Nblolm32.exe

C:\Windows\system32\Nblolm32.exe

C:\Windows\SysWOW64\Nhegig32.exe

C:\Windows\system32\Nhegig32.exe

C:\Windows\SysWOW64\Nmaciefp.exe

C:\Windows\system32\Nmaciefp.exe

C:\Windows\SysWOW64\Nbnlaldg.exe

C:\Windows\system32\Nbnlaldg.exe

C:\Windows\SysWOW64\Nhhdnf32.exe

C:\Windows\system32\Nhhdnf32.exe

C:\Windows\SysWOW64\Noblkqca.exe

C:\Windows\system32\Noblkqca.exe

C:\Windows\SysWOW64\Nbphglbe.exe

C:\Windows\system32\Nbphglbe.exe

C:\Windows\SysWOW64\Njgqhicg.exe

C:\Windows\system32\Njgqhicg.exe

C:\Windows\SysWOW64\Ncpeaoih.exe

C:\Windows\system32\Ncpeaoih.exe

C:\Windows\SysWOW64\Nmhijd32.exe

C:\Windows\system32\Nmhijd32.exe

C:\Windows\SysWOW64\Ncbafoge.exe

C:\Windows\system32\Ncbafoge.exe

C:\Windows\SysWOW64\Nbebbk32.exe

C:\Windows\system32\Nbebbk32.exe

C:\Windows\SysWOW64\Niojoeel.exe

C:\Windows\system32\Niojoeel.exe

C:\Windows\SysWOW64\Ocdnln32.exe

C:\Windows\system32\Ocdnln32.exe

C:\Windows\SysWOW64\Ommceclc.exe

C:\Windows\system32\Ommceclc.exe

C:\Windows\SysWOW64\Ocgkan32.exe

C:\Windows\system32\Ocgkan32.exe

C:\Windows\SysWOW64\Oiccje32.exe

C:\Windows\system32\Oiccje32.exe

C:\Windows\SysWOW64\Oblhcj32.exe

C:\Windows\system32\Oblhcj32.exe

C:\Windows\SysWOW64\Oifppdpd.exe

C:\Windows\system32\Oifppdpd.exe

C:\Windows\SysWOW64\Oophlo32.exe

C:\Windows\system32\Oophlo32.exe

C:\Windows\SysWOW64\Obnehj32.exe

C:\Windows\system32\Obnehj32.exe

C:\Windows\SysWOW64\Oihmedma.exe

C:\Windows\system32\Oihmedma.exe

C:\Windows\SysWOW64\Obqanjdb.exe

C:\Windows\system32\Obqanjdb.exe

C:\Windows\SysWOW64\Ojhiogdd.exe

C:\Windows\system32\Ojhiogdd.exe

C:\Windows\SysWOW64\Pqbala32.exe

C:\Windows\system32\Pqbala32.exe

C:\Windows\SysWOW64\Pfojdh32.exe

C:\Windows\system32\Pfojdh32.exe

C:\Windows\SysWOW64\Padnaq32.exe

C:\Windows\system32\Padnaq32.exe

C:\Windows\SysWOW64\Pbekii32.exe

C:\Windows\system32\Pbekii32.exe

C:\Windows\SysWOW64\Pjlcjf32.exe

C:\Windows\system32\Pjlcjf32.exe

C:\Windows\SysWOW64\Pafkgphl.exe

C:\Windows\system32\Pafkgphl.exe

C:\Windows\SysWOW64\Pjoppf32.exe

C:\Windows\system32\Pjoppf32.exe

C:\Windows\SysWOW64\Paihlpfi.exe

C:\Windows\system32\Paihlpfi.exe

C:\Windows\SysWOW64\Pcgdhkem.exe

C:\Windows\system32\Pcgdhkem.exe

C:\Windows\SysWOW64\Pidlqb32.exe

C:\Windows\system32\Pidlqb32.exe

C:\Windows\SysWOW64\Pakdbp32.exe

C:\Windows\system32\Pakdbp32.exe

C:\Windows\SysWOW64\Pciqnk32.exe

C:\Windows\system32\Pciqnk32.exe

C:\Windows\SysWOW64\Pfhmjf32.exe

C:\Windows\system32\Pfhmjf32.exe

C:\Windows\SysWOW64\Pififb32.exe

C:\Windows\system32\Pififb32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 13868 -ip 13868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 13868 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/4064-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4064-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Niakfbpa.exe

MD5 0c9692b967da2476675597cebe483430
SHA1 c5c1505d977a906ad0fdb1345b8cb11326332c53
SHA256 c909ee7fb7a6e47919ca6d4ef10412e884a9508abebea686d5c1c0b66c1af52f
SHA512 eb79e57623f7a2e7515c7eaa3fe98169c04781d25b9a91eb1ebbd3b078abac55f199d741690b8bb50ba00a6f1551d0713136ece2b6ede0ee207430474ad3d24a

memory/4620-9-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nlphbnoe.exe

MD5 2a384194142d2ca8b8e6f6873ab04e15
SHA1 ecfa08073eb23687182fdb7bd7df4e20ee5e3d19
SHA256 8000f3048e6a99e0095608e340dafca5d7739dda8600af8dbc2dbecbfe60a4e7
SHA512 b42314f62a7bcc6dae3f72a96172262e1dc47448f81a39ff770666a45836f4c083695d7d936ae2666b596ff2d314efdd97d50c038f0409ec2f010d9850cc2817

memory/1936-18-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Okchnk32.exe

MD5 f78072d6b7207acf25eae5defa8c5dbb
SHA1 d76fcd5999a74df6e5f9cf4eb2642b7e9d2bf77e
SHA256 36beaad9eac1d65a331bb3338ff6e7040b7cb3e25a67d6de580810f36312d2ad
SHA512 50b7fc690af5cd7557223f6ec9b861f6fc4bae164e3d15238c8a1e6c47c8809464231ba4ee81273ca21e2305d35011d1f8406213d62930d60593fbf26a52a67f

memory/2568-24-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ooqqdi32.exe

MD5 04bbdfabf06b29a84e2396adbe49bdf7
SHA1 58365b7445d9eae228feba4365141c835ddec5e6
SHA256 4ad76f1d059a3148bdc7a0b357035dc70c2d19f69de141f54347c79ad8d58eb0
SHA512 db10857c8f71d22770ed69b90f8160e2506e2831bdbecb6e8e664f7519f95b7eb1f54f7e0a988bd26da5d63579b37bc475b000e7e42ef9839fc737b91017d55f

memory/3864-33-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oaompd32.exe

MD5 c5f49440adb779592173a7e86e0d961a
SHA1 713061e2ac6705a3189dc4739baacca1d0b1ee76
SHA256 34d5410332c856390a6be042e107060b50a346774f886d7ee925be2621064c48
SHA512 6687beeb94bd31b13a6a9ac7e8341e09337617fd9857f2f788c45bc4a5d6feb307c2a515b81b9308870632410011dbcd7ac137fd8c006be7cb32c80012f95c06

memory/4080-41-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ohkbbn32.exe

MD5 dd263b9b1a2a0eb29fff41fa46d56ca5
SHA1 be6cc8609e6d33e412c5b8a50b0d852e1ed15b56
SHA256 fd6da7a26c27261f9b4fb2306cbc61b92488e386d00688d6814507e1281ed8d7
SHA512 6556dc88e751b6b274b846d853f96c05416446e986820429103c731cde827dd72b7da2829e6c68ad8f8b3ed045a4b652d9880b316412f6e92577a80770a06ebe

memory/2436-48-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oadfkdgd.exe

MD5 c4fbca2d89e17dfe6bb6be8f3d4c1241
SHA1 6a0eec8ff3fdec729717eac75c587e4f7328a714
SHA256 18931b3239f314a545d4b9144a10dafa87f6d50d3f4b243502060ba2ba69bf56
SHA512 061e05b817dd4623ba35d521880ccc81d487497de9745629944a1bf3bbe8475585a5b4cc20f5644d088b3ff3d1f04c2144b70a6dcb36b4a7f7e654c41f5dce75

memory/3844-56-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Olijhmgj.exe

MD5 7da86f22778a7690657f420d0d213f27
SHA1 eb9f3209b9f9c802673035049c1cb04d30e7c991
SHA256 bbd438e47474303457ab5513e1172c6d618e8313d58ae903591f4df0adee442d
SHA512 22931b2ac7e601e875d134c66bb5813ae3156206c5565a7ed0225d51a040da4c35b027f14ff58a7e983261dc9dd6e6f742c31a27ac64d0b6d4a224be6ad8b761

C:\Windows\SysWOW64\Oohgdhfn.exe

MD5 9a5480622b1c93c4d0fd39f02fd551e2
SHA1 9d66c322e41aa300dfc6e0a0a0f80338a554b68d
SHA256 eac92a870dc75a96d73c5f1ab3d31dd596c47c4c10933c0f7c2515935d16144e
SHA512 4ba9568b8eb4f6efb0360218103df9983fbc96df203e8a991968cd8f26eb8d02f1e7ad11f9701f18338df237eab0b89902e3334b8448e47950c932487483817c

memory/2920-77-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oafcqcea.exe

MD5 adef8aa55979e7c914f94e63506ced31
SHA1 f9494a3a6e4b2580991a57956ebc845893c807cd
SHA256 92d99cf9a6078ff10f6614ebcb789215306ba5016986ba81984ef1457bd2f37b
SHA512 d99479b8d617141dd486bf408adffed56e89ab1d789d5f93cd8c434adaaa74e9f91f60f7f9dac1d7b1b2edbb13dbd882bf1d47fc4a00415379a7a9af85570c67

memory/4276-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4364-89-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ohpkmn32.exe

MD5 08c944ecc7b958084db81ab415e53d62
SHA1 a65cd249cba199c37ffb90f84e07efe8af1c150d
SHA256 1b0002fc77a49fc3d4f4a5c8f00e2410965cba20bb4f7ba4851734957de6fba2
SHA512 f4d0d43f3d5f75a545831bc28ae0891f347b431ee8c2b1ebf4c4868f33ce672db691a2191f1ef1dcddf211180e1cd6aee86957ccd0ca6f0559a23c3fe3f30ff8

C:\Windows\SysWOW64\Pojcjh32.exe

MD5 94d97b81b86b29f0992d06e5fad7c87e
SHA1 7dbbbcc455602b3dfe8ea07f31e4a90039a59158
SHA256 4f43799498ea26e434b653e21de786e576982bcb60c98638178665265362c3bc
SHA512 0cdf54e78fe123b1d0bbe7350d5a490eeb0aeac5bab589a9eb12a6718de0fa00b7e777f134fb12df3a7dae5aaf004b3f2da8ca7815189d08bef7fb79327b98f9

C:\Windows\SysWOW64\Pedlgbkh.exe

MD5 e7ec8791ed29e1213fcd751f61097250
SHA1 492614c5c332351b0e1f6e2422a905244f9ed342
SHA256 8319679a16aad2efaade9edadd7449923ef439cca7aa16744e7f130fbe53b070
SHA512 45625dcf9493b7fc319a5148765799ac84673ddacab7af81defb9bd240a5a6448472a628fe0a0c1609f4a3fefd12e3079d5619699c7e1754f11dbd48761b1189

C:\Windows\SysWOW64\Phbhcmjl.exe

MD5 961a74709088118f8c570d7d01f93b07
SHA1 42332ebaf257cc104cd1a8465b1e6eabeb301406
SHA256 c3a09daf07d068ee1e502df00fe20f52225581bbf1ebceff51812c434ddcc7c4
SHA512 bdcd6bd88b7afd5f337b3f99260bcb73400d2ed9576ea4cf850b578277df9a34e4fcb4c86aa2e19b2153d249de24ed72f0de891736aa236d50d9d062da50eb21

C:\Windows\SysWOW64\Pchlpfjb.exe

MD5 26fd9b23572b4e584e17a8e69f7b601b
SHA1 9b8ce5bfd08b14aa20e7bce51051919c5a7d4f0e
SHA256 288523994751ae47f7dc42ba6f5a1bece930a728455dfd80165dd270def7f052
SHA512 fbccc2c65c5593d68a75b3ffb7e84588ceac026b1a0b5cac00f1a181c20f62134dff68d5df659f62653927a7c685449d0a77c7a91e07ddac2585ef45ba12d643

memory/2900-129-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Phedhmhi.exe

MD5 98438a807a7bfd789c390b19ea1e763b
SHA1 dc8a9a377fbb03e7602af4dc2268ad8bf0988786
SHA256 ed30fdc1f9353510b8f27bad272086ece8499b772a81441265e1d21e86ae3dc2
SHA512 9bd16717f5bc3889dafeda8175f1c57d51c09243899c72c3a3221130b8c0398facb9ef6cbbb56cb324369aa6f14d539236f95f9a90aa181d5084556e514d3de5

C:\Windows\SysWOW64\Pkcadhgm.exe

MD5 7a9ef0cde72957c12abe8eab9bb07606
SHA1 467271030d2c7ba7893be3a4013ba2716100abdc
SHA256 aea5e871bbcb9e0e7dc0858ac8326d69b6ea5a92362c4b61286978f00308f51f
SHA512 f3c451a9b388c58a440025d821d2ed3bc94f8d1a52e8c8d56058e53e966b583225a1ad7dd381cea7b5e071541c9efda25fd87f9aad4157aa7c3ad87d9425aa3f

C:\Windows\SysWOW64\Peieba32.exe

MD5 4cf15be48010e0e4c2e7abc4c9b2e0c6
SHA1 df1a512d8e644c4c17cbfd7e74d55960c4104dfe
SHA256 e4cbefe9a9d7ae8e6688200882e5f659f0be06cfdab2d507d2e8caf74ab77b68
SHA512 33da79694568fe1161c1fff7127c548fb89a66ad6698acb44eafb66c4e0c41451f7465a2ed0cfce6beba3bfd04722464f5a93e6fb6ddacb62a2661c65639fa7f

C:\Windows\SysWOW64\Plbmokop.exe

MD5 af13ebbf1d85c8a7897887a62ec32906
SHA1 53994d3f5b928c2d5f248fecf898ee62ee17ac5b
SHA256 ca94d7dffea1a6cde51c8e7aeffebb1f0944acfecf3c261146690e5251802b3b
SHA512 01b3abf32c370fe83f7ac644dc703c0cb2e8454b2cc526b176511024c2c7a597421b117c42897ad6d6a45b6fb8600cd0d49c9b60c7b0577b53a95b39b25218a3

C:\Windows\SysWOW64\Pcmeke32.exe

MD5 25e730d0b4162600eea15a9357d65e17
SHA1 7aa87b16bffc190a9934be60efe4a34b4525e9b6
SHA256 4827e0f94b27c7a9eefe013e59a8fc873f86f48bceb63d1f52d47e03418ed7dd
SHA512 bdac91dcd709595d5f53e6a77933188b0e0d1270a263936adb8d8394c8eede0480e54e5fbeeaa82e577a1b3805a70dccae2d2bb64cbd873a63b0833d1cad37c0

C:\Windows\SysWOW64\Phincl32.exe

MD5 2c22364601d1b16fce885d711748b23e
SHA1 87794e65b33b87f6e8fe1412b9c5019e6825022c
SHA256 59e1a52a4a0dd37ed95bf7527ffd4cf78917020f8e127363d2bd45be612d5446
SHA512 26c51688a636e9a6b9000b107776111757d7d29e8eecb749df57e052ce9c664ae25c3fca32963c81c093e5e909c217714d672b8aa7af1f41bcaf3123eae8a2f8

C:\Windows\SysWOW64\Pocfpf32.exe

MD5 433bb405e90090fde63b2a4fff6f3ab1
SHA1 fae598908d479f19bff6827863d2ebadb9c0d633
SHA256 17fbd15aaa296a12712fc5d275de85f05b7711dcce8e0241b8440fac0e7758cc
SHA512 d72b735e60d3c9c7db9f046ad8d81cc5ae964161a53b893593af322255fd2843a34e3204c93eb24da5a8608bec7c4ffae1c275f6c5e4b09a4338e0049a981cda

memory/2716-415-0x0000000000400000-0x0000000000433000-memory.dmp

memory/456-449-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1592-450-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2400-461-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3116-471-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1676-490-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1916-508-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3580-526-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1832-538-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2324-544-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1080-550-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4160-562-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2176-551-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2736-563-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2264-532-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1812-520-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4720-514-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1268-574-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1940-575-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4592-502-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4860-496-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5004-484-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4984-473-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2376-470-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4324-469-0x0000000000400000-0x0000000000433000-memory.dmp

memory/464-468-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3356-467-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4392-466-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4536-465-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4000-464-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2612-463-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1036-462-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3448-460-0x0000000000400000-0x0000000000433000-memory.dmp

memory/524-455-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4484-454-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4444-453-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3208-452-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2452-451-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5044-446-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4288-445-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4384-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1612-439-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4820-438-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3568-437-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3028-436-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2628-435-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4940-434-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4924-447-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2300-433-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1632-432-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4428-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4368-430-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1384-429-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1396-428-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4548-427-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2152-426-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2160-425-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4932-424-0x0000000000400000-0x0000000000433000-memory.dmp

memory/832-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2872-422-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4328-421-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4124-420-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4272-419-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3644-417-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cjliajmo.exe

MD5 4bf28ef6f40b4463db5cc36aec04de84
SHA1 c29261ee750ce11bee29afe2231f3e0ad9172f57
SHA256 a469646dbc77a326a8a73b971278b871ed7dc5616fa6dd0d9a0385bb9e226b64
SHA512 3b42087e20cc329b749f254c01e25dd6de8d08e6c76bd5d306da6466f35cff53eb22f52053f568572c67484564545931104b7a41fb1a651f15c0edb9f2b82d99

memory/184-414-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4312-413-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3984-412-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2216-411-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4220-418-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qlggjk32.exe

MD5 247fab0611267f5a1d3bbc9180e3b53c
SHA1 ab707152b1bfe77025e40e9e212a010c8a086953
SHA256 f59376dfd2f51d21b49f61a15a98c05134d99ae2c044dc23801c7f05c875f4a2
SHA512 6555b641d4c8299a03d8927a6601f8f78e7709b19f57ae98ee2155651874947c26858d34f79692e18e7a081def2f8f387244d52cc10ba1a6ac139d1bdf0ded12

C:\Windows\SysWOW64\Piijno32.exe

MD5 ade22cc3915d5ac291980f7559c0c0c2
SHA1 a835dbae883ad1aadf67c374784463630cdb5e1c
SHA256 a5bbe92b09b1dd20597fbd63436860046128dba7dc16f0d8aff1de973ab60dff
SHA512 19483e259aa29e237381aa41016d75554ef95fa27d7a4f23a8f926e8102c5bcc090875b594534a46604d1a70e375a40fb4315014e5d91dfc384f258dd73ca797

C:\Windows\SysWOW64\Pemomqcn.exe

MD5 8792f7d7d0d0242ac0fd5c7c3939eccd
SHA1 ccf22c78c1c13f1195303af11c056cfd32be929d
SHA256 41ad8940a5544ad967ede8ad3825a07b9428d23a4a87ffc744b260927e622865
SHA512 d79d9178442f25524eaf482230bc272de2d5e4addbfdc6a981ebad0068b985f584047e85ea53785c4ce92c478a76facbcb6108cde9fbd6937009090e37f35829

C:\Windows\SysWOW64\Pcobaedj.exe

MD5 dc45613feb673f2e32e9049e6c91c2fc
SHA1 383e53c8620e0884dd88f565046b0190b0edcc3b
SHA256 b770f735b9f23ebe76523be62611f707e8998f5bcbf8cc7a1f53668bbc2c7486
SHA512 5121e67eadbaf74166309a74c6dab5c5a7b1556cbe2bab2f989158566a6c986c31fb9b9b52d478bb432431265900093f271c0c33729983bbb8491bd2fab82224

C:\Windows\SysWOW64\Plejdkmm.exe

MD5 0aef400f89ea3d67c47972d4df69c7eb
SHA1 f6c7388063ce0787cfe7628c58bd783ca0f1f325
SHA256 20c6f1cc82001e75f7634a01e4b52526a8320685089764aa2ce8f37469ec2aa5
SHA512 d7f04b7ebd80ae218ea3aeed7360c3bfd462a71b3b7fa09843207b32c96d604320bc96acb800b16ab2205599dbb3fa17956c99c46ba414fe5623bf3821602835

memory/1364-581-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pekbga32.exe

MD5 a665ea33ed73a9e6b24c5250ffeb3cd6
SHA1 429cda55cd4c2a82c7e4c8f6cee867c2df6c2811
SHA256 e40554e9ce5cb10e80af980f32b0500f350335abc4b1fe545b67a626d3e3ac67
SHA512 4cf4fc3810c6ed373be8ca78ff50e95b6a13a64fea435b33b7de1f2004775ca42d0d342d1990118625e33c520ab4cc8e77637ee51281ef15d31dfddd99699c17

C:\Windows\SysWOW64\Pkenjh32.exe

MD5 594b7d4364f01dfdf8a9de5544801024
SHA1 13a03883b1f7dd6bbd8ddfda17b192bd3a9ad692
SHA256 e9f4179ae124698160b82978d7f6fa06608e7a8ddaaff5d3c041ba6796151df7
SHA512 08b3bfc1d718ef3fcb74719074f8aed7769cc98c7142c652921018d10efa1a5aea42b9de2bc27988f62ce93747ffb8f5bb12432ccbabdda264c50cb0320a17ee

C:\Windows\SysWOW64\Pidabppl.exe

MD5 f4e8b25050a2cf2e3959352f3489734f
SHA1 76ebd4c41429da28d76a81a905b4333ed629552e
SHA256 f75fbad76c354f1515aac04c1d0326076b8470716b6908963bab80885db651fd
SHA512 14029591d8a77f2fe14680e0912535e05e6c523e68512f91d4e3bdab21bec7dbecd951faec7d62be5eb55153e575c162c2c69720cf4e5e9110b05a86c32fd6dd

C:\Windows\SysWOW64\Pcjiff32.exe

MD5 493fc2f9cad08a7b0eb937f542edd6a6
SHA1 99f40d1170676cfcc91f6273559980db56b7020a
SHA256 b1593c76bf98e2a696691866ccdeab3ad7321843173351bceef5bf7ce3ee2d37
SHA512 3a34ea3f747677066a3fdd27c77f052cda06dd6d2c7783ff3d7deddf0faca9f5f29981a6e5b2a41d72f9a1d1983fe4bc5854c24e80c02f600a8cec655c5630fd

memory/3088-126-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pkadoiip.exe

MD5 299d66b8c4820570bb97d16d01482bbb
SHA1 8bee581a37a8c49f88d5f0d3bc95b6c6ed911a0c
SHA256 91c85654022eba1c7a8f796c56c9a5f44f361faf6c33e85bbed1cdad0ec2fd17
SHA512 1390bc5d2e176c7aaef10dc6ea2d18793547bbb681480123998941e515120c09e33333b62d5403dcdeee6389565b1f2cb7c67dc773e7f1b165677249059501d4

memory/3368-118-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3096-110-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4508-97-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1200-65-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3080-587-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4460-593-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ckpbnb32.exe

MD5 aa107e9b79ceb7ed15cefb58b4d55a89
SHA1 f9a6693cad2199f245b01475c6303fe054fcede3
SHA256 2bfc53633c31c6ac16349873572c978d242e7c69505853dcacc9cf63e4d318e6
SHA512 510251521c8145432115c6200684da6882fd9f71c94dbb180745761cb8a6aa1f96f9682e04f60c0594c222e1321ec7ff50e7391821012ee38041c1667901f1a3

memory/1092-599-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3076-605-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3444-611-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3012-617-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4084-623-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4564-629-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dckdjomg.exe

MD5 2c90afdaff9b19b81cea00f44721617a
SHA1 2ea7f794bc434bd3ae0be1a38917a07a14549006
SHA256 3cc88db5055933b2895662fe92f570e7269254099176ad5f7a0a31b073644c80
SHA512 0efb7eed4831616236015b3825b47aa4ea30f6b59c0e98c5f5161fa738501da6ff1b178851d570026c989701f5055afe6428b33f2876e803f99ff500a846075d

C:\Windows\SysWOW64\Dimenegi.exe

MD5 099af017ef6f9717ae79c3db09811c84
SHA1 ad9a2f787d4bac8e4be1bae836d5c31bd593d2ba
SHA256 7558aeec7e55d30ede832ecd5b44cb3c66755c78f67939589615047eb15d3b3a
SHA512 85a95a6707febd1b00b51e414a3a318f10d8ac00bd41cb123596470cab1d07af2d6bc2dbe790560fb63dac0090c6dd176fc254c11f1be9000d93de4399f017d0

C:\Windows\SysWOW64\Efccmidp.exe

MD5 afbc02619f45dda451172178e688184b
SHA1 a8a2c5f4a46a76246f0dbfa44c1a32f8f17a2790
SHA256 2a2cc76339ef2bc309b384c3959e7a66c5854cf45a4798cd00ee8b08f0f2a030
SHA512 7afe2778e2b042cb076e46d85cfffe903ca22ad2a8da1d63f1a0f73809e92ee418bf316ed85cb5131cc432af537943ed9941bcfd9f622f62fdd10bfd5d38c76c

C:\Windows\SysWOW64\Fdglmkeg.exe

MD5 434a48efd334f667af97594815fd711a
SHA1 3c8bd98f67903068c7c5630ce2f9a3cd416fce8e
SHA256 0860d78b5d3f6740df9a8c0b78b56d7ef09494dce7835fedf210994aa0fbc42b
SHA512 a41ea3badc45595fa3fdd169cd9a926e1997c442d08355ec73e7f22342a1e84616e5cb0ee165660cd62cdce18e8f19d1736cad30b1e6c87e5336222d8cc5607a

C:\Windows\SysWOW64\Gikkfqmf.exe

MD5 6392baca8d65a79e7ae3b74e040b4e96
SHA1 d1341b299cf2336f28b5632c7b59be5486dd698f
SHA256 8005cb091bfd0153187afb930fd389fe0159a35dfcb90e6b2847a7f14b7624c6
SHA512 0aa200d32c1b074250646a0bdd447945a4e67cb228d25c04c1f605d607d9d01665d619e70ab2b34c7795486cf7a199c7e171d06b38b575a7a95c30d7e9ffc88b

C:\Windows\SysWOW64\Jkgpbp32.exe

MD5 3e59545b8c28c5cc6f46e45852cac643
SHA1 df456368445a29124548e58d83ce5bee2cc9c3b1
SHA256 b6675794c668a76b3f3474d8901e9ee688bae4fcfd1b95931827795a8d3a9794
SHA512 ad45470c5eb724fa46832b00291c3c4aa13384e9aa1d26a3f64668281fb96c7e452b526c6e8ffe4261732a6cbde70f03460a0c44963f01278b72b386d2a64241

C:\Windows\SysWOW64\Jcdala32.exe

MD5 73c47ae43eb3b0046d71a18b21577986
SHA1 00d194868acdc320dd837b49786741e75b0ca1d5
SHA256 d79b5b311b9592b3f895793257b79a7342cca4c63c47d731bd62dbe951b816b4
SHA512 3edee293bde6ac61b50e7838bb007fff9a1f8d6fe89f6082f4a19e69b1c2df79a3a07de9c5e9b2d7bb6c35d91191e826884015043e2b8f96b7fbd2f1571aca0d

C:\Windows\SysWOW64\Jjafok32.exe

MD5 8d2be388b83c824c5ba187f5e9cb9931
SHA1 e9e2aad4a6bdcb94c68c7eec263607be26ab3998
SHA256 cf229cd2a8530c8e8fae4004d7b0bd424f08832928588416f3c2ed63503b00b8
SHA512 2df7bd60da6a8b4a242178212a88f8c840f33b79eb756cac18f483d20fca366ac75db9e0fb5c0f98c9a30d7abeccdff30dd9130a30edc804d7fbb10e164a9e78

C:\Windows\SysWOW64\Kclgmq32.exe

MD5 42f11ddc09b7576fece49bf72182707a
SHA1 44f68b037756f6a1445f6f0b11269dd45fdb8848
SHA256 d05b15bfc25367dbee5a16353cf999a5889efbb863ebbad7ed7c75b2cc579aad
SHA512 e2a4b8e8745aedfd26769a05e2f8ba004202152f558a50e8d55216c0cc9105cdb63073f1fae3e8d8e5e84d31273324094e4d112c7c44f66ea09fbeb445436708

C:\Windows\SysWOW64\Kgipcogp.exe

MD5 93dcc2a4cddfb6d6a9ff1cd64a31c696
SHA1 9b917e7dee6eba242f8d869415efa38162dec9e3
SHA256 640b487a816c5d55e69c33e4d765feec6dbe0cb3c345f9545733bb80510a95a2
SHA512 aec2a859d440db02015cb598ffd2c72aeee0094d8ccb4637cac0c50a9a642cc040f891417458a644b0747d2b2f9e9948639e7c842e1b0fc1321397383cfcebe4

C:\Windows\SysWOW64\Lddgmbpb.exe

MD5 3718b63d52741e5b65530d3ec2bfb96b
SHA1 3974edaceb12642ef5bfd0e462968cb2e8005def
SHA256 52da7dac35143d39c6023a266c1865adc1560e629bda2b1a645922a8146c215e
SHA512 0f0c711f5f48ed69ac60850cf12674a48cf1332d82ac97726d2a3bae89494c9af1179d385fbda5beb16078b5893f770fc30aff76073303523e7cc0b8f0a72d97

C:\Windows\SysWOW64\Lgepom32.exe

MD5 d2b36ea047f4f21e16c6ee9c17aeb187
SHA1 8867ee6f5423946e42ef5e30ae872a3615f2f72b
SHA256 4565e67a9e6b64e10d41ca89d3535839942ae994a53242fcff07745e0b1d356a
SHA512 8d40de42a0c1c8e64ebaf574510c04c1f0b416b69c9e82895393f4145208733dce120596fd4bf55df9316ae4bb0ccef8d7bbb385eb6351d08a5832d8cf2eb986

C:\Windows\SysWOW64\Mmnhcb32.exe

MD5 e47c72d0df10b8d6718cae676bf603f2
SHA1 9ca041a9842eb5314398d6ce801c75dca566abab
SHA256 b27ef5ea3e24e852b37f729074d63615bcf058121cb109886fe7f1a3a32d9620
SHA512 7fd44735c81fcbe55eacd16fc6111c6dcb587eec6cbf7a4c23f95a88b4274d821ca922acca8fb6dfe5371f77e5071121486935c4dfc6ce5896402a4843c52626

C:\Windows\SysWOW64\Mchppmij.exe

MD5 a85ab64d1d0e25be607d197aef58fc19
SHA1 8bbeea135ee3c9776d57ff2f5ddc058208215d43
SHA256 8bce91d3316802f96a349cdf652726d62803a83203ad461e2963044ebeb210f6
SHA512 3b2594b812680ce3504a615b20ad2a9701a0fd9aaf38cec959ca3a6c80eaf197839e7a1eff02d6d1458ed7e807a654780e6c9d5dcca5dfed64bde9e038dd1be3

C:\Windows\SysWOW64\Malpia32.exe

MD5 039b5a4038e8cfcab4309ad16ce829f2
SHA1 1f1a9dd6568b34fb790ea1543e4885008a5705bb
SHA256 5496756650f7ca3429740e142794f9061b15f803d44c941df660e0960a6c89ed
SHA512 09313a8bf9a869470cf1528bca935d0c739f5196c80c93ec40d934fe9eac8750c520fb79f36e78925c2970a5fd5907c01e72f8a32ddb13080f6939d22e09ed82

C:\Windows\SysWOW64\Ncabfkqo.exe

MD5 571320b73651ad640fe798f6c6ec069b
SHA1 3ba89e47711a2cd37da0b1c84b5c883d2fc22802
SHA256 6392c28fbc297b70e77aacd36947fea55918dc1bcd89f9db73e112bb03f0abf9
SHA512 841be2e3cf9d5e2de1454f2ee44cb998b3507fc7f165614c0157927d40590e628119b90d4e8759c5cc43482a27277707e52a405e69c744699e0bedeb68fec3c9

C:\Windows\SysWOW64\Nmlddqem.exe

MD5 6e65ddd9acca1ace0b1caa50edc63aac
SHA1 36e6f13d1e75727a9ad76bd1f18a31b7c80ea395
SHA256 8b72a9e505dfc920f991ad0f23c110738268dd5e462536fe72c04827ca167375
SHA512 8f76dea5f30bef8379b2641198634387d218cfae591b02b9d36309ef7b1fa8b5695879a77c1719b54933daca1b74f9906e1eaaf19409f87314863f83551f33c6

C:\Windows\SysWOW64\Odhifjkg.exe

MD5 2e7d06b312852398ed4af63a31215333
SHA1 bc3d529a13618a2c6ced19e476e79187ab7147f3
SHA256 657b7b35402538faf51186fc93827679711dad509bb5591e5c36bb2b8dc3f138
SHA512 3836baed1ee25d70c648a7dc5379786295c05722e59edd784b2bb179a8eda69e9b557c1495182fbabac73b876da4279ff50300b5e682abeab6f2abd7a3019a72

C:\Windows\SysWOW64\Oanfen32.exe

MD5 80bf6f3456be0800c9cca08e52d41fce
SHA1 7fa40d1022a2e89f7a5a9be4611479563ea6af89
SHA256 6ebd61a40d6d1bf52f2236d27ca456928a0d5465f1e01990fb1f544ed1e95969
SHA512 db8250682eb2e253a1fad5bb6a567bd6dd076f7d61a596cb1d4b5e2bd2b38589fda59a3fd642624f88d61ba9ebdf18c2fd867dcc36e78568e1814f9cda7ea247

C:\Windows\SysWOW64\Ohhnbhok.exe

MD5 05b775fc243ab85443b3520335e8647b
SHA1 3c6cc04378fd6b6d6b4d7b1138b52bb81f2f94bd
SHA256 665eeccf4ae08e1452390230a1d5ba2083547de9af20681826d72c8cae2fc04c
SHA512 74559798a7413e15ed89b9a2e877e11c8682a5ed71053c5e60decf6540b28dc1c96fb273d7b7894706b412189082bf0b588853a2c719a799d206cd695925ca4f

C:\Windows\SysWOW64\Odoogi32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Omgcpokp.exe

MD5 bae81ed243f917157d4c0c1fad139dfc
SHA1 30b9c7b0c82ac4497a85000b6b148e8cc8c29aca
SHA256 733d6e1941218c200e64df69b8493de00f26e298ca33636e93f6361f5842e498
SHA512 575c07dbbb71ff4cb46ca55975b9adbf0f428c2208b1906342818b3e6d53f960e53f0bf4e2decbef15089b8d724610ad5e34e91ac4610b17e8f92e0177cf5b51

C:\Windows\SysWOW64\Paelfmaf.exe

MD5 95ffe8e6c774095e8f36f34d22e24509
SHA1 6c10ac7ace390183a0bd8729dd7623608b838ebb
SHA256 9b6315e4fc6b9f9cbe48c67f35d09bcb6a6d5c85ed75168ece37749dfb03ce05
SHA512 d7c23f182773a36b6e1e0ffbdd93b9780bf3de7615905362ee2fdb525df96db877fd2005fc71c264875f85b8e8a28fda5985c210f8c2a0a925c3e3b4b3863365

C:\Windows\SysWOW64\Pajeam32.exe

MD5 75dddf319226167629ef332e1793c3fa
SHA1 22f95c1759591f9f0dc915c59332a1073edc5993
SHA256 47aebf86a2769261961e8dfe932220e21f5ee866b835e8f3990e516dee9ea88c
SHA512 e15c3e67ac8ce56faf9d53e3c010998c97afaeb36e4c32bf6b11a4f2bc5baac4169e80ead0f6f2cddc5a22f01d85fd3d378621e6c8e3d0a1816ff89cec830806

C:\Windows\SysWOW64\Pmaffnce.exe

MD5 11ad3a89a66bd899056fb7ba9037956a
SHA1 204b81a022a372b86bd0abaee06087f0f73715cb
SHA256 da7ad3ee84a3dfd35eceefdd68efd7ae3a92c609e367de6788aaa8e4d98629cb
SHA512 2aeb52c2c1276cb003bde83d15a5777bb8780366d91ec1834ee79f665471d9751a2be0c6faa127cf307f966d759e60c47dbde3c198b6c84f7858ef7808ca6483

C:\Windows\SysWOW64\Qemhbj32.exe

MD5 a11034219dd83f0ae6b23e0a62d88b84
SHA1 7cfb200ddb87fc15d5fb6b0dffe033534d27593c
SHA256 76888c75ffc4215fc6788385a6a98ebb085b54e7085181e40d8248172a740d67
SHA512 0a0ec7d956a4a82200c3500a18af9398f4a1cd203d88374831ea7d29c5f17d4e7e36f025760b64c3817596b3e1d260e66f106c940f2a307a165974ffb594d830

C:\Windows\SysWOW64\Anobgl32.exe

MD5 af6ad694b21b63f6b2f0b47416e727ba
SHA1 53ce1b47b6f296ba76bd8ef42426245c27f285d4
SHA256 8951ebada061336d92358315008314190d6975999f7c20cfa96844df4a9b880e
SHA512 62ddf116bd11975bac6f58e98fd937fc5f6ecd4843ea1d58a03f1727f549395be4cad7df88d129c5014ee88b124c5dba276a225f519645b245c5d689cf47bc22

C:\Windows\SysWOW64\Bnfihkqm.exe

MD5 8f5170c242add5aa489bcb85c330664f
SHA1 e5067db1b1eaac32da1164b33aa47156be9b5d16
SHA256 3a7c298cf19df4d8b2fdbba57b569e4887af10e7f412ebfc2aedfd1dc1314b5f
SHA512 27777c7fbc77c4efa345a0cfa2be76d746959b462fe804db260c994adad684dfcdbce3810df77622d480221c3efa6bd5943500b1c448d3cdd382e8c6f87adfca

C:\Windows\SysWOW64\Bffcpg32.exe

MD5 f85c0bda6c9c9a90d957c90eb09e1e80
SHA1 92a10d02c05554596f7015089333de04cd834a37
SHA256 42b0cbcd33a9aa8fbe7a9c8da8427ae7d85e22bf063a42a8d1072c586f37a3a7
SHA512 2d0d7d03af48c8feabf9a1437c870ee5ad17d982bb7e054f836dc2dc2ae4b8a890d90fc14cedd4982cf90dce7307cb36acf45d2d16919f3b5444d01b26e2f065

C:\Windows\SysWOW64\Cnkkjh32.exe

MD5 06956f6902ce1e395483f3b3020654d4
SHA1 d2d98a1ba20a1ecaa17f0f0ef771aa81ac8b4a38
SHA256 b37720a14894ca353c2e7b6e78be261fa49c69405c1a4c8f60da551579c07953
SHA512 d2f48b612be4e5069b0065a0ef5f8616d3a1fc7e78775dce3a95110ab5376b8bafa41b679f4720cf8742fc953a675e423ba51ffbf85ba8cba15b39927d174000

C:\Windows\SysWOW64\Chqogq32.exe

MD5 f365a7e21178caaa9f1920c42813d7be
SHA1 fb4baa19bbfa32fceab66ed871f3f9d9dd8bbe89
SHA256 8303ec3d75f76cd6a814fe08de224a11a33bcd25023632a69165da654e002ad7
SHA512 625f8bba361994cfb47b5c9327b2e048a4e19bc374b2f6593b3b24e59832456e69e621461eaf7dc174cc2e331ce114e9f5291e0806eb0c7bd27d2ae0e759e834

C:\Windows\SysWOW64\Dmcain32.exe

MD5 544f033894e855e8be4b098cd73bdc3f
SHA1 a3f4086d2e48cb905aa62c1e72f7084f324edfc6
SHA256 4f4563e9e547bbac18aa46a40a68a1b55f06c3311a31545894f83768005eb05e
SHA512 ade9f2f9814674bf8ec3ab2be62358acce7d068e1efdbfd4401b94bbbac6b6dfc85babf0ebb5d0e519d1f0e79856ded10ac2231b79d01466df82792f9e32fd5c

C:\Windows\SysWOW64\Dodjjimm.exe

MD5 8473be65bfbc5d1edbef7094a0658d65
SHA1 079c8647c5d0bf89cbd5dbca471ebfa5cbbf26a0
SHA256 1d1ec75e12a4309a2dddef218475c27ec92f1847cc9a5ed978ed4fbe39b3d70a
SHA512 d744cb4587b1e8db786eaa4dbc00e6db5db97d23e5f07e55f6af14311b2090707a7377198a186c86fd6d0815c83bc4151cd77dfa6119a8c7297e8a76bc0c74eb

C:\Windows\SysWOW64\Ebimgcfi.exe

MD5 cb3d1cd61b94952ea21b67f6e62ea5dc
SHA1 9ba970589778af875ea2638e1307f27f73e9eff2
SHA256 41a51f7534986c9ca56d80569fea58d55612a0cb601e9bbdbb7dfc6db335b951
SHA512 8f83ca9032a7e53fe7da4d57f7e441dff50869f725788c389df593038963a59645adc7c037c7f556f533e53db27987eb30043e70ed390d27f9d4a30baac1bd1d

C:\Windows\SysWOW64\Fmhdkknd.exe

MD5 cde7f53202d2de8fb36e6b9a9440ea7c
SHA1 be1bcde0c39b3a2bc107540c455980967af16003
SHA256 01723f7a9ec23662efd5686eada951bcef229f27d718650d10940437a9457d59
SHA512 eca0dd99f4a12252cae5b2d6ed8199c2cd593987f831a5423dd1d7a04ccd55d69d945d03b20dab429d2e99fddfc57d6991d68e5d65913f1abc6f3b7d264f16e8

C:\Windows\SysWOW64\Fnipbc32.exe

MD5 4d1c009d6ea6367559c5e6535f9c25fd
SHA1 b334758e1100be5d688cfc836f50d340f2695b5b
SHA256 89fafb41ec90f908c0edc65758219e125506d322538540ab0d86ff717993e5ff
SHA512 6f0b0fbd39ee9684d824a0f6d1270e818641d70b30454beba7474d97a57c727d3299c6af6dcbb5791680aeeb40a114d905a7ef86e888ce6abb16a91307222912

C:\Windows\SysWOW64\Flpmagqi.exe

MD5 e501eabe7222509ecfdf86bf260de612
SHA1 2dd3a21d46ee662b095a99a1ac5e1a0d21addaed
SHA256 f0a8e5157134a37bbf69d04322ecfd10592aae13de2ddf45781d313c8951c904
SHA512 1908a519817228a741ef94f679ca414f0f1665190b0c72fec91f63fffa79697a51b0471fef1be2c7e58c85f9ad0b7e40c12688893c43ea0fe12c187e817d71b9

C:\Windows\SysWOW64\Gemkelcd.exe

MD5 56d881f1ff607de960cb3c3385c13678
SHA1 8a440bfe313d1ab0952b560ae621f00898675018
SHA256 5d70065b86f6c9580789d8c82a99721304d1780fb097cf4c498910ee056540a7
SHA512 8c936d1c50e00d2ad1175c48ec0474d511fbf06d5c0e530427308c2039dabcc04cd6cf0a952451fc99c31490185c4363f8e8fb7e4e88df749b85fe828ab8f439

C:\Windows\SysWOW64\Hehkajig.exe

MD5 830e8dcaab33053bff8ae9b09c78dfcf
SHA1 689bffce45e20a0cd864d57c3c8befeaef703178
SHA256 e9da499d8e475552c5ee5920f83b85f7c16ef3faa940faae70478480fafbfbe9
SHA512 9ee74a81842e75d218b9a60e9665084fe4ec780658fd37603897845747493feafca9e17da328f729973b9c3e3e01b285604f7a8fe58e24f8cfb15f7681b8d50c

C:\Windows\SysWOW64\Jekqmhia.exe

MD5 1052c0a7575a669cb96732d793de7a4b
SHA1 95f01bc29c324172dc5a75d85e059e9af95678c7
SHA256 a19aa2a5d0e668cf6a2f6ab758a915666236c529b90821cfecb72c3b7a9acc31
SHA512 243af2eef469e7abc9d03612add463e6ca066dbe62b2205d2739e2b3a863bb75b255eca85bb46cccfa00f4efef810ee730793f6cd5cf6c94474acd09afe8d471

C:\Windows\SysWOW64\Jpcapp32.exe

MD5 2076f338462f88797d94addc6c561af5
SHA1 61d288aa4dd9804ac8a60e7e36834af50ab2e279
SHA256 4967d7c0ad0df8535442b82579e79fdf019b9f25b1901ccdedc78eb1d9ff00f2
SHA512 4a580ee18edefe62604b0d28b88dac3c008ef37e52cfd108b780ae766426b4e3c18059f2f8fb16ae1a7f6567971d5c3e635c6fafd47ba307766dab8774c03ffb

C:\Windows\SysWOW64\Jcfggkac.exe

MD5 b9914861e319be5acd3a2b30d2deccbf
SHA1 2c510f9ca328aae5790ab32ca214101c295ab057
SHA256 d3083ea463dcd6632222491ec4733d5d986ff79a8163fc3a26425b816967e0a1
SHA512 4873010682ce4ee44f79de7b7d21e8c773381b19cac0443c68c3a078c138a226f939bafdac8ee00470a3867532cd01da54ce3a8037c85faf932ef967ebd2cdb1

C:\Windows\SysWOW64\Kgdpni32.exe

MD5 0876ba5965be072d0be6ca99a6267f91
SHA1 e6a67b09b8ae1cf2705ec8ac19cfc941336a8204
SHA256 c13371ecec475369105f4d6f42dba98ee0f42bba353277327f236103b37705ab
SHA512 8fe301e4269f3fac5473d4ee107f3271b486964753456b53e94a266d4ae06f42eaafd993285898cc4dd9ef40cb7416653fb7d8bce9b1ab44f015031e890af9fd

C:\Windows\SysWOW64\Kjgeedch.exe

MD5 177aa9acc69e75f908f0a67b8873a24d
SHA1 3787d40b996a3d3f5d069485ef7714081434004f
SHA256 64cbe3da5ad8bc089584b5782ef79aa251919ebb3473ace159f59e9de74f7201
SHA512 d8f32b6be27f59d3e80719d16e4217ad2f0e5d53568d42e2e69e3607b476b6c3c8eb8cff912ad56c6f4d2db92aaf7c0b2f80dd445f36a5070d4874c86aaba457

C:\Windows\SysWOW64\Lfbped32.exe

MD5 f8c447fdcd2df3dc8c412ec5132a4cb4
SHA1 840d123a646fc1dc0dabd2069041b35075f1093b
SHA256 90cea902429a770ad294094cf675b0b40ea82e1d3fd2f414ba2b1b8e55342a84
SHA512 2a80786f12263b2a910d3118704519369d8549cc92b50a0f2f850dfdb89fa45bbd75299aaac11e1fc1ab75602ffe96d2c9a5e6d2cc0662a842ec8d11420c631e

C:\Windows\SysWOW64\Lqkqhm32.exe

MD5 d69a712d2f9d5784ebe14e728bfbf603
SHA1 76f0765a960c11573b3b4caab53ec8a20d24a03a
SHA256 3bca7dfedad8758badf4c23784db8b3eca6c9455e3b83d775dbd1fc3a3257377
SHA512 1e40058783102df8055acf6736239e3a85521b99446594fb7d774f6f48d64988249f4ed6afdccb929e8134b72b61584475db1b1deddf4ae0ab5779f4ed8ffb10

C:\Windows\SysWOW64\Modgdicm.exe

MD5 966fe63f41cba1bf6b622ee843386b26
SHA1 abd9980354a4fb65e598dcdc6bbc25074ff69a67
SHA256 12a111b8456b40c39b8963b61a399109981ca4573eb450fe0e8ee5fc41b39fc4
SHA512 6e95724ba55f232d662c620dad92cde49d32c0c8aa21ebaf5a4cc207b841f30dc0b23db83aeddee9141b10c438ee2215e759e9ad6be7e980b5f2792df445802b

C:\Windows\SysWOW64\Mgphpe32.exe

MD5 ab623a4dd5a70cb2b6a154b8a9381a29
SHA1 c22a96784e4a8bdec633cfa5c381e56505a29f4d
SHA256 2cf1f2cb73f3582b9fea0a2440866c76c2e92ffa187b3e14a11c6b3d55ddb408
SHA512 14b677c9d9bd45a426d9a414545dc0ae0c7e14480a0e9881e744d52e7a183b6b2ede35b4c34062de087f2f9b3f3d01877f6276e47887e740b7bad926914b1641

C:\Windows\SysWOW64\Nnojho32.exe

MD5 da34b51cda914a2d799b7f89e9d54cfc
SHA1 63c7530acd4b7fbca0f5b7262686d8587b010bb7
SHA256 c3cbeb98bc5d80089fff36dbc9c2508d8971f00c4986b16288d2e8a35643b07f
SHA512 0f5d9466ae58d892bdceb5681b8b2ad12befcd2a006be1f2cccbeac330747dfb7bbae57527b17e1ca10eadd1a92a86a4d39418706fbfe91b541024c84c60f279

C:\Windows\SysWOW64\Ncqlkemc.exe

MD5 90fbb501c2524ca82be4b3cbb85102a1
SHA1 dbd6e3adcd735ac865744a37f30ec4ccd1a2733f
SHA256 6c4dc6fa808320c4e42ab486c05e7e45137b60cb65296893412f93acda71c600
SHA512 69046385e37a3cfe2fcb05c09871a1e0a1dcb41ca313ee11654e5b6e44464ea616557a626e03fb78f43ecffa73983721dc97b0c5a98abc26eb147e6b49adce59

C:\Windows\SysWOW64\Nnhmnn32.exe

MD5 84e27c6463796d601f0d5f51e149744e
SHA1 4b9b2dad8df1d94d36e69b282042ff346a2cc942
SHA256 4e9c27694c12cfd3e5de2ab6a0b768c0ac3028b8c49c58f798f7121958feae39
SHA512 7f0b8b10de5cc9343dd8411685c45a42e620d9d1b1b11de0deb68c404d612e4e69d32e21930e1326e1051e15cdd1d05fa65849f59858e054add3e0ffffb0d087

C:\Windows\SysWOW64\Ngqagcag.exe

MD5 7d9ef8ca1e9d9e065780a961cd2b6e15
SHA1 cfb82c8b4eb8c109f863ebd6a222a2ead7631f7d
SHA256 f522a0e01553e7287acc98d01049ce77bb2a87ee5ab03848c32336c2949944f9
SHA512 f11c26bf19388bccb0054d0fc4edeb0927e44c111d8a1858caad90f13d24d095a0978b6a8c955ed403704214aef717b22b80932b846202d39db7d9495cc60433

C:\Windows\SysWOW64\Oakbehfe.exe

MD5 ef11a79372f6ac5d01a194aaa75eb954
SHA1 ab4a273869082ece7b1ccef31ab4267363a7f6d1
SHA256 eda024b62b65e71ef5e7101ed845ff3056f1537151e42a7d8327bef733cca916
SHA512 3ad12e49e7be63904fb5502b59ec589fa37f894c48680819fe77fce5d2ebdaad5ad2dad6352e2e617041156adf995dacb4fbdcdad3078f7105861f5f8c607f35

C:\Windows\SysWOW64\Ocohmc32.exe

MD5 ebc5c6eadbdb9f8a6441087887b8da80
SHA1 ccfafff7c25b0232e80549061e719fc7ea360666
SHA256 7a8f04337191a0e3ace03d4825d148eb2a2405a5c564b5f8ea6f028661674073
SHA512 6b514d851c12d039b66fefda7b36015df06f4be7c3c07a18b5bf2c5269aabffce9b31f68d0e7aeeb03a72c355839446247b608ebb09fdc97aaaf273fe00fa8a9

C:\Windows\SysWOW64\Pagbaglh.exe

MD5 6d29dda8a4a3c1a9e628801cc561d318
SHA1 0e783f29a4504fc31720351a3eb70e8b03cd859e
SHA256 db1b96613a2acd8e8b7ce92aff18ca8efcd2aa65ec1e5411f6b79d15bc907b25
SHA512 d86f65d18f5a8a3613a0b0a5925b9e6485cd32a47af1746189d07eb637b938b73ab525008b58934a71059be4defae75789762e9644be2f0f59eb806528f5e2a5

C:\Windows\SysWOW64\Pffgom32.exe

MD5 648ea9046250f2c4f823763a8fffd105
SHA1 9319152f445f4bc06c2c03369dd5179e352ce756
SHA256 3b61d98265b37564617a3b281a2bcefa9c7f452145f80ce034538d1d23e55074
SHA512 00aa8fc46b64298fa6c29d2f7d98a46214fe15e1d6f6f6e9a4cdb3a1b56448aebdacdfb40eef6bdb9f5bfe9610a26714a62379bed69a8fac9a0430b70d40121a

C:\Windows\SysWOW64\Qpcecb32.exe

MD5 a13a2fde823ebd2d017a9e82a74b7df0
SHA1 01cd6bd2eb1f894aa785cc304c8fdd02e03d994f
SHA256 afc1218ea9c36f4527419241272f6280db03005366deee7c98769e4b9c24a0c2
SHA512 7cb7ab3162918c01d66e4d2c9bd1f0ec114e25cc7b38ae2ea9b70323b034c50ed31166c9abe54bc16b90aece0f2652668d1a00989a3ea22f52f39dbc3690b453

C:\Windows\SysWOW64\Akkffkhk.exe

MD5 db5d5f67e2afaac415ea313f3256d1ee
SHA1 ff53a2ac41402c25672c28410a52348db40ede76
SHA256 79c6be14aafafba798641458abf76f52bc4a44e095904d1b3517355bd32122bc
SHA512 499d0872c3b36072ca6c0a4dab869a6a27c63c26472299c18307c6d2dca103429d4690effbb3ddf1f4cf6d56b78d28e2e5b82a9ade646accdd024182588c3037

C:\Windows\SysWOW64\Amcehdod.exe

MD5 8888fd0eaffe199c0bfc2ce15c0c22e3
SHA1 2e39703a9fa8b9114eef80dad895b44256cf56fc
SHA256 df74073a590bc19663202316ea6671419af8cdcae57cf92ec4d8063a2b00cad7
SHA512 c114fd78a0a6d095fcba00a7bea1c8670165e527e13e04d71386c165744df1bec1b2f7527d82b230031cf04800ec6104d5c22ca9642a8ffd00948ddf15533285

C:\Windows\SysWOW64\Bdagpnbk.exe

MD5 dcf903f39a2db96820370724ccafa9b3
SHA1 7b563618eee37be95a91b28034e9d73444c78131
SHA256 8ec037945aa0becaf648b357e403a0ded84aa4a7a63ab9832e5ba90ce98ef94d
SHA512 6a9a446e78e1958f7ae44d29194c8bed09134c9303aee0f819a24b55531b495538e28c1fa652bebc8a58589be84b98834c35506ea2d4fd35a0d3e9c5660ccad2

C:\Windows\SysWOW64\Bkphhgfc.exe

MD5 7498b7dcae5fb74d2a0b83627e7071d9
SHA1 6745925d892894ed52b6a270e1d89842bac9eb88
SHA256 77ff228243c4d53dfbce6dcc4bdf9d8a25db404dbf792416cd243bf0750cb603
SHA512 e3ddcfa48f193d70e22c8e1a23b99634aeb3f36b5abf02183740be38fa0454ebd200a606b346ab0be7ed6c69b7b5ddfdf90f992cea7eb365feb0557f515471a1

C:\Windows\SysWOW64\Cgnomg32.exe

MD5 2331090486f72c215514f9c3936c6840
SHA1 5599e200c68ab21a6923231967ef6f87b250489e
SHA256 39e2a29ad9cf6f8f0df086d9ae2ff0f79d7ef866d5e02d89c052b4b24b4f392d
SHA512 fc2c782449d5004373c10ae3e90d45389f3603177b8afb45160f55fd07d8d894ea30125cbd3c036c0b3624b352f29a1f0c514e5a5b76e9c888c903843de47c40

C:\Windows\SysWOW64\Dhphmj32.exe

MD5 6cebfbf09702ce9814c47e2e19e37dbb
SHA1 85a7ff786ed823e464a9369d2ed8b07261479702
SHA256 464c7a36f508312d7003561a74c46ce0a1a34d178c8c0052ff93fe4872dcf43d
SHA512 709d8abece111a98b9a8397104e5519c5fbdfe97cccfe0d2d3fa1b8a1fd1d5970d29fd09889bd722655d6b210b7b24fe077e4a5824dc665fb686cc1a67594667

C:\Windows\SysWOW64\Dglkoeio.exe

MD5 420beb2a0c971e987743849f106b857a
SHA1 1e470b64b288b5dfb8fae11a60bd1a1970a80238
SHA256 11cea1885271a129e2cd98ee374c5c8d3b1f1fd2ef55a2386e52c550629bf8da
SHA512 6132efe6ab2c7958302aa74a579ba02be8de019d69eb67252a070ffbee8ea1a57294a466829076cb8215fa8b1f3b36bfe0b55151b4eb841fda6109a921db19cb

C:\Windows\SysWOW64\Eqgmmk32.exe

MD5 dbda63b06340d8ee08c461a2bc144044
SHA1 9c810bf55a826e88a8556cdfdbec698180768a4c
SHA256 7b6791f41b18045d02a89529aceb7d0517467586dfe6ad467cc128f22aae507b
SHA512 76d0de2a4689b3eef1696645d590245ab33dffc0c8f30667ff44d0c6094163a8b1a0ee979361e5b4e60723e8deb06121f93544f68cab9e71c53edc5f3119e01e

C:\Windows\SysWOW64\Fbmohmoh.exe

MD5 716d8e40f06035ac7cb5ad333c4f52b7
SHA1 1fc4140ec4ffce2afad6a8866aa02f61380687a7
SHA256 f888a593def923f7b7ae26945b2c2bcf2853bb2ea8b8a250ba55693faca24a54
SHA512 481ebf3c2a7aeeb106cf395c063989e10359bfa345f7cb637cb4d69519c89f9929e9ce0e52fd4aae0dd22c87976729c5d896ced9800c5baac0f627cfd9569351

C:\Windows\SysWOW64\Fgoakc32.exe

MD5 d8ccbb2f55acbe079395a40150b1d579
SHA1 259c2c30c69db6c0ef2451e8f5a3e3582afec85d
SHA256 cb07f075191e6715fa579b2fceef5646efd90a86780898fb181628254df8454c
SHA512 60637bdbd9f4c9b858bf009c2894aed3136da664c0a9d64e2290e404f89d59f456f9a01738bcaf4c6eee4f8dc86e362b0ee84b9bfacb881c6f1b03ee4a7e7fb1

C:\Windows\SysWOW64\Fbdehlip.exe

MD5 55324038f628c4ffc718440e6eb3f124
SHA1 02e72a7103f0e6d539b79f7350e99a47643b47ab
SHA256 9ec6dfc3e257833b8e52804952ed16060caf77ce9c12229fb97e1044fcbc8f72
SHA512 3b62457a3301c6fe9f53996ba646d447925566fe5c702e4598b68cbb56a1f8394911c7bf60422c27de0f3a4052e93fbf50b5ac6ebdc59b5d957161eba8445e95

C:\Windows\SysWOW64\Glfmgp32.exe

MD5 932de875763baebeb2b26fbe3d2ce218
SHA1 cc89081f091dd2d055e5adaf48e362bf4a9cdd86
SHA256 703c18873c005aa4a70cfd2985fecad978e2ad0194960fe1f9e9d11dd2ac2f9d
SHA512 13bdf928f0a3cf1f2830232baa133cec0135b959217c16a3759067944ce0565aa43df1ebc76e99b78db05bd5da561edffb52fc104353fdf2f99cd614049b319a

C:\Windows\SysWOW64\Hlmchoan.exe

MD5 2eb298d27ada446123b344e93c506cb0
SHA1 20fb9f99ba2bc2d7c1f41584cff3cf1a2ada1d69
SHA256 4940dcd6436f832d5fedbd744cedd84eeaabaf48482d609a5a63a62d3a393ad5
SHA512 dd4f3fe2f0a4ec2600edd06d434104f1b1b7a8748931a119a1be39e8e9a5509c35a905d243c6fbe3c25e47d6dcfd8d6973b7a12ff464c65ebb6a75ea7c278274

C:\Windows\SysWOW64\Hnphoj32.exe

MD5 42d7791f56548ff2c81f73f4b72949b6
SHA1 ef8c918965f6d782f91d50fa1f16c29d8dd64335
SHA256 af6454ce345cf3e06269d503ac2b25a154862e1b1f713e34e600f33936cd8c09
SHA512 fa75e8434523f1de2d83bb602107f0e7bc99fccdacfd416956f0539c557b45ede3e1403be154189e88f378998a5996589bc5792f20205e38bd205e91f14febd9

C:\Windows\SysWOW64\Ilibdmgp.exe

MD5 168a343b302a8317fb217a1b320d7eec
SHA1 c45be56ee51b1b17c4dfc3d502c74917385412f1
SHA256 f574d89c34d7a97640c70bbee62913524c801731d9ecfcf37995c550d1423d29
SHA512 8434ce68712adc0843c93c75c8a95f7427cb7ca9c3ff55f71fc1daafd5d03c683c32d4dd4f9acdc111ee007f733554c0ab201d8501c883e261a4e0466198bc5a

C:\Windows\SysWOW64\Ilphdlqh.exe

MD5 ee307f5fec945f52586753aa8d03e51a
SHA1 5304f0db93b1eb7ac3be1ff1f2d6e15105be4021
SHA256 63f753f61c4ede5a9cc12734303e164c6195ab56a17e79bb9553721314130417
SHA512 c5107c6a2917a5d34749f42105b3b6e53d65fe66d40838c64fc480222d5d08d00b7a7ab01b7b10e78fcf03dc7bc3f18620d3943268acf558b7e9820331a4321d

C:\Windows\SysWOW64\Jblmgf32.exe

MD5 4f6e86a736d2c2f4e1d96cfa8a258ec5
SHA1 3f115eae8c9cf0c001a32ca0106b9f3c0c47efcb
SHA256 25349ea7bc94c42e779e264e7d5c0eb6430849307cbcaf5a60722831480b9eee
SHA512 9c5b1b0925d7f452c43691b865ec1946816282ed7e1bd513d8f93acf96d58af2d2f6ab6413e25149ffa2f0630104faff35cbce0df2f7d6847a871043b5db0383

C:\Windows\SysWOW64\Jlgoek32.exe

MD5 6f29ed4d745760318034d742d9952677
SHA1 b97fd3cc3606f76ee5b2102084b024d7279e9b0b
SHA256 9ce932f6563c6f673c370704545aab831dd68cbbd3494a9b80f6de7be2e17d6f
SHA512 8090fad2b8fabba82d35242511d7641c9fd527c076bb80ec4c50902ff48b0c1b7f3594c36ed706417ffcd2f4afde37abe1631a964bff1fffd583c0a30b39bbea

C:\Windows\SysWOW64\Jikoopij.exe

MD5 78173777ae4f67e5cb1cfdd9293b77a8
SHA1 a506b3bb0aabd65974c4a4bb221e3cfa8c0c0d3a
SHA256 67ea68bd4bdb791778ca49f922992d252443560fe4026342d40bddcb0f3195c2
SHA512 d687b55feda4e8c8821cbf1befa3e0e03be340ed13746edd78bdcab51d0fb32e2f156c38785a1c49d88be228d9dcd145c1b0d1e37548496bfa439bc0a306ddd6

C:\Windows\SysWOW64\Khbiello.exe

MD5 83d5ef0be66aedd3ebe33e07e052b856
SHA1 862c8e5fd88e28e41b6996c21930fbcf853daaf2
SHA256 72f0c27b37bc7eb35f466f59739c7a9699ce5b2ab7172b6cc64d6ce43a8d8691
SHA512 b5e79adca1b2e095513ce73c4f30aa89cc3f04cc7cb1715cd4fde9f43532435da1afeeade7fb3d7379d7383a879172e58dbc24ba33286d3f97a956747bf61800

C:\Windows\SysWOW64\Kibeoo32.exe

MD5 e8979bc5391d749beefe56f63bc0ad4b
SHA1 44f82f91a233c06cec0158652f267c6b8e77911b
SHA256 feb3453790bc43c029a03fa724c15e135dfb44050f4e9343dd12b23655bec5ed
SHA512 4d2dcef9651aa772389d359258eea43195cb744432c2438a955e81625a91ded5260d026d9a3db6da49afc3516d43447c94bdbb7a0088c3a9aeb1b5cd7c923641

C:\Windows\SysWOW64\Kapfiqoj.exe

MD5 c2e3125e40249e0b19b7516a37144876
SHA1 d4cd6159bbc132691346d0b70fc5e93478b4f66a
SHA256 18b831e4b5c836140e4c715d462becbbb0fd89304a2a0342e690063f7d8d5202
SHA512 ea2d5f2ba55efe0896d2f5026ed9d14f752834a5bbd75e8115707685beb2d19d27ddbaaaf10003a48e7f59c9b2eddc565278bf0411f9489803834feb044e7a47

C:\Windows\SysWOW64\Kofdhd32.exe

MD5 41c181fe5838cdf4aa3a89a74f793da5
SHA1 612c7389749a42ad5919479c7c9aec711f78db7e
SHA256 7d89dcab3805dc3ae3a5af3d28196b0e2bf61320daf6eb09d22951c82938fb0f
SHA512 c656d34927be379629652a4cc2693efe99c78650c1f0ba9efac9bab02a79ff8519dce5c3fd2ed5c976b85b2611932b7f18ca45e8ee55b19727b1000adfe9a894

C:\Windows\SysWOW64\Lepleocn.exe

MD5 083fb4309fe6ca1713e2c28c4ea41ec1
SHA1 ca8f3c2011dd2ae032511d868af4d420dbfb00d5
SHA256 02f67f6e0173750fd46280eaf6827155562c42c2b37a83c33082bccde489d044
SHA512 6cdcb15a8fd0860d4242d533d2f4147ed043596e65d4a84e9b7df3986e9388148c2cf0ed0752987c510e11d92b5bf8ca6f08912fd233e258f2ab6696d199826f

C:\Windows\SysWOW64\Lcfidb32.exe

MD5 97e5c42af705e8641c210154775e117b
SHA1 bbeae220095390339010234173af05efdae3b156
SHA256 01d1c09c21f621cbc07607450fd0fedee8eae697c8ab4e604d769b41201c7033
SHA512 937454f8635c303fce2bfd07e54dac6be68aba41f1366354a9ea81584298185757dfe6b3eb0e1a4f78bde11b59ba026261908390b664c1186557928aa40e9a80

C:\Windows\SysWOW64\Mlhqcgnk.exe

MD5 737e61e9a7f8375d8ff1616d322cbac8
SHA1 5f97ca60fe204080838e5881f4f90c538da7884e
SHA256 02f222bdedd66500b09a34e34f2d6d5652426b90dfc8824b12a98e7d7a14ec6a
SHA512 55f0d4644cb8afb6756d15088507a4f75e204e09b3e91b497d49647da2458c34450e7c7005cf35ca6150004fa711b8089a400b8a25bcf0d340bc17e53aef5bf8

C:\Windows\SysWOW64\Mjlalkmd.exe

MD5 7ff278e5a654261da45013d1a4cdca62
SHA1 06b5c79e1f6e7cd7af2421473bdc0d0f9338c7e5
SHA256 bfadc2013c8752ae9a17ae87ed62223067f03ba942ff9c98388c4a42bfbc4c97
SHA512 246af0a1b6b4aecc1fd90c2ea30fda0e702b0178301d19260532254b7ab12a7ff59c77bebaec47e51dcc9f20e3a708c826a8896ec56ca227fdcd054652bc727f

C:\Windows\SysWOW64\Mlljnf32.exe

MD5 fb4b5112ee5fef32bb815db917620efd
SHA1 a5e8a7c1451e42d746f60fb2896f21ade25aea12
SHA256 eef174bded507679a043119380c23df2abefe40fd675d7b9078610409d432114
SHA512 bfb74ce37cfa38b43fd3ad531a4d61370f812f25967d5458a3a078210f4e1f1d6476118d28b8c88b73181d9982742f20d32e373d81e2d1836e728a2ceb03cab9

C:\Windows\SysWOW64\Nmhijd32.exe

MD5 e67646cf60b5bbaebfc93064f30c4a20
SHA1 2a82add795a701737649b0933379b2737c447769
SHA256 e4b25cf7800b60646db30cb818d4ac21f246656b0ae9e8c14929ecea5a695bf4
SHA512 f41f23fa415a65a834e43ffa317276b88146f2d98b77f4a344807751527619ff7958338319924ca21cd2f5745c9fd9e4a52e81ebf5532a26559d56193b79359c

C:\Windows\SysWOW64\Ocdnln32.exe

MD5 2e81811689e98c7838616cffdd6eaa2a
SHA1 1d7bc1d3fd58c610eaa4ab46b63127f6ff3295be
SHA256 439cc97af6540be28211ebd261ba83681578971b1900208917802e83ddbbe8f1
SHA512 22f5e02f84452440dd6b3be3a80981ee009b3445725bc0d798fd5b8d5a2a5d6ac5bea563ef18ec02e6432d12389b1a991292178503101829f0780f769903a9dd

C:\Windows\SysWOW64\Oiccje32.exe

MD5 64e3c367fbd6ad190922405e5cefce3c
SHA1 b556bc15ff1a2077e7f8747e27531e1dba8cdd92
SHA256 23cbe9c0c28e14afdd5d28fbffc01fb00afc45ab8b6478625febf91370528045
SHA512 a74b8dcabc7b733b7b55e4cac29546a7e2c5ac63c5139c9b835a9c67520062d625a0181c222d4378c7417bb8b499b0cc7bdb89663feb6d3e9faf24a4bc2bbd9f

C:\Windows\SysWOW64\Pqbala32.exe

MD5 59bb572afde06625ef446727542e086c
SHA1 a456de56cbc3767f7383b4f8ddc8a7d79bbe8211
SHA256 57c267d5e6b51ae1f802269b6e6f59b7255d6ad756c610c2402ccb7be1f862e7
SHA512 98c7e06db4033c4816c6c6282ad54e5033bf174e3b228e94b805d9a55ea778a4633bca86e34af5bf04f93ecdc3902c381a40f337e11cc1b76eb5bf27c5e5bcfb

C:\Windows\SysWOW64\Pafkgphl.exe

MD5 570888866f514057bb5b6cf42d321f0d
SHA1 5bfdfb4caa71e8e0806b621a06954c5c27a3dc21
SHA256 00a0d5b15ee16e4ca11dfdd84548935168bd5cbc82d962683c5430f2da617b0a
SHA512 c59917d7e5b427d781e368d441962dce840b4f25a61fdec388e43bfb0b25752b689f51d9839c490004dc3a5c1e2a70b0ed876c76c33b1a415a095a4734166bee