Malware Analysis Report

2025-05-28 18:58

Sample ID 241110-tgqemazerp
Target 68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N
SHA256 68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932

Threat Level: Known bad

The file 68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 16:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 16:01

Reported

2024-11-10 16:04

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmigoagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hedafk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ihpcinld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nqfbpb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmpjoloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pcjiff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kqdaadln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jemfhacc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pidlqb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flinkojm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdgged32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ohiemobf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eifhdd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pimfpc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aaiqcnhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cmjemflb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bdfpkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgipcogp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdlqqcnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cncnob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iondqhpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dcphdqmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmoohe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kdkdgchl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kqmkae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lenicahg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blielbfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fjjjgh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbfldf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jjjpnlbd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhpofl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiekog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjjnifbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Adhdjpjf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Coiaiakf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmcclm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qadoba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Alnmjjdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gmfplibd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kcmfnd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aomifecf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fefedmil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djqblj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Modpib32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Igdgglfl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekonpckp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gejhef32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qhngolpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fideeaco.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkokcl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gifkpknp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhphmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gegkpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieagmcmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lpgmhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jgadgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kqbdldnq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ppgomnai.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poajkgnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dcigeooj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nlcalieg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hgelek32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Fhdohp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpodlbng.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggilil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdmmbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gijekg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpcmga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacjadad.exe N/A
N/A N/A C:\Windows\SysWOW64\Ginnfgop.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghpocngo.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpkchqdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgelek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjchaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkbdki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdkidohn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjhalefe.exe N/A
N/A N/A C:\Windows\SysWOW64\Hglaej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Haafcb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnhghcki.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihnkel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijogmdqm.exe N/A
N/A N/A C:\Windows\SysWOW64\Iddljmpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Iqklon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inomhbeq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihdafkdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikcmbfcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihgnkkbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijhjcchb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibobdqid.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhijqj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdpkflfe.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnhpoamf.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgadgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jqiipljg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgcamf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbiejoaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jibmgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnpfop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdinljnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkcfid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbmoen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kiggbhda.exe N/A
N/A N/A C:\Windows\SysWOW64\Kndojobi.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqbkfkal.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkhpdcab.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaehljpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjlic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbddfmgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kecabifp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjpijpdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgcjdd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lalnmiia.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgffic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lankbigo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lghcocol.exe N/A
N/A N/A C:\Windows\SysWOW64\Laqhhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgkpdcmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbpdblmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijlof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Maeachag.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhoipb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjneln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhafeb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnlnbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjbogmdb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Jebfng32.exe C:\Windows\SysWOW64\Johnamkm.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkhgod32.exe C:\Windows\SysWOW64\Dqbcbkab.exe N/A
File opened for modification C:\Windows\SysWOW64\Giljfddl.exe C:\Windows\SysWOW64\Gngeik32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aalmimfd.exe C:\Windows\SysWOW64\Adgmoigj.exe N/A
File created C:\Windows\SysWOW64\Bipecnkd.exe C:\Windows\SysWOW64\Baepolni.exe N/A
File created C:\Windows\SysWOW64\Oaajed32.exe C:\Windows\SysWOW64\Okgaijaj.exe N/A
File created C:\Windows\SysWOW64\Oqadgkdb.dll C:\Windows\SysWOW64\Cnkkjh32.exe N/A
File created C:\Windows\SysWOW64\Helbbkkj.dll C:\Windows\SysWOW64\Fkfcqb32.exe N/A
File created C:\Windows\SysWOW64\Ingcceof.dll C:\Windows\SysWOW64\Oampjeml.exe N/A
File created C:\Windows\SysWOW64\Geibhp32.dll C:\Windows\SysWOW64\Dcnqpo32.exe N/A
File created C:\Windows\SysWOW64\Ennioe32.dll C:\Windows\SysWOW64\Hpabni32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gncchb32.exe C:\Windows\SysWOW64\Gifkpknp.exe N/A
File created C:\Windows\SysWOW64\Bahdob32.exe C:\Windows\SysWOW64\Boihcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcnqpo32.exe C:\Windows\SysWOW64\Dmdhcddh.exe N/A
File created C:\Windows\SysWOW64\Keldkigj.dll C:\Windows\SysWOW64\Olanmgig.exe N/A
File created C:\Windows\SysWOW64\Pbbmemif.dll C:\Windows\SysWOW64\Bdgged32.exe N/A
File opened for modification C:\Windows\SysWOW64\Okgaijaj.exe C:\Windows\SysWOW64\Ohiemobf.exe N/A
File created C:\Windows\SysWOW64\Lghcocol.exe C:\Windows\SysWOW64\Lankbigo.exe N/A
File created C:\Windows\SysWOW64\Pkhjph32.exe C:\Windows\SysWOW64\Phincl32.exe N/A
File created C:\Windows\SysWOW64\Gmfplibd.exe C:\Windows\SysWOW64\Gncchb32.exe N/A
File created C:\Windows\SysWOW64\Hodbhp32.dll C:\Windows\SysWOW64\Nceefd32.exe N/A
File created C:\Windows\SysWOW64\Hnjjdmoc.dll C:\Windows\SysWOW64\Inomhbeq.exe N/A
File created C:\Windows\SysWOW64\Gncchb32.exe C:\Windows\SysWOW64\Gifkpknp.exe N/A
File opened for modification C:\Windows\SysWOW64\Onkidm32.exe C:\Windows\SysWOW64\Nceefd32.exe N/A
File created C:\Windows\SysWOW64\Jekjcaef.exe C:\Windows\SysWOW64\Jlbejloe.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpgmhg32.exe C:\Windows\SysWOW64\Likhem32.exe N/A
File created C:\Windows\SysWOW64\Qkdbgdbg.dll C:\Windows\SysWOW64\Ggilil32.exe N/A
File created C:\Windows\SysWOW64\Aglafhih.dll C:\Windows\SysWOW64\Iolhkh32.exe N/A
File created C:\Windows\SysWOW64\Mjjkejin.dll C:\Windows\SysWOW64\Jadgnb32.exe N/A
File created C:\Windows\SysWOW64\Afhfaddk.exe C:\Windows\SysWOW64\Aalmimfd.exe N/A
File created C:\Windows\SysWOW64\Mogcihaj.exe C:\Windows\SysWOW64\Mnegbp32.exe N/A
File created C:\Windows\SysWOW64\Ekcgkb32.exe C:\Windows\SysWOW64\Eiekog32.exe N/A
File created C:\Windows\SysWOW64\Pqnpfi32.dll C:\Windows\SysWOW64\Nlcalieg.exe N/A
File created C:\Windows\SysWOW64\Nmcpoedn.exe C:\Windows\SysWOW64\Nbnlaldg.exe N/A
File created C:\Windows\SysWOW64\Gebekb32.dll C:\Windows\SysWOW64\Gnnccl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdjblf32.exe C:\Windows\SysWOW64\Cmpjoloh.exe N/A
File created C:\Windows\SysWOW64\Ggqecq32.dll C:\Windows\SysWOW64\Dfnbgc32.exe N/A
File created C:\Windows\SysWOW64\Ljfhqh32.exe C:\Windows\SysWOW64\Lclpdncg.exe N/A
File created C:\Windows\SysWOW64\Qgdcdg32.dll C:\Windows\SysWOW64\Aalmimfd.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlkngo32.exe C:\Windows\SysWOW64\Neafjdkn.exe N/A
File created C:\Windows\SysWOW64\Cndeii32.exe C:\Windows\SysWOW64\Ckeimm32.exe N/A
File created C:\Windows\SysWOW64\Lfebfnqn.dll C:\Windows\SysWOW64\Gbeejp32.exe N/A
File created C:\Windows\SysWOW64\Fdflknog.dll C:\Windows\SysWOW64\Mapppn32.exe N/A
File created C:\Windows\SysWOW64\Ecgflaec.dll C:\Windows\SysWOW64\Gjdaodja.exe N/A
File created C:\Windows\SysWOW64\Malhfo32.dll C:\Windows\SysWOW64\Qlggjk32.exe N/A
File created C:\Windows\SysWOW64\Cdlqqcnl.exe C:\Windows\SysWOW64\Bheplb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Egohdegl.exe C:\Windows\SysWOW64\Edplhjhi.exe N/A
File opened for modification C:\Windows\SysWOW64\Ledepn32.exe C:\Windows\SysWOW64\Lpgmhg32.exe N/A
File created C:\Windows\SysWOW64\Lfqedp32.dll C:\Windows\SysWOW64\Lpgmhg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhafeb32.exe C:\Windows\SysWOW64\Mjneln32.exe N/A
File created C:\Windows\SysWOW64\Hlbpmd32.dll C:\Windows\SysWOW64\Jnhpoamf.exe N/A
File created C:\Windows\SysWOW64\Gpdbcaok.dll C:\Windows\SysWOW64\Kbhmbdle.exe N/A
File created C:\Windows\SysWOW64\Ofimgb32.dll C:\Windows\SysWOW64\Phganm32.exe N/A
File created C:\Windows\SysWOW64\Ehkaqc32.dll C:\Windows\SysWOW64\Iebngial.exe N/A
File created C:\Windows\SysWOW64\Klambq32.dll C:\Windows\SysWOW64\Fdlkdhnk.exe N/A
File opened for modification C:\Windows\SysWOW64\Niakfbpa.exe C:\Windows\SysWOW64\Nolgijpk.exe N/A
File opened for modification C:\Windows\SysWOW64\Dngjff32.exe C:\Windows\SysWOW64\Dflfac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aajhndkb.exe C:\Windows\SysWOW64\Aokkahlo.exe N/A
File opened for modification C:\Windows\SysWOW64\Fqgedh32.exe C:\Windows\SysWOW64\Fofilp32.exe N/A
File created C:\Windows\SysWOW64\Nlkppnab.dll C:\Windows\SysWOW64\Dphiaffa.exe N/A
File created C:\Windows\SysWOW64\Pnclimck.dll C:\Windows\SysWOW64\Qohpkf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djhimica.exe C:\Windows\SysWOW64\Dcnqpo32.exe N/A
File created C:\Windows\SysWOW64\Qkicbhla.dll C:\Windows\SysWOW64\Cncnob32.exe N/A
File created C:\Windows\SysWOW64\Dqbcbkab.exe C:\Windows\SysWOW64\Dqnjgl32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Gddgpqbe.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aalmimfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpdaepai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpjcgm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkohaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hibjli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fbplml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Likhem32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Haafcb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hcpojd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ingpmmgm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqfbpb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kndojobi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jgnqgqan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbebbk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjlopc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekonpckp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fqgedh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oklkdi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Codhnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhokljge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojigdcll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iondqhpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbepme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfokoelp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjhloj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmepam32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ieojgc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qppaclio.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Piphgq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aomifecf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Epikpo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lggejg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kcoccc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghpocngo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nognnj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgelek32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neqopnhb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkemfl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glbjggof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnmmboed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnpfop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mldhfpib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Poajkgnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cndeii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebkbbmqj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjpijpdg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgffic32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Flinkojm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qohpkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeokal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocihgnam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnicid32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Offnhpfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmgelf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjcikejg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fjjjgh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qlggjk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hpabni32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlfpdh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkfcqb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Giljfddl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfgklkoc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcnjijoe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oaplqh32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaigbkko.dll" C:\Windows\SysWOW64\Fplpll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pmkofa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pidlqb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdaleh32.dll" C:\Windows\SysWOW64\Enhifi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kaehljpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbefdijg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paplcg32.dll" C:\Windows\SysWOW64\Epikpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hglaej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piomhofd.dll" C:\Windows\SysWOW64\Ijogmdqm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ocihgnam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cijpahho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jddnfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anaomkdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdmmbq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ihgnkkbd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gegkpf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mjbogmdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgbhl32.dll" C:\Windows\SysWOW64\Ckmonl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Meiioonj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Glbjggof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Glfmgp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdmoafdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccbakce.dll" C:\Windows\SysWOW64\Fbhpch32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lggejg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Banjnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifenan32.dll" C:\Windows\SysWOW64\Jcfggkac.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dhphmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mngegmbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Noppeaed.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gpcfmkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfcoqpl.dll" C:\Windows\SysWOW64\Mnmdme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpopgneq.dll" C:\Windows\SysWOW64\Niooqcad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Modpib32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aeddnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Neqopnhb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eieijp32.dll" C:\Windows\SysWOW64\Jiglnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll" C:\Windows\SysWOW64\Aajhndkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Plpqil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jgnqgqan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dkokcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpban32.dll" C:\Windows\SysWOW64\Kqbkfkal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll" C:\Windows\SysWOW64\Hibjli32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fqgedh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gpolbo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bdpaeehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkoigdom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lqikmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oeehkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll" C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akcjkfij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Igdnabjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmnhcb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nagpeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll" C:\Windows\SysWOW64\Eqiibjlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dflfac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklcfhik.dll" C:\Windows\SysWOW64\Kdinljnk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcagd32.dll" C:\Windows\SysWOW64\Mgehfkop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oiagde32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Adfnofpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhjm32.dll" C:\Windows\SysWOW64\Ppolhcnm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jqiipljg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nbqmiinl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfnqklgh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ahgjejhd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe C:\Windows\SysWOW64\Fhdohp32.exe
PID 4556 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe C:\Windows\SysWOW64\Fhdohp32.exe
PID 4556 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe C:\Windows\SysWOW64\Fhdohp32.exe
PID 2436 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Fhdohp32.exe C:\Windows\SysWOW64\Fpodlbng.exe
PID 2436 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Fhdohp32.exe C:\Windows\SysWOW64\Fpodlbng.exe
PID 2436 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Fhdohp32.exe C:\Windows\SysWOW64\Fpodlbng.exe
PID 4876 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Fpodlbng.exe C:\Windows\SysWOW64\Ggilil32.exe
PID 4876 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Fpodlbng.exe C:\Windows\SysWOW64\Ggilil32.exe
PID 4876 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Fpodlbng.exe C:\Windows\SysWOW64\Ggilil32.exe
PID 4228 wrote to memory of 332 N/A C:\Windows\SysWOW64\Ggilil32.exe C:\Windows\SysWOW64\Gdmmbq32.exe
PID 4228 wrote to memory of 332 N/A C:\Windows\SysWOW64\Ggilil32.exe C:\Windows\SysWOW64\Gdmmbq32.exe
PID 4228 wrote to memory of 332 N/A C:\Windows\SysWOW64\Ggilil32.exe C:\Windows\SysWOW64\Gdmmbq32.exe
PID 332 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Gdmmbq32.exe C:\Windows\SysWOW64\Gijekg32.exe
PID 332 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Gdmmbq32.exe C:\Windows\SysWOW64\Gijekg32.exe
PID 332 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Gdmmbq32.exe C:\Windows\SysWOW64\Gijekg32.exe
PID 1148 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Gijekg32.exe C:\Windows\SysWOW64\Gpcmga32.exe
PID 1148 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Gijekg32.exe C:\Windows\SysWOW64\Gpcmga32.exe
PID 1148 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Gijekg32.exe C:\Windows\SysWOW64\Gpcmga32.exe
PID 1832 wrote to memory of 708 N/A C:\Windows\SysWOW64\Gpcmga32.exe C:\Windows\SysWOW64\Gacjadad.exe
PID 1832 wrote to memory of 708 N/A C:\Windows\SysWOW64\Gpcmga32.exe C:\Windows\SysWOW64\Gacjadad.exe
PID 1832 wrote to memory of 708 N/A C:\Windows\SysWOW64\Gpcmga32.exe C:\Windows\SysWOW64\Gacjadad.exe
PID 708 wrote to memory of 100 N/A C:\Windows\SysWOW64\Gacjadad.exe C:\Windows\SysWOW64\Ginnfgop.exe
PID 708 wrote to memory of 100 N/A C:\Windows\SysWOW64\Gacjadad.exe C:\Windows\SysWOW64\Ginnfgop.exe
PID 708 wrote to memory of 100 N/A C:\Windows\SysWOW64\Gacjadad.exe C:\Windows\SysWOW64\Ginnfgop.exe
PID 100 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Ginnfgop.exe C:\Windows\SysWOW64\Ghpocngo.exe
PID 100 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Ginnfgop.exe C:\Windows\SysWOW64\Ghpocngo.exe
PID 100 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Ginnfgop.exe C:\Windows\SysWOW64\Ghpocngo.exe
PID 1368 wrote to memory of 1456 N/A C:\Windows\SysWOW64\Ghpocngo.exe C:\Windows\SysWOW64\Gpkchqdj.exe
PID 1368 wrote to memory of 1456 N/A C:\Windows\SysWOW64\Ghpocngo.exe C:\Windows\SysWOW64\Gpkchqdj.exe
PID 1368 wrote to memory of 1456 N/A C:\Windows\SysWOW64\Ghpocngo.exe C:\Windows\SysWOW64\Gpkchqdj.exe
PID 1456 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Gpkchqdj.exe C:\Windows\SysWOW64\Hgelek32.exe
PID 1456 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Gpkchqdj.exe C:\Windows\SysWOW64\Hgelek32.exe
PID 1456 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Gpkchqdj.exe C:\Windows\SysWOW64\Hgelek32.exe
PID 2948 wrote to memory of 3648 N/A C:\Windows\SysWOW64\Hgelek32.exe C:\Windows\SysWOW64\Hjchaf32.exe
PID 2948 wrote to memory of 3648 N/A C:\Windows\SysWOW64\Hgelek32.exe C:\Windows\SysWOW64\Hjchaf32.exe
PID 2948 wrote to memory of 3648 N/A C:\Windows\SysWOW64\Hgelek32.exe C:\Windows\SysWOW64\Hjchaf32.exe
PID 3648 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Hjchaf32.exe C:\Windows\SysWOW64\Hkbdki32.exe
PID 3648 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Hjchaf32.exe C:\Windows\SysWOW64\Hkbdki32.exe
PID 3648 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Hjchaf32.exe C:\Windows\SysWOW64\Hkbdki32.exe
PID 2824 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Hkbdki32.exe C:\Windows\SysWOW64\Hdkidohn.exe
PID 2824 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Hkbdki32.exe C:\Windows\SysWOW64\Hdkidohn.exe
PID 2824 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Hkbdki32.exe C:\Windows\SysWOW64\Hdkidohn.exe
PID 1540 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Hdkidohn.exe C:\Windows\SysWOW64\Hjhalefe.exe
PID 1540 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Hdkidohn.exe C:\Windows\SysWOW64\Hjhalefe.exe
PID 1540 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Hdkidohn.exe C:\Windows\SysWOW64\Hjhalefe.exe
PID 4184 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Hjhalefe.exe C:\Windows\SysWOW64\Hglaej32.exe
PID 4184 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Hjhalefe.exe C:\Windows\SysWOW64\Hglaej32.exe
PID 4184 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Hjhalefe.exe C:\Windows\SysWOW64\Hglaej32.exe
PID 4692 wrote to memory of 648 N/A C:\Windows\SysWOW64\Hglaej32.exe C:\Windows\SysWOW64\Haafcb32.exe
PID 4692 wrote to memory of 648 N/A C:\Windows\SysWOW64\Hglaej32.exe C:\Windows\SysWOW64\Haafcb32.exe
PID 4692 wrote to memory of 648 N/A C:\Windows\SysWOW64\Hglaej32.exe C:\Windows\SysWOW64\Haafcb32.exe
PID 648 wrote to memory of 4296 N/A C:\Windows\SysWOW64\Haafcb32.exe C:\Windows\SysWOW64\Hnhghcki.exe
PID 648 wrote to memory of 4296 N/A C:\Windows\SysWOW64\Haafcb32.exe C:\Windows\SysWOW64\Hnhghcki.exe
PID 648 wrote to memory of 4296 N/A C:\Windows\SysWOW64\Haafcb32.exe C:\Windows\SysWOW64\Hnhghcki.exe
PID 4296 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Hnhghcki.exe C:\Windows\SysWOW64\Ihnkel32.exe
PID 4296 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Hnhghcki.exe C:\Windows\SysWOW64\Ihnkel32.exe
PID 4296 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Hnhghcki.exe C:\Windows\SysWOW64\Ihnkel32.exe
PID 3224 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Ihnkel32.exe C:\Windows\SysWOW64\Ijogmdqm.exe
PID 3224 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Ihnkel32.exe C:\Windows\SysWOW64\Ijogmdqm.exe
PID 3224 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Ihnkel32.exe C:\Windows\SysWOW64\Ijogmdqm.exe
PID 2808 wrote to memory of 4564 N/A C:\Windows\SysWOW64\Ijogmdqm.exe C:\Windows\SysWOW64\Iddljmpc.exe
PID 2808 wrote to memory of 4564 N/A C:\Windows\SysWOW64\Ijogmdqm.exe C:\Windows\SysWOW64\Iddljmpc.exe
PID 2808 wrote to memory of 4564 N/A C:\Windows\SysWOW64\Ijogmdqm.exe C:\Windows\SysWOW64\Iddljmpc.exe
PID 4564 wrote to memory of 4452 N/A C:\Windows\SysWOW64\Iddljmpc.exe C:\Windows\SysWOW64\Iqklon32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe

"C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe"

C:\Windows\SysWOW64\Fhdohp32.exe

C:\Windows\system32\Fhdohp32.exe

C:\Windows\SysWOW64\Fpodlbng.exe

C:\Windows\system32\Fpodlbng.exe

C:\Windows\SysWOW64\Ggilil32.exe

C:\Windows\system32\Ggilil32.exe

C:\Windows\SysWOW64\Gdmmbq32.exe

C:\Windows\system32\Gdmmbq32.exe

C:\Windows\SysWOW64\Gijekg32.exe

C:\Windows\system32\Gijekg32.exe

C:\Windows\SysWOW64\Gpcmga32.exe

C:\Windows\system32\Gpcmga32.exe

C:\Windows\SysWOW64\Gacjadad.exe

C:\Windows\system32\Gacjadad.exe

C:\Windows\SysWOW64\Ginnfgop.exe

C:\Windows\system32\Ginnfgop.exe

C:\Windows\SysWOW64\Ghpocngo.exe

C:\Windows\system32\Ghpocngo.exe

C:\Windows\SysWOW64\Gpkchqdj.exe

C:\Windows\system32\Gpkchqdj.exe

C:\Windows\SysWOW64\Hgelek32.exe

C:\Windows\system32\Hgelek32.exe

C:\Windows\SysWOW64\Hjchaf32.exe

C:\Windows\system32\Hjchaf32.exe

C:\Windows\SysWOW64\Hkbdki32.exe

C:\Windows\system32\Hkbdki32.exe

C:\Windows\SysWOW64\Hdkidohn.exe

C:\Windows\system32\Hdkidohn.exe

C:\Windows\SysWOW64\Hjhalefe.exe

C:\Windows\system32\Hjhalefe.exe

C:\Windows\SysWOW64\Hglaej32.exe

C:\Windows\system32\Hglaej32.exe

C:\Windows\SysWOW64\Haafcb32.exe

C:\Windows\system32\Haafcb32.exe

C:\Windows\SysWOW64\Hnhghcki.exe

C:\Windows\system32\Hnhghcki.exe

C:\Windows\SysWOW64\Ihnkel32.exe

C:\Windows\system32\Ihnkel32.exe

C:\Windows\SysWOW64\Ijogmdqm.exe

C:\Windows\system32\Ijogmdqm.exe

C:\Windows\SysWOW64\Iddljmpc.exe

C:\Windows\system32\Iddljmpc.exe

C:\Windows\SysWOW64\Iqklon32.exe

C:\Windows\system32\Iqklon32.exe

C:\Windows\SysWOW64\Inomhbeq.exe

C:\Windows\system32\Inomhbeq.exe

C:\Windows\SysWOW64\Ihdafkdg.exe

C:\Windows\system32\Ihdafkdg.exe

C:\Windows\SysWOW64\Ikcmbfcj.exe

C:\Windows\system32\Ikcmbfcj.exe

C:\Windows\SysWOW64\Ihgnkkbd.exe

C:\Windows\system32\Ihgnkkbd.exe

C:\Windows\SysWOW64\Ijhjcchb.exe

C:\Windows\system32\Ijhjcchb.exe

C:\Windows\SysWOW64\Ibobdqid.exe

C:\Windows\system32\Ibobdqid.exe

C:\Windows\SysWOW64\Jhijqj32.exe

C:\Windows\system32\Jhijqj32.exe

C:\Windows\SysWOW64\Jdpkflfe.exe

C:\Windows\system32\Jdpkflfe.exe

C:\Windows\SysWOW64\Jnhpoamf.exe

C:\Windows\system32\Jnhpoamf.exe

C:\Windows\SysWOW64\Jgadgf32.exe

C:\Windows\system32\Jgadgf32.exe

C:\Windows\SysWOW64\Jqiipljg.exe

C:\Windows\system32\Jqiipljg.exe

C:\Windows\SysWOW64\Jgcamf32.exe

C:\Windows\system32\Jgcamf32.exe

C:\Windows\SysWOW64\Jbiejoaj.exe

C:\Windows\system32\Jbiejoaj.exe

C:\Windows\SysWOW64\Jibmgi32.exe

C:\Windows\system32\Jibmgi32.exe

C:\Windows\SysWOW64\Jnpfop32.exe

C:\Windows\system32\Jnpfop32.exe

C:\Windows\SysWOW64\Kdinljnk.exe

C:\Windows\system32\Kdinljnk.exe

C:\Windows\SysWOW64\Kkcfid32.exe

C:\Windows\system32\Kkcfid32.exe

C:\Windows\SysWOW64\Kbmoen32.exe

C:\Windows\system32\Kbmoen32.exe

C:\Windows\SysWOW64\Kiggbhda.exe

C:\Windows\system32\Kiggbhda.exe

C:\Windows\SysWOW64\Kndojobi.exe

C:\Windows\system32\Kndojobi.exe

C:\Windows\SysWOW64\Kqbkfkal.exe

C:\Windows\system32\Kqbkfkal.exe

C:\Windows\SysWOW64\Kkhpdcab.exe

C:\Windows\system32\Kkhpdcab.exe

C:\Windows\SysWOW64\Kaehljpj.exe

C:\Windows\system32\Kaehljpj.exe

C:\Windows\SysWOW64\Kkjlic32.exe

C:\Windows\system32\Kkjlic32.exe

C:\Windows\SysWOW64\Kbddfmgl.exe

C:\Windows\system32\Kbddfmgl.exe

C:\Windows\SysWOW64\Kecabifp.exe

C:\Windows\system32\Kecabifp.exe

C:\Windows\SysWOW64\Kjpijpdg.exe

C:\Windows\system32\Kjpijpdg.exe

C:\Windows\SysWOW64\Lgcjdd32.exe

C:\Windows\system32\Lgcjdd32.exe

C:\Windows\SysWOW64\Lalnmiia.exe

C:\Windows\system32\Lalnmiia.exe

C:\Windows\SysWOW64\Lgffic32.exe

C:\Windows\system32\Lgffic32.exe

C:\Windows\SysWOW64\Lankbigo.exe

C:\Windows\system32\Lankbigo.exe

C:\Windows\SysWOW64\Lghcocol.exe

C:\Windows\system32\Lghcocol.exe

C:\Windows\SysWOW64\Laqhhi32.exe

C:\Windows\system32\Laqhhi32.exe

C:\Windows\SysWOW64\Lgkpdcmi.exe

C:\Windows\system32\Lgkpdcmi.exe

C:\Windows\SysWOW64\Lbpdblmo.exe

C:\Windows\system32\Lbpdblmo.exe

C:\Windows\SysWOW64\Lijlof32.exe

C:\Windows\system32\Lijlof32.exe

C:\Windows\SysWOW64\Mngegmbc.exe

C:\Windows\system32\Mngegmbc.exe

C:\Windows\SysWOW64\Maeachag.exe

C:\Windows\system32\Maeachag.exe

C:\Windows\SysWOW64\Mhoipb32.exe

C:\Windows\system32\Mhoipb32.exe

C:\Windows\SysWOW64\Mjneln32.exe

C:\Windows\system32\Mjneln32.exe

C:\Windows\SysWOW64\Mhafeb32.exe

C:\Windows\system32\Mhafeb32.exe

C:\Windows\SysWOW64\Mnlnbl32.exe

C:\Windows\system32\Mnlnbl32.exe

C:\Windows\SysWOW64\Mjbogmdb.exe

C:\Windows\system32\Mjbogmdb.exe

C:\Windows\SysWOW64\Mbighjdd.exe

C:\Windows\system32\Mbighjdd.exe

C:\Windows\SysWOW64\Mehcdfch.exe

C:\Windows\system32\Mehcdfch.exe

C:\Windows\SysWOW64\Mlbkap32.exe

C:\Windows\system32\Mlbkap32.exe

C:\Windows\SysWOW64\Mejpje32.exe

C:\Windows\system32\Mejpje32.exe

C:\Windows\SysWOW64\Mldhfpib.exe

C:\Windows\system32\Mldhfpib.exe

C:\Windows\SysWOW64\Nihipdhl.exe

C:\Windows\system32\Nihipdhl.exe

C:\Windows\SysWOW64\Nbqmiinl.exe

C:\Windows\system32\Nbqmiinl.exe

C:\Windows\SysWOW64\Nijeec32.exe

C:\Windows\system32\Nijeec32.exe

C:\Windows\SysWOW64\Nognnj32.exe

C:\Windows\system32\Nognnj32.exe

C:\Windows\SysWOW64\Neafjdkn.exe

C:\Windows\system32\Neafjdkn.exe

C:\Windows\SysWOW64\Nlkngo32.exe

C:\Windows\system32\Nlkngo32.exe

C:\Windows\SysWOW64\Nbefdijg.exe

C:\Windows\system32\Nbefdijg.exe

C:\Windows\SysWOW64\Niooqcad.exe

C:\Windows\system32\Niooqcad.exe

C:\Windows\SysWOW64\Nolgijpk.exe

C:\Windows\system32\Nolgijpk.exe

C:\Windows\SysWOW64\Niakfbpa.exe

C:\Windows\system32\Niakfbpa.exe

C:\Windows\SysWOW64\Oondnini.exe

C:\Windows\system32\Oondnini.exe

C:\Windows\SysWOW64\Oampjeml.exe

C:\Windows\system32\Oampjeml.exe

C:\Windows\SysWOW64\Olbdhn32.exe

C:\Windows\system32\Olbdhn32.exe

C:\Windows\SysWOW64\Oekiqccc.exe

C:\Windows\system32\Oekiqccc.exe

C:\Windows\SysWOW64\Ohiemobf.exe

C:\Windows\system32\Ohiemobf.exe

C:\Windows\SysWOW64\Okgaijaj.exe

C:\Windows\system32\Okgaijaj.exe

C:\Windows\SysWOW64\Oaajed32.exe

C:\Windows\system32\Oaajed32.exe

C:\Windows\SysWOW64\Olgncmim.exe

C:\Windows\system32\Olgncmim.exe

C:\Windows\SysWOW64\Ooejohhq.exe

C:\Windows\system32\Ooejohhq.exe

C:\Windows\SysWOW64\Oiknlagg.exe

C:\Windows\system32\Oiknlagg.exe

C:\Windows\SysWOW64\Oklkdi32.exe

C:\Windows\system32\Oklkdi32.exe

C:\Windows\SysWOW64\Obcceg32.exe

C:\Windows\system32\Obcceg32.exe

C:\Windows\SysWOW64\Oimkbaed.exe

C:\Windows\system32\Oimkbaed.exe

C:\Windows\SysWOW64\Pllgnl32.exe

C:\Windows\system32\Pllgnl32.exe

C:\Windows\SysWOW64\Pojcjh32.exe

C:\Windows\system32\Pojcjh32.exe

C:\Windows\SysWOW64\Pahpfc32.exe

C:\Windows\system32\Pahpfc32.exe

C:\Windows\SysWOW64\Piphgq32.exe

C:\Windows\system32\Piphgq32.exe

C:\Windows\SysWOW64\Pkadoiip.exe

C:\Windows\system32\Pkadoiip.exe

C:\Windows\SysWOW64\Pchlpfjb.exe

C:\Windows\system32\Pchlpfjb.exe

C:\Windows\SysWOW64\Pibdmp32.exe

C:\Windows\system32\Pibdmp32.exe

C:\Windows\SysWOW64\Plpqil32.exe

C:\Windows\system32\Plpqil32.exe

C:\Windows\SysWOW64\Pcjiff32.exe

C:\Windows\system32\Pcjiff32.exe

C:\Windows\SysWOW64\Peieba32.exe

C:\Windows\system32\Peieba32.exe

C:\Windows\SysWOW64\Phganm32.exe

C:\Windows\system32\Phganm32.exe

C:\Windows\SysWOW64\Poajkgnc.exe

C:\Windows\system32\Poajkgnc.exe

C:\Windows\SysWOW64\Pekbga32.exe

C:\Windows\system32\Pekbga32.exe

C:\Windows\SysWOW64\Phincl32.exe

C:\Windows\system32\Phincl32.exe

C:\Windows\SysWOW64\Pkhjph32.exe

C:\Windows\system32\Pkhjph32.exe

C:\Windows\SysWOW64\Pcobaedj.exe

C:\Windows\system32\Pcobaedj.exe

C:\Windows\SysWOW64\Piijno32.exe

C:\Windows\system32\Piijno32.exe

C:\Windows\SysWOW64\Qlggjk32.exe

C:\Windows\system32\Qlggjk32.exe

C:\Windows\SysWOW64\Qofcff32.exe

C:\Windows\system32\Qofcff32.exe

C:\Windows\SysWOW64\Qadoba32.exe

C:\Windows\system32\Qadoba32.exe

C:\Windows\SysWOW64\Qhngolpo.exe

C:\Windows\system32\Qhngolpo.exe

C:\Windows\SysWOW64\Qohpkf32.exe

C:\Windows\system32\Qohpkf32.exe

C:\Windows\SysWOW64\Qcclld32.exe

C:\Windows\system32\Qcclld32.exe

C:\Windows\SysWOW64\Qebhhp32.exe

C:\Windows\system32\Qebhhp32.exe

C:\Windows\SysWOW64\Allpejfe.exe

C:\Windows\system32\Allpejfe.exe

C:\Windows\SysWOW64\Aeddnp32.exe

C:\Windows\system32\Aeddnp32.exe

C:\Windows\SysWOW64\Alnmjjdb.exe

C:\Windows\system32\Alnmjjdb.exe

C:\Windows\SysWOW64\Aomifecf.exe

C:\Windows\system32\Aomifecf.exe

C:\Windows\SysWOW64\Ajbmdn32.exe

C:\Windows\system32\Ajbmdn32.exe

C:\Windows\SysWOW64\Akcjkfij.exe

C:\Windows\system32\Akcjkfij.exe

C:\Windows\SysWOW64\Aanbhp32.exe

C:\Windows\system32\Aanbhp32.exe

C:\Windows\SysWOW64\Ahgjejhd.exe

C:\Windows\system32\Ahgjejhd.exe

C:\Windows\SysWOW64\Akffafgg.exe

C:\Windows\system32\Akffafgg.exe

C:\Windows\SysWOW64\Abponp32.exe

C:\Windows\system32\Abponp32.exe

C:\Windows\SysWOW64\Ajggomog.exe

C:\Windows\system32\Ajggomog.exe

C:\Windows\SysWOW64\Aodogdmn.exe

C:\Windows\system32\Aodogdmn.exe

C:\Windows\SysWOW64\Bljlfh32.exe

C:\Windows\system32\Bljlfh32.exe

C:\Windows\SysWOW64\Bjnmpl32.exe

C:\Windows\system32\Bjnmpl32.exe

C:\Windows\SysWOW64\Bkoigdom.exe

C:\Windows\system32\Bkoigdom.exe

C:\Windows\SysWOW64\Bombmcec.exe

C:\Windows\system32\Bombmcec.exe

C:\Windows\SysWOW64\Bheffh32.exe

C:\Windows\system32\Bheffh32.exe

C:\Windows\SysWOW64\Cbphdn32.exe

C:\Windows\system32\Cbphdn32.exe

C:\Windows\SysWOW64\Cijpahho.exe

C:\Windows\system32\Cijpahho.exe

C:\Windows\SysWOW64\Codhnb32.exe

C:\Windows\system32\Codhnb32.exe

C:\Windows\SysWOW64\Cfnqklgh.exe

C:\Windows\system32\Cfnqklgh.exe

C:\Windows\SysWOW64\Cimmggfl.exe

C:\Windows\system32\Cimmggfl.exe

C:\Windows\SysWOW64\Ckkiccep.exe

C:\Windows\system32\Ckkiccep.exe

C:\Windows\SysWOW64\Ccbadp32.exe

C:\Windows\system32\Ccbadp32.exe

C:\Windows\SysWOW64\Cfqmpl32.exe

C:\Windows\system32\Cfqmpl32.exe

C:\Windows\SysWOW64\Cmjemflb.exe

C:\Windows\system32\Cmjemflb.exe

C:\Windows\SysWOW64\Coiaiakf.exe

C:\Windows\system32\Coiaiakf.exe

C:\Windows\SysWOW64\Cfcjfk32.exe

C:\Windows\system32\Cfcjfk32.exe

C:\Windows\SysWOW64\Cmmbbejp.exe

C:\Windows\system32\Cmmbbejp.exe

C:\Windows\SysWOW64\Coknoaic.exe

C:\Windows\system32\Coknoaic.exe

C:\Windows\SysWOW64\Dfefkkqp.exe

C:\Windows\system32\Dfefkkqp.exe

C:\Windows\SysWOW64\Djqblj32.exe

C:\Windows\system32\Djqblj32.exe

C:\Windows\SysWOW64\Dmoohe32.exe

C:\Windows\system32\Dmoohe32.exe

C:\Windows\SysWOW64\Dcigeooj.exe

C:\Windows\system32\Dcigeooj.exe

C:\Windows\SysWOW64\Dfgcakon.exe

C:\Windows\system32\Dfgcakon.exe

C:\Windows\SysWOW64\Difpmfna.exe

C:\Windows\system32\Difpmfna.exe

C:\Windows\SysWOW64\Dkdliame.exe

C:\Windows\system32\Dkdliame.exe

C:\Windows\SysWOW64\Dckdjomg.exe

C:\Windows\system32\Dckdjomg.exe

C:\Windows\SysWOW64\Djelgied.exe

C:\Windows\system32\Djelgied.exe

C:\Windows\SysWOW64\Dmdhcddh.exe

C:\Windows\system32\Dmdhcddh.exe

C:\Windows\SysWOW64\Dcnqpo32.exe

C:\Windows\system32\Dcnqpo32.exe

C:\Windows\SysWOW64\Djhimica.exe

C:\Windows\system32\Djhimica.exe

C:\Windows\SysWOW64\Dpdaepai.exe

C:\Windows\system32\Dpdaepai.exe

C:\Windows\SysWOW64\Dbcmakpl.exe

C:\Windows\system32\Dbcmakpl.exe

C:\Windows\SysWOW64\Dimenegi.exe

C:\Windows\system32\Dimenegi.exe

C:\Windows\SysWOW64\Efafgifc.exe

C:\Windows\system32\Efafgifc.exe

C:\Windows\SysWOW64\Epikpo32.exe

C:\Windows\system32\Epikpo32.exe

C:\Windows\SysWOW64\Ejoomhmi.exe

C:\Windows\system32\Ejoomhmi.exe

C:\Windows\SysWOW64\Ecgcfm32.exe

C:\Windows\system32\Ecgcfm32.exe

C:\Windows\SysWOW64\Eblpgjha.exe

C:\Windows\system32\Eblpgjha.exe

C:\Windows\SysWOW64\Eifhdd32.exe

C:\Windows\system32\Eifhdd32.exe

C:\Windows\SysWOW64\Efjimhnh.exe

C:\Windows\system32\Efjimhnh.exe

C:\Windows\SysWOW64\Flinkojm.exe

C:\Windows\system32\Flinkojm.exe

C:\Windows\SysWOW64\Fbcfhibj.exe

C:\Windows\system32\Fbcfhibj.exe

C:\Windows\SysWOW64\Fjjnifbl.exe

C:\Windows\system32\Fjjnifbl.exe

C:\Windows\SysWOW64\Fdccbl32.exe

C:\Windows\system32\Fdccbl32.exe

C:\Windows\SysWOW64\Fipkjb32.exe

C:\Windows\system32\Fipkjb32.exe

C:\Windows\SysWOW64\Fpjcgm32.exe

C:\Windows\system32\Fpjcgm32.exe

C:\Windows\SysWOW64\Fbhpch32.exe

C:\Windows\system32\Fbhpch32.exe

C:\Windows\SysWOW64\Fmndpq32.exe

C:\Windows\system32\Fmndpq32.exe

C:\Windows\SysWOW64\Fplpll32.exe

C:\Windows\system32\Fplpll32.exe

C:\Windows\SysWOW64\Fideeaco.exe

C:\Windows\system32\Fideeaco.exe

C:\Windows\SysWOW64\Gpnmbl32.exe

C:\Windows\system32\Gpnmbl32.exe

C:\Windows\SysWOW64\Gjdaodja.exe

C:\Windows\system32\Gjdaodja.exe

C:\Windows\SysWOW64\Glengm32.exe

C:\Windows\system32\Glengm32.exe

C:\Windows\SysWOW64\Gmdjapgb.exe

C:\Windows\system32\Gmdjapgb.exe

C:\Windows\SysWOW64\Gpcfmkff.exe

C:\Windows\system32\Gpcfmkff.exe

C:\Windows\SysWOW64\Gikkfqmf.exe

C:\Windows\system32\Gikkfqmf.exe

C:\Windows\SysWOW64\Gljgbllj.exe

C:\Windows\system32\Gljgbllj.exe

C:\Windows\SysWOW64\Gfokoelp.exe

C:\Windows\system32\Gfokoelp.exe

C:\Windows\SysWOW64\Gbfldf32.exe

C:\Windows\system32\Gbfldf32.exe

C:\Windows\SysWOW64\Hmlpaoaj.exe

C:\Windows\system32\Hmlpaoaj.exe

C:\Windows\SysWOW64\Hpjmnjqn.exe

C:\Windows\system32\Hpjmnjqn.exe

C:\Windows\SysWOW64\Hlambk32.exe

C:\Windows\system32\Hlambk32.exe

C:\Windows\SysWOW64\Hmpjmn32.exe

C:\Windows\system32\Hmpjmn32.exe

C:\Windows\SysWOW64\Hpofii32.exe

C:\Windows\system32\Hpofii32.exe

C:\Windows\SysWOW64\Hginecde.exe

C:\Windows\system32\Hginecde.exe

C:\Windows\SysWOW64\Higjaoci.exe

C:\Windows\system32\Higjaoci.exe

C:\Windows\SysWOW64\Hpabni32.exe

C:\Windows\system32\Hpabni32.exe

C:\Windows\SysWOW64\Hcpojd32.exe

C:\Windows\system32\Hcpojd32.exe

C:\Windows\SysWOW64\Hkfglb32.exe

C:\Windows\system32\Hkfglb32.exe

C:\Windows\SysWOW64\Hlhccj32.exe

C:\Windows\system32\Hlhccj32.exe

C:\Windows\SysWOW64\Hcblpdgg.exe

C:\Windows\system32\Hcblpdgg.exe

C:\Windows\SysWOW64\Hgmgqc32.exe

C:\Windows\system32\Hgmgqc32.exe

C:\Windows\SysWOW64\Ingpmmgm.exe

C:\Windows\system32\Ingpmmgm.exe

C:\Windows\SysWOW64\Idahjg32.exe

C:\Windows\system32\Idahjg32.exe

C:\Windows\SysWOW64\Igpdfb32.exe

C:\Windows\system32\Igpdfb32.exe

C:\Windows\SysWOW64\Iinqbn32.exe

C:\Windows\system32\Iinqbn32.exe

C:\Windows\SysWOW64\Idcepgmg.exe

C:\Windows\system32\Idcepgmg.exe

C:\Windows\SysWOW64\Iknmla32.exe

C:\Windows\system32\Iknmla32.exe

C:\Windows\SysWOW64\Igdnabjh.exe

C:\Windows\system32\Igdnabjh.exe

C:\Windows\SysWOW64\Ilccoh32.exe

C:\Windows\system32\Ilccoh32.exe

C:\Windows\SysWOW64\Igigla32.exe

C:\Windows\system32\Igigla32.exe

C:\Windows\SysWOW64\Jlfpdh32.exe

C:\Windows\system32\Jlfpdh32.exe

C:\Windows\SysWOW64\Jcphab32.exe

C:\Windows\system32\Jcphab32.exe

C:\Windows\SysWOW64\Jjjpnlbd.exe

C:\Windows\system32\Jjjpnlbd.exe

C:\Windows\SysWOW64\Jgnqgqan.exe

C:\Windows\system32\Jgnqgqan.exe

C:\Windows\SysWOW64\Jklinohd.exe

C:\Windows\system32\Jklinohd.exe

C:\Windows\SysWOW64\Jddnfd32.exe

C:\Windows\system32\Jddnfd32.exe

C:\Windows\SysWOW64\Jgbjbp32.exe

C:\Windows\system32\Jgbjbp32.exe

C:\Windows\SysWOW64\Jnlbojee.exe

C:\Windows\system32\Jnlbojee.exe

C:\Windows\SysWOW64\Kkpbin32.exe

C:\Windows\system32\Kkpbin32.exe

C:\Windows\SysWOW64\Kqmkae32.exe

C:\Windows\system32\Kqmkae32.exe

C:\Windows\SysWOW64\Kdkdgchl.exe

C:\Windows\system32\Kdkdgchl.exe

C:\Windows\SysWOW64\Kgipcogp.exe

C:\Windows\system32\Kgipcogp.exe

C:\Windows\SysWOW64\Kjhloj32.exe

C:\Windows\system32\Kjhloj32.exe

C:\Windows\SysWOW64\Kqbdldnq.exe

C:\Windows\system32\Kqbdldnq.exe

C:\Windows\SysWOW64\Kqdaadln.exe

C:\Windows\system32\Kqdaadln.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Lqikmc32.exe

C:\Windows\system32\Lqikmc32.exe

C:\Windows\SysWOW64\Lmbhgd32.exe

C:\Windows\system32\Lmbhgd32.exe

C:\Windows\SysWOW64\Lclpdncg.exe

C:\Windows\system32\Lclpdncg.exe

C:\Windows\SysWOW64\Ljfhqh32.exe

C:\Windows\system32\Ljfhqh32.exe

C:\Windows\SysWOW64\Lmdemd32.exe

C:\Windows\system32\Lmdemd32.exe

C:\Windows\SysWOW64\Lqpamb32.exe

C:\Windows\system32\Lqpamb32.exe

C:\Windows\SysWOW64\Ljhefhha.exe

C:\Windows\system32\Ljhefhha.exe

C:\Windows\SysWOW64\Lenicahg.exe

C:\Windows\system32\Lenicahg.exe

C:\Windows\SysWOW64\Mepfiq32.exe

C:\Windows\system32\Mepfiq32.exe

C:\Windows\SysWOW64\Mnhkbfme.exe

C:\Windows\system32\Mnhkbfme.exe

C:\Windows\SysWOW64\Mkmkkjko.exe

C:\Windows\system32\Mkmkkjko.exe

C:\Windows\SysWOW64\Mmnhcb32.exe

C:\Windows\system32\Mmnhcb32.exe

C:\Windows\SysWOW64\Meepdp32.exe

C:\Windows\system32\Meepdp32.exe

C:\Windows\SysWOW64\Mkohaj32.exe

C:\Windows\system32\Mkohaj32.exe

C:\Windows\SysWOW64\Mnmdme32.exe

C:\Windows\system32\Mnmdme32.exe

C:\Windows\SysWOW64\Mgehfkop.exe

C:\Windows\system32\Mgehfkop.exe

C:\Windows\SysWOW64\Manmoq32.exe

C:\Windows\system32\Manmoq32.exe

C:\Windows\SysWOW64\Meiioonj.exe

C:\Windows\system32\Meiioonj.exe

C:\Windows\SysWOW64\Nlcalieg.exe

C:\Windows\system32\Nlcalieg.exe

C:\Windows\SysWOW64\Nnbnhedj.exe

C:\Windows\system32\Nnbnhedj.exe

C:\Windows\SysWOW64\Ncofplba.exe

C:\Windows\system32\Ncofplba.exe

C:\Windows\SysWOW64\Nlfnaicd.exe

C:\Windows\system32\Nlfnaicd.exe

C:\Windows\SysWOW64\Njinmf32.exe

C:\Windows\system32\Njinmf32.exe

C:\Windows\SysWOW64\Nmgjia32.exe

C:\Windows\system32\Nmgjia32.exe

C:\Windows\SysWOW64\Nenbjo32.exe

C:\Windows\system32\Nenbjo32.exe

C:\Windows\SysWOW64\Nhmofj32.exe

C:\Windows\system32\Nhmofj32.exe

C:\Windows\SysWOW64\Njkkbehl.exe

C:\Windows\system32\Njkkbehl.exe

C:\Windows\SysWOW64\Nmigoagp.exe

C:\Windows\system32\Nmigoagp.exe

C:\Windows\SysWOW64\Neqopnhb.exe

C:\Windows\system32\Neqopnhb.exe

C:\Windows\SysWOW64\Nhokljge.exe

C:\Windows\system32\Nhokljge.exe

C:\Windows\SysWOW64\Nnicid32.exe

C:\Windows\system32\Nnicid32.exe

C:\Windows\SysWOW64\Nagpeo32.exe

C:\Windows\system32\Nagpeo32.exe

C:\Windows\SysWOW64\Nhahaiec.exe

C:\Windows\system32\Nhahaiec.exe

C:\Windows\SysWOW64\Nnkpnclp.exe

C:\Windows\system32\Nnkpnclp.exe

C:\Windows\SysWOW64\Oeehkn32.exe

C:\Windows\system32\Oeehkn32.exe

C:\Windows\SysWOW64\Ojbacd32.exe

C:\Windows\system32\Ojbacd32.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Odjeljhd.exe

C:\Windows\system32\Odjeljhd.exe

C:\Windows\SysWOW64\Olanmgig.exe

C:\Windows\system32\Olanmgig.exe

C:\Windows\SysWOW64\Ojgjndno.exe

C:\Windows\system32\Ojgjndno.exe

C:\Windows\SysWOW64\Oelolmnd.exe

C:\Windows\system32\Oelolmnd.exe

C:\Windows\SysWOW64\Ojigdcll.exe

C:\Windows\system32\Ojigdcll.exe

C:\Windows\SysWOW64\Oeokal32.exe

C:\Windows\system32\Oeokal32.exe

C:\Windows\SysWOW64\Oogpjbbb.exe

C:\Windows\system32\Oogpjbbb.exe

C:\Windows\SysWOW64\Pknqoc32.exe

C:\Windows\system32\Pknqoc32.exe

C:\Windows\SysWOW64\Pmoiqneg.exe

C:\Windows\system32\Pmoiqneg.exe

C:\Windows\SysWOW64\Ponfka32.exe

C:\Windows\system32\Ponfka32.exe

C:\Windows\SysWOW64\Pmcclm32.exe

C:\Windows\system32\Pmcclm32.exe

C:\Windows\SysWOW64\Qmepam32.exe

C:\Windows\system32\Qmepam32.exe

C:\Windows\SysWOW64\Ahpmjejp.exe

C:\Windows\system32\Ahpmjejp.exe

C:\Windows\SysWOW64\Adfnofpd.exe

C:\Windows\system32\Adfnofpd.exe

C:\Windows\SysWOW64\Aolblopj.exe

C:\Windows\system32\Aolblopj.exe

C:\Windows\SysWOW64\Anaomkdb.exe

C:\Windows\system32\Anaomkdb.exe

C:\Windows\SysWOW64\Aoalgn32.exe

C:\Windows\system32\Aoalgn32.exe

C:\Windows\SysWOW64\Ahippdbe.exe

C:\Windows\system32\Ahippdbe.exe

C:\Windows\SysWOW64\Bdpaeehj.exe

C:\Windows\system32\Bdpaeehj.exe

C:\Windows\SysWOW64\Blielbfi.exe

C:\Windows\system32\Blielbfi.exe

C:\Windows\SysWOW64\Bebjdgmj.exe

C:\Windows\system32\Bebjdgmj.exe

C:\Windows\SysWOW64\Bdgged32.exe

C:\Windows\system32\Bdgged32.exe

C:\Windows\SysWOW64\Bheplb32.exe

C:\Windows\system32\Bheplb32.exe

C:\Windows\SysWOW64\Cdlqqcnl.exe

C:\Windows\system32\Cdlqqcnl.exe

C:\Windows\SysWOW64\Ckeimm32.exe

C:\Windows\system32\Ckeimm32.exe

C:\Windows\SysWOW64\Cndeii32.exe

C:\Windows\system32\Cndeii32.exe

C:\Windows\SysWOW64\Chiigadc.exe

C:\Windows\system32\Chiigadc.exe

C:\Windows\SysWOW64\Cbbnpg32.exe

C:\Windows\system32\Cbbnpg32.exe

C:\Windows\SysWOW64\Cofnik32.exe

C:\Windows\system32\Cofnik32.exe

C:\Windows\SysWOW64\Ckmonl32.exe

C:\Windows\system32\Ckmonl32.exe

C:\Windows\SysWOW64\Cnkkjh32.exe

C:\Windows\system32\Cnkkjh32.exe

C:\Windows\SysWOW64\Dkokcl32.exe

C:\Windows\system32\Dkokcl32.exe

C:\Windows\SysWOW64\Dfdpad32.exe

C:\Windows\system32\Dfdpad32.exe

C:\Windows\SysWOW64\Dkahilkl.exe

C:\Windows\system32\Dkahilkl.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Dflfac32.exe

C:\Windows\system32\Dflfac32.exe

C:\Windows\SysWOW64\Dngjff32.exe

C:\Windows\system32\Dngjff32.exe

C:\Windows\SysWOW64\Dfnbgc32.exe

C:\Windows\system32\Dfnbgc32.exe

C:\Windows\SysWOW64\Enigke32.exe

C:\Windows\system32\Enigke32.exe

C:\Windows\SysWOW64\Eecphp32.exe

C:\Windows\system32\Eecphp32.exe

C:\Windows\SysWOW64\Eeelnp32.exe

C:\Windows\system32\Eeelnp32.exe

C:\Windows\SysWOW64\Ennqfenp.exe

C:\Windows\system32\Ennqfenp.exe

C:\Windows\SysWOW64\Eicedn32.exe

C:\Windows\system32\Eicedn32.exe

C:\Windows\SysWOW64\Enpmld32.exe

C:\Windows\system32\Enpmld32.exe

C:\Windows\SysWOW64\Flfkkhid.exe

C:\Windows\system32\Flfkkhid.exe

C:\Windows\SysWOW64\Fngcmcfe.exe

C:\Windows\system32\Fngcmcfe.exe

C:\Windows\SysWOW64\Fmkqpkla.exe

C:\Windows\system32\Fmkqpkla.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Gfeaopqo.exe

C:\Windows\system32\Gfeaopqo.exe

C:\Windows\SysWOW64\Glbjggof.exe

C:\Windows\system32\Glbjggof.exe

C:\Windows\SysWOW64\Gnqfcbnj.exe

C:\Windows\system32\Gnqfcbnj.exe

C:\Windows\SysWOW64\Gifkpknp.exe

C:\Windows\system32\Gifkpknp.exe

C:\Windows\SysWOW64\Gncchb32.exe

C:\Windows\system32\Gncchb32.exe

C:\Windows\SysWOW64\Gmfplibd.exe

C:\Windows\system32\Gmfplibd.exe

C:\Windows\SysWOW64\Gbchdp32.exe

C:\Windows\system32\Gbchdp32.exe

C:\Windows\SysWOW64\Gmimai32.exe

C:\Windows\system32\Gmimai32.exe

C:\Windows\SysWOW64\Gbeejp32.exe

C:\Windows\system32\Gbeejp32.exe

C:\Windows\SysWOW64\Hedafk32.exe

C:\Windows\system32\Hedafk32.exe

C:\Windows\SysWOW64\Hlnjbedi.exe

C:\Windows\system32\Hlnjbedi.exe

C:\Windows\SysWOW64\Hpiecd32.exe

C:\Windows\system32\Hpiecd32.exe

C:\Windows\SysWOW64\Hbhboolf.exe

C:\Windows\system32\Hbhboolf.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hbjoeojc.exe

C:\Windows\system32\Hbjoeojc.exe

C:\Windows\SysWOW64\Hoaojp32.exe

C:\Windows\system32\Hoaojp32.exe

C:\Windows\SysWOW64\Hbohpn32.exe

C:\Windows\system32\Hbohpn32.exe

C:\Windows\SysWOW64\Hmdlmg32.exe

C:\Windows\system32\Hmdlmg32.exe

C:\Windows\SysWOW64\Imgicgca.exe

C:\Windows\system32\Imgicgca.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Imiehfao.exe

C:\Windows\system32\Imiehfao.exe

C:\Windows\SysWOW64\Igajal32.exe

C:\Windows\system32\Igajal32.exe

C:\Windows\SysWOW64\Igdgglfl.exe

C:\Windows\system32\Igdgglfl.exe

C:\Windows\SysWOW64\Igfclkdj.exe

C:\Windows\system32\Igfclkdj.exe

C:\Windows\SysWOW64\Iidphgcn.exe

C:\Windows\system32\Iidphgcn.exe

C:\Windows\SysWOW64\Jiglnf32.exe

C:\Windows\system32\Jiglnf32.exe

C:\Windows\SysWOW64\Jenmcggo.exe

C:\Windows\system32\Jenmcggo.exe

C:\Windows\SysWOW64\Jpcapp32.exe

C:\Windows\system32\Jpcapp32.exe

C:\Windows\SysWOW64\Jepjhg32.exe

C:\Windows\system32\Jepjhg32.exe

C:\Windows\SysWOW64\Johnamkm.exe

C:\Windows\system32\Johnamkm.exe

C:\Windows\SysWOW64\Jebfng32.exe

C:\Windows\system32\Jebfng32.exe

C:\Windows\SysWOW64\Jcfggkac.exe

C:\Windows\system32\Jcfggkac.exe

C:\Windows\SysWOW64\Kpjgaoqm.exe

C:\Windows\system32\Kpjgaoqm.exe

C:\Windows\SysWOW64\Kjblje32.exe

C:\Windows\system32\Kjblje32.exe

C:\Windows\SysWOW64\Kgflcifg.exe

C:\Windows\system32\Kgflcifg.exe

C:\Windows\SysWOW64\Koaagkcb.exe

C:\Windows\system32\Koaagkcb.exe

C:\Windows\SysWOW64\Kcmmhj32.exe

C:\Windows\system32\Kcmmhj32.exe

C:\Windows\SysWOW64\Kjgeedch.exe

C:\Windows\system32\Kjgeedch.exe

C:\Windows\SysWOW64\Knenkbio.exe

C:\Windows\system32\Knenkbio.exe

C:\Windows\SysWOW64\Kjlopc32.exe

C:\Windows\system32\Kjlopc32.exe

C:\Windows\SysWOW64\Llmhaold.exe

C:\Windows\system32\Llmhaold.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Llodgnja.exe

C:\Windows\system32\Llodgnja.exe

C:\Windows\SysWOW64\Lggejg32.exe

C:\Windows\system32\Lggejg32.exe

C:\Windows\SysWOW64\Lgibpf32.exe

C:\Windows\system32\Lgibpf32.exe

C:\Windows\SysWOW64\Modgdicm.exe

C:\Windows\system32\Modgdicm.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Mqfpckhm.exe

C:\Windows\system32\Mqfpckhm.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Monjjgkb.exe

C:\Windows\system32\Monjjgkb.exe

C:\Windows\SysWOW64\Nopfpgip.exe

C:\Windows\system32\Nopfpgip.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Nceefd32.exe

C:\Windows\system32\Nceefd32.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Oaifpi32.exe

C:\Windows\system32\Oaifpi32.exe

C:\Windows\SysWOW64\Offnhpfo.exe

C:\Windows\system32\Offnhpfo.exe

C:\Windows\SysWOW64\Ocjoadei.exe

C:\Windows\system32\Ocjoadei.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Oaplqh32.exe

C:\Windows\system32\Oaplqh32.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Ohlqcagj.exe

C:\Windows\system32\Ohlqcagj.exe

C:\Windows\SysWOW64\Pnfiplog.exe

C:\Windows\system32\Pnfiplog.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Ppolhcnm.exe

C:\Windows\system32\Ppolhcnm.exe

C:\Windows\SysWOW64\Panhbfep.exe

C:\Windows\system32\Panhbfep.exe

C:\Windows\SysWOW64\Qfkqjmdg.exe

C:\Windows\system32\Qfkqjmdg.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qmgelf32.exe

C:\Windows\system32\Qmgelf32.exe

C:\Windows\SysWOW64\Afpjel32.exe

C:\Windows\system32\Afpjel32.exe

C:\Windows\SysWOW64\Aaenbd32.exe

C:\Windows\system32\Aaenbd32.exe

C:\Windows\SysWOW64\Adfgdpmi.exe

C:\Windows\system32\Adfgdpmi.exe

C:\Windows\SysWOW64\Aokkahlo.exe

C:\Windows\system32\Aokkahlo.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Ahfmpnql.exe

C:\Windows\system32\Ahfmpnql.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\system32\Akdilipp.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bklomh32.exe

C:\Windows\system32\Bklomh32.exe

C:\Windows\SysWOW64\Bhpofl32.exe

C:\Windows\system32\Bhpofl32.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bahdob32.exe

C:\Windows\system32\Bahdob32.exe

C:\Windows\SysWOW64\Bdfpkm32.exe

C:\Windows\system32\Bdfpkm32.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Cnaaib32.exe

C:\Windows\system32\Cnaaib32.exe

C:\Windows\SysWOW64\Cncnob32.exe

C:\Windows\system32\Cncnob32.exe

C:\Windows\SysWOW64\Cnfkdb32.exe

C:\Windows\system32\Cnfkdb32.exe

C:\Windows\SysWOW64\Coegoe32.exe

C:\Windows\system32\Coegoe32.exe

C:\Windows\SysWOW64\Cdbpgl32.exe

C:\Windows\system32\Cdbpgl32.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dgeenfog.exe

C:\Windows\system32\Dgeenfog.exe

C:\Windows\SysWOW64\Dqnjgl32.exe

C:\Windows\system32\Dqnjgl32.exe

C:\Windows\SysWOW64\Dqbcbkab.exe

C:\Windows\system32\Dqbcbkab.exe

C:\Windows\SysWOW64\Dkhgod32.exe

C:\Windows\system32\Dkhgod32.exe

C:\Windows\SysWOW64\Edplhjhi.exe

C:\Windows\system32\Edplhjhi.exe

C:\Windows\SysWOW64\Egohdegl.exe

C:\Windows\system32\Egohdegl.exe

C:\Windows\SysWOW64\Eqgmmk32.exe

C:\Windows\system32\Eqgmmk32.exe

C:\Windows\SysWOW64\Eqiibjlj.exe

C:\Windows\system32\Eqiibjlj.exe

C:\Windows\SysWOW64\Ehpadhll.exe

C:\Windows\system32\Ehpadhll.exe

C:\Windows\SysWOW64\Ekonpckp.exe

C:\Windows\system32\Ekonpckp.exe

C:\Windows\SysWOW64\Edgbii32.exe

C:\Windows\system32\Edgbii32.exe

C:\Windows\SysWOW64\Ebkbbmqj.exe

C:\Windows\system32\Ebkbbmqj.exe

C:\Windows\SysWOW64\Eiekog32.exe

C:\Windows\system32\Eiekog32.exe

C:\Windows\SysWOW64\Ekcgkb32.exe

C:\Windows\system32\Ekcgkb32.exe

C:\Windows\SysWOW64\Fdlkdhnk.exe

C:\Windows\system32\Fdlkdhnk.exe

C:\Windows\SysWOW64\Fkfcqb32.exe

C:\Windows\system32\Fkfcqb32.exe

C:\Windows\SysWOW64\Foapaa32.exe

C:\Windows\system32\Foapaa32.exe

C:\Windows\SysWOW64\Fbplml32.exe

C:\Windows\system32\Fbplml32.exe

C:\Windows\SysWOW64\Fdnhih32.exe

C:\Windows\system32\Fdnhih32.exe

C:\Windows\SysWOW64\Fqeioiam.exe

C:\Windows\system32\Fqeioiam.exe

C:\Windows\SysWOW64\Fofilp32.exe

C:\Windows\system32\Fofilp32.exe

C:\Windows\SysWOW64\Fqgedh32.exe

C:\Windows\system32\Fqgedh32.exe

C:\Windows\SysWOW64\Fganqbgg.exe

C:\Windows\system32\Fganqbgg.exe

C:\Windows\SysWOW64\Fkofga32.exe

C:\Windows\system32\Fkofga32.exe

C:\Windows\SysWOW64\Gnnccl32.exe

C:\Windows\system32\Gnnccl32.exe

C:\Windows\SysWOW64\Gegkpf32.exe

C:\Windows\system32\Gegkpf32.exe

C:\Windows\SysWOW64\Gpmomo32.exe

C:\Windows\system32\Gpmomo32.exe

C:\Windows\SysWOW64\Gejhef32.exe

C:\Windows\system32\Gejhef32.exe

C:\Windows\SysWOW64\Gpolbo32.exe

C:\Windows\system32\Gpolbo32.exe

C:\Windows\SysWOW64\Geldkfpi.exe

C:\Windows\system32\Geldkfpi.exe

C:\Windows\SysWOW64\Glfmgp32.exe

C:\Windows\system32\Glfmgp32.exe

C:\Windows\SysWOW64\Gacepg32.exe

C:\Windows\system32\Gacepg32.exe

C:\Windows\SysWOW64\Gngeik32.exe

C:\Windows\system32\Gngeik32.exe

C:\Windows\SysWOW64\Giljfddl.exe

C:\Windows\system32\Giljfddl.exe

C:\Windows\SysWOW64\Hbenoi32.exe

C:\Windows\system32\Hbenoi32.exe

C:\Windows\SysWOW64\Hajkqfoe.exe

C:\Windows\system32\Hajkqfoe.exe

C:\Windows\SysWOW64\Hhdcmp32.exe

C:\Windows\system32\Hhdcmp32.exe

C:\Windows\SysWOW64\Hbihjifh.exe

C:\Windows\system32\Hbihjifh.exe

C:\Windows\SysWOW64\Hehdfdek.exe

C:\Windows\system32\Hehdfdek.exe

C:\Windows\SysWOW64\Hpmhdmea.exe

C:\Windows\system32\Hpmhdmea.exe

C:\Windows\SysWOW64\Hbldphde.exe

C:\Windows\system32\Hbldphde.exe

C:\Windows\SysWOW64\Hppeim32.exe

C:\Windows\system32\Hppeim32.exe

C:\Windows\SysWOW64\Hemmac32.exe

C:\Windows\system32\Hemmac32.exe

C:\Windows\SysWOW64\Ihkjno32.exe

C:\Windows\system32\Ihkjno32.exe

C:\Windows\SysWOW64\Inebjihf.exe

C:\Windows\system32\Inebjihf.exe

C:\Windows\SysWOW64\Ieojgc32.exe

C:\Windows\system32\Ieojgc32.exe

C:\Windows\SysWOW64\Ilibdmgp.exe

C:\Windows\system32\Ilibdmgp.exe

C:\Windows\SysWOW64\Ibcjqgnm.exe

C:\Windows\system32\Ibcjqgnm.exe

C:\Windows\SysWOW64\Ieagmcmq.exe

C:\Windows\system32\Ieagmcmq.exe

C:\Windows\SysWOW64\Ihpcinld.exe

C:\Windows\system32\Ihpcinld.exe

C:\Windows\SysWOW64\Ibegfglj.exe

C:\Windows\system32\Ibegfglj.exe

C:\Windows\SysWOW64\Ihbponja.exe

C:\Windows\system32\Ihbponja.exe

C:\Windows\SysWOW64\Iolhkh32.exe

C:\Windows\system32\Iolhkh32.exe

C:\Windows\SysWOW64\Iialhaad.exe

C:\Windows\system32\Iialhaad.exe

C:\Windows\SysWOW64\Iondqhpl.exe

C:\Windows\system32\Iondqhpl.exe

C:\Windows\SysWOW64\Jlbejloe.exe

C:\Windows\system32\Jlbejloe.exe

C:\Windows\SysWOW64\Jekjcaef.exe

C:\Windows\system32\Jekjcaef.exe

C:\Windows\SysWOW64\Jldbpl32.exe

C:\Windows\system32\Jldbpl32.exe

C:\Windows\SysWOW64\Jemfhacc.exe

C:\Windows\system32\Jemfhacc.exe

C:\Windows\SysWOW64\Jadgnb32.exe

C:\Windows\system32\Jadgnb32.exe

C:\Windows\SysWOW64\Johggfha.exe

C:\Windows\system32\Johggfha.exe

C:\Windows\SysWOW64\Jafdcbge.exe

C:\Windows\system32\Jafdcbge.exe

C:\Windows\SysWOW64\Jhplpl32.exe

C:\Windows\system32\Jhplpl32.exe

C:\Windows\SysWOW64\Jbepme32.exe

C:\Windows\system32\Jbepme32.exe

C:\Windows\SysWOW64\Kiphjo32.exe

C:\Windows\system32\Kiphjo32.exe

C:\Windows\SysWOW64\Kbhmbdle.exe

C:\Windows\system32\Kbhmbdle.exe

C:\Windows\SysWOW64\Kheekkjl.exe

C:\Windows\system32\Kheekkjl.exe

C:\Windows\SysWOW64\Koonge32.exe

C:\Windows\system32\Koonge32.exe

C:\Windows\SysWOW64\Kcjjhdjb.exe

C:\Windows\system32\Kcjjhdjb.exe

C:\Windows\SysWOW64\Kidben32.exe

C:\Windows\system32\Kidben32.exe

C:\Windows\SysWOW64\Klbnajqc.exe

C:\Windows\system32\Klbnajqc.exe

C:\Windows\SysWOW64\Kcmfnd32.exe

C:\Windows\system32\Kcmfnd32.exe

C:\Windows\SysWOW64\Klekfinp.exe

C:\Windows\system32\Klekfinp.exe

C:\Windows\SysWOW64\Kcoccc32.exe

C:\Windows\system32\Kcoccc32.exe

C:\Windows\SysWOW64\Klggli32.exe

C:\Windows\system32\Klggli32.exe

C:\Windows\SysWOW64\Likhem32.exe

C:\Windows\system32\Likhem32.exe

C:\Windows\SysWOW64\Lpgmhg32.exe

C:\Windows\system32\Lpgmhg32.exe

C:\Windows\SysWOW64\Ledepn32.exe

C:\Windows\system32\Ledepn32.exe

C:\Windows\SysWOW64\Lchfib32.exe

C:\Windows\system32\Lchfib32.exe

C:\Windows\SysWOW64\Lplfcf32.exe

C:\Windows\system32\Lplfcf32.exe

C:\Windows\SysWOW64\Ljdkll32.exe

C:\Windows\system32\Ljdkll32.exe

C:\Windows\SysWOW64\Mapppn32.exe

C:\Windows\system32\Mapppn32.exe

C:\Windows\SysWOW64\Mpapnfhg.exe

C:\Windows\system32\Mpapnfhg.exe

C:\Windows\SysWOW64\Modpib32.exe

C:\Windows\system32\Modpib32.exe

C:\Windows\SysWOW64\Mfnhfm32.exe

C:\Windows\system32\Mfnhfm32.exe

C:\Windows\SysWOW64\Mhldbh32.exe

C:\Windows\system32\Mhldbh32.exe

C:\Windows\SysWOW64\Mcaipa32.exe

C:\Windows\system32\Mcaipa32.exe

C:\Windows\SysWOW64\Mhoahh32.exe

C:\Windows\system32\Mhoahh32.exe

C:\Windows\SysWOW64\Mcdeeq32.exe

C:\Windows\system32\Mcdeeq32.exe

C:\Windows\SysWOW64\Mlljnf32.exe

C:\Windows\system32\Mlljnf32.exe

C:\Windows\SysWOW64\Mbibfm32.exe

C:\Windows\system32\Mbibfm32.exe

C:\Windows\SysWOW64\Mlofcf32.exe

C:\Windows\system32\Mlofcf32.exe

C:\Windows\SysWOW64\Nfgklkoc.exe

C:\Windows\system32\Nfgklkoc.exe

C:\Windows\SysWOW64\Nmaciefp.exe

C:\Windows\system32\Nmaciefp.exe

C:\Windows\SysWOW64\Noppeaed.exe

C:\Windows\system32\Noppeaed.exe

C:\Windows\SysWOW64\Nbnlaldg.exe

C:\Windows\system32\Nbnlaldg.exe

C:\Windows\SysWOW64\Nmcpoedn.exe

C:\Windows\system32\Nmcpoedn.exe

C:\Windows\SysWOW64\Ncmhko32.exe

C:\Windows\system32\Ncmhko32.exe

C:\Windows\SysWOW64\Nodiqp32.exe

C:\Windows\system32\Nodiqp32.exe

C:\Windows\SysWOW64\Nfnamjhk.exe

C:\Windows\system32\Nfnamjhk.exe

C:\Windows\SysWOW64\Nqcejcha.exe

C:\Windows\system32\Nqcejcha.exe

C:\Windows\SysWOW64\Nbebbk32.exe

C:\Windows\system32\Nbebbk32.exe

C:\Windows\SysWOW64\Nmjfodne.exe

C:\Windows\system32\Nmjfodne.exe

C:\Windows\SysWOW64\Nqfbpb32.exe

C:\Windows\system32\Nqfbpb32.exe

C:\Windows\SysWOW64\Obgohklm.exe

C:\Windows\system32\Obgohklm.exe

C:\Windows\SysWOW64\Oiagde32.exe

C:\Windows\system32\Oiagde32.exe

C:\Windows\SysWOW64\Ocgkan32.exe

C:\Windows\system32\Ocgkan32.exe

C:\Windows\SysWOW64\Oiccje32.exe

C:\Windows\system32\Oiccje32.exe

C:\Windows\SysWOW64\Ocihgnam.exe

C:\Windows\system32\Ocihgnam.exe

C:\Windows\SysWOW64\Ojcpdg32.exe

C:\Windows\system32\Ojcpdg32.exe

C:\Windows\SysWOW64\Ockdmmoj.exe

C:\Windows\system32\Ockdmmoj.exe

C:\Windows\SysWOW64\Oqoefand.exe

C:\Windows\system32\Oqoefand.exe

C:\Windows\SysWOW64\Oikjkc32.exe

C:\Windows\system32\Oikjkc32.exe

C:\Windows\SysWOW64\Ppdbgncl.exe

C:\Windows\system32\Ppdbgncl.exe

C:\Windows\SysWOW64\Pimfpc32.exe

C:\Windows\system32\Pimfpc32.exe

C:\Windows\SysWOW64\Ppgomnai.exe

C:\Windows\system32\Ppgomnai.exe

C:\Windows\SysWOW64\Pfagighf.exe

C:\Windows\system32\Pfagighf.exe

C:\Windows\SysWOW64\Pmkofa32.exe

C:\Windows\system32\Pmkofa32.exe

C:\Windows\SysWOW64\Ppikbm32.exe

C:\Windows\system32\Ppikbm32.exe

C:\Windows\SysWOW64\Piapkbeg.exe

C:\Windows\system32\Piapkbeg.exe

C:\Windows\SysWOW64\Pplhhm32.exe

C:\Windows\system32\Pplhhm32.exe

C:\Windows\SysWOW64\Pfepdg32.exe

C:\Windows\system32\Pfepdg32.exe

C:\Windows\SysWOW64\Pidlqb32.exe

C:\Windows\system32\Pidlqb32.exe

C:\Windows\SysWOW64\Pakdbp32.exe

C:\Windows\system32\Pakdbp32.exe

C:\Windows\SysWOW64\Pjcikejg.exe

C:\Windows\system32\Pjcikejg.exe

C:\Windows\SysWOW64\Qppaclio.exe

C:\Windows\system32\Qppaclio.exe

C:\Windows\SysWOW64\Qjffpe32.exe

C:\Windows\system32\Qjffpe32.exe

C:\Windows\SysWOW64\Qapnmopa.exe

C:\Windows\system32\Qapnmopa.exe

C:\Windows\SysWOW64\Qcnjijoe.exe

C:\Windows\system32\Qcnjijoe.exe

C:\Windows\SysWOW64\Qjhbfd32.exe

C:\Windows\system32\Qjhbfd32.exe

C:\Windows\SysWOW64\Aabkbono.exe

C:\Windows\system32\Aabkbono.exe

C:\Windows\SysWOW64\Abcgjg32.exe

C:\Windows\system32\Abcgjg32.exe

C:\Windows\SysWOW64\Amikgpcc.exe

C:\Windows\system32\Amikgpcc.exe

C:\Windows\SysWOW64\Afappe32.exe

C:\Windows\system32\Afappe32.exe

C:\Windows\SysWOW64\Ajohfcpj.exe

C:\Windows\system32\Ajohfcpj.exe

C:\Windows\SysWOW64\Aaiqcnhg.exe

C:\Windows\system32\Aaiqcnhg.exe

C:\Windows\SysWOW64\Adgmoigj.exe

C:\Windows\system32\Adgmoigj.exe

C:\Windows\SysWOW64\Aalmimfd.exe

C:\Windows\system32\Aalmimfd.exe

C:\Windows\SysWOW64\Afhfaddk.exe

C:\Windows\system32\Afhfaddk.exe

C:\Windows\SysWOW64\Banjnm32.exe

C:\Windows\system32\Banjnm32.exe

C:\Windows\SysWOW64\Bboffejp.exe

C:\Windows\system32\Bboffejp.exe

C:\Windows\SysWOW64\Bjfogbjb.exe

C:\Windows\system32\Bjfogbjb.exe

C:\Windows\SysWOW64\Bpcgpihi.exe

C:\Windows\system32\Bpcgpihi.exe

C:\Windows\SysWOW64\Bbaclegm.exe

C:\Windows\system32\Bbaclegm.exe

C:\Windows\SysWOW64\Bmggingc.exe

C:\Windows\system32\Bmggingc.exe

C:\Windows\SysWOW64\Bbdpad32.exe

C:\Windows\system32\Bbdpad32.exe

C:\Windows\SysWOW64\Baepolni.exe

C:\Windows\system32\Baepolni.exe

C:\Windows\SysWOW64\Bipecnkd.exe

C:\Windows\system32\Bipecnkd.exe

C:\Windows\SysWOW64\Bpjmph32.exe

C:\Windows\system32\Bpjmph32.exe

C:\Windows\SysWOW64\Cibain32.exe

C:\Windows\system32\Cibain32.exe

C:\Windows\SysWOW64\Cpljehpo.exe

C:\Windows\system32\Cpljehpo.exe

C:\Windows\SysWOW64\Cgfbbb32.exe

C:\Windows\system32\Cgfbbb32.exe

C:\Windows\SysWOW64\Cmpjoloh.exe

C:\Windows\system32\Cmpjoloh.exe

C:\Windows\SysWOW64\Cdjblf32.exe

C:\Windows\system32\Cdjblf32.exe

C:\Windows\SysWOW64\Ckdkhq32.exe

C:\Windows\system32\Ckdkhq32.exe

C:\Windows\SysWOW64\Cdmoafdb.exe

C:\Windows\system32\Cdmoafdb.exe

C:\Windows\SysWOW64\Caqpkjcl.exe

C:\Windows\system32\Caqpkjcl.exe

C:\Windows\SysWOW64\Ccblbb32.exe

C:\Windows\system32\Ccblbb32.exe

C:\Windows\SysWOW64\Cildom32.exe

C:\Windows\system32\Cildom32.exe

C:\Windows\SysWOW64\Cacmpj32.exe

C:\Windows\system32\Cacmpj32.exe

C:\Windows\SysWOW64\Cdaile32.exe

C:\Windows\system32\Cdaile32.exe

C:\Windows\SysWOW64\Dphiaffa.exe

C:\Windows\system32\Dphiaffa.exe

C:\Windows\SysWOW64\Dgbanq32.exe

C:\Windows\system32\Dgbanq32.exe

C:\Windows\SysWOW64\Dnljkk32.exe

C:\Windows\system32\Dnljkk32.exe

C:\Windows\SysWOW64\Dgdncplk.exe

C:\Windows\system32\Dgdncplk.exe

C:\Windows\SysWOW64\Dpmcmf32.exe

C:\Windows\system32\Dpmcmf32.exe

C:\Windows\SysWOW64\Dnqcfjae.exe

C:\Windows\system32\Dnqcfjae.exe

C:\Windows\SysWOW64\Ddklbd32.exe

C:\Windows\system32\Ddklbd32.exe

C:\Windows\SysWOW64\Djgdkk32.exe

C:\Windows\system32\Djgdkk32.exe

C:\Windows\SysWOW64\Dcphdqmj.exe

C:\Windows\system32\Dcphdqmj.exe

C:\Windows\SysWOW64\Enemaimp.exe

C:\Windows\system32\Enemaimp.exe

C:\Windows\SysWOW64\Enhifi32.exe

C:\Windows\system32\Enhifi32.exe

C:\Windows\SysWOW64\Ecdbop32.exe

C:\Windows\system32\Ecdbop32.exe

C:\Windows\SysWOW64\Ekljpm32.exe

C:\Windows\system32\Ekljpm32.exe

C:\Windows\SysWOW64\Eddnic32.exe

C:\Windows\system32\Eddnic32.exe

C:\Windows\SysWOW64\Egbken32.exe

C:\Windows\system32\Egbken32.exe

C:\Windows\SysWOW64\Ejagaj32.exe

C:\Windows\system32\Ejagaj32.exe

C:\Windows\SysWOW64\Eahobg32.exe

C:\Windows\system32\Eahobg32.exe

C:\Windows\SysWOW64\Enopghee.exe

C:\Windows\system32\Enopghee.exe

C:\Windows\SysWOW64\Fnalmh32.exe

C:\Windows\system32\Fnalmh32.exe

C:\Windows\SysWOW64\Fkemfl32.exe

C:\Windows\system32\Fkemfl32.exe

C:\Windows\SysWOW64\Fboecfii.exe

C:\Windows\system32\Fboecfii.exe

C:\Windows\SysWOW64\Fdmaoahm.exe

C:\Windows\system32\Fdmaoahm.exe

C:\Windows\SysWOW64\Fjjjgh32.exe

C:\Windows\system32\Fjjjgh32.exe

C:\Windows\SysWOW64\Fjmfmh32.exe

C:\Windows\system32\Fjmfmh32.exe

C:\Windows\SysWOW64\Fdbkja32.exe

C:\Windows\system32\Fdbkja32.exe

C:\Windows\SysWOW64\Fnjocf32.exe

C:\Windows\system32\Fnjocf32.exe

C:\Windows\SysWOW64\Gddgpqbe.exe

C:\Windows\system32\Gddgpqbe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 5852 -ip 5852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 420

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4556-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Fhdohp32.exe

MD5 e41b1fe19c92c627d6cc7aaace1582b0
SHA1 24207551adc6ac146f7888a81b10f6954cc0c6b6
SHA256 08bc83b9a6c14e5dd5d6e02aeb6b7e9d2475193d1c7db839503bcece4dd62217
SHA512 c597e75ba10939596a55d32b897ea006ae5e6ee184956e5cc0e4ebba283b6f26db3460cbfb3c841d0b44094a67ab3761b9f17bc9363a923cb8e7459d610a88ba

memory/2436-7-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Fpodlbng.exe

MD5 bc96812b513fc227de0de3d4ef95a93e
SHA1 9610fca460db4c7593e1af32349bf4a52b888ac3
SHA256 98af0ba301585a6d905c55173961a3734e5c98e1df8912799652cbbda513f2f3
SHA512 91c1e7cc47f6804dd2a288215a7394b5597e53b80c135458b617f846693b934795c3e0060875411abb214ae9842854dcd1006683088fb48ac70d51ca07636556

memory/4876-16-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ggilil32.exe

MD5 87143d76739ef21d0ffff721fcbce54e
SHA1 8aae513b21631851f29a748186de52d15b2ba6ba
SHA256 aafcdaf5c6de56abb7a60f3c465d3379bffa180e0cae7bae0459afda5ac78169
SHA512 e61ff00caf63455c3ecf9911cbfbe96b5289423564dc8e45ca3c827800181ce394d6b5bd2fcf70762f4a2e2a7b27248c1ff1b06009ba98f466e701ca6cc241f6

memory/4228-24-0x0000000000400000-0x000000000043D000-memory.dmp

memory/332-31-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Gdmmbq32.exe

MD5 9e550bae61440452af5285581a0092c5
SHA1 d61f3d962e04f4a71dcc97f83dfecccae523d02d
SHA256 8a3fa35607788b22bd1f83c85a1521531e79ae18e94470fa8e9832089bfc4feb
SHA512 0c545dfaef6df0c692a69f286184fce214685d7cbc1bdb6e87e5d7824f8ff36ce7ee4a2468cbe6d85c216262ad2beee9f1fa312480af5a6e927682efdcc9807a

C:\Windows\SysWOW64\Hepfdc32.dll

MD5 e824b46372f35ca70169da30d3e32574
SHA1 959d7cde383f3b4770f647d876a4dc3ea04c0fac
SHA256 b2f6507a8be77bc93578e62f58fe8d8fce9b0ad62af0b1dd0b9e77a035d29751
SHA512 fd6b5aabf0c86e321b63f113570b441023c042105bd399c523d594c8fedfcdc1355267ff4cf8cd4e0223ebd3dbe779de6891ecf7ce2fa4383fc3500bb7108574

C:\Windows\SysWOW64\Gijekg32.exe

MD5 4a1e3ac3b62fa66332a7a3acef999a1f
SHA1 90171706755df280637a7e64bc365ceac18dc583
SHA256 890640e5328d78558bb606fb0e5d2bada4ecd1498687d1dc7ea975972a609075
SHA512 57fb9a6be8f5fd8f9b97026fccd05a6a4ae049d1d79d4f6d7e09d1cd695915774b3b2ba1346b20136a3cdac620b839a30412c1dad82c0dd6778413bf3752b0f1

memory/1148-39-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1832-47-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Gpcmga32.exe

MD5 6cf519158a9cb0fb6737e3ad8298fbeb
SHA1 b2918247a62c2f427446fd114471e0f1cbe36852
SHA256 9f87cc51127613645fedb6aab149a3ee6f32c59b57e6ff2e118fc3fff87f844b
SHA512 bdae76c58a05be08fed04d9945a91829cc77766afef0efc5e704f19882d2ed177bd7909e9d65dd1e07a0014cb15ec027e28a6a50288e3ad8192a66f36013cd7f

C:\Windows\SysWOW64\Gacjadad.exe

MD5 e3e37e859432be3008cf83329d856f3b
SHA1 bdb2586de612bc44a99574719024cd1fad41673d
SHA256 313738322b53c39218f400efbd05a3a23b60f67bb843d62afaebc0ce977e2be2
SHA512 e4767ce85609c3fef0cd9c677a36dae50dafd184cf480b0571a3b580ffd723492e59f3aca34adf6e663bde36d0c0057388ae20155ca1895d763b1b4b21fb6222

memory/708-55-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ginnfgop.exe

MD5 c271fad65281c6dfa40328f2a326c38b
SHA1 4d86bce60f93edec1f425e9cd121eabd8e679c1c
SHA256 7afc38bdee9376c30586edbbb03f29abdfc5597eb53d194d8f66029d148270a4
SHA512 a218429dc0b47a51626c9acbb0eadfb46276b04871643d0924aafb7dad0ba0f1d94a742970d0bf018c1d4ec1262887a30bf4b615a225c7180718fd27703d2691

memory/100-63-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ghpocngo.exe

MD5 94386648e61a22c8336086c149b2dcd2
SHA1 41627442a1a0a94f5e4ddcac698c805655c748ee
SHA256 80f3411a30bfd62f07a707882fe36854f60a60d881bee93868c74625f4f84937
SHA512 b3f6561d90b521827c1d066fbbe6e72342ad20ab7847f03698c18162a05bb562b9ff954b72617129ce14af3859fae66cb2a01ebe3f7e2afaf56cf9c70e104ba8

memory/1368-71-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1456-79-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Gpkchqdj.exe

MD5 5571420f6f11811d12abd9906fb50b0b
SHA1 1818a7f85064ca946d50b3319f2469535802170c
SHA256 9f3e15bc00c3549eae10f8bbf813ae3f488a5d21d9462bc9e97bfe6ff639304a
SHA512 fd26a39b88cef8f86e51155ae9a1c6f4c33b57dfc1ada2fb46aa0c3504b994ee2f8d686fd10669e98eed659e64debc9ac3df1e867950fce026a8bd57d514c251

C:\Windows\SysWOW64\Hgelek32.exe

MD5 6143a2c126043df6c6fff3474c947ca7
SHA1 a7869102331cf1769cfc44f801289b0fb3e80a4e
SHA256 fb3a2b9f2f064c1c6fb62002b268c5d6003fe4f2164a4685d095890900839f12
SHA512 5e13a219c8d686ee3af92dd670d014778bac7d8a2b2b771e93913a0b14c7833ef67ea880a59e3f485882bac8b5baee095772b31945fff046b95efc7c029535e8

memory/2948-88-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Hjchaf32.exe

MD5 2846b6b4c6732cdd3ebe725e46bf7d7f
SHA1 1aa0ed8f3b9e7df5a71ee68798147efd73d547b0
SHA256 26029703076a958f45d73cfdbbd00491dd566f40506e7668d91bd4d533df2eee
SHA512 ceb79239b9b33307f3d7b8e5664b3042d96ce346626b11939e0cae4012ede0eb51a30d0011242bd7a610c82104c0f9ac584444928b44d1622fb438fe21287d79

memory/3648-95-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Hkbdki32.exe

MD5 052c60e7fe4a17bc5dd288ae5171d1d2
SHA1 2dc2819ab386a10a157ef1a2e20749435e824d03
SHA256 f86e739712df38c52bf6d3206b9d198349ec4dda6a2dd6c86b7bbdb54cd82fb0
SHA512 d9f34e173fbcdcee1aadf174e7eaae5fdf9c8a985ad6af837a4cdf41e0080e4bc5004e652f88c5af1f6177ce6a604e9e0bb6534a7ef6cca250e3a98de5c35882

memory/2824-103-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Hdkidohn.exe

MD5 cd88e1d05ec5916474b36f1b12c396e6
SHA1 b6b6aeb5689dc8341497df93fda2a97f48bef9f0
SHA256 43bd30e29fc7234e208cda220b3e8dbee4bb19b60cff6d658b95d9670fb54693
SHA512 bbdf7bd04fc99ff12edc36995e195ad87971308bc9d9459bba988c1bda3104af26bff2484bfb68aacea3b7dc65db25187ba24ebb5ecb3c2fd0cbdfbc17fab1ea

memory/1540-111-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Hjhalefe.exe

MD5 54e781bcc5726697a1a0eb2245601d42
SHA1 7d59e31c8fcd65162fc97177ce1c119947edab82
SHA256 5ece460728d913cd6d75a65a56e9c019914d62af7a178390a29330c2d2fee4a9
SHA512 ede43c5b1591065005d4cf3d3d953d50c77fb369d4a141e1a107893ef05013bfadf67643fd1c9b3655613589bb22c40d1ba1ed79cb46f9d6a8913f19a3cedb98

memory/4184-119-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Hglaej32.exe

MD5 e8a74a970cfa6bc9158d1daaacaced2b
SHA1 c2d9ae968489c373a208a4dd606bd1eb3934baaf
SHA256 79307373b42b54d42435faa394f7fb8a2f8be85fd13dfd7e17c3b352fdab0c79
SHA512 97bdbacf9d4fe8035804af6d21431490b6955a963ebc3364060d4ddffc2b6f29bc8de0e28abd46d14d9788773c0f4e6ff9f64972e29313aaf408c39408eb71df

memory/4692-128-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Haafcb32.exe

MD5 18045beff529ce735b7b3bb1a4f500f2
SHA1 2619c0612f2bddf19f4cabd853bc8b10fcde3689
SHA256 99da746fcfe2ae94176af3c7d12876fbebacdfba448dc600c0e44c93317792dd
SHA512 309cd8442dd20183a586fe7441df68fb2f4f9e59d036c06acef634cce53b6ce9a0c7450a0d0cb0c4889a8b265d8bfcee0eb7b09b7e42fcc70f50dc8828c5c246

memory/648-136-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Hnhghcki.exe

MD5 0f9329ba6dd9745bad9b280a734be7ff
SHA1 9d56a8f1216f0a050bf7331206200f8d750fc25c
SHA256 88bd5b7d4b02048dcb5ce147d41e09e1949141539d0aa187428f45e4c7dbd69c
SHA512 f4c2c82a05529de3f310b183b0d92dc1fbd7887e1d64c247d6a95cb3fcd0b5798e5961a3b8ac300c82b1777c43f7e229e4466e9f8706b42d4546b7fa2db63fab

memory/4296-144-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ihnkel32.exe

MD5 2e7673b05f0fc2974a41d12882ea5473
SHA1 7c823f99af8bfdbaabcbdf1dafc67538245faa6d
SHA256 5fbcc1a2371ff2649a4f60cacf56c6ba91c8ff3b683c85711bd2e855d59c62a2
SHA512 f3bb7e9ff9cde817d789e2d546eb3880c21529ad688157bd5a4d1143b150d0167899344638b3a6902110b51d80965008640ff693ffb62a0d480288e39fc868ef

memory/3224-156-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2808-159-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ijogmdqm.exe

MD5 26e5436ac05408b976c3c782e5dc9971
SHA1 ea5cf33b6688485cd7bc6ad059aa15ab998d100a
SHA256 7d3ba6a88377b444286a26f92a23b570b7bc3544e6630aaa2862cf8ffb98713f
SHA512 b753d7a95527120b8eb94980084932a8a60e916d371150978d9831f89699b13575dacf4c97a9459713288c77d31292968540dbf48a75def2a808c488fa78ba72

C:\Windows\SysWOW64\Iddljmpc.exe

MD5 8a5bb9a58488876552d7f9f103f5e128
SHA1 9cbbc9d532755bb26a7f951596a9cf77b2138b7b
SHA256 95f79a8e5ca83bc095c9c05f91ceb519cca3601845b8e9a580164c8e5b9869e8
SHA512 6b84a3ceb5558f4c479f7c8285681161dd556f186d0b64093fa56c77dd7f7e249f95f5f168f0bb908efae3ab5e9aa11c5c3e4603ca9f57be1257d4cded5b8ffa

memory/4564-167-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Iqklon32.exe

MD5 d4143f2bd6aa1f0ba087c4671aacf9d2
SHA1 9fe2f2c92a3d1e2ae0b5062712318f775666084f
SHA256 27b0af4c0a2610ddc938289e78629e941d953cf7fa6eff134282ffe801d9a062
SHA512 99ff8a8db1934210bb3328e311fd59ee5b45279296bd26db962b5907af91f26ec2aab6156e2b4855629b25ae9737a106d6fbaa0ad88b039d50e987fd4c50e801

memory/4452-175-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Inomhbeq.exe

MD5 316a2fa25aeba2052209fec0c060140b
SHA1 e14e801608306d89cd15f36cb779a3ad01e6dbcd
SHA256 b6673aec9c523dbd50a245461d2b4da2d59abe010906741a89fa5a6fac1eeaf7
SHA512 8284dd59c134a1863e223ce279bc36a04b6bfd8782a9bf24d6a7df312dda6f56b77af98c0b6740d496a7a5dd9eae7a9b4b4a6fa620d8e4bda9dbbb979616b155

memory/4764-183-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ihdafkdg.exe

MD5 d460c0281689d371bc95c1fb7f108c33
SHA1 20305e105c1ecc5b84524014bb6804f5a78a1676
SHA256 ed6a01d88f1a4789d0bec67e788b069469eb8eb3b8ca0f2caec305d3f87736b5
SHA512 7d476ee9e8aba7fcae766d53bb19eacc27f27959f2cea41e8562d87a552b746990926dc5694bacfb093aebaa8835aac1940a2297927b2e4f6bbfe848cba75279

memory/4680-192-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ikcmbfcj.exe

MD5 9e929f1727286bcd2186e1ce20ac98cc
SHA1 df0b5a9ea03a47fb40244e2de482143c228219b2
SHA256 ae37e89cffaf1ae4b2f15d117e0c1a9a5db36dd7670212cca2179115b7eede28
SHA512 05c457bc936ebc68c61fc7eba4eafc4de4c9beeadfc6bb515e8245b8bca02445da707fba5763d2dd61dace577b0fd290c4a578fb99bc05d6166c60f007e50671

memory/3256-200-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ihgnkkbd.exe

MD5 0780e30ad30532f2138bcbd3c1f8c973
SHA1 58def650f2f25337042bbea9acb8cc0d058d6c0b
SHA256 2f972408b93838d9f7bee65b0c9b7db6111f523d37abf62509ad2e67f7ad259a
SHA512 be66dc469a855ac1a0751e54b705c7565c314909ee30df5d87c8440654d5e273528aed40c63b1c6b9b383e247d3573985f341457355381ddf245d7a36f190a9d

memory/4248-207-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ijhjcchb.exe

MD5 e575bd0b3f7770953b2522e5a98ecad1
SHA1 548a1f36c0335fc073d0b5b8c9c57d07cf5cdd41
SHA256 00aac99286786c99f6173596d472b85df2b1715f0b988852051615c97a856b08
SHA512 d3abacbac57f8f568885a596e5d206c209219cabb4a76aa4714504c889cfba64db569a79232dc328872891e23941fe98f62c4a2365691764eee8d8484689ea6c

memory/3916-220-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ibobdqid.exe

MD5 a3a2a5ceb55b2fa672e7fffe69ec12a6
SHA1 80bf7034bb3c96246ad2112a228015ce5f573b5b
SHA256 5658415f57e635b447936c95b197d8491ba772dc1541ee51b84054a9ff2c4053
SHA512 666f1d957fc12268b63138ad402420af98493a0e37b994710b17a6b0246063a872a5220365ae51853e1c79b163455e1f7f7a3680e5c247cac30c3733770fabd2

memory/4896-224-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Jhijqj32.exe

MD5 ccfe8573515be5307aff20e039ea24a0
SHA1 50ea43eef10697b69da75ef19f95f29966c13f2f
SHA256 ed812a09032c805ca2f16d0a636881d02faa53a742a65fdb22e427f37d83c25f
SHA512 faf55f9f50381efc6b5cc8327e66676e0dc0085c600095bad259d19497ba5f9777f3ccab28fe3960a875214aec80d724400e8dd5ec4e563eb642e7406514e235

memory/2904-231-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Jdpkflfe.exe

MD5 6cf5fdb8cf236fe730a6b998907022bd
SHA1 ef70889485fbce90fda1cf140363d1a3c42d448d
SHA256 267f32530727cef1c0d021df0f0728c2c128d7cb2313c4707992b9217c748aa4
SHA512 d18c27e987e9bd5f00e004f0c75028e30b6b7a003917a75c9902e80748d2f84052d77184d19ae5afc0e42a8be74da44212d96cf0348e8bf124ed5c3650fd3912

memory/2332-239-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Jnhpoamf.exe

MD5 f3f41162694795db8c76d09b611a20e1
SHA1 782f9d353d7aff147d94f854fadba04d24757794
SHA256 8a0dd871566e54a912f8be73f608a5214385130ab08dbffc422e8c6123ece117
SHA512 f22f383125f83edaca55e325722e3760317260d39f93d2cf36690ed447d3488671351935ef4f1983f5b12228fc66966fe5172607d9b9b09bc90dbeae83767c3a

memory/4288-247-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Jgadgf32.exe

MD5 107effe3c6486d3bcf517efc216c9f13
SHA1 48fa8739ab216a5d23ec4246f48c151dc96abf4d
SHA256 824a930999fbb26f82b6a83723f4f6f82edc72b0c7be7427827b8897612c5694
SHA512 b9909d4a795a358825b0d1a4c73494ae501cbeb65ad00793f8b5fd2215a0972890874a5d3348bc86c1bb066546a3a6f41a93848e43ef180bc8fa6fd9b554b528

memory/1248-255-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4608-262-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4580-268-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1132-274-0x0000000000400000-0x000000000043D000-memory.dmp

memory/972-280-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4268-286-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2388-292-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2492-298-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1016-304-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1452-310-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2940-316-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4568-322-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3376-328-0x0000000000400000-0x000000000043D000-memory.dmp

memory/860-334-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3168-340-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1952-346-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2568-352-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4996-358-0x0000000000400000-0x000000000043D000-memory.dmp

memory/924-364-0x0000000000400000-0x000000000043D000-memory.dmp

memory/348-370-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4712-376-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1144-382-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4904-388-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3860-394-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Lgkpdcmi.exe

MD5 52fa1ac4f4e1a9d0591a74d1391d636b
SHA1 505dbd6f0be7006e65c205a0a892c2d8a3868fac
SHA256 4478be1dbedf70af88cbb5fa5842a044736d7b7f6cc23f34b4d83aea536e609b
SHA512 d605efbe7361d1405ecaeefe75fb3a08804c42f250740a2a38d68abc206acc4c6ee32b1210b4d4cb7fcc97d6dab78853c7178168ed5b63a248fc50f4094c65a2

memory/2144-400-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1484-406-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3360-412-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4612-413-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3332-424-0x0000000000400000-0x000000000043D000-memory.dmp

memory/436-425-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4572-431-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2252-437-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1560-443-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5000-453-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3748-455-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4364-461-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4724-467-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1172-473-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3964-479-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3112-485-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Nbqmiinl.exe

MD5 eea5fe97b363e74a2c0e9db48d00929f
SHA1 701dfe6247d93824012cc3cd81feee636ed59731
SHA256 8d31d143552ed7c3d3d171554f8bfc9105a96e0f6dad4980251f08a20b80d5ac
SHA512 c9b73c273916a1e7ef58a97c98b908ab94433d6c29b6e20eb31a9581a73d640458d5f5f3eb6d5eb9f5364cb06badcfb46c66c40cf2dc1806a0e320e41de1b45c

memory/3188-491-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2880-497-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4544-503-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1472-509-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1732-515-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1336-526-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2912-527-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1588-533-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4556-539-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4028-540-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2436-546-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4016-547-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1608-558-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4876-553-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4228-560-0x0000000000400000-0x000000000043D000-memory.dmp

memory/780-565-0x0000000000400000-0x000000000043D000-memory.dmp

memory/332-567-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1148-574-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3464-573-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1832-581-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5188-582-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5148-580-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5240-593-0x0000000000400000-0x000000000043D000-memory.dmp

memory/708-588-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Pchlpfjb.exe

MD5 7a7fcb6180f586704b6b9dee3e7c8c17
SHA1 7532b3def18b9588517bc7af70eb46d27988ccf3
SHA256 be480d19386cc44723790b68dc0afd0a5f5ac9b7b7ca1e8d8bf15df805d1323e
SHA512 e4faadf93fbd92a39d2087f252fbb80749224453d7d0b8cb64c2178ae1e44a714b7a1585476243514b4fb639000c7ee2e4ffccd99c408205cdaf1e7b92e2eb33

C:\Windows\SysWOW64\Aomifecf.exe

MD5 375781ddc362cffeba06f66233176d1e
SHA1 6b98906659f0b97e8f1e869ee6e3b938ad90b177
SHA256 7690b69cdbd53b4b4769e26447f530c270ec75a7e7e204fde803c89ab79e812c
SHA512 09fd199a1aaaec67297e91ea4a6ea61b9926cf0d5571322e0430a42d643f0a4241ac5386305fb398820ec68b61b1238d5a85a558d7855589d32840f5c5679e1f

C:\Windows\SysWOW64\Ajbmdn32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Aanbhp32.exe

MD5 7c2b197bd44a7dec69f8eabc57915e9b
SHA1 5fa862edee3dc677f399e5fadfa4542124331061
SHA256 9648f86b96f5f99acdc19113801212d5eae104dd6f7b2c44c12c5766fbfc7c8d
SHA512 8b37a7835319d7ce901d75e39413e6b2ce2668ecddb1fc3aaefcef9a20126e14626d7c72ab7ea92d48cb94f3b41ba8572ae583c9af034d9a45afe6afc37b4714

C:\Windows\SysWOW64\Bljlfh32.exe

MD5 8edbc9a0249af808c130ab2e61258800
SHA1 c34669372da3d802f47a48b1c97a9330e905bc19
SHA256 1bc1f2069037b381569baf36d37b8d8ddbd33ac38e2612a1526d35a6b1ecd592
SHA512 79058c5b5e399d1e84c5664791919597d4f16c70afd8bc9365d706e560c5664173cbbfc1112305c9e996c52687826b492a72d253d6066721b23f8af0a36a1775

C:\Windows\SysWOW64\Dmoohe32.exe

MD5 8c8679d0e7fc120250cc96d6d0501b94
SHA1 e00331a2947f27767df4025d85756f3a459c50c6
SHA256 482ef9807be8ebd1349511c90afa6ece409225444fcaa15e40187b3ffcab249a
SHA512 aa05e86b1f2b408dd4f9739f9a7b81099f574cc80e1645e2128f00583b23a8315dbf98aa8bf3f8ed1d88729119c8fd33839de6d0933c440705be17e15a903899

C:\Windows\SysWOW64\Dimenegi.exe

MD5 17cd9e3bb3c57252cb2555e6420aa11b
SHA1 dd406f1d5488edbac5bd067502e28bcd328dbda3
SHA256 d04b75f66a596338bc904d01a7813459924b37f9ddfaa0ed6bf03e1cef41d908
SHA512 1a89e4e72f3642a9b72d17dab8e886248aa2e3148e10c94c22afebbaf76a01002b387add7fa545f7f6e323b43acdfcdd7318f75c066114d3c2ab702d578d98be

C:\Windows\SysWOW64\Ecgcfm32.exe

MD5 fd0a037a8aba61bb3bae434d5482c693
SHA1 4600cb72da47eb941dcf8c8a5fb780e45cb9baaa
SHA256 f74e4dd54cb47db37e71a3a8c8d207b22b55263b7897f5001a92af630ae4dab6
SHA512 31346c2916932d5da3940b11825fb827ac198154d7e19abad1790b3a16a92d46bfa5de38937066321859b7c4fd07feb0750b923fef83d0b27e5bef0550f1fbf3

C:\Windows\SysWOW64\Eifhdd32.exe

MD5 43947b5f3849df01c5e6dc52f37840dd
SHA1 84878c692fa5d98233ddf9e9e3c8e595f69fa855
SHA256 89b86b5e7f1f1345a1b3d6ce6cca549d0e46374bf2f5724045b0cec9bfa25b94
SHA512 9b9ba714aa0ead8c23b96cd8b9d4a22154109862777a109f37039fa4c408937ae71cff936033b2cac4eff9d03a76377ba62c3a4c3db499baf9b45508af529de6

C:\Windows\SysWOW64\Fbhpch32.exe

MD5 e4d7a7747452020bb99d38b6a6eb0a8c
SHA1 6cf8f54b0a79e46d85e2ff377640df584d39911e
SHA256 5023ef975d6469152be6f1dcdc947147efa575bb7e034524b9dbb732d28b13b5
SHA512 a96d64d4810bf5617e643e99af239c966c9f04f072fd880d53be6e88766de1a1381232decf9584f0c7f601e18ae0470430b143cce96ffea70ffd8f2f65baa34d

C:\Windows\SysWOW64\Gmdjapgb.exe

MD5 f850d4d522698499205a469e595f094c
SHA1 3135148991d851d5ef7e5db38ac264ba3f4c52fb
SHA256 1b6f4617a3bef1b51d486d37f3e083f1a360ba468c484e6c0453e2edbe78c638
SHA512 06cb458d295c9d0f2f977be077d8890c99a5d714f0184ff08b481c46622a4680193fc293069e1b2e29f821de911a7ffd27d68e88e35e1366c6ace49d6ab94e14

C:\Windows\SysWOW64\Gljgbllj.exe

MD5 9364a89922643d99d92e49425afe8803
SHA1 abb3ce7d9c14d3f240e33f68bb0a6ebc01730590
SHA256 3edac25ab3fb8f9bc31c93fad2cec42e61f9019a00853e4d93587d07691ade2d
SHA512 0cd138851fa0276166c40f5ea245031551bbc5f1735aa33b8165c43bf816bc758a1c1f7727a9fdc512707f3086b6ad9ab3ec0d2c89ae6ddcc0755bfdfe949eec

C:\Windows\SysWOW64\Hmlpaoaj.exe

MD5 7d6fcb64e895090da369e2fddfd34c2b
SHA1 c4ae90892ed20cf9cd27525a4afc8dea7e9cff55
SHA256 fcaf7a42f278dc4e2f6e17fd4cf69baa639c3c89f79a8b0f17559cde721c0571
SHA512 31c4710292598ff33bd16a6012c843c744290e51224bfb1a2d91809fd894e87eefd7239ffea185854669a8a20fe10de52ac400dc13557c5f8a12002e4865eec0

C:\Windows\SysWOW64\Hlhccj32.exe

MD5 c8e63afd0f3222db320f52e2b29d6a6b
SHA1 8b46dd970a58c6bc35b662f20633a4461d421e4e
SHA256 3f4632bcc313be1568e49e977a21261426cc598a6d0f59a26961296bad95d8fd
SHA512 42f13998c7b7a58680e29c87b19cd6ae0bbafca784c1dc397e7cb35d7cbe90937a032123527f723b85df730815d7bbbc69891f50b17de9f5241352f3276b1727

C:\Windows\SysWOW64\Igdnabjh.exe

MD5 1c415c3d1573d9ff361a0530052fe610
SHA1 033fe7dc3ea2bd61dac88874f971ad0a9848ee5f
SHA256 6a614da0e76db6fb8c1caf7b69df198b51757a1d946e9bd90fe847862a09a1d6
SHA512 ccd7860e3a0706bc870f5f0769f549094ce77d68f19f2abf624c6f3488cd057fff314ba9919c29daf83bf4e96167f7f41ea69e95a80600cc248d6df9b5f0286f

C:\Windows\SysWOW64\Jgnqgqan.exe

MD5 6412d7604a483c2e196016ad7abdb3d1
SHA1 67a2da8abaf8461279cc1db269a7bcbd4b14f32d
SHA256 a8db8370004e27f0c23201c4f0f412a37b524eab9d9b7b3055d975e653c869cc
SHA512 f049438bb80a8d7b9f977faa9875977668d69c617e31432f7c26a60e80852699451f88d90cb455df5a90b6edb8cb75a9cfec6809bcdc02275e8b64123b3aafc1

C:\Windows\SysWOW64\Jklinohd.exe

MD5 2e37e22a6aa834cc0a9a800d889324a3
SHA1 a05c22a587fc621504a98f9c352966af416ee570
SHA256 aea82e162583250b55c30ae2988882ebeeb2c0f6cfc250614f7c55fada99c6b7
SHA512 441a2ac9223b92246093af926758956e6e2d840d3a4ae18b3758d66f1f606ea9174e04b620f6404cf613be6a1459bcfca8eba8fe66a62738d94af8b012cfaff3

C:\Windows\SysWOW64\Kqmkae32.exe

MD5 7646ae31567cd3a7f990d4a816d8cc66
SHA1 df4e4eb89bc007d38e35c6eb107965942452fd88
SHA256 ac89eb6d35a67d26211ceb5500bbf063fa494625cc60f15bd19b72e81c7c05c7
SHA512 506db2f12270546f361f41170f5dfc080339033d23c4d61df1e99ff71eea71f51268ecd174ddb217d44971a59f6f39250b5bb8cb418ca2d457c7a12aacc2f6de

C:\Windows\SysWOW64\Lmbhgd32.exe

MD5 2661b4dbc49774e9044d5fdbf6ed6651
SHA1 cce7cfa6e57b75a8c862ade36b639f30ff8ef454
SHA256 93255c47c656e90ec9331affa20ca5d1f00d29bcbf95eef0f44b674dd9bd10ab
SHA512 6c004770bb2821f91ae8fb73e4d481021b78f3a79d74ccd7f7b5bb212cf90e1640d49de7c134e3dcb874fec0bdf3d773db23dc22c24b4a4dbab36c4bf053ba88

C:\Windows\SysWOW64\Mkmkkjko.exe

MD5 4292a9fee869517d39d968aa751d80a5
SHA1 c04e9231eef0d5b11c6f99690090bf4a60763a1a
SHA256 982441a46a0152838104f0991f215a2b15a2ae8500d63d5b7d3df70fa8664051
SHA512 c048bc62c28cbe433761c571290f4883f1041eaca6cb18afa11be1f0a8a3afc8d2e89e4157256c8c8b33f58399f3191f5c95138034bc57585d3a5af3f398962c

C:\Windows\SysWOW64\Nagpeo32.exe

MD5 9d3bddfb613db3918da6dbaeab60918f
SHA1 803aedd8ec25c8d510c9d19c4fb870ad8b7582ce
SHA256 9f23d86318abb1863ae15371dc4f6b8d358ef08e28d433b99f447a8717ba9c2f
SHA512 c4e10f8d28eae50932d2a405ac405e409d774b66fc25c99560d6523cf88918ca603cb7540203ad542d7fc4076007560f166ff57b55588df53c90cb3eac722f06

C:\Windows\SysWOW64\Omqmop32.exe

MD5 699c295abb1df91aa31e02ea5e8a68d5
SHA1 cabe8500f0d158ccdfa82ca202c49404d4a8f015
SHA256 bc4106750e7e460e8876935c492f29a2963fcb543a7f435c26b2fae7ff67f817
SHA512 f833ed8c008240d2a01daf030093df4e011ee1ff76834dbe18239fdb48a7b04e0f523dc91b9e099f7e620b587e396d8856f0c0bd2c16d9118c336dc7ae0e86ef

C:\Windows\SysWOW64\Olanmgig.exe

MD5 adb276cf1df396d33a7ecc83047ffa58
SHA1 9e7e57e7ec4686dcc0e72e65e3968573389234f1
SHA256 5d643997079c0705bda13781ae2760b757f2ae1eccc0866abe5584e28e7a4c8a
SHA512 7fdffa614fb10ba501a862ea6862cd6de787d141818d72145e96a79a6801d5aaf5ff1fd5bc9bfdb64b74d5bff426bd5cbce54ecdacd4dfaccd93030bb8739977

C:\Windows\SysWOW64\Oeokal32.exe

MD5 97ee182e713d1e26d00ac18bf5d7533d
SHA1 16ddd0504ad1e946fe731e95d944845065bb8124
SHA256 78da48e49483962f92faf81a39e322e03463d62b2af7f5b8df365271302af83a
SHA512 b84d3f565d94747ff32fbc21847906ed7d9f92e582c4c65e6ebebb81f16751ab13e01a3baead65e8b5df6f488103a2c0e1f1933b0bf918b8ed5abfc6247eecf6

C:\Windows\SysWOW64\Qmepam32.exe

MD5 53014569c3cdedf52b5aaacbda95edc2
SHA1 53371b284403bba9f8a4658f5c121a364817950c
SHA256 46d6f89ae00adb3b6c90363f0fdd49090a761d78ae89022c4f4cea583b1cd91a
SHA512 784ff91eca58144f5fee4ef3c553390d1c124d7f688a134bc312bcc629fb84a47aa2029bee9013a859cf35a746dbcc8ee796049f05e4314d2347b563087d2979

C:\Windows\SysWOW64\Ahippdbe.exe

MD5 439516d02c775e6cc524c76be757233f
SHA1 af16007ec3e09da2623d345348a49ce73cf35ae4
SHA256 371506eb5f9186ffca51e67eda97603c0c65300bf2e6fe7b6f05d717c4de60f8
SHA512 596d118df3b645df74a8ffd9dfcfd304698ee0c3a8af75672a55880bf62df9d7fe7823611f0bed55a61fe18c545ceaee23ee5e7d0d8cdb88a4411aabb7fc8479

C:\Windows\SysWOW64\Bdpaeehj.exe

MD5 98b11939f7497f65aa7aa9a6b6c265f2
SHA1 25dabeef00a668a02eb147ca743d019189bbb591
SHA256 3f79fa13936d9fb99e0edde66a0765629366d7f1401146bc550d7eea7142a1e2
SHA512 6e30fc3511afb16dbc0fd98a2f8a854b21450618ecb9c3a61126b3e2b1df253b122051f74c9dcba21810dad51edd4b22c83f4c4c4b5377580453c354cbde2d24

C:\Windows\SysWOW64\Cofnik32.exe

MD5 b35b67976f179e39d9460745f4865840
SHA1 874ab29f8bf59d172563093395d23c006dada667
SHA256 1867100c98a1119ea91358924a0184b30994dd757de20777d198ac37343e91a5
SHA512 e9e29d97edbb5b1062ee12d342a779ed946fac0260722720a681fe3d8e888d3cbcd3cb00bc98d9dbe6386449bcd6e99d331a3946fd9329506b9afa6f30caae93

C:\Windows\SysWOW64\Dfdpad32.exe

MD5 d890dcbb1bdca58bdfd6853fa86106fc
SHA1 47b70019e3dda461871b1209c717d59e94f64823
SHA256 e14ead88ae664b0e0ba514fc0b93354fb56ff3581a7bedd85c6cbd3792040970
SHA512 9703125de231f492c6e572df3f4cd1d74b73191ada0b78d87d931905b44d627a86c135d3deb85ef4d4544c29e16f4dc5262c353646517ffb7b3d5db3842bdd6e

C:\Windows\SysWOW64\Eeelnp32.exe

MD5 0664352ff817b1cd2144d3659e5ff991
SHA1 dce350af45e3dfc21183a1787fef98d4c5b725a1
SHA256 5e0cdfc672af6b1fd349f858d58c776bea4cc3b96b383c655366787724dc2dba
SHA512 19915b9479f649a380de19c8bb382d8adf4d67aec7ee62eb52d57d253a77805933f9b4aaae9fb08afb8bc6187a3289a07fed86d9a2f2aaa0594506d9e3784221

C:\Windows\SysWOW64\Enpmld32.exe

MD5 a8fea7d8aee24139c264f99a4da0345f
SHA1 6fc8dd66f16dfcab7f1fdd835f9d6a070a35b0d8
SHA256 1482fa77ded5b9e22f29617f76795e99ea8ebf69729bba3dae4cdbf3afea2d1c
SHA512 a030e25dbf232837dda20b36e392e563b03d46eca1d2b2c4437d30eb5970144a119515e8799b33694c59c9c3ca1b3fd0a899ae869657a4f9b0a02d407dd4029a

C:\Windows\SysWOW64\Glbjggof.exe

MD5 24c2d6abdf723cc960f30ad40a662471
SHA1 06ef0237d666da68df92e9a283cf0f4a1a715dd9
SHA256 85f40f9b0f6c8553871bd75549ea05c6ea581ccc2377c359ed61c72c62488648
SHA512 66aa82aa86b65529e574a7c80df2f9c05ad18dde57048df16362c1be52c3ee6621cf63a07bf7f49d313bd8e3cf3de4992d10f4f71e306dd96958b6800023acec

C:\Windows\SysWOW64\Gncchb32.exe

MD5 be2c280996f2d22878d5e2b381eb137c
SHA1 5017cc89db0733ac0c9c215c73aa91d54f2ee3ae
SHA256 a8ae37b95d77e47d9e8554e753950c6a704739e1e3d7d212e661884090735f8c
SHA512 3526ab587fa39edb1e36b5677fb8f717f1c4eb28d9269b3571d122ff74b72d3a316490b261901cd91ea7334a2b89cfa075f60a4cef1eb0eea19af5a7eb1630ac

C:\Windows\SysWOW64\Hibjli32.exe

MD5 2f2b34fd21a8b19df922801d9c72e9f2
SHA1 c4c07fd22615335dcdce7a37a707a2a1c82902fa
SHA256 5e5250e393ddfb33bec05128d472177ae7c229071ec3428f775802d642452914
SHA512 8cc551669f9edcb86b9fe4c1038633368c9701991101523287c2a3711f92d1cf409050a9b0fff38ce3fff7394ee760a9485691ca50856a1a21e51ccde7d633f2

C:\Windows\SysWOW64\Hoaojp32.exe

MD5 c00ae40a29b4948f91596828977affdf
SHA1 194407a5a489a869fa253f894da2fffa6b99c062
SHA256 6f204c55ed42bfadff1f5c0247c9dfe9694dd903eca8f32b66af0d52338e312b
SHA512 fd3ba22fe08946415ecc47975b96163f75f2755cfeb089da9b053795d1090c369f44c65781f5c453e4295bd4488e20d2c711bb119a3491d971ae3e27721a3e04

C:\Windows\SysWOW64\Hmdlmg32.exe

MD5 095a8b375b92a6a193e7c795d2f6a94d
SHA1 310e4930ac174d2b8f89cb3930a6b8d2e1f6e5e2
SHA256 d199873c661f1e8acd60d671a239c0556719f38c13e236c11eae53dcc51462eb
SHA512 26468f57b48ab7a5497a76c9c08fb2c57eabf673891acaf07b99518c101c33b90955412ab40a1ca8357d290442a14280aea85f3ee8573f50db09ff0c7e9bb89b

C:\Windows\SysWOW64\Imgicgca.exe

MD5 feaef3c54758977c8c15f1fd2c19b560
SHA1 a51248a512e07fa5955bf3dbfb7a4bbb3eb862e2
SHA256 9875fb0870ae5fc90fff04fb240b5b8919ec6b7edf407a3da8759ed773b0d2f2
SHA512 1aadb4281a791926fbc88bd68d1ecd0ec5934df8b73a842a5d96fb926dbdff8639b2d5c31fd322aff2f0e686a9111b44734cb7ee70136211f9e8965242767f2b

C:\Windows\SysWOW64\Igajal32.exe

MD5 e2abc3955ddbf4a17f0b3287dacb13ad
SHA1 f1471ff9b2bf4373cacc15976ad650b1e8cb49fe
SHA256 068dd0c731cc9d6ecc02f8ca24ac59137d7e4fdce1e050e854c605e822792116
SHA512 e0b22d78435c61a888ff4dbdc2638f1030b0469505e4e08a6ab8ea5cd2461426b15c39125c5ff41f0ae6b35f45e1a95518fb73e4aa4ed4e89267197b4fd48c5c

C:\Windows\SysWOW64\Iidphgcn.exe

MD5 59136f7ae227dd2fd8c7fb4bce495691
SHA1 f93c497ef87dafd7b47746cc13ef9f4ade8b7e98
SHA256 51961cff3aa0c5a9c15f5e2f8270492ad4840a0c03ff6130f987b88f96a3f0d2
SHA512 3d415024eeb1a13eae278a6f5049da95dbc661155fda595c6b1ead8ff15e418be5f161089f2307dc82e4fe654e0387406549fd4a98b3ab2e1cfc5503ca3c87a6

C:\Windows\SysWOW64\Jpcapp32.exe

MD5 99c7a22ae644a797b34d556e8a0b5342
SHA1 5ba547bb9a63f81e0911933319e5a65396ed0eb9
SHA256 194236820a9bcb59998a9bfb0161266375cd5b4585fe45cb2aeba75da5c11c3f
SHA512 39080c481ae92ff4bd85c77d41e429ff6812598f52d0e2976399a88b279d2767e316b826c2bd94930efa25a0bd72ec952755b6f3131f4d5a320b1ab0c4752823

C:\Windows\SysWOW64\Jcfggkac.exe

MD5 023389182d6ba0284c83ef946ca6576c
SHA1 3d49e75f9a51c3276a40b86c307ecdf16bfa33e3
SHA256 0b703564f8116c69c8e93efd2b7999b7893d23a4ca07d941f1506b99cdc678b3
SHA512 ecd2575c8cebeb8e790db46a9934b3555eac44f785d4597354c1c9673bbd7279efd527608a30cbd1585a0a14b61284644d052f3db64268a5e412b1da5f0b9534

C:\Windows\SysWOW64\Kgflcifg.exe

MD5 f5e596a5e081fb24ef93d4aa433ab435
SHA1 b9921e1837d1c46c6ef5277c81f0178a906498d1
SHA256 3d0ced33a23ffcbb7f99b3fb2da305f32ca36e67a879c76c47e279c0bbcd84b7
SHA512 bbe036c6b7dd0bf95851d1b4d2dce931dc9d2e9e13afc5b56c2987fba49279387ad41ef12bb3c4edaa8cabf6ece0a6eb5aef8807e242d02c6446290024b03926

C:\Windows\SysWOW64\Kjlopc32.exe

MD5 417618df37632901b065ee364834a417
SHA1 b9cd10ca62c52643bb02ebfdd2c5c6b1b9f9d2ee
SHA256 2fc82f6c71fdc2bf1c59e32113c704180a6d77063cf0a543585c1555e0a10ca3
SHA512 1f71457083a19c0cde228c53c0a608e3c46501c5c8fe763bac70ca5117e8097dd0929b03b8e9c5907704a2208e56b3463a009de22d83738738664b217e16fec9

C:\Windows\SysWOW64\Llodgnja.exe

MD5 ace4311950a0fa5e176fa1a6c8b40a2b
SHA1 e5091fb22084d69b23417f23d36cd5db5de488ed
SHA256 a904035b720b322c6c610c8561ef35a997bcc263aadf58ba690de901534dc062
SHA512 be332aa88683b3a5e2b1acd757d67082de4e18c45d3c478bef71ef1d3e982849e2fe5117fd7783b51e4d0fdfd65121f6171d623b53563c7253d8382042566480

C:\Windows\SysWOW64\Mqfpckhm.exe

MD5 2be99d1464c7460f0b4e7c9f48d45834
SHA1 722072aee7eb15a2159ad054dd8f77d9299c3cf9
SHA256 fda0d5fb556b73056476a79ebfdf1eebf895ffcd869c1b6e6ddc70c344f864f1
SHA512 e94ace0e3c74ae9f11ddd055e074884f1a5a4ab0d0d2e87260a0357b0dff53ae28af302227314daecc41aa37fa4100b0cbf3dfc51e07e9953d8f14839cdcf867

C:\Windows\SysWOW64\Monjjgkb.exe

MD5 a44ae68ae54f1582c71d557a6bdb01ba
SHA1 52a0d2045c729b27aba0b380c203d7d391439285
SHA256 582a87fc8daa719bcf78696f5fe267026bc58341067f08ccd1471884d3d674a6
SHA512 49c373e5d8bc0eede05c816df34a98599a2f72e92fa223ac2b39a7b50c04d19bdd1d6c648fc3d0db972431eb5bacc9f877cf409d2eaf033f7184654304a10c30

C:\Windows\SysWOW64\Ncchae32.exe

MD5 e927fe658d9a6206776af3bf8c4bd3b4
SHA1 0f537f6db5207981eba39bcb261a61ad2e133556
SHA256 6b235582c9339d00b40bdbf41d0153d9def4156893d44d1273fbc72bfdf69566
SHA512 0f243c7f1034fb5b2d300c0c5f79c0150994fcd8b36ec58cc0c7906a33f4d1eb27ea67ca4378ab94323fea406625cee4d85c10da81bc6b51106d9f1ba6ca0569

C:\Windows\SysWOW64\Onkidm32.exe

MD5 bda3d76d1e2d0c4f16d082e6d7b5efc8
SHA1 f1087d2549eacad609a736aee7b1f50a2811b670
SHA256 a3d1ff176cce9e1b65252d9193a8ec77e1c16bfb6808b7efb8451359decf58ca
SHA512 4b4db2a48d47d528c1af75cc0cf9a22ea884c1e7744a5074ff2ac7bd946b35ea9321a0e7383c74eb7189f32db8b86fab2e72e4f5a703fa29066c8ee933ce6d7a

C:\Windows\SysWOW64\Ofmdio32.exe

MD5 80b27f54d5f4b458f76e8c35522ba118
SHA1 2224f84cc4bfcc4124d2c79ad7359aae116459da
SHA256 34f06413768e68a7e8f99aa867b1b86d460d32f0c0be04c31822ae3238041ea9
SHA512 a9bb9a84e271fdab9894168016e4249fbb252aff89f20c94c0010b17946e7520add16be10cdaab97cbbe029ed1b61bb583f95c2ee529a422a2bb00822e89b165

C:\Windows\SysWOW64\Pnfiplog.exe

MD5 f69ac3bd811b4c937831fb923013de2e
SHA1 e43120ea5c1874de710b75983f40aff76e22a60c
SHA256 49d724de49acc552f522e154636b8899b1f5bac0ab8e04724d974fb86e4d4708
SHA512 e7ebc7abb9a70e0214eb814739334d7d22ca46ff821eb6b0d6080c84a4f80b575748a8d4fb161a3f02de59ccd95b178b5ec527e23c0548f6eb53106b06e6f2ee

C:\Windows\SysWOW64\Panhbfep.exe

MD5 f62a13b763a44806281204ce14b52527
SHA1 6fbb08b008a00bf3618f7a447bc168a3184acab2
SHA256 5ce35fd35c15bf6df16446121f343f2b60dd9428a6d3412f5bdfe8143bacbbca
SHA512 6d2887ee1d3ce871a31726777019a5d83371c7dc8a9971a31224234569c9c6778eb831e08513928a62e6308af35bd3e07ed88fb8e53522a648093facef5b2c6a

C:\Windows\SysWOW64\Qobhkjdi.exe

MD5 0c506dd2f24c18ca45b18342015d9f35
SHA1 162b1b336f875f1806a18e11e492bb9d272d6fea
SHA256 68afbeba4fa3e27a5267a8268514ff0821bda60ca049faf8e00373c7ec638ff7
SHA512 bd6047fe4204597d61ab7db5f17047efd0876565423690ebac75bc3de85cacf0c71f1bd8f06ce2e93272dfc7b96e7d2b75c70de744423a585300926b454cae6c

C:\Windows\SysWOW64\Adfgdpmi.exe

MD5 693a677c0df5f71407f773553570cb27
SHA1 af24b006f08221c5c2c18c1da5471cc6dae22c59
SHA256 874631f5e394960dacde5353f0fb68ffb4f7f141718b94d286ebff3b3cffe326
SHA512 4b42a552c0a685b90e432d92922236325d2e0658655745a35ba1bd60f21a060e4d6e0221bb34908af4115c7a4c132191854aa87ed0605162242ea35bbfb1f7b3

C:\Windows\SysWOW64\Akdilipp.exe

MD5 47fa3c7b9fa9d6720ecb2a8dbf00d59b
SHA1 adfcb190311fe1990ba983acdf69b7fdbfd3b8bc
SHA256 e7b206ba4cd9f9683a2a827a9de22152fed4410eb7ca92b1088d8f1e8487ec73
SHA512 d62f242f12402240e5eb3fa48a116e4166915ce206558c20d8ebab263b687e825b31873204437955b926141f054a3c52d46863daa70f5cb5393e8cca6f1a9516

C:\Windows\SysWOW64\Bdfpkm32.exe

MD5 845537135fca486950622bae71f8da58
SHA1 6f4168fea2880c135cb15e8aac291665d985af67
SHA256 c48013baaf50c6d5beba3c5ae3feee81b933ec23121c7d05e860f528434f28c6
SHA512 cb92cfbd8373c660420f268da2ba8dc07fc01fbe86c3b75f8ace458c7e0d65068183c371f1f4469433826d4763ad9286b3c506bd2febb93b7811040565b54056

C:\Windows\SysWOW64\Dhphmj32.exe

MD5 5abfad8026357494f3c4c1ce8fd3ade5
SHA1 c9b4e10372a6e47ee1a0ba3418068804377326dc
SHA256 5c803cacf4910cd2304567b84170b6a48c6cd9112ac2abee527831e5bdaf6a00
SHA512 cb638ccc9c2ec861891f66eb559664d25acd0bfa0ae870e0d260febc103506008fe7aaee3596ea6b80ea21df0fa3f33670defc0c6dcdb850b6c20bffaa09006b

C:\Windows\SysWOW64\Eqgmmk32.exe

MD5 4e82c0eaee466a02c1663a2d608adae6
SHA1 e753a4d247eecd02a8884f7b5b2c9dd19ddb5f8e
SHA256 9ab87a9f2077e86f1c4a09b65f451a5e3afaea006292ed264e9f6192ef241912
SHA512 7c7c18b7cb54f6d894a21d6fbece0226caa697ea0391f5c4d7b570155b4a9738680f89a2cdff8b56abd8caca7f97f20ca6fa89492590a52c07610134214c539d

C:\Windows\SysWOW64\Edgbii32.exe

MD5 3a280c0bdfb13c20c7ee926ad2a82042
SHA1 eaffcc46b5dbaf1ae3eec09e047429cc8c290270
SHA256 d953e6d4779a4ec0ffa9fe7ae3460514f4aef87db81adbc56e768e5b37ec2ea5
SHA512 fce0a7266318542d130fa0bf4972c319fb9304e5f141705e3269f207086d1e9f5e33dce58ec440990866961bc03aaeb3a4fec97ed2baff0f32ec7712f0f03449

C:\Windows\SysWOW64\Ekcgkb32.exe

MD5 0cc042d4e95adaaacbb400a5e5040a55
SHA1 fbec3871c6bcd9c89e911193430f54bc01326504
SHA256 a5dc4f6f219f9b54d9fc45b811690a0396113c275b755789d251ffba867ce0ca
SHA512 7cd5c0b09bc42ca69afba6ebd2a9d67c09f39e12a5e4826a9cf8c8889b4ed49424f60afcb887b666665480f0a7c6346f0b141d10e931dc05e9df591385e8a456

C:\Windows\SysWOW64\Fdnhih32.exe

MD5 81f140764da15d9177274131c14e8023
SHA1 7db08cfcddebd8a43d90df1c27ab92e2a725c6a7
SHA256 721e7b1808cb7ac5818078bf3f49c74da13ff8d36e5188ed45f2f6f6291b6abf
SHA512 c27ea709c4489d3727fc679285140fa1988ee2be2f2a17c9c08a551bda47474bd55885fa1c5d20ef27f9a1d11175494fc5fb4f032be15b7dadde980d40940d6d

C:\Windows\SysWOW64\Gnnccl32.exe

MD5 d7771c8055a0867788e38935db700bd1
SHA1 4e3099f196c7afeb4a3092664293ffca779ce4fe
SHA256 23c42d306a5155ea3049be61486600a2e3cc6d328a29b3adf18bcb55b8bc16d3
SHA512 555c665fbb29a67d09dbe5a345a286ebefb9465bd3a69f8fe88f926b0d94037ab15e64420d0c54865dd6518ec24d4254afb10df16de6dced5f6a5f6608226db6

C:\Windows\SysWOW64\Gegkpf32.exe

MD5 46c204192d3b98edf028ae81cceb9ef0
SHA1 a91bac53eb31493966e4ab2038adcf899dd2af30
SHA256 783ca6796d392a837114e3d219de232f014791cce89bdc8a1acc10f804fe83e4
SHA512 2187862ec63ce1eb9f7c727aef35417cb005858d3c9e1eb123f4ab30a44f4c1b8bd1f33b0d5ea5c2e0a8bd0e476ca8c8eb1626407dddc6b58351a1decdca5ea9

C:\Windows\SysWOW64\Jlbejloe.exe

MD5 19ed161f221c0ac55ca1298e70ac1b38
SHA1 53fa985073cb1cba2d69b82ce7e86bd9e5871f43
SHA256 0e42973ac0964d91a8d3ea63434cd8fe20d338fc232dd7a80ed30a88cbf2a631
SHA512 754e623996055fadc05acb83bee929cdf98a83743cd7db9a0f3e9d50046cd3a1666805559160b610055445429840deb0628b4aa9ddbefc9af6bddfa3ee81ef2e

C:\Windows\SysWOW64\Jldbpl32.exe

MD5 febba4109de187b2520d2bb7c573c626
SHA1 b81b49fa1b0759a8a22841c9dc535bd5a49cf714
SHA256 8972e4f93c0661b525f15a7b4e3f8e2badb2ca9b8919e593f3fcf7ffcd64e175
SHA512 f209d0ed392229f62e2b9cc7dfe4b0cf6218c2aaa8a3306f4e00d88a7eb2c872e61cd13f3ba1ee12f219cfbb4828926055b92616ab117b5b42723958a65a0ef4

C:\Windows\SysWOW64\Jadgnb32.exe

MD5 ad2b1e035cf13479284bc9a593335a3c
SHA1 4ae067d686c02187105ebb6fa22047a5e72bebbd
SHA256 802266e82f44e04bacc83f1b0c01020b06d33ba76c457d9a67eb53992e4bf010
SHA512 c162036a2d652303a50d42f91ddab9485db13cd0a662b9943a6c685e2c3666bdcdc384e93ab5fef3816792a619dc5e5b96ca2e146d85bbb48c75dba3f4e06844

C:\Windows\SysWOW64\Kiphjo32.exe

MD5 bc2ab41b421a0f11a83af85b43bf469c
SHA1 944b008b42bcb2a424a09234cee269fa58bf7633
SHA256 a36b8cddb21ca471c61d2c16b8f0ceecd91bdf758d03326c334196aeafd1a3cf
SHA512 aeeb1d6d96df0b932c2d2b8bf6913a8521451556b0ce157b3cb6ac80e40c3e8a3463fc45690e51a2911f3b04609e2d019859d2fb4232143f71fb9ca53fdec17d

C:\Windows\SysWOW64\Kheekkjl.exe

MD5 43f87b3517ee42c09352ea28d19b42a1
SHA1 a658145256c482572e595d3c444956f602b6d35e
SHA256 55af4da00d51afff2e4e724e122eb702a6c1ea325d158be284cb1c862ab8e7d3
SHA512 1e1c86fcbe053811026905e986c5850bbf0b6f4d9ab2833c2ba55292faa4610dd89c5177b1a495dca20e509309e5e99c60795a87684854c0977d6718c5d61021

C:\Windows\SysWOW64\Klekfinp.exe

MD5 aab8d552c6ad26c457cfd875efd0d61d
SHA1 c62a12fdee4976c7c3667be4f41216b861b7a3c6
SHA256 362fd8e73b2a7294791cd55e0b6bac0d054cf15ee761f031bf418a08f1417758
SHA512 5ec7f7e8b67fd248d6e5d53188d20b03a8a7ec2c6ee8d78fe2d07661c9e46c4ec40ceb0ebc74cabb77e8c639ea28a0f167ec9850b8765a97cacb92d9c172c1ac

C:\Windows\SysWOW64\Mapppn32.exe

MD5 d9be9da6109687f776190aa9af64cac6
SHA1 aab7a30576a28d22b1f7f02750e8c8cb859e4fda
SHA256 a65c6fff332220ce1b07afa70169beadf396dfe8bce349a75791c614fcf7ef67
SHA512 f131a97f67b55d343f4d227fad464e13e0ff1c0cf171816e8255948d206e49dd55b4a569fe8774be554458a81bd99ab6e4c24ddcaae48153cc2218dc7012e1c1

C:\Windows\SysWOW64\Mcaipa32.exe

MD5 0077ef4cb09e352efd98e29beb7e330c
SHA1 af586d9b64ad4427f186a821d139368b0c103bfa
SHA256 6d9888143459e80dbbbe02922a703756e40ba79d521868675373a9388c05273b
SHA512 577fd186740ec1c0cf784fea2f3dfb7fba7fa8d8db2976f82da547402c2a90c0894f4e6925e3bf2d738dd0a7a991d1e1cd651072eb8bc704934e43eb5222b6a1

C:\Windows\SysWOW64\Nbebbk32.exe

MD5 a77dd59d7b431f8fe829c958005bb156
SHA1 64e0d34931e23c9726cba45038102b4f7e2cbd49
SHA256 78231455aa130bf9d16c4613314d02b5246c5bc663cd326f088e7eb4ff140385
SHA512 772532382c733c82ecd9ed668a88c4d429570952c0af1dae15eb64773d07df32fa9f764c1c58cc7cef7a0caefc9ba133267a9dc3bd87fa6e6941f380ed59f760

C:\Windows\SysWOW64\Ocgkan32.exe

MD5 24854abcf994476611c0b6f44a0ef475
SHA1 c958bb9c194fbf709ec62c750b0ea10dbda8d903
SHA256 51a7bdc7ba6ca1ec5ab60efc45c7b8a9a33c4cb5a46ac9b5a34c97b934a6bffe
SHA512 fdf1df13e50d09dab571ab16a20eaf2096ea2fc038af2014d648a363a88fa8ed5049eb66f605d6f4ea3797071c67df33cba9abd1da93314a77cafb55d994dd39

C:\Windows\SysWOW64\Ppgomnai.exe

MD5 ac9049274d1813b99e035b62df701909
SHA1 233483449799a9c609b88c73ad157c80f53b9169
SHA256 9d5d40eb5bc4d2952df7e47a4a30e35f8c6fa49b2ff9bffa61f10852cde7e15c
SHA512 7adf9ff1ffd163e013c42cfb46c507921e7ddb300c425c72461af3c11ee50afb885a3c425c5f43665a396e45b17e8d61a45c26d600292f6db04e824745e7cc0e

C:\Windows\SysWOW64\Qapnmopa.exe

MD5 cfd848a10cbd5024763f71e756c187f0
SHA1 1e5a639b60cbb7bfefbf87950d7f2a280d0611eb
SHA256 bfd9eeb383abf2235d9bbe44f5d990b040f79e6f061e6d2ddfdc97b160e8d674
SHA512 cad4faa5b19d0db4302ebdb4cd2506ee8a5fc123b361bc583501131055f7adc7147749b2b227449361b31772ca9016f2af8206bb7f68220f1bd4e80562e7a144

C:\Windows\SysWOW64\Bipecnkd.exe

MD5 4c7fb76c3d5d1872ffdaf8ba2c582175
SHA1 666cb02dea3fec7073f7a7e5847da34331de65d3
SHA256 5ed69eb5761fe3faf05c17d703ce24159bac4b29042b8e73fc99dbc33aab8393
SHA512 206c2ad10125a9579503a056e40c7ad5ee4e60244ef16c72d098f0db22cc686478f265804fc5d70fddecdccc6b7b04064b4e4d9f8d0d6c0094c623c5caae4787

C:\Windows\SysWOW64\Cmpjoloh.exe

MD5 6f2ea29733ffe8acfda3ae23131cb989
SHA1 f46ef9849d02b2916c9c38d4f3abe7a9cf33ef0a
SHA256 3d7c39abdfd5d83176e8df2206e308f9c394442e54ca9ebb41fcf9c2f5a43b9f
SHA512 772d15267d748cf194a31085647046ff3aaf9754113a74290cf0eca0e125cd0ed5679dc3cc1fbcacbaba3005aa3cda24cd93b067b5b3eccdf649bf9d71c07bed

C:\Windows\SysWOW64\Cdmoafdb.exe

MD5 043cc10050dbff239ee371dd77472302
SHA1 1818b6e7f0aa7ead7ee7887faf6b16ddf4931e4f
SHA256 d924168b14af1884ba8af447867a9e05e67ad4959fdc3a04515f725723ee050a
SHA512 523441026036aa86e6155a99c7672ce3c914712db075b16cb129bfec029cbd9290b63611aca9b8ddb3a9031662e814c62f18106a584d47ae621021338f5ba3f2

C:\Windows\SysWOW64\Dpmcmf32.exe

MD5 a2ad05aaa5ab8ebb6b0d7c6fc38a9e04
SHA1 c4e294e1289d403ecd9bbd102e6403152397d9d2
SHA256 0a86fed4288fdadd3ac2c38e3a5c16bc57bbb899f0b00df5592fcd3e0e6b6f1f
SHA512 3a6af46638c2c9e151610c572ce8d1f712a1695a3621b432fde1752b6d51700d70e55ab82147a7b06a231f2c43f025c1baf5e379f4fee4a72009b0087a321183

C:\Windows\SysWOW64\Enemaimp.exe

MD5 e069bb126f2b1f62f1584ceb717849d2
SHA1 090c2dcfcf45f3b9447e600cebc3db4d07d5a5a5
SHA256 e4ed102a7c042cd4c80b6316d3c205af5a2010bbbecbbd0402dc052e421a356d
SHA512 9b17e777d6fbc18539b8f3a1290d9aceca3192a5ee71332bc20851eabfc893d1adae4e1514ae094351e66efaa0a71e397c828cfd9fa3af21ed5c31e48f41d786

C:\Windows\SysWOW64\Enopghee.exe

MD5 4551d020cc9525c8c04b5967e25d43c1
SHA1 13916d6f6eb6abbd4e717e37154b6865ae668635
SHA256 9b50859e76192259d7e493f4e04cbc2eb4738e2918fa4eb9532a5d827462d8e5
SHA512 ee51ef13f7a3b154623764868f9d8afff127b46e3c5ae40b116f01a5ff65c8b09bd2e027113caf665351f0bd5a045f2ced0340c8bf39851778710b0c868484b0

C:\Windows\SysWOW64\Fdmaoahm.exe

MD5 bc5721868105ceb081d09640d504bb5c
SHA1 4ddec9b7116c8618e08d1c4b2dec6448bd24977d
SHA256 7d513b59f8fc32616490d00e599b49f9855513302fee8859e306f21e9b294294
SHA512 ab271edb9cbc25d9b33879b444b763478c38dfdd0c39fe8443b25ce52f947b0e604dd0fe3e3e25f89734383aeecdfd0d85df553d15cef6d322118337168a6aab

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 16:01

Reported

2024-11-10 16:04

Platform

win7-20241010-en

Max time kernel

14s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imdjlida.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncggifep.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gocnjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iceiibef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Opcaiggo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ggncop32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijjgkmqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gmbagf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lkccob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nqbdllld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fgnfpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Foqadnpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nbmcjc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ijhkembk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lhpmhgbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hjfbaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nnknqpgi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdbgia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kbjbibli.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mffgfo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcnhcdkp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mogene32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gcgpiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hbccklmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jhndcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oiglfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fdbgia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jhlgnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ldndng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mogene32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obopobhe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpfggeai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaieai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kaieai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lcnhcdkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hbepplkh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iadphghe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbccklmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnlqemal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kdincdcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nqgngk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnknqpgi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fondonbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggncop32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Opcaiggo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbooen32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqgngk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gqkqbe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbepplkh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdincdcl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhpigk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oiglfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jhndcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mjkmfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jehbfjia.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Khnqbhdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mhpigk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ijjgkmqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gqkqbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nmpkal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laknfmgd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkccob32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Fgnfpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdbgia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fondonbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Foqadnpq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gocnjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggncop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpfggeai.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcgpiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqkqbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmbagf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfbaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbccklmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbepplkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnlqemal.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgeenb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieiegf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imdjlida.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijhkembk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijjgkmqh.exe N/A
N/A N/A C:\Windows\SysWOW64\Iadphghe.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiodliep.exe N/A
N/A N/A C:\Windows\SysWOW64\Iceiibef.exe N/A
N/A N/A C:\Windows\SysWOW64\Jehbfjia.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbooen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhlgnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jadlgjjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhndcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaieai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbjbibli.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdincdcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kocodbpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Khnqbhdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpmhgbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lednal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laknfmgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkccob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcnhcdkp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldndng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjkmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mogene32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhpigk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffgfo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqbdllld.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbaafocg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqgngk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnknqpgi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncggifep.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmpkal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbmcjc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiglfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opcaiggo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohnemidj.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgnfpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgnfpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdbgia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdbgia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fondonbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fondonbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Foqadnpq.exe N/A
N/A N/A C:\Windows\SysWOW64\Foqadnpq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gocnjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gocnjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggncop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggncop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpfggeai.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpfggeai.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcgpiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcgpiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqkqbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqkqbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmbagf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmbagf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfbaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfbaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbccklmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbccklmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbepplkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbepplkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnlqemal.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnlqemal.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgeenb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgeenb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieiegf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieiegf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imdjlida.exe N/A
N/A N/A C:\Windows\SysWOW64\Imdjlida.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijhkembk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijhkembk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijjgkmqh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijjgkmqh.exe N/A
N/A N/A C:\Windows\SysWOW64\Iadphghe.exe N/A
N/A N/A C:\Windows\SysWOW64\Iadphghe.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiodliep.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiodliep.exe N/A
N/A N/A C:\Windows\SysWOW64\Iceiibef.exe N/A
N/A N/A C:\Windows\SysWOW64\Iceiibef.exe N/A
N/A N/A C:\Windows\SysWOW64\Jehbfjia.exe N/A
N/A N/A C:\Windows\SysWOW64\Jehbfjia.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbooen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbooen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhlgnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhlgnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jadlgjjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Jadlgjjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhndcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhndcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaieai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaieai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbjbibli.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbjbibli.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdincdcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdincdcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kocodbpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kocodbpk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mffgfo32.exe C:\Windows\SysWOW64\Mhpigk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieiegf32.exe C:\Windows\SysWOW64\Hgeenb32.exe N/A
File created C:\Windows\SysWOW64\Jbooen32.exe C:\Windows\SysWOW64\Jehbfjia.exe N/A
File opened for modification C:\Windows\SysWOW64\Kaieai32.exe C:\Windows\SysWOW64\Jhndcd32.exe N/A
File created C:\Windows\SysWOW64\Lhpmhgbf.exe C:\Windows\SysWOW64\Khnqbhdi.exe N/A
File opened for modification C:\Windows\SysWOW64\Lkccob32.exe C:\Windows\SysWOW64\Laknfmgd.exe N/A
File created C:\Windows\SysWOW64\Mjkmfn32.exe C:\Windows\SysWOW64\Ldndng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjkmfn32.exe C:\Windows\SysWOW64\Ldndng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnknqpgi.exe C:\Windows\SysWOW64\Nqgngk32.exe N/A
File created C:\Windows\SysWOW64\Feiefo32.dll C:\Windows\SysWOW64\Nqgngk32.exe N/A
File created C:\Windows\SysWOW64\Hbpccf32.dll C:\Windows\SysWOW64\Hbccklmj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhlgnd32.exe C:\Windows\SysWOW64\Jbooen32.exe N/A
File created C:\Windows\SysWOW64\Gqkqbe32.exe C:\Windows\SysWOW64\Gcgpiq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mogene32.exe C:\Windows\SysWOW64\Mjkmfn32.exe N/A
File created C:\Windows\SysWOW64\Nmpkal32.exe C:\Windows\SysWOW64\Ncggifep.exe N/A
File created C:\Windows\SysWOW64\Anbnkfdj.dll C:\Windows\SysWOW64\Hgeenb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iiodliep.exe C:\Windows\SysWOW64\Iadphghe.exe N/A
File created C:\Windows\SysWOW64\Jehbfjia.exe C:\Windows\SysWOW64\Iceiibef.exe N/A
File created C:\Windows\SysWOW64\Jhlgnd32.exe C:\Windows\SysWOW64\Jbooen32.exe N/A
File created C:\Windows\SysWOW64\Eelgce32.dll C:\Windows\SysWOW64\Jbooen32.exe N/A
File created C:\Windows\SysWOW64\Icgpcjpo.dll C:\Windows\SysWOW64\Khnqbhdi.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbaafocg.exe C:\Windows\SysWOW64\Nqbdllld.exe N/A
File created C:\Windows\SysWOW64\Ieiegf32.exe C:\Windows\SysWOW64\Hgeenb32.exe N/A
File created C:\Windows\SysWOW64\Opcaiggo.exe C:\Windows\SysWOW64\Obopobhe.exe N/A
File created C:\Windows\SysWOW64\Iceiibef.exe C:\Windows\SysWOW64\Iiodliep.exe N/A
File created C:\Windows\SysWOW64\Hpmjno32.dll C:\Windows\SysWOW64\Foqadnpq.exe N/A
File created C:\Windows\SysWOW64\Fbjpjphf.dll C:\Windows\SysWOW64\Ggncop32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gqkqbe32.exe C:\Windows\SysWOW64\Gcgpiq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjfbaj32.exe C:\Windows\SysWOW64\Gmbagf32.exe N/A
File created C:\Windows\SysWOW64\Hnlqemal.exe C:\Windows\SysWOW64\Hbepplkh.exe N/A
File created C:\Windows\SysWOW64\Kmlbeoba.dll C:\Windows\SysWOW64\Ieiegf32.exe N/A
File created C:\Windows\SysWOW64\Iadphghe.exe C:\Windows\SysWOW64\Ijjgkmqh.exe N/A
File created C:\Windows\SysWOW64\Dmmjim32.dll C:\Windows\SysWOW64\Gcgpiq32.exe N/A
File created C:\Windows\SysWOW64\Gmbagf32.exe C:\Windows\SysWOW64\Gqkqbe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbjbibli.exe C:\Windows\SysWOW64\Kaieai32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lhpmhgbf.exe C:\Windows\SysWOW64\Khnqbhdi.exe N/A
File opened for modification C:\Windows\SysWOW64\Laknfmgd.exe C:\Windows\SysWOW64\Lednal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhpigk32.exe C:\Windows\SysWOW64\Mogene32.exe N/A
File created C:\Windows\SysWOW64\Nqbdllld.exe C:\Windows\SysWOW64\Mffgfo32.exe N/A
File created C:\Windows\SysWOW64\Nmjkbjpm.dll C:\Windows\SysWOW64\Nqbdllld.exe N/A
File created C:\Windows\SysWOW64\Fdbgia32.exe C:\Windows\SysWOW64\Fgnfpm32.exe N/A
File created C:\Windows\SysWOW64\Fondonbc.exe C:\Windows\SysWOW64\Fdbgia32.exe N/A
File created C:\Windows\SysWOW64\Hgeenb32.exe C:\Windows\SysWOW64\Hnlqemal.exe N/A
File created C:\Windows\SysWOW64\Iiodliep.exe C:\Windows\SysWOW64\Iadphghe.exe N/A
File created C:\Windows\SysWOW64\Kdincdcl.exe C:\Windows\SysWOW64\Kbjbibli.exe N/A
File created C:\Windows\SysWOW64\Laknfmgd.exe C:\Windows\SysWOW64\Lednal32.exe N/A
File created C:\Windows\SysWOW64\Lkffpabj.dll C:\Windows\SysWOW64\Mhpigk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Opcaiggo.exe C:\Windows\SysWOW64\Obopobhe.exe N/A
File created C:\Windows\SysWOW64\Hbccklmj.exe C:\Windows\SysWOW64\Hjfbaj32.exe N/A
File created C:\Windows\SysWOW64\Dbeghn32.dll C:\Windows\SysWOW64\Hjfbaj32.exe N/A
File created C:\Windows\SysWOW64\Ihefej32.dll C:\Windows\SysWOW64\Ijjgkmqh.exe N/A
File created C:\Windows\SysWOW64\Kocodbpk.exe C:\Windows\SysWOW64\Kdincdcl.exe N/A
File created C:\Windows\SysWOW64\Nnoaan32.dll C:\Windows\SysWOW64\Kocodbpk.exe N/A
File created C:\Windows\SysWOW64\Lednal32.exe C:\Windows\SysWOW64\Lhpmhgbf.exe N/A
File created C:\Windows\SysWOW64\Mafibkqg.dll C:\Windows\SysWOW64\Fgnfpm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpfggeai.exe C:\Windows\SysWOW64\Ggncop32.exe N/A
File created C:\Windows\SysWOW64\Ijhkembk.exe C:\Windows\SysWOW64\Imdjlida.exe N/A
File created C:\Windows\SysWOW64\Ghdehmnj.dll C:\Windows\SysWOW64\Imdjlida.exe N/A
File opened for modification C:\Windows\SysWOW64\Ijjgkmqh.exe C:\Windows\SysWOW64\Ijhkembk.exe N/A
File opened for modification C:\Windows\SysWOW64\Fondonbc.exe C:\Windows\SysWOW64\Fdbgia32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ggncop32.exe C:\Windows\SysWOW64\Gocnjn32.exe N/A
File created C:\Windows\SysWOW64\Nhkddaih.dll C:\Windows\SysWOW64\Ijhkembk.exe N/A
File opened for modification C:\Windows\SysWOW64\Khnqbhdi.exe C:\Windows\SysWOW64\Kocodbpk.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqbdllld.exe C:\Windows\SysWOW64\Mffgfo32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ohnemidj.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fgnfpm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iiodliep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Foqadnpq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kocodbpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hbccklmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mffgfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmpkal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ggncop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ijhkembk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjkmfn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnknqpgi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fondonbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gpfggeai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gcgpiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Imdjlida.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Laknfmgd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hjfbaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lednal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbmcjc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gocnjn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gqkqbe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hbepplkh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgeenb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iceiibef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldndng32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhpigk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oiglfm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ieiegf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iadphghe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbooen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kaieai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkccob32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbjbibli.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obopobhe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jehbfjia.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdincdcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khnqbhdi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opcaiggo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ijjgkmqh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcnhcdkp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mogene32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fdbgia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hnlqemal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhpmhgbf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncggifep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohnemidj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gmbagf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhlgnd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqbdllld.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqgngk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jadlgjjq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhndcd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbaafocg.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieiegf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kaieai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmoai32.dll" C:\Windows\SysWOW64\Nnknqpgi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmjno32.dll" C:\Windows\SysWOW64\Foqadnpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbeghn32.dll" C:\Windows\SysWOW64\Hjfbaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nqbdllld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkmkh32.dll" C:\Windows\SysWOW64\Gmbagf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelgce32.dll" C:\Windows\SysWOW64\Jbooen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoakai32.dll" C:\Windows\SysWOW64\Kaieai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcckc32.dll" C:\Windows\SysWOW64\Oiglfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gocnjn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ggncop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gqkqbe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hgeenb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Foqadnpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lhpmhgbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdjfie32.dll" C:\Windows\SysWOW64\Lcnhcdkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbmcjc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlodea32.dll" C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fdbgia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fondonbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Khnqbhdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lkccob32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gpfggeai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hnlqemal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkjfeka.dll" C:\Windows\SysWOW64\Iadphghe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Laknfmgd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lkccob32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mjkmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmolej32.dll" C:\Windows\SysWOW64\Jadlgjjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kocodbpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lednal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jhndcd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mhpigk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oiglfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll" C:\Windows\SysWOW64\Opcaiggo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fondonbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ijhkembk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iiodliep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Imdjlida.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clllno32.dll" C:\Windows\SysWOW64\Iiodliep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hnlqemal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjldnpp.dll" C:\Windows\SysWOW64\Iceiibef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqbdllld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gocnjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbinloge.dll" C:\Windows\SysWOW64\Gqkqbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hbccklmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbjbibli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnknqpgi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmabknal.dll" C:\Windows\SysWOW64\Fdbgia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbpccf32.dll" C:\Windows\SysWOW64\Hbccklmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jhlgnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefcdgnb.dll" C:\Windows\SysWOW64\Nbaafocg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gqkqbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojdod32.dll" C:\Windows\SysWOW64\Hnlqemal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mhpigk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddifg32.dll" C:\Windows\SysWOW64\Hbepplkh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iceiibef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icgpcjpo.dll" C:\Windows\SysWOW64\Khnqbhdi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lhpmhgbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jehbfjia.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe C:\Windows\SysWOW64\Fgnfpm32.exe
PID 2104 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe C:\Windows\SysWOW64\Fgnfpm32.exe
PID 2104 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe C:\Windows\SysWOW64\Fgnfpm32.exe
PID 2104 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe C:\Windows\SysWOW64\Fgnfpm32.exe
PID 2028 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Fgnfpm32.exe C:\Windows\SysWOW64\Fdbgia32.exe
PID 2028 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Fgnfpm32.exe C:\Windows\SysWOW64\Fdbgia32.exe
PID 2028 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Fgnfpm32.exe C:\Windows\SysWOW64\Fdbgia32.exe
PID 2028 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Fgnfpm32.exe C:\Windows\SysWOW64\Fdbgia32.exe
PID 2528 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Fdbgia32.exe C:\Windows\SysWOW64\Fondonbc.exe
PID 2528 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Fdbgia32.exe C:\Windows\SysWOW64\Fondonbc.exe
PID 2528 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Fdbgia32.exe C:\Windows\SysWOW64\Fondonbc.exe
PID 2528 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Fdbgia32.exe C:\Windows\SysWOW64\Fondonbc.exe
PID 2896 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Fondonbc.exe C:\Windows\SysWOW64\Foqadnpq.exe
PID 2896 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Fondonbc.exe C:\Windows\SysWOW64\Foqadnpq.exe
PID 2896 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Fondonbc.exe C:\Windows\SysWOW64\Foqadnpq.exe
PID 2896 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Fondonbc.exe C:\Windows\SysWOW64\Foqadnpq.exe
PID 2160 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Foqadnpq.exe C:\Windows\SysWOW64\Gocnjn32.exe
PID 2160 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Foqadnpq.exe C:\Windows\SysWOW64\Gocnjn32.exe
PID 2160 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Foqadnpq.exe C:\Windows\SysWOW64\Gocnjn32.exe
PID 2160 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Foqadnpq.exe C:\Windows\SysWOW64\Gocnjn32.exe
PID 2884 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Gocnjn32.exe C:\Windows\SysWOW64\Ggncop32.exe
PID 2884 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Gocnjn32.exe C:\Windows\SysWOW64\Ggncop32.exe
PID 2884 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Gocnjn32.exe C:\Windows\SysWOW64\Ggncop32.exe
PID 2884 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Gocnjn32.exe C:\Windows\SysWOW64\Ggncop32.exe
PID 2732 wrote to memory of 2756 N/A C:\Windows\SysWOW64\Ggncop32.exe C:\Windows\SysWOW64\Gpfggeai.exe
PID 2732 wrote to memory of 2756 N/A C:\Windows\SysWOW64\Ggncop32.exe C:\Windows\SysWOW64\Gpfggeai.exe
PID 2732 wrote to memory of 2756 N/A C:\Windows\SysWOW64\Ggncop32.exe C:\Windows\SysWOW64\Gpfggeai.exe
PID 2732 wrote to memory of 2756 N/A C:\Windows\SysWOW64\Ggncop32.exe C:\Windows\SysWOW64\Gpfggeai.exe
PID 2756 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Gpfggeai.exe C:\Windows\SysWOW64\Gcgpiq32.exe
PID 2756 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Gpfggeai.exe C:\Windows\SysWOW64\Gcgpiq32.exe
PID 2756 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Gpfggeai.exe C:\Windows\SysWOW64\Gcgpiq32.exe
PID 2756 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Gpfggeai.exe C:\Windows\SysWOW64\Gcgpiq32.exe
PID 1656 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Gcgpiq32.exe C:\Windows\SysWOW64\Gqkqbe32.exe
PID 1656 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Gcgpiq32.exe C:\Windows\SysWOW64\Gqkqbe32.exe
PID 1656 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Gcgpiq32.exe C:\Windows\SysWOW64\Gqkqbe32.exe
PID 1656 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Gcgpiq32.exe C:\Windows\SysWOW64\Gqkqbe32.exe
PID 2780 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Gqkqbe32.exe C:\Windows\SysWOW64\Gmbagf32.exe
PID 2780 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Gqkqbe32.exe C:\Windows\SysWOW64\Gmbagf32.exe
PID 2780 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Gqkqbe32.exe C:\Windows\SysWOW64\Gmbagf32.exe
PID 2780 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Gqkqbe32.exe C:\Windows\SysWOW64\Gmbagf32.exe
PID 1264 wrote to memory of 1208 N/A C:\Windows\SysWOW64\Gmbagf32.exe C:\Windows\SysWOW64\Hjfbaj32.exe
PID 1264 wrote to memory of 1208 N/A C:\Windows\SysWOW64\Gmbagf32.exe C:\Windows\SysWOW64\Hjfbaj32.exe
PID 1264 wrote to memory of 1208 N/A C:\Windows\SysWOW64\Gmbagf32.exe C:\Windows\SysWOW64\Hjfbaj32.exe
PID 1264 wrote to memory of 1208 N/A C:\Windows\SysWOW64\Gmbagf32.exe C:\Windows\SysWOW64\Hjfbaj32.exe
PID 1208 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Hjfbaj32.exe C:\Windows\SysWOW64\Hbccklmj.exe
PID 1208 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Hjfbaj32.exe C:\Windows\SysWOW64\Hbccklmj.exe
PID 1208 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Hjfbaj32.exe C:\Windows\SysWOW64\Hbccklmj.exe
PID 1208 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Hjfbaj32.exe C:\Windows\SysWOW64\Hbccklmj.exe
PID 2308 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Hbccklmj.exe C:\Windows\SysWOW64\Hbepplkh.exe
PID 2308 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Hbccklmj.exe C:\Windows\SysWOW64\Hbepplkh.exe
PID 2308 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Hbccklmj.exe C:\Windows\SysWOW64\Hbepplkh.exe
PID 2308 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Hbccklmj.exe C:\Windows\SysWOW64\Hbepplkh.exe
PID 1408 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Hbepplkh.exe C:\Windows\SysWOW64\Hnlqemal.exe
PID 1408 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Hbepplkh.exe C:\Windows\SysWOW64\Hnlqemal.exe
PID 1408 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Hbepplkh.exe C:\Windows\SysWOW64\Hnlqemal.exe
PID 1408 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Hbepplkh.exe C:\Windows\SysWOW64\Hnlqemal.exe
PID 2508 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Hnlqemal.exe C:\Windows\SysWOW64\Hgeenb32.exe
PID 2508 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Hnlqemal.exe C:\Windows\SysWOW64\Hgeenb32.exe
PID 2508 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Hnlqemal.exe C:\Windows\SysWOW64\Hgeenb32.exe
PID 2508 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Hnlqemal.exe C:\Windows\SysWOW64\Hgeenb32.exe
PID 1996 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Hgeenb32.exe C:\Windows\SysWOW64\Ieiegf32.exe
PID 1996 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Hgeenb32.exe C:\Windows\SysWOW64\Ieiegf32.exe
PID 1996 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Hgeenb32.exe C:\Windows\SysWOW64\Ieiegf32.exe
PID 1996 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Hgeenb32.exe C:\Windows\SysWOW64\Ieiegf32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe

"C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe"

C:\Windows\SysWOW64\Fgnfpm32.exe

C:\Windows\system32\Fgnfpm32.exe

C:\Windows\SysWOW64\Fdbgia32.exe

C:\Windows\system32\Fdbgia32.exe

C:\Windows\SysWOW64\Fondonbc.exe

C:\Windows\system32\Fondonbc.exe

C:\Windows\SysWOW64\Foqadnpq.exe

C:\Windows\system32\Foqadnpq.exe

C:\Windows\SysWOW64\Gocnjn32.exe

C:\Windows\system32\Gocnjn32.exe

C:\Windows\SysWOW64\Ggncop32.exe

C:\Windows\system32\Ggncop32.exe

C:\Windows\SysWOW64\Gpfggeai.exe

C:\Windows\system32\Gpfggeai.exe

C:\Windows\SysWOW64\Gcgpiq32.exe

C:\Windows\system32\Gcgpiq32.exe

C:\Windows\SysWOW64\Gqkqbe32.exe

C:\Windows\system32\Gqkqbe32.exe

C:\Windows\SysWOW64\Gmbagf32.exe

C:\Windows\system32\Gmbagf32.exe

C:\Windows\SysWOW64\Hjfbaj32.exe

C:\Windows\system32\Hjfbaj32.exe

C:\Windows\SysWOW64\Hbccklmj.exe

C:\Windows\system32\Hbccklmj.exe

C:\Windows\SysWOW64\Hbepplkh.exe

C:\Windows\system32\Hbepplkh.exe

C:\Windows\SysWOW64\Hnlqemal.exe

C:\Windows\system32\Hnlqemal.exe

C:\Windows\SysWOW64\Hgeenb32.exe

C:\Windows\system32\Hgeenb32.exe

C:\Windows\SysWOW64\Ieiegf32.exe

C:\Windows\system32\Ieiegf32.exe

C:\Windows\SysWOW64\Imdjlida.exe

C:\Windows\system32\Imdjlida.exe

C:\Windows\SysWOW64\Ijhkembk.exe

C:\Windows\system32\Ijhkembk.exe

C:\Windows\SysWOW64\Ijjgkmqh.exe

C:\Windows\system32\Ijjgkmqh.exe

C:\Windows\SysWOW64\Iadphghe.exe

C:\Windows\system32\Iadphghe.exe

C:\Windows\SysWOW64\Iiodliep.exe

C:\Windows\system32\Iiodliep.exe

C:\Windows\SysWOW64\Iceiibef.exe

C:\Windows\system32\Iceiibef.exe

C:\Windows\SysWOW64\Jehbfjia.exe

C:\Windows\system32\Jehbfjia.exe

C:\Windows\SysWOW64\Jbooen32.exe

C:\Windows\system32\Jbooen32.exe

C:\Windows\SysWOW64\Jhlgnd32.exe

C:\Windows\system32\Jhlgnd32.exe

C:\Windows\SysWOW64\Jadlgjjq.exe

C:\Windows\system32\Jadlgjjq.exe

C:\Windows\SysWOW64\Jhndcd32.exe

C:\Windows\system32\Jhndcd32.exe

C:\Windows\SysWOW64\Kaieai32.exe

C:\Windows\system32\Kaieai32.exe

C:\Windows\SysWOW64\Kbjbibli.exe

C:\Windows\system32\Kbjbibli.exe

C:\Windows\SysWOW64\Kdincdcl.exe

C:\Windows\system32\Kdincdcl.exe

C:\Windows\SysWOW64\Kocodbpk.exe

C:\Windows\system32\Kocodbpk.exe

C:\Windows\SysWOW64\Khnqbhdi.exe

C:\Windows\system32\Khnqbhdi.exe

C:\Windows\SysWOW64\Lhpmhgbf.exe

C:\Windows\system32\Lhpmhgbf.exe

C:\Windows\SysWOW64\Lednal32.exe

C:\Windows\system32\Lednal32.exe

C:\Windows\SysWOW64\Laknfmgd.exe

C:\Windows\system32\Laknfmgd.exe

C:\Windows\SysWOW64\Lkccob32.exe

C:\Windows\system32\Lkccob32.exe

C:\Windows\SysWOW64\Lcnhcdkp.exe

C:\Windows\system32\Lcnhcdkp.exe

C:\Windows\SysWOW64\Ldndng32.exe

C:\Windows\system32\Ldndng32.exe

C:\Windows\SysWOW64\Mjkmfn32.exe

C:\Windows\system32\Mjkmfn32.exe

C:\Windows\SysWOW64\Mogene32.exe

C:\Windows\system32\Mogene32.exe

C:\Windows\SysWOW64\Mhpigk32.exe

C:\Windows\system32\Mhpigk32.exe

C:\Windows\SysWOW64\Mffgfo32.exe

C:\Windows\system32\Mffgfo32.exe

C:\Windows\SysWOW64\Nqbdllld.exe

C:\Windows\system32\Nqbdllld.exe

C:\Windows\SysWOW64\Nbaafocg.exe

C:\Windows\system32\Nbaafocg.exe

C:\Windows\SysWOW64\Nqgngk32.exe

C:\Windows\system32\Nqgngk32.exe

C:\Windows\SysWOW64\Nnknqpgi.exe

C:\Windows\system32\Nnknqpgi.exe

C:\Windows\SysWOW64\Ncggifep.exe

C:\Windows\system32\Ncggifep.exe

C:\Windows\SysWOW64\Nmpkal32.exe

C:\Windows\system32\Nmpkal32.exe

C:\Windows\SysWOW64\Nbmcjc32.exe

C:\Windows\system32\Nbmcjc32.exe

C:\Windows\SysWOW64\Oiglfm32.exe

C:\Windows\system32\Oiglfm32.exe

C:\Windows\SysWOW64\Obopobhe.exe

C:\Windows\system32\Obopobhe.exe

C:\Windows\SysWOW64\Opcaiggo.exe

C:\Windows\system32\Opcaiggo.exe

C:\Windows\SysWOW64\Ohnemidj.exe

C:\Windows\system32\Ohnemidj.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 140

Network

N/A

Files

memory/2104-0-0x0000000000400000-0x000000000043D000-memory.dmp

\Windows\SysWOW64\Fgnfpm32.exe

MD5 b9ac5c2743cc6dd51cefe2a391082d80
SHA1 8f59b9341620b39900cf2385bfb59b47e0e6c4b0
SHA256 f1774731e60554b59fb39b72a83546dc0b1ede23d9f734f58eec05e79bbf9479
SHA512 64a0f8d6b56b6e8d988022c62115ea6a8ea7709fb6b2b173a839976bbb3d375ee14b68aac7feff1ef6577ce7d21ceba4f347da03dbf08d08dba197e3baef67fb

memory/2104-17-0x0000000000220000-0x000000000025D000-memory.dmp

memory/2028-19-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2104-18-0x0000000000220000-0x000000000025D000-memory.dmp

\Windows\SysWOW64\Fdbgia32.exe

MD5 3430c4f45ef26ab1b6d9d55aaff871b4
SHA1 97c2f8d0abcd4e567724358bf4025c6868d7f47c
SHA256 4255fdcd369feda1c9de4bab6da1872862ef4b0afa35e4a112ea7f94f014cdda
SHA512 96f0ca27dcd147fe6a08a7ca10a8cc90fe8eb7a6e0544decaac7fb53871d8c180259b5ce2d7d5d90595614595d8c40cf0cd7a02ae040cea1b350643e65481447

memory/2028-22-0x00000000002B0000-0x00000000002ED000-memory.dmp

\Windows\SysWOW64\Fondonbc.exe

MD5 0861e301b0e7b1988d99729ee92a76b7
SHA1 9ae871fe68e85b6bc26aa99386940fa103153f68
SHA256 6f11151477dd78b57705615d42e9d2c75093971d566fc7d9543cb8c8b82071da
SHA512 52ee0ab0b3d1073e59b28f50bdf334aad135794cff333976e5c224ac42e5d79de0cd77a19922738b80397735d592261a2b3bc007fe039cd7e20d69f9fdbac25d

memory/2528-35-0x0000000000220000-0x000000000025D000-memory.dmp

memory/2896-41-0x0000000000400000-0x000000000043D000-memory.dmp

\Windows\SysWOW64\Foqadnpq.exe

MD5 3cc0a369283545da8c94118be998234f
SHA1 d943574d2bf3088d59e3b20647a545ceac075de0
SHA256 c0515236e8b8b6a3e21531387b8485d64a075318f884be495b6cbec61fcaba08
SHA512 57ac5891faec40ddaf165a579c988e27ecc922f745638e6f7857c2841e71ff37c3d2f5c5b4d2f9a865f753bdd324e5071935d57005487b7d9c7fa9335f1c2ae9

memory/2896-50-0x0000000000230000-0x000000000026D000-memory.dmp

C:\Windows\SysWOW64\Hpmjno32.dll

MD5 68b0c6b950dd28a393e3f41e7dbfee8a
SHA1 9e7219bd1015cb17e2ada383078dccfb04570c68
SHA256 af3f0375c1086a723954accaaa029e1370ad6f7045bcc3d7c28010890273e7ef
SHA512 d48b370402308cd05c9d41900e79376e42bcad02fb9f2e5f5a705602592de8ece6b3568d3b8369a406261dc32c413bf66abb381c26bd8de4c7072439f044437f

\Windows\SysWOW64\Gocnjn32.exe

MD5 8b0dfb7b949a9ba74a9e1cd49e91e07b
SHA1 d74a78edf9b5367f54b4ec7ba0dc111d53bc0195
SHA256 4c6916c5ac422f1be0bfaad0ac5512bc7b80716be5d02d1ed03f0584f4221e50
SHA512 5177f90456dc5bc72dcb85c89bf5ba31d46f7572e18c8d1af01790edd3d3b9aec8b3a5e82a9dc50a4bce1cc95640b2ae940dc22982246262969005fc50c3353b

memory/2160-62-0x00000000002B0000-0x00000000002ED000-memory.dmp

\Windows\SysWOW64\Ggncop32.exe

MD5 2daa83fa8c59066831dfebc7c37f2483
SHA1 cb97fc989371dedc4545a59f1fe88ab554598f7d
SHA256 78024a7d2869beb92881effe33aa6fd23652e14dd022432c21bd6fd22c261f5e
SHA512 186aeaf0bb8820d401b9341e2a07ec93b3e21cebc0f1be6848f68274c54b07bc4a43497f9390de887a43b4f11a5fa9152b22b552c8f93386db209f55a285f7c8

memory/2884-75-0x0000000000220000-0x000000000025D000-memory.dmp

\Windows\SysWOW64\Gpfggeai.exe

MD5 498bd2dc1532f9cb41e4b6813e9c0d46
SHA1 ccf3e2d886f9375eff3ba3d106de3f2895907cbf
SHA256 70e74b860874148bc2fe437b22113a3ef63d6e20286e5c70f2bf509ebc9568a9
SHA512 e556d2801b47dbf3c1884a3678e744195b78d4e1df29e5a3fcc24c36e281bdf9d44636c7827b2c9f3d6b160beee4bf6aa2faa7375159586ede07522f3f6c9111

memory/2732-88-0x0000000000330000-0x000000000036D000-memory.dmp

memory/2756-94-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2756-102-0x00000000003C0000-0x00000000003FD000-memory.dmp

\Windows\SysWOW64\Gcgpiq32.exe

MD5 a0f58f6ea546300f6b570256702470fb
SHA1 4d30a7e291ae3eca158fb9dd2df444f48fa895a7
SHA256 7154fb147995f508b20648ae5dc60f24ed681bd0be9654d041e3c3bda0692c89
SHA512 105e64722efeff23e38b3fac76ccc04457705b3f2c9a63d3944d23ee71cdd1624408032945d4a3d6c660232eaa208150de6bd4732be0fe621c00a45f97ecb7eb

\Windows\SysWOW64\Gqkqbe32.exe

MD5 db0780fd37388acc4707573af4e43728
SHA1 00a25fa2510ed44cb7cc8cc330a72766a69c370e
SHA256 ce4c01bca87900bb3ebe088195fddb58f9791ee51bff38013b6ee99cf2b7af4d
SHA512 51fd8ae2cd7a3528fae4fe1a23b846ed46f8e9c34445eaf3470836fa9f1bc445d25bc087e00ce3461c5a59a2b0a5d6632248da09da926a4ef71ab6cc93dae786

memory/1656-115-0x0000000000220000-0x000000000025D000-memory.dmp

\Windows\SysWOW64\Gmbagf32.exe

MD5 29cbbf6d73f97b983d2fa22dd63845fe
SHA1 45cd26e750690fb85f56ee7a4c79eeef09c642fe
SHA256 03e7a43b13f22ceaf0802b81a2d990386c8c648a3bba9c8effef85ad04750cc2
SHA512 290f280c9f0c9e7dc320767f61afe674958af6820d32a4846d8036164eac5df89de677aad444cf4cd48dfad94d06ef3b63a875673fdb2d978679919213b4ee7a

memory/2780-132-0x0000000000220000-0x000000000025D000-memory.dmp

\Windows\SysWOW64\Hjfbaj32.exe

MD5 2efb535fe78302fd5e3ef1bd6b28042d
SHA1 db7d0ac1eda991ac95cc9e5f1254a49bd06c0f14
SHA256 299f88d0cb52310ad4aa7cf8f2b4849c003c35408f1c00d9caeb0dab8a388593
SHA512 2eac77a90383d972fd0b8fb71c02ac3ba6d7829bc2579154fe93252d2d81c3b2d36b4f90975ca5cca3db122d883f957c60baa243ce243cc6d6f7def876734d95

memory/1208-147-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1264-146-0x0000000000440000-0x000000000047D000-memory.dmp

\Windows\SysWOW64\Hbccklmj.exe

MD5 4e92172014e1b761b230fc882e414bcb
SHA1 b7e8b0c641dc6bc30122f532ca2c0f459b865360
SHA256 f036865b86174d96a04cd6518502050a48a9cdada76d4fa6fbb641bd191637f0
SHA512 2afefa3f5833219b9314ecfb8c0455ce01e52c2fa073a18076a4291b26390cf2955c121619910a7ca2b2f354db0497b878b5990400173f9fe27526fbeebe272d

memory/1208-155-0x0000000000220000-0x000000000025D000-memory.dmp

memory/2308-161-0x0000000000400000-0x000000000043D000-memory.dmp

\Windows\SysWOW64\Hbepplkh.exe

MD5 8470001cae1a111a309e893e4e075700
SHA1 c1d220b4850224429f1238ec44aba2a12c6a84bc
SHA256 e6419525dcf1602d746d98df0576790dca87286615026fbc3b301cafdaefb2bc
SHA512 a5c50991780317a647093fc928d90429c5d420a619f11229e60a24befb03169fbf6f0cc543ff075882f5e6dc2d79cb33aa9130f7096fc47567beda9dc1c75dde

memory/1408-174-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1408-182-0x0000000000220000-0x000000000025D000-memory.dmp

\Windows\SysWOW64\Hnlqemal.exe

MD5 ac91fc4ca4bc655bce0d173f8a7c8c8d
SHA1 aab99993132dad702d534fde62144571184b87bd
SHA256 e3d1da03c1d5bfbe6626f399a4af6090a902878d16994a5cb14299740324909f
SHA512 62f72d5fd48546bb1ea56853fddfea2b654c6ec7cdeeb0e101f2a3c10b583848c831f9cd7fee95a529ed64e575dd877bf2bfabb54c53c1575553f70078089094

\Windows\SysWOW64\Hgeenb32.exe

MD5 55e6ff9628fdc15a5d0c1b815bcc2fdf
SHA1 fb8d3242db311619fa02c7dd4404209be9be20cb
SHA256 8273aa3fe9fb688788201a7680ffa2eb0dafa1f6cf1e9417754fc9bf65d75c3a
SHA512 749072777eda00f86beabd0a7ae72e436fee10b5f8b7d5bfdc0217787aaf5e3ae7a0314e7f24c5cd250a7237e36bc14f9fb87e5e0067615979fae5a6c8b12718

memory/2508-195-0x0000000000440000-0x000000000047D000-memory.dmp

memory/1996-208-0x0000000000220000-0x000000000025D000-memory.dmp

\Windows\SysWOW64\Ieiegf32.exe

MD5 5c3cd6b795bbf7e4be26b6a3e3eb7b39
SHA1 5c18694a658029ea39a706f2f7115434af34cdb4
SHA256 e74e14ee4b4bb0e242a4215800a1dea4cd7eb9aa230b0dd329690cc378eb7960
SHA512 eeabc3b0f67f6eeb606e28f805f1c4a209cf41f3f068397c61cf61794c95f11c29fb1f061f2422277544ac82123b8d09038614bf9f67ae72b163500c95944324

memory/2788-220-0x0000000000230000-0x000000000026D000-memory.dmp

C:\Windows\SysWOW64\Imdjlida.exe

MD5 a9206d8e26ddceea4c1ae3619d814480
SHA1 df38d387628afee5b089879423fb9cf84cde79b7
SHA256 94febcdf9513e9912a76ef820d7ee1ada39b1549e42293ce95f4aed56b9e7b5d
SHA512 ccad261ee394e8cc767e0568efbbbfced62a74c59950c83ae3b90523b6b09e5d5d2b93662cedd422d6c15b0ebdcca51c159ee7f3fcb11f2ad5ed04ff5e2fb371

memory/1128-224-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2272-234-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1128-233-0x00000000002A0000-0x00000000002DD000-memory.dmp

C:\Windows\SysWOW64\Ijhkembk.exe

MD5 faeed9f741291a17d317960e3c3a1920
SHA1 0963d675f4da25700b712895849e0a3f9264b2fd
SHA256 4bd537740ec892ec4c6e75ad5283647e1a711f451267ee0ed4d72244e1e5f897
SHA512 9f44d9150425b6aeeee0d1ad0a5679d0bc9e4a212c85e08271fe20c0af5107e2e957cd38d2a4b20039e9448020981f94d76b7c50497abcff70769d62fbafa2b5

C:\Windows\SysWOW64\Ijjgkmqh.exe

MD5 4350a928e814425f6e0332cd2565fbfb
SHA1 275b55acfc34d81607b31f0ca0967ba2a6326dfe
SHA256 2ab63252115829a49f78f8a6df0cd59c16599fdd03b40045c076624e0408fa96
SHA512 ff85a2b00a0b92f28978ff7c6619716afdc6ea93465c29373b3e899a8b35618506dad8b63183d3cf021993a5e8b4b44045a71e1cc3c8c3308a3c944cb7cb76e9

memory/1888-243-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1888-249-0x0000000000220000-0x000000000025D000-memory.dmp

C:\Windows\SysWOW64\Iadphghe.exe

MD5 e3cfe4ec85480f4a4cfb19dfe10cea5c
SHA1 f725ea8ba0baebfcdf932fdb38984881afda2379
SHA256 bf375da5fc524f468c24637b454f616b5480c96b55f738d235c807137ecea7b1
SHA512 7a6931dce7fde39c560b2f2f7e8f8c01668351a7a4a76f74e49d6f37f3844290a54f231adf426ad65a5ed042b77319cf783cb17b02b492db0c8d67e0387eeb6e

memory/1888-253-0x0000000000220000-0x000000000025D000-memory.dmp

C:\Windows\SysWOW64\Iiodliep.exe

MD5 afe25bca73fdea795bd9fe510139d39c
SHA1 5a4d4f1a43f0f2d483bac612612cddd35ef67463
SHA256 aab45070954aecb5f293c78ecc815be1ec44a434db7d907ca4ce6eeb3959280c
SHA512 d25232352df2d0754445d8364af41faa6999327e757643acfdaf1eae5a23d7d91cfec5de6326028bfcc893e340ec6a99aa2ddbb66a2127ec4b3eb9ba65c964d9

memory/1416-264-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1900-263-0x0000000000320000-0x000000000035D000-memory.dmp

memory/1900-262-0x0000000000320000-0x000000000035D000-memory.dmp

memory/1416-270-0x0000000000440000-0x000000000047D000-memory.dmp

C:\Windows\SysWOW64\Iceiibef.exe

MD5 715b46bbb5b0dec450b2c8d77554dbfa
SHA1 9b9406f749bb79038c5be31e42a14339508f27bd
SHA256 09bf57c00b6e15561625534cbdf8b16d2020c1848b665ad0a67af5f3917128d9
SHA512 6ecd8249723062351eb05eec6ad1425b8eccb1840b717d1825741d36d201db59925bd468425a3644097a9b0b58e0c244d267f4385d80e364f82b5dc892b251e0

memory/2220-275-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1416-274-0x0000000000440000-0x000000000047D000-memory.dmp

memory/2220-281-0x00000000001B0000-0x00000000001ED000-memory.dmp

C:\Windows\SysWOW64\Jehbfjia.exe

MD5 9e2df01ddfc03e62368804ceeb4fbf64
SHA1 c48028ff38f693f7e6e53c2f2363317cee328c00
SHA256 20d17bd8b7b7e4e06e232e52583733646287c347f603db82e7480480780efe66
SHA512 cc833e706b1b598916732de3399f6f2c6bc6801582da01d7b7e0bdd69d853bc8699605e71c4437c2da706fa2b27c1e98a60f3ebf0720803d46ce0de81aef9241

memory/2220-285-0x00000000001B0000-0x00000000001ED000-memory.dmp

memory/1512-286-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2572-297-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1512-296-0x0000000000260000-0x000000000029D000-memory.dmp

memory/1512-295-0x0000000000260000-0x000000000029D000-memory.dmp

C:\Windows\SysWOW64\Jbooen32.exe

MD5 3cd242fa4448b2528b1a79187a999e41
SHA1 f9f5f71a7f2fea19bf84dede425badd2aa21f299
SHA256 33f07863237c23f013d25232a2f97f2a6dd20c853cb1a4e28419944b85996fa1
SHA512 4ed64c320f74b08fd2438f272de9eff72897019d53dea427cf3cc61ec42d6f2105aebd6a3c31e00b21992d1b5687e96cb90fa38bbbbb3915a20c42d1da551777

C:\Windows\SysWOW64\Jhlgnd32.exe

MD5 1cff1d0ef1eb9144e010fe3f109667d3
SHA1 cb69d32bef406407ccbe8725b6ce381b3668106e
SHA256 aa2ff21343f1454fc22f9920b11e33c532dafaff951cd68e94c9739145bcc493
SHA512 95be7dd649b3ef47087f888f2260c98279d2f04f2dac50daf487a0a0ed2bae9eac05c88bf245b3a61c0606225b880bfc443cbcf25b7ecc684c9a14fb4608a384

memory/2572-306-0x0000000000250000-0x000000000028D000-memory.dmp

memory/2572-312-0x0000000000250000-0x000000000028D000-memory.dmp

memory/2352-318-0x0000000000220000-0x000000000025D000-memory.dmp

memory/2352-317-0x0000000000220000-0x000000000025D000-memory.dmp

C:\Windows\SysWOW64\Jadlgjjq.exe

MD5 10d652905054bfec8f334a0d78af36c3
SHA1 bde28a08ceb0971132a622a00ea05dc2ae1551e9
SHA256 fa09877dc5c395d8b40f8c8ea8c174fe87519472dce5b45ffb3c8692941c7c68
SHA512 3c7442d2ddfba45c7b73fb62e093bced47a25188b3290af4935038b91bd49d9c881323507d91544cb045aae7ab8d5e0c13329b29915c3e1c2c441a5ba952559f

memory/2532-325-0x0000000000220000-0x000000000025D000-memory.dmp

memory/2532-324-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2352-310-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Jhndcd32.exe

MD5 3b0999c86e6ab42381e7f118fae53703
SHA1 6fa281cd54e7d7a8426821cd85bee1d99d616a8f
SHA256 0be4a999ccb17f97de632c506d5af9ef2f5b31a89ff18cb13e1b2896c75aaa96
SHA512 188356fdaa47632134af84813b7f0e33133e15656b4e671514639665c959374ee91e3c84fc2ec0e38a6da26c4e6566f73c18e0bbb8806bffd5721e6be1b416e2

memory/2532-329-0x0000000000220000-0x000000000025D000-memory.dmp

memory/2776-330-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2188-341-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2776-340-0x00000000003A0000-0x00000000003DD000-memory.dmp

memory/2776-339-0x00000000003A0000-0x00000000003DD000-memory.dmp

C:\Windows\SysWOW64\Kaieai32.exe

MD5 4d6055df2ff2b3fa73bd91e3cd029830
SHA1 0cf32a1be950cb1c866dbef85f33b637d86cd8ea
SHA256 e35a9b63c603e07c5c9bba5a00d12b4a45cc694a7808e15edaf47381278bf916
SHA512 3557731cf3ced724eab75d5271a63ac41d2beadd4b11ec89555279683b1d505b928c77247af28c682f76d65d37af7281b0a6bb094a3a53ba15060c0993649ba8

memory/2104-346-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2104-352-0x0000000000220000-0x000000000025D000-memory.dmp

memory/2908-353-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2188-351-0x00000000003A0000-0x00000000003DD000-memory.dmp

C:\Windows\SysWOW64\Kbjbibli.exe

MD5 262b926104f63e54d159b7af8cb37cbb
SHA1 2b3879249aa980eaee321cc49dc9bbb4b6ffc9fb
SHA256 e03e80bfc9e1024bbcceb2b50108d2f9607d0f4e753a096838b269c9c7be6f55
SHA512 6c246a81ff7a17d1f1639e87c008b260a9c7c69b86cabb3fd2d4c251e37539cf14802c6e70cfd4fecb1cae779ef8ffe8359a45bc6be1e19431fecd9a353be052

memory/2528-362-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Kdincdcl.exe

MD5 f34fbef310c490d84d3f62d5bec81dbc
SHA1 789de3c0c765b29f04e0ac0cfaab15274d9dfa99
SHA256 c9ec5231bbd6762992248308f067962508d31b6f57237a6370d58cf4bed9ce4d
SHA512 0bf902d7f6d2fbfd5325ee8f3c89b3baec45f65523263d19eb66d5cfaa45a92745aaec155d6e5c1c6c5878e2c86ad4020947c29c89f05843208ae7be7dd018db

memory/2808-363-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2808-369-0x0000000000220000-0x000000000025D000-memory.dmp

C:\Windows\SysWOW64\Kocodbpk.exe

MD5 d6831b7afa0ea36d1d4c6f420d83a5a3
SHA1 4cad67177483b0dc033e60e7517790bfc5884e1f
SHA256 446ab4216b1f455ea793fc6a7bbd27e9828e4c05ab284ed575ccf4378a504e5a
SHA512 8a724a5b1d6736e4c2c176c989aff51c64507cc8c441fce9d66eeead9c35e854d5cce9b149edf54c7389de09592ea64c3a7dca09a27249f4f28fa00a503e5bff

memory/2528-373-0x0000000000220000-0x000000000025D000-memory.dmp

memory/2860-374-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2896-380-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2860-381-0x0000000000440000-0x000000000047D000-memory.dmp

C:\Windows\SysWOW64\Khnqbhdi.exe

MD5 9ff5526c4ea657c99618c6dcb44c1227
SHA1 07c232e0f3e8cbd00c973ead59142f9e76ae4c41
SHA256 d0ffa5835d07b7616ce949b93039607677821db534b01ff31207f6f301c8ef8e
SHA512 3d28c7fe288bfe2cbf935581e3485df2d5634961797f2cd52bce2bc658c7fd13b179dfbc7298133f63f5670c6e1c80fe42bfdee81f9818e940b97d28547f98ee

memory/2864-386-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2860-385-0x0000000000440000-0x000000000047D000-memory.dmp

memory/2864-393-0x0000000000220000-0x000000000025D000-memory.dmp

C:\Windows\SysWOW64\Lhpmhgbf.exe

MD5 d5773c8162f290168f1169f81e3fd313
SHA1 695fbfd4d7b6c7a2480cecd824519d22ad2f3a49
SHA256 16b3e7f87b121cfc5a46631ecebfbcf919c92beff89c6cfd05e2ebb4016d2399
SHA512 e57761abfce18229e5b240231c6103acc309f89a2ed3196bb56e160ca75f59266bd15cda48cba12b3597c5e0ce37d6a4542150626de037d277a21c1c76448e53

memory/1636-401-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2160-392-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2884-403-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1620-411-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Lednal32.exe

MD5 6603e136113a09090aec96510872ae09
SHA1 bc55019c76aa9741db37a4429f0263e815eade77
SHA256 62222f0bf79502f793e32e5882a22686bab31ff91168994359420baf5861f28b
SHA512 1db4daee0b0d4db2ac2d94b2b44f4c219c55ab9aa321729772727f0d6b9030387af42d5b6dc6ad40d627e716e6430b7ec407edbcc9358ce0b171d613e54b6c0a

C:\Windows\SysWOW64\Laknfmgd.exe

MD5 24ddaa4b679cf9e0ceb8a9711745ff3b
SHA1 db333c4c15764b8aea76e8c8d198b97366fcd1e6
SHA256 af60e0d58cec479240de3c3a99d170fa039f618123ac6f23616c7bd056115beb
SHA512 c2abae72a42c2a3658d041303083cd0a748ad58e178e425e75321b65aad19231df7ab1502dc4bbe4e7e128df00351cf8bf3710ac841fa43bcd0f9d5b419f51f3

memory/2732-413-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2756-422-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2032-417-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2032-424-0x0000000000280000-0x00000000002BD000-memory.dmp

memory/1656-428-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Lkccob32.exe

MD5 e3b8d2c212c4767575fc4be1dc7c7380
SHA1 75c34879c28a5283eaef4ebda38feb021023a17d
SHA256 fc27f81ccdd7ed1e2ba961bb0a4ed60278d9f7d9925397fea923f3afe38cc0a6
SHA512 26bdc1c5b137487b3a4fd3d5241cc25b7c43c866550bb2bf26a7278ee1511908422bcfa4c59dd03658955f7154b0a0997d0bca7fef7dd4cafc1fca9b4c32962b

C:\Windows\SysWOW64\Lcnhcdkp.exe

MD5 db43e848f03d7e88e140bf99b71f1d74
SHA1 f1787d3caab11af01f4b4dcfe364afadd16d401f
SHA256 e2d4334da765da8165ef32086ba9e10c049f06116a25d80f5cc6add5ee057545
SHA512 6c4858e861f590c95ee2599bff81d7575ede36d90e2bfa337e152fd0b145f265d2aacf62e2b8b4922b4e31519699035e8096ecc45dc3bfb98bce4f48c95da736

memory/872-434-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Ldndng32.exe

MD5 b2e97f98feb5d042d600bb16cabe3c25
SHA1 72e9cc318e9edbf979633219faa3d9b5c59b4741
SHA256 d7984598e9c7d45009050a2681d0969cee931aa1167134d066da34787ccb206d
SHA512 3b6a7d4458aa0cdd11669c1901171eab6abb2c14463199c189d331cdf2e77b7bd56345cb0d8ef553dfcdd1be4462622adfb815a8081935b9c4dbb902565a256e

memory/2992-442-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2992-447-0x0000000000220000-0x000000000025D000-memory.dmp

memory/1020-452-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Mjkmfn32.exe

MD5 5d18252216557e95f7fba00d5a003ed1
SHA1 d3756e9530ea7260d55ad23d125fb5ada6e30d8e
SHA256 f57b2039447df446591133b5c2e33515c1c7c346b52d2ddcf80635c3563bfe05
SHA512 8672d0997d74e5b32cf3a320abb475e1142a4b48ca4b3271324adc082dc10bdc84759f9d11996704021f6d5cc005df97ca8b3f88963415297e3eb84ec703780c

memory/2780-454-0x0000000000400000-0x000000000043D000-memory.dmp

memory/652-462-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1264-464-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1264-472-0x0000000000440000-0x000000000047D000-memory.dmp

memory/1208-473-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1264-471-0x0000000000440000-0x000000000047D000-memory.dmp

memory/320-470-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Mhpigk32.exe

MD5 d680c2fcca935fac8a788289631b2d41
SHA1 899d5f55cca99e20980e9b749ebe35847ed4756a
SHA256 e9a2972020b790ac264ebf47eb8a356fd5a30a19605c12fa8cd38ce41c567db9
SHA512 e297fdf28b51f58f2241d7fcf20ee39b2cefff3e6bb0499aa0f629bce3bb6216613cd2cdd2d922d8206b93dac6f3858d6fa7b302fd004eaf15b2b1c2f941bfa9

memory/652-469-0x00000000002C0000-0x00000000002FD000-memory.dmp

C:\Windows\SysWOW64\Mogene32.exe

MD5 d8b350c7963c2b2a51a64027e4a51cd0
SHA1 f62b759e46d3b4339423b92b3b036797c8fa581f
SHA256 960f72e73186d1a9eaaa17076660ac5c5e0cca487a17a6052a9b77b1b28c187c
SHA512 23b75bd3024a349f6e70fd6ec634d1fe4615c297f45a4181f0452a2101dac5fc5d7f5f7e5ea6849bc3d8a175565eb2d0fb9f16c49dddece2c2c3041ddeb1131b

memory/652-468-0x00000000002C0000-0x00000000002FD000-memory.dmp

memory/2540-482-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2308-491-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Mffgfo32.exe

MD5 d804c18021e34208d33c521364668d34
SHA1 3bdd32629c57ad47e5fb8a98cf14d34b8d8e5513
SHA256 5eff93b34876fc96a0fea23977f5ee6c6bbe5f2c61189178713bdbbada5805b3
SHA512 d8b8a7821cece89bdc51fa07e2e0430f8f3863717034283daa752360c304b7bdd8dd0fee6d3a0e12ecb8685896d469d7f53f5cbc5191185e7143350cdfd275c7

memory/2180-492-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2180-501-0x0000000000270000-0x00000000002AD000-memory.dmp

memory/1408-502-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Nqbdllld.exe

MD5 d7f75a6dc271877acf4be84e68883211
SHA1 8264d0adb036ef93889f871d12502eaee9177c43
SHA256 52f5c2336aa213ef346511e35e785e1e489784438aff5eae4b2f476328903b52
SHA512 e0f6f7b0c22bea522a8eccc3d9f3ba86f2eeb9c87c9afc6858202b929450c977b9198c64502d6547e1968508692f53d16be9d10b5cf17f3b9bcf0b829b784bd2

memory/1144-507-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\SysWOW64\Nbaafocg.exe

MD5 a297179aaebb75693488694eef46cb3b
SHA1 0653f57f83013a9673da4bd99f1975e9b55d2789
SHA256 6899a0f875f159bc912ef4773fe91677e408c7a8e460b8c04e5929f0fa25d4a1
SHA512 83f0425a97a66dbfe1d994962c6e91fcc6bcb52f2c8e14a29fe641bb7929bd2391a7918dc90ff0b47a256f9df2d312662726d8bcde7fe15729105ed64f705b87

C:\Windows\SysWOW64\Nqgngk32.exe

MD5 3e1ebd6150da2e113f1fc3a995097df3
SHA1 812bb27678d1d42f142cccece7ff32bf4d1ff3c7
SHA256 263c69fcc5294055459e54d179521e6a5d904419141e6b409f160ea5bf967775
SHA512 0f8ff26bec1086ff3c537d25ffe7ef083ccd53000cad8f243c39a18205cd1afd7b66b682d58b181bdac49fee32cfd0552e46491d158c5ec9923cbd08c4050ade

C:\Windows\SysWOW64\Nnknqpgi.exe

MD5 52be70573c80c29e8cb113a5030e6796
SHA1 f81c4b091283572d10cb78209790e58eb6f32c0d
SHA256 87fcb910c7933aab6baeedc0d3d616404d96b6b95cab40a94d0bc4cff12f19ef
SHA512 f80b2f653b689adbe01769d9f465d8b0358e85e93954b6a6939117da8724332627f63b6c5b35a812c7c2e5e80db55bf23382190840255de3a612312484c6f59f

C:\Windows\SysWOW64\Ncggifep.exe

MD5 9627e09b366cbbb24ec457975e57a4c8
SHA1 d9b309b5e329c3d936af7a6ade4c0ecad6d0c880
SHA256 7992ff43af4661a30fbcbccafa08e6d87166c7f33ebc34fa7b5ccfcc97561724
SHA512 44e51de703e6b335242a0070d4866b1e7dd2dc7bf33e8055083c8afb89458e9f0d91c98a6e2eb3f3faaea5066097db095a7efe6bca2c00291e59309942ec0588

C:\Windows\SysWOW64\Nmpkal32.exe

MD5 32770a1ee335b9d53bdbf85bc09e9432
SHA1 ea5e5937fd9fc2fe77c4b80edfb12284fd6360b2
SHA256 330b3f212352c2fd0792ac40b7d16ecf145754c441b4bdf46f2f54f4fcfc3987
SHA512 625c16a80ae435c89cff9f220f88bf6c29431bfda7e2b00957c51c9526021d7c6a739fc8a0c6ee73485b94a93b9273e6920b8d63ffc61788f86b11f4e10b88c2

C:\Windows\SysWOW64\Nbmcjc32.exe

MD5 48ad16c613ddb953ec35dd96e73badc6
SHA1 31dd85d87269189d9cd63725344665ce444c560e
SHA256 e0ab47c9947e9ec20c7dc98f885f98646ed8972bbd642a440855a9212539dd52
SHA512 64fba08f62c7c5f9ed3a8044ad0399464e49ca70a13a8f33037b0080bac41b6a898716cb9ac4ba41c7181c9fc5743eb0fe633649bff8b9ed2e06934162d67a67

C:\Windows\SysWOW64\Oiglfm32.exe

MD5 9edb7916c04e54d34bd58d11032ff188
SHA1 439b122a9fb21171181121a3f0739d94c95b4b49
SHA256 d8aef58306c7df304f3cb320287aa55fb57cc6ea5b373ae83f6505e978569fce
SHA512 ea153d417d1dffbbe714fe329fdfd4f7be4c169ffd5f65987c2302d0fba50968178395f6ff0da932f5fbfd04e17112defb2b5fffae6167b7139ae25ce622a04b

C:\Windows\SysWOW64\Opcaiggo.exe

MD5 1f0d65ee674db660a59a589f587e64ca
SHA1 b23c61335a1afdfb5d63b8f0a817580765d95c05
SHA256 e11a264aa452cd082e5a07f1c0ce45a12f4df2d536a6fd486b4f990928dded05
SHA512 f7aad9dc72569dc06b7b786d4ccb6db47a674dfb457a44b8042dce70753c2cfd4d93f23fc24f0d448ef4e33d72450de42b07d24466d87eeb2e2c135c572407bc

C:\Windows\SysWOW64\Ohnemidj.exe

MD5 3bfe48937780781293d719d864522a70
SHA1 44e34e85ab3d538ba6884f8abb4513ab1a57de0a
SHA256 64b80896fccdb634418f46f51c31282f4cf973e3c013245323ff83afb8fd69b3
SHA512 0752d90d4f611cd3bf488dbdee6648741c86dc9686cc94be789a8832692b3d17182d84705f9d99bcc16c488ac24b3ff03c2c83f6bae8aada20256e7a9f414330

memory/2656-606-0x00000000778B0000-0x00000000779AA000-memory.dmp

memory/2656-605-0x0000000077790000-0x00000000778AF000-memory.dmp