Malware Analysis Report

2025-05-28 18:58

Sample ID 241110-tj8nzszhme
Target e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN
SHA256 e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dc
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dc

Threat Level: Known bad

The file e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 16:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 16:06

Reported

2024-11-10 16:08

Platform

win7-20241023-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Allefimb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbjpom32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbdiia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Koaqcn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qiioon32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Coacbfii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cchbgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Khghgchk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmfbpk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdbdqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pohhna32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qiioon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cbdiia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cchbgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kaompi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Coacbfii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnoiio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bieopm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpfmmf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfjann32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnoiio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Koaqcn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaompi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nmfbpk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Khghgchk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgjnhaco.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ciihklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbjpom32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdnild32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdnild32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lddlkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgjnhaco.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mfjann32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Offmipej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Allefimb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bieopm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lddlkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akcomepg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akfkbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akfkbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfdenafn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpfmmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Offmipej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdbdqh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pohhna32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akcomepg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfdenafn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkhhhd32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbjpom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbjpom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khghgchk.exe N/A
N/A N/A C:\Windows\SysWOW64\Khghgchk.exe N/A
N/A N/A C:\Windows\SysWOW64\Koaqcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Koaqcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaompi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaompi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdnild32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdnild32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddlkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddlkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgjnhaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgjnhaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnoiio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnoiio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Offmipej.exe N/A
N/A N/A C:\Windows\SysWOW64\Offmipej.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdbdqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdbdqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pohhna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pohhna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qiioon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qiioon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Allefimb.exe N/A
N/A N/A C:\Windows\SysWOW64\Allefimb.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcomepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcomepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Akfkbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akfkbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkhhhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkhhhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdqlajbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdqlajbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdcifi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdcifi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfdenafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfdenafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bchfhfeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bchfhfeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bieopm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bieopm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Coacbfii.exe N/A
N/A N/A C:\Windows\SysWOW64\Coacbfii.exe N/A
N/A N/A C:\Windows\SysWOW64\Ciihklpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ciihklpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpfmmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpfmmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbdiia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbdiia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cchbgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cchbgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjakccop.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjakccop.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Coacbfii.exe N/A
File created C:\Windows\SysWOW64\Lddlkg32.exe C:\Windows\SysWOW64\Kdnild32.exe N/A
File created C:\Windows\SysWOW64\Qiioon32.exe C:\Windows\SysWOW64\Pohhna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qiioon32.exe C:\Windows\SysWOW64\Pohhna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bchfhfeh.exe C:\Windows\SysWOW64\Bfdenafn.exe N/A
File opened for modification C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Jbjpom32.exe N/A
File created C:\Windows\SysWOW64\Allefimb.exe C:\Windows\SysWOW64\Qiioon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdqlajbb.exe C:\Windows\SysWOW64\Bkhhhd32.exe N/A
File created C:\Windows\SysWOW64\Oaoplfhc.dll C:\Windows\SysWOW64\Bdqlajbb.exe N/A
File created C:\Windows\SysWOW64\Bieopm32.exe C:\Windows\SysWOW64\Bchfhfeh.exe N/A
File opened for modification C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Koaqcn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nmfbpk32.exe C:\Windows\SysWOW64\Nnoiio32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Nmfbpk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Offmipej.exe C:\Windows\SysWOW64\Ofcqcp32.exe N/A
File created C:\Windows\SysWOW64\Ogdjhp32.dll C:\Windows\SysWOW64\Bieopm32.exe N/A
File created C:\Windows\SysWOW64\Koaqcn32.exe C:\Windows\SysWOW64\Khghgchk.exe N/A
File created C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Mfjann32.exe N/A
File created C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Mgjnhaco.exe N/A
File created C:\Windows\SysWOW64\Pdbdqh32.exe C:\Windows\SysWOW64\Offmipej.exe N/A
File created C:\Windows\SysWOW64\Pohhna32.exe C:\Windows\SysWOW64\Pdbdqh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdcifi32.exe C:\Windows\SysWOW64\Bdqlajbb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Coacbfii.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbdiia32.exe C:\Windows\SysWOW64\Cpfmmf32.exe N/A
File created C:\Windows\SysWOW64\Coacbfii.exe C:\Windows\SysWOW64\Bieopm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpfmmf32.exe C:\Windows\SysWOW64\Ciihklpj.exe N/A
File created C:\Windows\SysWOW64\Fhgpia32.dll C:\Windows\SysWOW64\Cpfmmf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Mfjann32.exe N/A
File created C:\Windows\SysWOW64\Binbknik.dll C:\Windows\SysWOW64\Allefimb.exe N/A
File created C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Akfkbd32.exe N/A
File created C:\Windows\SysWOW64\Bdcifi32.exe C:\Windows\SysWOW64\Bdqlajbb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjakccop.exe C:\Windows\SysWOW64\Cchbgi32.exe N/A
File created C:\Windows\SysWOW64\Kdnild32.exe C:\Windows\SysWOW64\Kaompi32.exe N/A
File created C:\Windows\SysWOW64\Fffjig32.dll C:\Windows\SysWOW64\Kaompi32.exe N/A
File created C:\Windows\SysWOW64\Bdqlajbb.exe C:\Windows\SysWOW64\Bkhhhd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfdenafn.exe C:\Windows\SysWOW64\Bdcifi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pohhna32.exe C:\Windows\SysWOW64\Pdbdqh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Akcomepg.exe C:\Windows\SysWOW64\Allefimb.exe N/A
File created C:\Windows\SysWOW64\Cpfmmf32.exe C:\Windows\SysWOW64\Ciihklpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cbdiia32.exe N/A
File created C:\Windows\SysWOW64\Jbjpom32.exe C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
File created C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Koaqcn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Mgjnhaco.exe N/A
File created C:\Windows\SysWOW64\Okhdnm32.dll C:\Windows\SysWOW64\Nmfbpk32.exe N/A
File created C:\Windows\SysWOW64\Gpajfg32.dll C:\Windows\SysWOW64\Cchbgi32.exe N/A
File created C:\Windows\SysWOW64\Jpebhied.dll C:\Windows\SysWOW64\Bchfhfeh.exe N/A
File opened for modification C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Gcighi32.dll C:\Windows\SysWOW64\Jbjpom32.exe N/A
File created C:\Windows\SysWOW64\Nmfbpk32.exe C:\Windows\SysWOW64\Nnoiio32.exe N/A
File created C:\Windows\SysWOW64\Akfkbd32.exe C:\Windows\SysWOW64\Akcomepg.exe N/A
File created C:\Windows\SysWOW64\Dnbamjbm.dll C:\Windows\SysWOW64\Bdcifi32.exe N/A
File created C:\Windows\SysWOW64\Offmipej.exe C:\Windows\SysWOW64\Ofcqcp32.exe N/A
File created C:\Windows\SysWOW64\Gggpgo32.dll C:\Windows\SysWOW64\Akcomepg.exe N/A
File created C:\Windows\SysWOW64\Bchfhfeh.exe C:\Windows\SysWOW64\Bfdenafn.exe N/A
File created C:\Windows\SysWOW64\Acnenl32.dll C:\Windows\SysWOW64\Cbdiia32.exe N/A
File created C:\Windows\SysWOW64\Doempm32.dll C:\Windows\SysWOW64\Khghgchk.exe N/A
File created C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Lddlkg32.exe N/A
File created C:\Windows\SysWOW64\Ippbdn32.dll C:\Windows\SysWOW64\Mgjnhaco.exe N/A
File created C:\Windows\SysWOW64\Ieocod32.dll C:\Windows\SysWOW64\Nnoiio32.exe N/A
File created C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Cjakccop.exe N/A
File created C:\Windows\SysWOW64\Pdkefp32.dll C:\Windows\SysWOW64\Cjakccop.exe N/A
File created C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdbdqh32.exe C:\Windows\SysWOW64\Offmipej.exe N/A
File created C:\Windows\SysWOW64\Lmdlck32.dll C:\Windows\SysWOW64\Bkhhhd32.exe N/A
File created C:\Windows\SysWOW64\Gmkame32.dll C:\Windows\SysWOW64\Bfdenafn.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdbdqh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbdiia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koaqcn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnoiio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lddlkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akcomepg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akfkbd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdnild32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmfbpk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Offmipej.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pohhna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpfmmf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjakccop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khghgchk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qiioon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Allefimb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Coacbfii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfjann32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbjpom32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfdenafn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bieopm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kaompi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgjnhaco.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkhhhd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpfmmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgjnhaco.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Akcomepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll" C:\Windows\SysWOW64\Akcomepg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbjpom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kaompi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll" C:\Windows\SysWOW64\Mfjann32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnoiio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" C:\Windows\SysWOW64\Nmfbpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pohhna32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll" C:\Windows\SysWOW64\Ciihklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ciihklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcighi32.dll" C:\Windows\SysWOW64\Jbjpom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciffggmh.dll" C:\Windows\SysWOW64\Lddlkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll" C:\Windows\SysWOW64\Offmipej.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Allefimb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjpijfl.dll" C:\Windows\SysWOW64\Kdnild32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll" C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll" C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" C:\Windows\SysWOW64\Allefimb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akcomepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfdenafn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bieopm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbjpom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lddlkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll" C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll" C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doempm32.dll" C:\Windows\SysWOW64\Khghgchk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnoiio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdbdqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll" C:\Windows\SysWOW64\Akfkbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll" C:\Windows\SysWOW64\Bieopm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbdiia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndoim32.dll" C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdnild32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfaflol.dll" C:\Windows\SysWOW64\Pohhna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll" C:\Windows\SysWOW64\Qiioon32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdcifi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjakccop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Khghgchk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbellj32.dll" C:\Windows\SysWOW64\Koaqcn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lddlkg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mfjann32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmfbpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Offmipej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" C:\Windows\SysWOW64\Pdbdqh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pohhna32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe C:\Windows\SysWOW64\Jbjpom32.exe
PID 1628 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe C:\Windows\SysWOW64\Jbjpom32.exe
PID 1628 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe C:\Windows\SysWOW64\Jbjpom32.exe
PID 1628 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe C:\Windows\SysWOW64\Jbjpom32.exe
PID 2056 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Jbjpom32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 2056 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Jbjpom32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 2056 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Jbjpom32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 2056 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Jbjpom32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 2632 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Koaqcn32.exe
PID 2632 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Koaqcn32.exe
PID 2632 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Koaqcn32.exe
PID 2632 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Koaqcn32.exe
PID 2152 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Koaqcn32.exe C:\Windows\SysWOW64\Kaompi32.exe
PID 2152 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Koaqcn32.exe C:\Windows\SysWOW64\Kaompi32.exe
PID 2152 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Koaqcn32.exe C:\Windows\SysWOW64\Kaompi32.exe
PID 2152 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Koaqcn32.exe C:\Windows\SysWOW64\Kaompi32.exe
PID 2900 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Kdnild32.exe
PID 2900 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Kdnild32.exe
PID 2900 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Kdnild32.exe
PID 2900 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Kdnild32.exe
PID 2548 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Kdnild32.exe C:\Windows\SysWOW64\Lddlkg32.exe
PID 2548 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Kdnild32.exe C:\Windows\SysWOW64\Lddlkg32.exe
PID 2548 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Kdnild32.exe C:\Windows\SysWOW64\Lddlkg32.exe
PID 2548 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Kdnild32.exe C:\Windows\SysWOW64\Lddlkg32.exe
PID 2948 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Lddlkg32.exe C:\Windows\SysWOW64\Mfjann32.exe
PID 2948 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Lddlkg32.exe C:\Windows\SysWOW64\Mfjann32.exe
PID 2948 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Lddlkg32.exe C:\Windows\SysWOW64\Mfjann32.exe
PID 2948 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Lddlkg32.exe C:\Windows\SysWOW64\Mfjann32.exe
PID 2352 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Mgjnhaco.exe
PID 2352 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Mgjnhaco.exe
PID 2352 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Mgjnhaco.exe
PID 2352 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Mgjnhaco.exe
PID 1948 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Nnoiio32.exe
PID 1948 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Nnoiio32.exe
PID 1948 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Nnoiio32.exe
PID 1948 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Nnoiio32.exe
PID 2432 wrote to memory of 908 N/A C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Nmfbpk32.exe
PID 2432 wrote to memory of 908 N/A C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Nmfbpk32.exe
PID 2432 wrote to memory of 908 N/A C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Nmfbpk32.exe
PID 2432 wrote to memory of 908 N/A C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Nmfbpk32.exe
PID 908 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Nmfbpk32.exe C:\Windows\SysWOW64\Ofcqcp32.exe
PID 908 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Nmfbpk32.exe C:\Windows\SysWOW64\Ofcqcp32.exe
PID 908 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Nmfbpk32.exe C:\Windows\SysWOW64\Ofcqcp32.exe
PID 908 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Nmfbpk32.exe C:\Windows\SysWOW64\Ofcqcp32.exe
PID 2784 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Offmipej.exe
PID 2784 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Offmipej.exe
PID 2784 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Offmipej.exe
PID 2784 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Offmipej.exe
PID 1432 wrote to memory of 3012 N/A C:\Windows\SysWOW64\Offmipej.exe C:\Windows\SysWOW64\Pdbdqh32.exe
PID 1432 wrote to memory of 3012 N/A C:\Windows\SysWOW64\Offmipej.exe C:\Windows\SysWOW64\Pdbdqh32.exe
PID 1432 wrote to memory of 3012 N/A C:\Windows\SysWOW64\Offmipej.exe C:\Windows\SysWOW64\Pdbdqh32.exe
PID 1432 wrote to memory of 3012 N/A C:\Windows\SysWOW64\Offmipej.exe C:\Windows\SysWOW64\Pdbdqh32.exe
PID 3012 wrote to memory of 1244 N/A C:\Windows\SysWOW64\Pdbdqh32.exe C:\Windows\SysWOW64\Pohhna32.exe
PID 3012 wrote to memory of 1244 N/A C:\Windows\SysWOW64\Pdbdqh32.exe C:\Windows\SysWOW64\Pohhna32.exe
PID 3012 wrote to memory of 1244 N/A C:\Windows\SysWOW64\Pdbdqh32.exe C:\Windows\SysWOW64\Pohhna32.exe
PID 3012 wrote to memory of 1244 N/A C:\Windows\SysWOW64\Pdbdqh32.exe C:\Windows\SysWOW64\Pohhna32.exe
PID 1244 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Pohhna32.exe C:\Windows\SysWOW64\Qiioon32.exe
PID 1244 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Pohhna32.exe C:\Windows\SysWOW64\Qiioon32.exe
PID 1244 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Pohhna32.exe C:\Windows\SysWOW64\Qiioon32.exe
PID 1244 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Pohhna32.exe C:\Windows\SysWOW64\Qiioon32.exe
PID 1020 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Qiioon32.exe C:\Windows\SysWOW64\Allefimb.exe
PID 1020 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Qiioon32.exe C:\Windows\SysWOW64\Allefimb.exe
PID 1020 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Qiioon32.exe C:\Windows\SysWOW64\Allefimb.exe
PID 1020 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Qiioon32.exe C:\Windows\SysWOW64\Allefimb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe

"C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe"

C:\Windows\SysWOW64\Jbjpom32.exe

C:\Windows\system32\Jbjpom32.exe

C:\Windows\SysWOW64\Khghgchk.exe

C:\Windows\system32\Khghgchk.exe

C:\Windows\SysWOW64\Koaqcn32.exe

C:\Windows\system32\Koaqcn32.exe

C:\Windows\SysWOW64\Kaompi32.exe

C:\Windows\system32\Kaompi32.exe

C:\Windows\SysWOW64\Kdnild32.exe

C:\Windows\system32\Kdnild32.exe

C:\Windows\SysWOW64\Lddlkg32.exe

C:\Windows\system32\Lddlkg32.exe

C:\Windows\SysWOW64\Mfjann32.exe

C:\Windows\system32\Mfjann32.exe

C:\Windows\SysWOW64\Mgjnhaco.exe

C:\Windows\system32\Mgjnhaco.exe

C:\Windows\SysWOW64\Nnoiio32.exe

C:\Windows\system32\Nnoiio32.exe

C:\Windows\SysWOW64\Nmfbpk32.exe

C:\Windows\system32\Nmfbpk32.exe

C:\Windows\SysWOW64\Ofcqcp32.exe

C:\Windows\system32\Ofcqcp32.exe

C:\Windows\SysWOW64\Offmipej.exe

C:\Windows\system32\Offmipej.exe

C:\Windows\SysWOW64\Pdbdqh32.exe

C:\Windows\system32\Pdbdqh32.exe

C:\Windows\SysWOW64\Pohhna32.exe

C:\Windows\system32\Pohhna32.exe

C:\Windows\SysWOW64\Qiioon32.exe

C:\Windows\system32\Qiioon32.exe

C:\Windows\SysWOW64\Allefimb.exe

C:\Windows\system32\Allefimb.exe

C:\Windows\SysWOW64\Akcomepg.exe

C:\Windows\system32\Akcomepg.exe

C:\Windows\SysWOW64\Akfkbd32.exe

C:\Windows\system32\Akfkbd32.exe

C:\Windows\SysWOW64\Bkhhhd32.exe

C:\Windows\system32\Bkhhhd32.exe

C:\Windows\SysWOW64\Bdqlajbb.exe

C:\Windows\system32\Bdqlajbb.exe

C:\Windows\SysWOW64\Bdcifi32.exe

C:\Windows\system32\Bdcifi32.exe

C:\Windows\SysWOW64\Bfdenafn.exe

C:\Windows\system32\Bfdenafn.exe

C:\Windows\SysWOW64\Bchfhfeh.exe

C:\Windows\system32\Bchfhfeh.exe

C:\Windows\SysWOW64\Bieopm32.exe

C:\Windows\system32\Bieopm32.exe

C:\Windows\SysWOW64\Coacbfii.exe

C:\Windows\system32\Coacbfii.exe

C:\Windows\SysWOW64\Ciihklpj.exe

C:\Windows\system32\Ciihklpj.exe

C:\Windows\SysWOW64\Cpfmmf32.exe

C:\Windows\system32\Cpfmmf32.exe

C:\Windows\SysWOW64\Cbdiia32.exe

C:\Windows\system32\Cbdiia32.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Cjakccop.exe

C:\Windows\system32\Cjakccop.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 144

Network

N/A

Files

memory/1628-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jbjpom32.exe

MD5 96e59ad7f0b0c6181f328f40f36235a1
SHA1 21d443bebbfcceb1fbc35dba645cdfbb37da3745
SHA256 9d7840e11dc396e529f2a92a9149b9c6c9211fd0b96717d9d4185fabe298ef0d
SHA512 104068d3f72db4e1e028fd008ebcbc40ca1022dfdc0009275c3a7dfae2e05a66d54771e613ee55e24fb7db2ad2222b728fb64bf757bc30b591bd9bd9e83deb76

memory/2056-17-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1628-13-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Khghgchk.exe

MD5 1308db2d8a860635b6656472f18eeba2
SHA1 6a903c59dade4b57141e70d6b6aebcb24407230c
SHA256 ebc33c693a30ca36c07b6b383cb78d069d23936d74ccf7eaf6e1f634cafcf938
SHA512 d579862aa6e5ae87c226fd62b14fc42317c552927a797f4a621f7b58a789807656a201cdcbfcfde903e466d3268678513c21ba04b57598aacd94e875ce86e0a7

\Windows\SysWOW64\Koaqcn32.exe

MD5 a11c067835d9bb297c4434f0cfb1bdc3
SHA1 d949f69916cf41175b7895fc1cf0f32b8fdd9a66
SHA256 bd61d1d02a046271635ac68584e03670b5b87a9848654a56ae9b3944c6036aa2
SHA512 17bcf38442a97bb5ab3a722809abac1ea9efa01b4958c2e1fce1e7c565e19affbc0941d663aeec808915ba5194535bec26a466a2685b1d5d804bdde41fcaf2f3

memory/2152-44-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kaompi32.exe

MD5 2f5cd0fbb3cfb28f3ad4843aa4d9c39a
SHA1 bb9bd00d2dabf986866dda8bd410afd4d330db4c
SHA256 5c7e4b13c7bc6dca211e48d76eceba07764a69790cc1dc817aae8e0d6a368d5b
SHA512 fe1313ee875f5e4a6e45762cf0d7e9a3918170f2858e0717d0ed6534d07994ad3bde35634493addc88a5d7468335000c4d0cb7df891a98e4ad5c6f7053132b63

memory/2900-53-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2632-27-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1628-12-0x0000000000270000-0x00000000002A3000-memory.dmp

\Windows\SysWOW64\Kdnild32.exe

MD5 9a5453fa3c8f904f0b17720d7868edbd
SHA1 48039510e5fb1b34ed51391eadabfb013fa0ae89
SHA256 8be9fa3fd3e981dc6f49f777d4d1ba7f8ea291509a4710d31c7a00999fe4daa1
SHA512 58b1d1c420dd39384f96129d4dd10f4cbb68e02166a5e79c4934f1a565a760bc464b76c141f97c29409c2dbd044459c1fa48b2aa5f1bbfd2cad3396d13b42442

memory/2900-61-0x0000000000280000-0x00000000002B3000-memory.dmp

\Windows\SysWOW64\Lddlkg32.exe

MD5 9b98c007b70b3d653072e0f576511014
SHA1 8fe3a20c0f2f91c0ac3fc21ba9f29671924bb832
SHA256 7186b196b7789ab91b2e3cd1b265f3da6e3f7046402cc025e7e356030e606826
SHA512 061d522c0e7cc8ae7c337f0a7a6f5585ba0e0875b230d53f2f5ec9e85327f574d2cb7a39d4f9093fdaded3f8336e79395a0e02eee58acbc52dd27c03fbb453ef

memory/2548-78-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2948-80-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Mfjann32.exe

MD5 fc507f3526d8342dea788307690541af
SHA1 fb0f25b42252913d567558d9f22cff756e8f44d2
SHA256 686c44443b512835c990afc709614cf8204a58cf8835c8147875d90dce433b86
SHA512 fc8cec9c1c7deb720f96383b9ebb2424837fb48b62a68e78c4a4273389b673dc74cc94a9b783a24d53d0623206db3f33d87c423b57faaf975bfb149ec8a1fc5e

memory/2352-95-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2948-88-0x0000000000310000-0x0000000000343000-memory.dmp

memory/1948-107-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mgjnhaco.exe

MD5 2e587f2fe5a6f2f9ad67128dcf6cbe0e
SHA1 11c318b10c3b01991b89934d48dc270ba2fb4eb2
SHA256 f747b498a8aa0906fda85487dfa5822b874b5e1bdce6870e869422635adebc6b
SHA512 d7c464c3da5954638c40d079b9512f92a9eeeeda41b841f917cb770ed8cdfac5a6ddf0336f9efd6a91263197e1338128a361e987344b720cc3161d07b82d7b04

memory/1948-115-0x0000000001F30000-0x0000000001F63000-memory.dmp

C:\Windows\SysWOW64\Nnoiio32.exe

MD5 49a4d66f4fb197afe7b50a1a6c7ca854
SHA1 60f97763f6e531ad09eb653b54ab5276403e0a4f
SHA256 121f137f785c7298bcdb7bc5388da64a83cced33bbcc545c3885c616a6697248
SHA512 5dc857baec9921ebb59df93b2adbb9f1cd4b09ecdcb8d8d2cdffd58d7428cda04dcadc03fe7fdab5edc54f71cce9fcd3518c0f21868dfad90ff5ed58712cc396

memory/2432-122-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1948-120-0x0000000001F30000-0x0000000001F63000-memory.dmp

memory/908-135-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nmfbpk32.exe

MD5 804b42e86fc9796c6e3fdc3125a179f9
SHA1 ee56d1a58dd7aa286182c24f68b5573afff67106
SHA256 303335de886d4def88da15cbfa12b6691ef79630b85f6022ceb71873d94f53a2
SHA512 2374255db30f6b032b1aa1eeb813c88d99fdf9e4e0275aa7fdbfbc996b4cca4abd23b927318fad97f213d18d7803e4869114f43d6d080f5ca86db850574659e6

\Windows\SysWOW64\Ofcqcp32.exe

MD5 74fffc61fd687c386120e2d869976ccd
SHA1 c33445bf8d468217de4241d8edea68e753f9ecdf
SHA256 5d9daf83d2ecc84311684a2ccdfa10faf4bd5f94e3ddb0cd49c3c2e974f6503f
SHA512 aff89d65e0dd93c633c3c6d332c514f89d06e78202d4d05506bda3cf06abb8d53b379dcba015d92d187512b3b34031ca9d20b0078ac7760bc1ad3203f1f71d52

memory/908-143-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2784-153-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Offmipej.exe

MD5 0b87fca0e8e4b5b0a45ba4def93e085a
SHA1 6bae2ce026cb02d4fb7f7b663f292b89ee5a4c51
SHA256 1722597ecf8f9cee3a53c379eca07a963fcc5752a84a5d54344f9000e521295d
SHA512 42afe278bc414389f147c8871d7b06dba0f16aba5a318b6c3decc4637b26fac0be8047d2c5d30a6e9f271679f5260fb67148ba87f0ee1751dd14b4cd7d266b9c

memory/1432-162-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Pdbdqh32.exe

MD5 afe604aa20577d7287c83fb5e35abb30
SHA1 290f0cdf28054f6ad0f0bba231f666e3388bc16f
SHA256 96258e26696ad3d9d63643db070af6131594420674aecdb6710777bd67013d0f
SHA512 626501cf0e873674a6f041251a04348b656abd1ecd27923fba055cdc0d04081081bf982319c1466635ae7f284bffecda6696b73384e80260d0789faa119dde72

memory/1432-174-0x0000000000260000-0x0000000000293000-memory.dmp

memory/1244-188-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pohhna32.exe

MD5 abbfb1edf4685a81036f103f2c7e0735
SHA1 d3f779d68fd235d46c0ee79db361fbfebf8d2f04
SHA256 6273b03cf844d89ef410773ade28111c9ba2cc8e9b12f06929df4c86291cc316
SHA512 f417c33f0dbaec33775fa37f767840aaa98b29bc6672e34146e74fc01c26e3a995d7487fb664a994ccdf180b858b4ac21336dfe15358d516d6c494bf1e719fe0

\Windows\SysWOW64\Qiioon32.exe

MD5 781314f5d4629b22826dadddfa398bf9
SHA1 03aa11d89c3e27e933bbb293322f447829acef9f
SHA256 2257d92da76d3b4d3cce1bbe3662123d47459d6bbc9323886a0ccd76cc3704d0
SHA512 faa74652e3d8869650399ba52fb45bbc5ebf8e9d2318674b55311406acffc9773dbeeb44732d65317a4f9b1d289b48987ad2e6e8379a1fab2e93cceb08acd5cb

memory/1244-200-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1020-202-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Allefimb.exe

MD5 58350b8eef3e5d30f68f9fe7729ac418
SHA1 03ecf575a24b1eba3e783f222f756299a4c1d8f0
SHA256 f3271988c4ca864036e36a1826c52564d4af4804e5613d280d428c42c0159001
SHA512 61285d3cf4245e1e27f7e9d1ffff1508e0de959fbc5967ac779b4c52f77e54c5ba28e5c07efdeb057c032fcd76f8ade25fa05561d1102f98fdcf6f2bf148c81f

memory/1692-215-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1692-222-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Akcomepg.exe

MD5 66cc5b7fe81801e482d960f4b181e7b7
SHA1 7215f745e2eddfd0d50e4bbfeb7d1ad8b36f441d
SHA256 13bd53e80a831b8efbcf6814fefb08ff6f9c29aea38c703edcc3ef97062b43c2
SHA512 8d7ab9ea088d599c78cc51a10056c38dd480737d3a4015458db5e168f5ffb32871ee5127548f1a7b789f2488fa4c25bb85bb7b5f263febb1148051e840339c42

memory/380-230-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1280-235-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Akfkbd32.exe

MD5 16011a7f40101ab2ad3d3e5e5f0bd3cc
SHA1 8cb2e7222bcdd34dcd3ec82c14f3a1e97d2d99d6
SHA256 fbde45572b90aca5c69c832af327ffcafe847821458c97bc0c37366564c3172f
SHA512 f49212b1007a29c9f3beabb267fa64fa27b8bf342951ffb2eff7b12c776eada512d932fab716c79a023d33a4a0eb87cd5ad7336e8633766e4ea559d31b572c8a

C:\Windows\SysWOW64\Bkhhhd32.exe

MD5 0fc423ae3cfdc784fa61a172bfff38b0
SHA1 4eef8d75140cb39d35b88561515d9fab6feb457c
SHA256 6a99e98c3ee0715a8cd2cd65912b2b02c5fa57c1b44ec4be3b8d1657beb3f326
SHA512 f4e7e4a51288c2629a2ba4d1b310b91aaa46cf865156aa0dd44058c013313749aa432c0a2ac57f337d739705bc318f026f15b7c991fad5b11fd889ec308308d8

memory/956-248-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bdqlajbb.exe

MD5 27fd6251ea4d2e10d2e728d5079b045d
SHA1 82c282ea05180810c2758aef3402034827e0364b
SHA256 0a87e9b31b2dfe526c3f475e5ff4cc90be101303e9f99b7d1464622bcd1158f1
SHA512 a7817e399e7c1d24cdc76dbff2a169ea1ee6bb62a4c0d21874ec53c9e5a87283c77f2b6020c3ab0cc64e9a380f53e1b17ede0a98c3e76ddfecc95c1e9a5009d9

memory/2496-253-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2496-262-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Bdcifi32.exe

MD5 04c2e2ae2894d25a9e97bd43ddb61e47
SHA1 13682f4cd669bc942d903d2f5167e2b9b00b4322
SHA256 f50d00a585c9072a30e6471821ee949a335543cb5ff726a39988c52602df57a7
SHA512 0eabc601602c5b3646add364dddf53e176e5ac6814738ae35ee436204d88ae501525ca04deb0e92d4d7b9798a6cd06bfda36c5486931982d839afa8d1f1f0ea4

memory/820-265-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bfdenafn.exe

MD5 165cbcc24045f9201cdf86a5643c288c
SHA1 14c0a6568c8dd960d1afd0e727dcfca091ea1a6c
SHA256 9cde40b0b2ac02c0ad6cd8ff0699d1a0b43832a8c4df9c23518f502847988a2a
SHA512 fa6c365307aa368531f0a393a9358b1ee56a7c51354c6e6592ee48345939507628aa1879d73c6bafd3b59df4b35d685cbb9d9c8458e84adb5c505d7d30485373

memory/1160-272-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bchfhfeh.exe

MD5 f3f6067f5923b04a2a30799e9159546d
SHA1 5e2296b82d10c68a37754a650d1dd59c93c2cb16
SHA256 28742225a1c793856c546701321fcffca1dd5ee3dd35bf11cb90838ec9c256fc
SHA512 40577c92c601aa459bd984ab16b83349175b6c4932e0f8665c75ead501cf43ac93c5f94a15e460bdf9513356d7657f19d5032595ebee44eab6403c74cbcd6bb4

memory/304-282-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1160-281-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Bieopm32.exe

MD5 46539b7f46eb35e8f2b8498db11d6595
SHA1 007dc866cb5acd2dc7dea0bcd3fa46dbca158656
SHA256 9949b5a3e2c6ea7472cfe45be3949f32e0005da2c4b6342754f21bd005a43daa
SHA512 8d3d2c3db02c1ee338b981447c2ae541591b7d977e299293b2b6f03ce53261ea8ddf7ac6ea2ebb353d1e7e4d0f6abc456fa06b8ccc4d6952b6379bc4c2d1600d

memory/1668-293-0x0000000000400000-0x0000000000433000-memory.dmp

memory/304-292-0x0000000000250000-0x0000000000283000-memory.dmp

memory/304-291-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1668-303-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/1668-302-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2540-305-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Coacbfii.exe

MD5 86465ba2c6780a6cc55f5b9c3f7ec0da
SHA1 e9f978595bfba4e878b8256eae197888a477e65f
SHA256 28f042b2ffade534c9aa881c1cfe7e3a908d5b3abbdedf9458f70740c330e918
SHA512 e5c259697889ba6403c80afcd16ea086f2b4513aa2f62cd6296dd888a931ee1d375015962398cfc6883d73c77bf8efd0d2289a50291521877d984ebeff962912

C:\Windows\SysWOW64\Ciihklpj.exe

MD5 4dfa1a9d22f8bf0553451ecea09be065
SHA1 1ea7d6cce4907d0b74dc75e8e81e27acec2062a1
SHA256 6e0d0471c995641d3481676cb5bdc77fdc0404a0b17a7e805bd43ab9a14866b6
SHA512 3371d05774963169e0c7401fc7994e978cc47ec3660388f203698a593fa92e8a5dddebe0c9ecbd8978a1a9b0ed8354790344db0a28ed15e6da288af7ae658f89

memory/2512-315-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2540-314-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2540-313-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Cpfmmf32.exe

MD5 11d997aed568049cf5291a6cd78974f3
SHA1 377109788e6f7837fd7152162e54b8fd07cd3778
SHA256 3012f2b5cf6837a7898993ce8c434fde9efced5fdd9e79bedc85efd33d35dc18
SHA512 27b05374ab564cafe23928527224c59c18fe7a47703b0164af8e2940f559f6f823c5b500a5b275c700abfba933caaf31764f4cdfd9d0a7eb736a00920e8d4c21

memory/1628-327-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1028-328-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2056-326-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2512-325-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2512-324-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2916-337-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cbdiia32.exe

MD5 d0ab17d1736a248b8e12b78dc1f8c123
SHA1 ab698715c3c131129f3fcb0d31366106f1ca7a73
SHA256 34fd9f7f610da646481275632fa2c16bf907034a7ff4fb3e6b5fa66958abe234
SHA512 f909d8e3ae0e8eb8d8356c6f9a0003b99ea3170b20b0eb00139780b62f4b397257c095d4d0e62685748413123c0cd21db0170dfa27d482de40d9afcf845703c4

C:\Windows\SysWOW64\Cchbgi32.exe

MD5 49650472531af7c1a6ce1c9c595cdfc0
SHA1 cfef8a71c7bea7861e685959d2aa55af654ae8d0
SHA256 7d94c9f9e63af3200d25a58d162dcc9f58ba9891940e453207a805622347d155
SHA512 6a390422d24edcbf2c7511e7cc8830f6bf679ad7e477818f2f94cf3e28ad1655d84308661d55649fbfbb1f8fb7712d32b679cbd1175f23426fc0b3f1e5b9d987

memory/2632-347-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2896-352-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2916-346-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2104-360-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2896-359-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/2152-358-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2896-357-0x00000000002F0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Cjakccop.exe

MD5 69f1ce7943966feeedd80775c7598b92
SHA1 e44a7a312747b0c2660b859317f5d41c02a27e85
SHA256 cb644f104b3cdee3d2b341b25c6fa541f10b5e92e01f938ec651f696c7d07f08
SHA512 5898c9ad64b94501b15a1c500f315615fc47404042d61e78ba37f0c51184021df085f7998182ebcd991211200f6f72318ae24ebc593971d6f67925c0cab34b27

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 4a2194ccf1af29bd4a10998515d2a67a
SHA1 7dc7de6584b522c513437fea96d6bdcba40b873f
SHA256 4a98e0bcf47c0a6aa2f6c18599ab5fd6241eb1ad9bc4ffac97c4a2aeb8846690
SHA512 17a92e2a63d6028a8e9cbe3718611612a713f15f77e33896fd33190422a184f5f187a60cd8269bcc99ffd1061b3a347d1bbe16755045b45c3225f5c129859533

memory/2104-371-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2900-374-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/2900-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2912-375-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2104-369-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2900-376-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/2548-377-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2916-380-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2784-413-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1028-384-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2104-391-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1244-406-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2948-430-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2352-422-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1948-421-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2432-418-0x0000000000400000-0x0000000000433000-memory.dmp

memory/908-417-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1280-414-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1432-411-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1020-409-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3012-405-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1692-402-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2496-399-0x0000000000400000-0x0000000000433000-memory.dmp

memory/820-396-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2912-432-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1160-395-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2540-392-0x0000000000400000-0x0000000000433000-memory.dmp

memory/304-390-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2512-389-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1668-388-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 16:06

Reported

2024-11-10 16:08

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkhpdcab.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nimbkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Boflmdkk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oejbfmpg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocmconhk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhlpqc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjchaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbiejoaj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blielbfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkphhgfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpnoncim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emehdh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Miaboe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejalcgkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfodeohd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpcodihc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adhdjpjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Embkoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gnjjfegi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ciafbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efjimhnh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Milidebi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiloco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhhiemoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ccqkigkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjahlgpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odjeljhd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpgeee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bokehc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Flpmagqi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogekbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ogekbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alkijdci.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbpchb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmfgek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llmhaold.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcdala32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Domdjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgnbdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phcgcqab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncchae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dannij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbhpch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icnklbmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgclpkac.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hacbhb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbhpch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iinqbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alelqb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afgacokc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eifhdd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmkgkapm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfigpm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oelolmnd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qmeigg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiloco32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fefedmil.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejflhm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahenokjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adkgje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bddjpd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaiimadl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekdnei32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncchae32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Nemcjk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngmpcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npedmdab.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngomin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olckbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocmconhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiihahme.exe N/A
N/A N/A C:\Windows\SysWOW64\Oepifi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oljaccjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjbkgfej.exe N/A
N/A N/A C:\Windows\SysWOW64\Pckppl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plcdiabk.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcmlfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjgebf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhakoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahchda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acilajpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhniccb.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqaffn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afnnnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqfoamfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcelmhen.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqkill32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cqpbglno.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccqkigkp.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgndoeag.exe N/A
N/A N/A C:\Windows\SysWOW64\Cibmlmeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjaifp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpnbog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgejpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Diffglam.exe N/A
N/A N/A C:\Windows\SysWOW64\Dannij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhhfedil.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfmcfp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dikpbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dabhdinj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddadpdmn.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhlpqc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djklmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmihij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpgeee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhomfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djmibn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emlenj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epjajeqo.exe N/A
N/A N/A C:\Windows\SysWOW64\Efdjgo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efffmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehfcfb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Embkoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Edmclccp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejflhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emehdh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efmmmn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filiii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpeafcfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpicn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjaphek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgbfhmll.exe N/A
N/A N/A C:\Windows\SysWOW64\Fipbdikp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdffbake.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgdbnmji.exe N/A
N/A N/A C:\Windows\SysWOW64\Fajgkfio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhdohp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmqgpgoc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Clfabmda.dll C:\Windows\SysWOW64\Emehdh32.exe N/A
File created C:\Windows\SysWOW64\Gfodeohd.exe C:\Windows\SysWOW64\Glipgf32.exe N/A
File created C:\Windows\SysWOW64\Lblldc32.dll C:\Windows\SysWOW64\Illfdc32.exe N/A
File created C:\Windows\SysWOW64\Hidkle32.dll C:\Windows\SysWOW64\Fmndpq32.exe N/A
File created C:\Windows\SysWOW64\Hankellh.dll C:\Windows\SysWOW64\Ilafiihp.exe N/A
File opened for modification C:\Windows\SysWOW64\Mngegmbc.exe C:\Windows\SysWOW64\Lijlof32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djcoai32.exe C:\Windows\SysWOW64\Dpnkdq32.exe N/A
File created C:\Windows\SysWOW64\Dkfadkgf.exe C:\Windows\SysWOW64\Digehphc.exe N/A
File created C:\Windows\SysWOW64\Aqaffn32.exe C:\Windows\SysWOW64\Ajhniccb.exe N/A
File created C:\Windows\SysWOW64\Kilpmh32.exe C:\Windows\SysWOW64\Kbbhqn32.exe N/A
File created C:\Windows\SysWOW64\Fpjcgm32.exe C:\Windows\SysWOW64\Fmkgkapm.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmgabcge.exe C:\Windows\SysWOW64\Lgjijmin.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkmkkjko.exe C:\Windows\SysWOW64\Mcecjmkl.exe N/A
File created C:\Windows\SysWOW64\Mjahlgpf.exe C:\Windows\SysWOW64\Mgclpkac.exe N/A
File created C:\Windows\SysWOW64\Cdbijb32.dll C:\Windows\SysWOW64\Neclenfo.exe N/A
File created C:\Windows\SysWOW64\Qnmghonf.dll C:\Windows\SysWOW64\Embkoi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhijqj32.exe C:\Windows\SysWOW64\Ibobdqid.exe N/A
File created C:\Windows\SysWOW64\Njoddaaj.dll C:\Windows\SysWOW64\Cbgnemjj.exe N/A
File created C:\Windows\SysWOW64\Pofkjd32.dll C:\Windows\SysWOW64\Gfkbde32.exe N/A
File created C:\Windows\SysWOW64\Dngjff32.exe C:\Windows\SysWOW64\Dbpjaeoc.exe N/A
File created C:\Windows\SysWOW64\Fqehjpfj.dll C:\Windows\SysWOW64\Eiloco32.exe N/A
File created C:\Windows\SysWOW64\Ngomin32.exe C:\Windows\SysWOW64\Npedmdab.exe N/A
File created C:\Windows\SysWOW64\Fgdbnmji.exe C:\Windows\SysWOW64\Fdffbake.exe N/A
File created C:\Windows\SysWOW64\Qkicbhla.dll C:\Windows\SysWOW64\Cglbhhga.exe N/A
File created C:\Windows\SysWOW64\Dhbebj32.exe C:\Windows\SysWOW64\Dojqjdbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngomin32.exe C:\Windows\SysWOW64\Npedmdab.exe N/A
File created C:\Windows\SysWOW64\Gddmgi32.dll C:\Windows\SysWOW64\Hmlpaoaj.exe N/A
File created C:\Windows\SysWOW64\Badanigc.exe C:\Windows\SysWOW64\Boeebnhp.exe N/A
File created C:\Windows\SysWOW64\Hmkigh32.exe C:\Windows\SysWOW64\Hedafk32.exe N/A
File created C:\Windows\SysWOW64\Jdedak32.exe C:\Windows\SysWOW64\Jklphekp.exe N/A
File created C:\Windows\SysWOW64\Kpbodmjl.dll C:\Windows\SysWOW64\Ahcajk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmfhkf32.exe C:\Windows\SysWOW64\Kqphfe32.exe N/A
File created C:\Windows\SysWOW64\Coqncejg.exe C:\Windows\SysWOW64\Cgifbhid.exe N/A
File created C:\Windows\SysWOW64\Fmqgpgoc.exe C:\Windows\SysWOW64\Fhdohp32.exe N/A
File created C:\Windows\SysWOW64\Jcdala32.exe C:\Windows\SysWOW64\Jjlmclqa.exe N/A
File created C:\Windows\SysWOW64\Inagcf32.dll C:\Windows\SysWOW64\Llflea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cobkhb32.exe C:\Windows\SysWOW64\Cfigpm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fbhpch32.exe C:\Windows\SysWOW64\Fpjcgm32.exe N/A
File created C:\Windows\SysWOW64\Fmjhedep.dll C:\Windows\SysWOW64\Lmgabcge.exe N/A
File created C:\Windows\SysWOW64\Gpnfge32.exe C:\Windows\SysWOW64\Gfeaopqo.exe N/A
File created C:\Windows\SysWOW64\Efffmo32.exe C:\Windows\SysWOW64\Efdjgo32.exe N/A
File created C:\Windows\SysWOW64\Ihgnkkbd.exe C:\Windows\SysWOW64\Ikcmbfcj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjbogmdb.exe C:\Windows\SysWOW64\Miaboe32.exe N/A
File created C:\Windows\SysWOW64\Klhhpnaf.dll C:\Windows\SysWOW64\Gfheof32.exe N/A
File created C:\Windows\SysWOW64\Lhlgfb32.dll C:\Windows\SysWOW64\Hpcodihc.exe N/A
File created C:\Windows\SysWOW64\Hhcmlj32.dll C:\Windows\SysWOW64\Iciaqc32.exe N/A
File created C:\Windows\SysWOW64\Cndeii32.exe C:\Windows\SysWOW64\Chglab32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhlpqc32.exe C:\Windows\SysWOW64\Ddadpdmn.exe N/A
File created C:\Windows\SysWOW64\Jbiejoaj.exe C:\Windows\SysWOW64\Jjamia32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eifhdd32.exe C:\Windows\SysWOW64\Eciplm32.exe N/A
File created C:\Windows\SysWOW64\Pjdhhc32.dll C:\Windows\SysWOW64\Pkpmdbfd.exe N/A
File opened for modification C:\Windows\SysWOW64\Phfjcf32.exe C:\Windows\SysWOW64\Phdnngdn.exe N/A
File created C:\Windows\SysWOW64\Cofnik32.exe C:\Windows\SysWOW64\Cfnjpfcl.exe N/A
File created C:\Windows\SysWOW64\Ddjmba32.exe C:\Windows\SysWOW64\Domdjj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnkbkk32.exe C:\Windows\SysWOW64\Phajna32.exe N/A
File created C:\Windows\SysWOW64\Jhndljll.exe C:\Windows\SysWOW64\Jqglkmlj.exe N/A
File created C:\Windows\SysWOW64\Bjmped32.dll C:\Windows\SysWOW64\Kbmoen32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlphbnoe.exe C:\Windows\SysWOW64\Nkqkhk32.exe N/A
File created C:\Windows\SysWOW64\Hmcldf32.dll C:\Windows\SysWOW64\Dpgnjo32.exe N/A
File created C:\Windows\SysWOW64\Alelqb32.exe C:\Windows\SysWOW64\Aekddhcb.exe N/A
File created C:\Windows\SysWOW64\Ghcjeh32.dll C:\Windows\SysWOW64\Ekmhejao.exe N/A
File created C:\Windows\SysWOW64\Oglbla32.dll C:\Windows\SysWOW64\Ogcnmc32.exe N/A
File created C:\Windows\SysWOW64\Ocmconhk.exe C:\Windows\SysWOW64\Olckbd32.exe N/A
File created C:\Windows\SysWOW64\Gacjadad.exe C:\Windows\SysWOW64\Gkiaej32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipeeobbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhndljll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbiejoaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfeaopqo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jqglkmlj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgclpkac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baegibae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjjghcfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dngjff32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iedjmioj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcifkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjkmomfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Diffglam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ibobdqid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhijqj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jqknkedi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lenicahg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iinjhh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngomin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hdkidohn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjpbam32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgnbdh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmhgmmbf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phonha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Malgcg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neclenfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcdjbk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phfjcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hbjoeojc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Licfngjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qlggjk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpgnjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfnjpfcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfcabp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccqkigkp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ingpmmgm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chiigadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ihgnkkbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajndioga.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfigpm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdfehh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmkigh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgbloglj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aoioli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chglab32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cglbhhga.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqaffn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jdedak32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnfnlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aleckinj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iinqbn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pibdmp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qoelkp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klcekpdo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cobkhb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmkgkapm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adikdfna.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oldjcg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gmimai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jgbchj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opnbae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dannij32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjbogmdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Noeahkfc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emkndc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpmapodj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmjfa32.dll" C:\Windows\SysWOW64\Cjaifp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndchiip.dll" C:\Windows\SysWOW64\Micoed32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlljcfl.dll" C:\Windows\SysWOW64\Efjimhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmkgkapm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfamlc32.dll" C:\Windows\SysWOW64\Jjlmclqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oelolmnd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ljhnlb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckbemgcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgolif32.dll" C:\Windows\SysWOW64\Ajhniccb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdmein32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ekdnei32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ipeeobbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqbpojnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bokehc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddjmba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koiagakg.dll" C:\Windows\SysWOW64\Eifhdd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amjillkj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Domdjj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmkqpkla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmodnoo.dll" C:\Windows\SysWOW64\Nfohgqlg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Apodoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabbod32.dll" C:\Windows\SysWOW64\Ejflhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndigcej.dll" C:\Windows\SysWOW64\Iqmidndd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgifbhid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Embkoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmfkjol.dll" C:\Windows\SysWOW64\Akamff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmafajfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgflcifg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cglbhhga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pckppl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afnnnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkkceedp.dll" C:\Windows\SysWOW64\Eppqqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpcodihc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhokljge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kngkqbgl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mqkiok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnhmnn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbgeno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafhkhce.dll" C:\Windows\SysWOW64\Efccmidp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll" C:\Windows\SysWOW64\Bnlhncgi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhbebj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll" C:\Windows\SysWOW64\Dhphmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iddljmpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peaggfjj.dll" C:\Windows\SysWOW64\Mqafhl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnjmc32.dll" C:\Windows\SysWOW64\Lddgmbpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnojho32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oadfkdgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdcojj.dll" C:\Windows\SysWOW64\Gljgbllj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmbhoeid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Npedmdab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhglpo32.dll" C:\Windows\SysWOW64\Chglab32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lcnfohmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chnlgjlb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiooia32.dll" C:\Windows\SysWOW64\Mngegmbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effkpc32.dll" C:\Windows\SysWOW64\Cndeii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopnfa32.dll" C:\Windows\SysWOW64\Phdnngdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqqpck32.dll" C:\Windows\SysWOW64\Flpmagqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll" C:\Windows\SysWOW64\Lcnfohmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlgcp32.dll" C:\Windows\SysWOW64\Opeiadfg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmblagmf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qfmmplad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Poomegpf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe C:\Windows\SysWOW64\Nemcjk32.exe
PID 2648 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe C:\Windows\SysWOW64\Nemcjk32.exe
PID 2648 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe C:\Windows\SysWOW64\Nemcjk32.exe
PID 4424 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Nemcjk32.exe C:\Windows\SysWOW64\Ngmpcn32.exe
PID 4424 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Nemcjk32.exe C:\Windows\SysWOW64\Ngmpcn32.exe
PID 4424 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Nemcjk32.exe C:\Windows\SysWOW64\Ngmpcn32.exe
PID 2216 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Ngmpcn32.exe C:\Windows\SysWOW64\Npedmdab.exe
PID 2216 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Ngmpcn32.exe C:\Windows\SysWOW64\Npedmdab.exe
PID 2216 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Ngmpcn32.exe C:\Windows\SysWOW64\Npedmdab.exe
PID 4984 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Npedmdab.exe C:\Windows\SysWOW64\Ngomin32.exe
PID 4984 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Npedmdab.exe C:\Windows\SysWOW64\Ngomin32.exe
PID 4984 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Npedmdab.exe C:\Windows\SysWOW64\Ngomin32.exe
PID 1160 wrote to memory of 4900 N/A C:\Windows\SysWOW64\Ngomin32.exe C:\Windows\SysWOW64\Olckbd32.exe
PID 1160 wrote to memory of 4900 N/A C:\Windows\SysWOW64\Ngomin32.exe C:\Windows\SysWOW64\Olckbd32.exe
PID 1160 wrote to memory of 4900 N/A C:\Windows\SysWOW64\Ngomin32.exe C:\Windows\SysWOW64\Olckbd32.exe
PID 4900 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Olckbd32.exe C:\Windows\SysWOW64\Ocmconhk.exe
PID 4900 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Olckbd32.exe C:\Windows\SysWOW64\Ocmconhk.exe
PID 4900 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Olckbd32.exe C:\Windows\SysWOW64\Ocmconhk.exe
PID 5044 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Ocmconhk.exe C:\Windows\SysWOW64\Oiihahme.exe
PID 5044 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Ocmconhk.exe C:\Windows\SysWOW64\Oiihahme.exe
PID 5044 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Ocmconhk.exe C:\Windows\SysWOW64\Oiihahme.exe
PID 1724 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Oiihahme.exe C:\Windows\SysWOW64\Oepifi32.exe
PID 1724 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Oiihahme.exe C:\Windows\SysWOW64\Oepifi32.exe
PID 1724 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Oiihahme.exe C:\Windows\SysWOW64\Oepifi32.exe
PID 1960 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Oepifi32.exe C:\Windows\SysWOW64\Oljaccjf.exe
PID 1960 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Oepifi32.exe C:\Windows\SysWOW64\Oljaccjf.exe
PID 1960 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Oepifi32.exe C:\Windows\SysWOW64\Oljaccjf.exe
PID 2444 wrote to memory of 4352 N/A C:\Windows\SysWOW64\Oljaccjf.exe C:\Windows\SysWOW64\Pjbkgfej.exe
PID 2444 wrote to memory of 4352 N/A C:\Windows\SysWOW64\Oljaccjf.exe C:\Windows\SysWOW64\Pjbkgfej.exe
PID 2444 wrote to memory of 4352 N/A C:\Windows\SysWOW64\Oljaccjf.exe C:\Windows\SysWOW64\Pjbkgfej.exe
PID 4352 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Pjbkgfej.exe C:\Windows\SysWOW64\Pckppl32.exe
PID 4352 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Pjbkgfej.exe C:\Windows\SysWOW64\Pckppl32.exe
PID 4352 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Pjbkgfej.exe C:\Windows\SysWOW64\Pckppl32.exe
PID 2732 wrote to memory of 3164 N/A C:\Windows\SysWOW64\Pckppl32.exe C:\Windows\SysWOW64\Plcdiabk.exe
PID 2732 wrote to memory of 3164 N/A C:\Windows\SysWOW64\Pckppl32.exe C:\Windows\SysWOW64\Plcdiabk.exe
PID 2732 wrote to memory of 3164 N/A C:\Windows\SysWOW64\Pckppl32.exe C:\Windows\SysWOW64\Plcdiabk.exe
PID 3164 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Plcdiabk.exe C:\Windows\SysWOW64\Pcmlfl32.exe
PID 3164 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Plcdiabk.exe C:\Windows\SysWOW64\Pcmlfl32.exe
PID 3164 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Plcdiabk.exe C:\Windows\SysWOW64\Pcmlfl32.exe
PID 1876 wrote to memory of 3340 N/A C:\Windows\SysWOW64\Pcmlfl32.exe C:\Windows\SysWOW64\Pjgebf32.exe
PID 1876 wrote to memory of 3340 N/A C:\Windows\SysWOW64\Pcmlfl32.exe C:\Windows\SysWOW64\Pjgebf32.exe
PID 1876 wrote to memory of 3340 N/A C:\Windows\SysWOW64\Pcmlfl32.exe C:\Windows\SysWOW64\Pjgebf32.exe
PID 3340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\Pjgebf32.exe C:\Windows\SysWOW64\Qhakoa32.exe
PID 3340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\Pjgebf32.exe C:\Windows\SysWOW64\Qhakoa32.exe
PID 3340 wrote to memory of 1668 N/A C:\Windows\SysWOW64\Pjgebf32.exe C:\Windows\SysWOW64\Qhakoa32.exe
PID 1668 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Qhakoa32.exe C:\Windows\SysWOW64\Ahchda32.exe
PID 1668 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Qhakoa32.exe C:\Windows\SysWOW64\Ahchda32.exe
PID 1668 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Qhakoa32.exe C:\Windows\SysWOW64\Ahchda32.exe
PID 2740 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Ahchda32.exe C:\Windows\SysWOW64\Acilajpk.exe
PID 2740 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Ahchda32.exe C:\Windows\SysWOW64\Acilajpk.exe
PID 2740 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Ahchda32.exe C:\Windows\SysWOW64\Acilajpk.exe
PID 2172 wrote to memory of 3716 N/A C:\Windows\SysWOW64\Acilajpk.exe C:\Windows\SysWOW64\Ajhniccb.exe
PID 2172 wrote to memory of 3716 N/A C:\Windows\SysWOW64\Acilajpk.exe C:\Windows\SysWOW64\Ajhniccb.exe
PID 2172 wrote to memory of 3716 N/A C:\Windows\SysWOW64\Acilajpk.exe C:\Windows\SysWOW64\Ajhniccb.exe
PID 3716 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Ajhniccb.exe C:\Windows\SysWOW64\Aqaffn32.exe
PID 3716 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Ajhniccb.exe C:\Windows\SysWOW64\Aqaffn32.exe
PID 3716 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Ajhniccb.exe C:\Windows\SysWOW64\Aqaffn32.exe
PID 2908 wrote to memory of 3112 N/A C:\Windows\SysWOW64\Aqaffn32.exe C:\Windows\SysWOW64\Afnnnd32.exe
PID 2908 wrote to memory of 3112 N/A C:\Windows\SysWOW64\Aqaffn32.exe C:\Windows\SysWOW64\Afnnnd32.exe
PID 2908 wrote to memory of 3112 N/A C:\Windows\SysWOW64\Aqaffn32.exe C:\Windows\SysWOW64\Afnnnd32.exe
PID 3112 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Afnnnd32.exe C:\Windows\SysWOW64\Bqfoamfj.exe
PID 3112 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Afnnnd32.exe C:\Windows\SysWOW64\Bqfoamfj.exe
PID 3112 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Afnnnd32.exe C:\Windows\SysWOW64\Bqfoamfj.exe
PID 4592 wrote to memory of 1880 N/A C:\Windows\SysWOW64\Bqfoamfj.exe C:\Windows\SysWOW64\Bcelmhen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe

"C:\Users\Admin\AppData\Local\Temp\e13edcb667934d0c521d913854c6ebd6dfe4a1a0085acd87843885e2a8a1a7dcN.exe"

C:\Windows\SysWOW64\Nemcjk32.exe

C:\Windows\system32\Nemcjk32.exe

C:\Windows\SysWOW64\Ngmpcn32.exe

C:\Windows\system32\Ngmpcn32.exe

C:\Windows\SysWOW64\Npedmdab.exe

C:\Windows\system32\Npedmdab.exe

C:\Windows\SysWOW64\Ngomin32.exe

C:\Windows\system32\Ngomin32.exe

C:\Windows\SysWOW64\Olckbd32.exe

C:\Windows\system32\Olckbd32.exe

C:\Windows\SysWOW64\Ocmconhk.exe

C:\Windows\system32\Ocmconhk.exe

C:\Windows\SysWOW64\Oiihahme.exe

C:\Windows\system32\Oiihahme.exe

C:\Windows\SysWOW64\Oepifi32.exe

C:\Windows\system32\Oepifi32.exe

C:\Windows\SysWOW64\Oljaccjf.exe

C:\Windows\system32\Oljaccjf.exe

C:\Windows\SysWOW64\Pjbkgfej.exe

C:\Windows\system32\Pjbkgfej.exe

C:\Windows\SysWOW64\Pckppl32.exe

C:\Windows\system32\Pckppl32.exe

C:\Windows\SysWOW64\Plcdiabk.exe

C:\Windows\system32\Plcdiabk.exe

C:\Windows\SysWOW64\Pcmlfl32.exe

C:\Windows\system32\Pcmlfl32.exe

C:\Windows\SysWOW64\Pjgebf32.exe

C:\Windows\system32\Pjgebf32.exe

C:\Windows\SysWOW64\Qhakoa32.exe

C:\Windows\system32\Qhakoa32.exe

C:\Windows\SysWOW64\Ahchda32.exe

C:\Windows\system32\Ahchda32.exe

C:\Windows\SysWOW64\Acilajpk.exe

C:\Windows\system32\Acilajpk.exe

C:\Windows\SysWOW64\Ajhniccb.exe

C:\Windows\system32\Ajhniccb.exe

C:\Windows\SysWOW64\Aqaffn32.exe

C:\Windows\system32\Aqaffn32.exe

C:\Windows\SysWOW64\Afnnnd32.exe

C:\Windows\system32\Afnnnd32.exe

C:\Windows\SysWOW64\Bqfoamfj.exe

C:\Windows\system32\Bqfoamfj.exe

C:\Windows\SysWOW64\Bcelmhen.exe

C:\Windows\system32\Bcelmhen.exe

C:\Windows\SysWOW64\Bqkill32.exe

C:\Windows\system32\Bqkill32.exe

C:\Windows\SysWOW64\Cqpbglno.exe

C:\Windows\system32\Cqpbglno.exe

C:\Windows\SysWOW64\Ccqkigkp.exe

C:\Windows\system32\Ccqkigkp.exe

C:\Windows\SysWOW64\Cgndoeag.exe

C:\Windows\system32\Cgndoeag.exe

C:\Windows\SysWOW64\Cibmlmeb.exe

C:\Windows\system32\Cibmlmeb.exe

C:\Windows\SysWOW64\Cjaifp32.exe

C:\Windows\system32\Cjaifp32.exe

C:\Windows\SysWOW64\Dpnbog32.exe

C:\Windows\system32\Dpnbog32.exe

C:\Windows\SysWOW64\Dgejpd32.exe

C:\Windows\system32\Dgejpd32.exe

C:\Windows\SysWOW64\Diffglam.exe

C:\Windows\system32\Diffglam.exe

C:\Windows\SysWOW64\Dannij32.exe

C:\Windows\system32\Dannij32.exe

C:\Windows\SysWOW64\Dhhfedil.exe

C:\Windows\system32\Dhhfedil.exe

C:\Windows\SysWOW64\Dfmcfp32.exe

C:\Windows\system32\Dfmcfp32.exe

C:\Windows\SysWOW64\Dikpbl32.exe

C:\Windows\system32\Dikpbl32.exe

C:\Windows\SysWOW64\Dabhdinj.exe

C:\Windows\system32\Dabhdinj.exe

C:\Windows\SysWOW64\Ddadpdmn.exe

C:\Windows\system32\Ddadpdmn.exe

C:\Windows\SysWOW64\Dhlpqc32.exe

C:\Windows\system32\Dhlpqc32.exe

C:\Windows\SysWOW64\Djklmo32.exe

C:\Windows\system32\Djklmo32.exe

C:\Windows\SysWOW64\Dmihij32.exe

C:\Windows\system32\Dmihij32.exe

C:\Windows\SysWOW64\Dpgeee32.exe

C:\Windows\system32\Dpgeee32.exe

C:\Windows\SysWOW64\Dhomfc32.exe

C:\Windows\system32\Dhomfc32.exe

C:\Windows\SysWOW64\Djmibn32.exe

C:\Windows\system32\Djmibn32.exe

C:\Windows\SysWOW64\Emlenj32.exe

C:\Windows\system32\Emlenj32.exe

C:\Windows\SysWOW64\Epjajeqo.exe

C:\Windows\system32\Epjajeqo.exe

C:\Windows\SysWOW64\Efdjgo32.exe

C:\Windows\system32\Efdjgo32.exe

C:\Windows\SysWOW64\Efffmo32.exe

C:\Windows\system32\Efffmo32.exe

C:\Windows\SysWOW64\Ehfcfb32.exe

C:\Windows\system32\Ehfcfb32.exe

C:\Windows\SysWOW64\Embkoi32.exe

C:\Windows\system32\Embkoi32.exe

C:\Windows\SysWOW64\Edmclccp.exe

C:\Windows\system32\Edmclccp.exe

C:\Windows\SysWOW64\Ejflhm32.exe

C:\Windows\system32\Ejflhm32.exe

C:\Windows\SysWOW64\Emehdh32.exe

C:\Windows\system32\Emehdh32.exe

C:\Windows\SysWOW64\Efmmmn32.exe

C:\Windows\system32\Efmmmn32.exe

C:\Windows\SysWOW64\Filiii32.exe

C:\Windows\system32\Filiii32.exe

C:\Windows\SysWOW64\Fpeafcfa.exe

C:\Windows\system32\Fpeafcfa.exe

C:\Windows\SysWOW64\Ffpicn32.exe

C:\Windows\system32\Ffpicn32.exe

C:\Windows\SysWOW64\Fmjaphek.exe

C:\Windows\system32\Fmjaphek.exe

C:\Windows\SysWOW64\Fgbfhmll.exe

C:\Windows\system32\Fgbfhmll.exe

C:\Windows\SysWOW64\Fipbdikp.exe

C:\Windows\system32\Fipbdikp.exe

C:\Windows\SysWOW64\Fdffbake.exe

C:\Windows\system32\Fdffbake.exe

C:\Windows\SysWOW64\Fgdbnmji.exe

C:\Windows\system32\Fgdbnmji.exe

C:\Windows\SysWOW64\Fajgkfio.exe

C:\Windows\system32\Fajgkfio.exe

C:\Windows\SysWOW64\Fhdohp32.exe

C:\Windows\system32\Fhdohp32.exe

C:\Windows\SysWOW64\Fmqgpgoc.exe

C:\Windows\system32\Fmqgpgoc.exe

C:\Windows\SysWOW64\Fdkpma32.exe

C:\Windows\system32\Fdkpma32.exe

C:\Windows\SysWOW64\Gaopfe32.exe

C:\Windows\system32\Gaopfe32.exe

C:\Windows\SysWOW64\Ghhhcomg.exe

C:\Windows\system32\Ghhhcomg.exe

C:\Windows\SysWOW64\Gmeakf32.exe

C:\Windows\system32\Gmeakf32.exe

C:\Windows\SysWOW64\Gdoihpbk.exe

C:\Windows\system32\Gdoihpbk.exe

C:\Windows\SysWOW64\Gkiaej32.exe

C:\Windows\system32\Gkiaej32.exe

C:\Windows\SysWOW64\Gacjadad.exe

C:\Windows\system32\Gacjadad.exe

C:\Windows\SysWOW64\Ghmbno32.exe

C:\Windows\system32\Ghmbno32.exe

C:\Windows\SysWOW64\Gnjjfegi.exe

C:\Windows\system32\Gnjjfegi.exe

C:\Windows\SysWOW64\Gphgbafl.exe

C:\Windows\system32\Gphgbafl.exe

C:\Windows\SysWOW64\Ggbook32.exe

C:\Windows\system32\Ggbook32.exe

C:\Windows\SysWOW64\Gnlgleef.exe

C:\Windows\system32\Gnlgleef.exe

C:\Windows\SysWOW64\Hjchaf32.exe

C:\Windows\system32\Hjchaf32.exe

C:\Windows\SysWOW64\Hjedffig.exe

C:\Windows\system32\Hjedffig.exe

C:\Windows\SysWOW64\Hdkidohn.exe

C:\Windows\system32\Hdkidohn.exe

C:\Windows\SysWOW64\Hdmein32.exe

C:\Windows\system32\Hdmein32.exe

C:\Windows\SysWOW64\Hnfjbdmk.exe

C:\Windows\system32\Hnfjbdmk.exe

C:\Windows\SysWOW64\Hacbhb32.exe

C:\Windows\system32\Hacbhb32.exe

C:\Windows\SysWOW64\Iddljmpc.exe

C:\Windows\system32\Iddljmpc.exe

C:\Windows\SysWOW64\Ikndgg32.exe

C:\Windows\system32\Ikndgg32.exe

C:\Windows\SysWOW64\Ihbdplfi.exe

C:\Windows\system32\Ihbdplfi.exe

C:\Windows\SysWOW64\Iqmidndd.exe

C:\Windows\system32\Iqmidndd.exe

C:\Windows\SysWOW64\Ikcmbfcj.exe

C:\Windows\system32\Ikcmbfcj.exe

C:\Windows\SysWOW64\Ihgnkkbd.exe

C:\Windows\system32\Ihgnkkbd.exe

C:\Windows\SysWOW64\Ibobdqid.exe

C:\Windows\system32\Ibobdqid.exe

C:\Windows\SysWOW64\Jhijqj32.exe

C:\Windows\system32\Jhijqj32.exe

C:\Windows\SysWOW64\Jjjghcfp.exe

C:\Windows\system32\Jjjghcfp.exe

C:\Windows\SysWOW64\Jbaojpgb.exe

C:\Windows\system32\Jbaojpgb.exe

C:\Windows\SysWOW64\Jdpkflfe.exe

C:\Windows\system32\Jdpkflfe.exe

C:\Windows\SysWOW64\Jkjcbe32.exe

C:\Windows\system32\Jkjcbe32.exe

C:\Windows\SysWOW64\Jnhpoamf.exe

C:\Windows\system32\Jnhpoamf.exe

C:\Windows\SysWOW64\Jqglkmlj.exe

C:\Windows\system32\Jqglkmlj.exe

C:\Windows\SysWOW64\Jhndljll.exe

C:\Windows\system32\Jhndljll.exe

C:\Windows\SysWOW64\Jklphekp.exe

C:\Windows\system32\Jklphekp.exe

C:\Windows\SysWOW64\Jdedak32.exe

C:\Windows\system32\Jdedak32.exe

C:\Windows\SysWOW64\Jgcamf32.exe

C:\Windows\system32\Jgcamf32.exe

C:\Windows\SysWOW64\Jjamia32.exe

C:\Windows\system32\Jjamia32.exe

C:\Windows\SysWOW64\Jbiejoaj.exe

C:\Windows\system32\Jbiejoaj.exe

C:\Windows\SysWOW64\Jkaicd32.exe

C:\Windows\system32\Jkaicd32.exe

C:\Windows\SysWOW64\Jnpfop32.exe

C:\Windows\system32\Jnpfop32.exe

C:\Windows\SysWOW64\Kghjhemo.exe

C:\Windows\system32\Kghjhemo.exe

C:\Windows\SysWOW64\Kbmoen32.exe

C:\Windows\system32\Kbmoen32.exe

C:\Windows\SysWOW64\Kelkaj32.exe

C:\Windows\system32\Kelkaj32.exe

C:\Windows\SysWOW64\Kkfcndce.exe

C:\Windows\system32\Kkfcndce.exe

C:\Windows\SysWOW64\Kenggi32.exe

C:\Windows\system32\Kenggi32.exe

C:\Windows\SysWOW64\Kkhpdcab.exe

C:\Windows\system32\Kkhpdcab.exe

C:\Windows\SysWOW64\Kbbhqn32.exe

C:\Windows\system32\Kbbhqn32.exe

C:\Windows\SysWOW64\Kilpmh32.exe

C:\Windows\system32\Kilpmh32.exe

C:\Windows\SysWOW64\Kjmmepfj.exe

C:\Windows\system32\Kjmmepfj.exe

C:\Windows\SysWOW64\Kinmcg32.exe

C:\Windows\system32\Kinmcg32.exe

C:\Windows\SysWOW64\Lajagj32.exe

C:\Windows\system32\Lajagj32.exe

C:\Windows\SysWOW64\Liqihglg.exe

C:\Windows\system32\Liqihglg.exe

C:\Windows\SysWOW64\Ljbfpo32.exe

C:\Windows\system32\Ljbfpo32.exe

C:\Windows\SysWOW64\Licfngjd.exe

C:\Windows\system32\Licfngjd.exe

C:\Windows\SysWOW64\Ljdceo32.exe

C:\Windows\system32\Ljdceo32.exe

C:\Windows\SysWOW64\Lghcocol.exe

C:\Windows\system32\Lghcocol.exe

C:\Windows\SysWOW64\Ljgpkonp.exe

C:\Windows\system32\Ljgpkonp.exe

C:\Windows\SysWOW64\Lihpif32.exe

C:\Windows\system32\Lihpif32.exe

C:\Windows\SysWOW64\Llflea32.exe

C:\Windows\system32\Llflea32.exe

C:\Windows\SysWOW64\Lijlof32.exe

C:\Windows\system32\Lijlof32.exe

C:\Windows\SysWOW64\Mngegmbc.exe

C:\Windows\system32\Mngegmbc.exe

C:\Windows\SysWOW64\Maeachag.exe

C:\Windows\system32\Maeachag.exe

C:\Windows\SysWOW64\Milidebi.exe

C:\Windows\system32\Milidebi.exe

C:\Windows\SysWOW64\Miofjepg.exe

C:\Windows\system32\Miofjepg.exe

C:\Windows\SysWOW64\Mjpbam32.exe

C:\Windows\system32\Mjpbam32.exe

C:\Windows\SysWOW64\Mbgjbkfg.exe

C:\Windows\system32\Mbgjbkfg.exe

C:\Windows\SysWOW64\Miaboe32.exe

C:\Windows\system32\Miaboe32.exe

C:\Windows\SysWOW64\Mjbogmdb.exe

C:\Windows\system32\Mjbogmdb.exe

C:\Windows\SysWOW64\Malgcg32.exe

C:\Windows\system32\Malgcg32.exe

C:\Windows\SysWOW64\Micoed32.exe

C:\Windows\system32\Micoed32.exe

C:\Windows\SysWOW64\Maodigil.exe

C:\Windows\system32\Maodigil.exe

C:\Windows\SysWOW64\Nbnpcj32.exe

C:\Windows\system32\Nbnpcj32.exe

C:\Windows\SysWOW64\Nemmoe32.exe

C:\Windows\system32\Nemmoe32.exe

C:\Windows\SysWOW64\Noeahkfc.exe

C:\Windows\system32\Noeahkfc.exe

C:\Windows\SysWOW64\Nhmeapmd.exe

C:\Windows\system32\Nhmeapmd.exe

C:\Windows\SysWOW64\Nimbkc32.exe

C:\Windows\system32\Nimbkc32.exe

C:\Windows\SysWOW64\Nahgoe32.exe

C:\Windows\system32\Nahgoe32.exe

C:\Windows\SysWOW64\Nkqkhk32.exe

C:\Windows\system32\Nkqkhk32.exe

C:\Windows\SysWOW64\Nlphbnoe.exe

C:\Windows\system32\Nlphbnoe.exe

C:\Windows\SysWOW64\Ohghgodi.exe

C:\Windows\system32\Ohghgodi.exe

C:\Windows\SysWOW64\Ohiemobf.exe

C:\Windows\system32\Ohiemobf.exe

C:\Windows\SysWOW64\Oihagaji.exe

C:\Windows\system32\Oihagaji.exe

C:\Windows\SysWOW64\Oadfkdgd.exe

C:\Windows\system32\Oadfkdgd.exe

C:\Windows\SysWOW64\Olijhmgj.exe

C:\Windows\system32\Olijhmgj.exe

C:\Windows\SysWOW64\Obcceg32.exe

C:\Windows\system32\Obcceg32.exe

C:\Windows\SysWOW64\Pojcjh32.exe

C:\Windows\system32\Pojcjh32.exe

C:\Windows\SysWOW64\Plndcl32.exe

C:\Windows\system32\Plndcl32.exe

C:\Windows\SysWOW64\Pibdmp32.exe

C:\Windows\system32\Pibdmp32.exe

C:\Windows\SysWOW64\Poomegpf.exe

C:\Windows\system32\Poomegpf.exe

C:\Windows\SysWOW64\Peieba32.exe

C:\Windows\system32\Peieba32.exe

C:\Windows\SysWOW64\Plbmokop.exe

C:\Windows\system32\Plbmokop.exe

C:\Windows\SysWOW64\Poajkgnc.exe

C:\Windows\system32\Poajkgnc.exe

C:\Windows\SysWOW64\Pabblb32.exe

C:\Windows\system32\Pabblb32.exe

C:\Windows\SysWOW64\Qlggjk32.exe

C:\Windows\system32\Qlggjk32.exe

C:\Windows\SysWOW64\Qcaofebg.exe

C:\Windows\system32\Qcaofebg.exe

C:\Windows\SysWOW64\Qhngolpo.exe

C:\Windows\system32\Qhngolpo.exe

C:\Windows\SysWOW64\Qohpkf32.exe

C:\Windows\system32\Qohpkf32.exe

C:\Windows\SysWOW64\Ajndioga.exe

C:\Windows\system32\Ajndioga.exe

C:\Windows\SysWOW64\Akoqpg32.exe

C:\Windows\system32\Akoqpg32.exe

C:\Windows\SysWOW64\Aaiimadl.exe

C:\Windows\system32\Aaiimadl.exe

C:\Windows\SysWOW64\Ahcajk32.exe

C:\Windows\system32\Ahcajk32.exe

C:\Windows\SysWOW64\Akamff32.exe

C:\Windows\system32\Akamff32.exe

C:\Windows\SysWOW64\Afgacokc.exe

C:\Windows\system32\Afgacokc.exe

C:\Windows\SysWOW64\Ahenokjf.exe

C:\Windows\system32\Ahenokjf.exe

C:\Windows\SysWOW64\Afinioip.exe

C:\Windows\system32\Afinioip.exe

C:\Windows\SysWOW64\Alcfei32.exe

C:\Windows\system32\Alcfei32.exe

C:\Windows\SysWOW64\Afkknogn.exe

C:\Windows\system32\Afkknogn.exe

C:\Windows\SysWOW64\Aleckinj.exe

C:\Windows\system32\Aleckinj.exe

C:\Windows\SysWOW64\Bfngdn32.exe

C:\Windows\system32\Bfngdn32.exe

C:\Windows\SysWOW64\Boflmdkk.exe

C:\Windows\system32\Boflmdkk.exe

C:\Windows\SysWOW64\Bkmmaeap.exe

C:\Windows\system32\Bkmmaeap.exe

C:\Windows\SysWOW64\Bbgeno32.exe

C:\Windows\system32\Bbgeno32.exe

C:\Windows\SysWOW64\Bokehc32.exe

C:\Windows\system32\Bokehc32.exe

C:\Windows\SysWOW64\Bfendmoc.exe

C:\Windows\system32\Bfendmoc.exe

C:\Windows\SysWOW64\Bhcjqinf.exe

C:\Windows\system32\Bhcjqinf.exe

C:\Windows\SysWOW64\Bheffh32.exe

C:\Windows\system32\Bheffh32.exe

C:\Windows\SysWOW64\Bopocbcq.exe

C:\Windows\system32\Bopocbcq.exe

C:\Windows\SysWOW64\Cfigpm32.exe

C:\Windows\system32\Cfigpm32.exe

C:\Windows\SysWOW64\Cobkhb32.exe

C:\Windows\system32\Cobkhb32.exe

C:\Windows\SysWOW64\Cbphdn32.exe

C:\Windows\system32\Cbphdn32.exe

C:\Windows\SysWOW64\Cimmggfl.exe

C:\Windows\system32\Cimmggfl.exe

C:\Windows\SysWOW64\Cioilg32.exe

C:\Windows\system32\Cioilg32.exe

C:\Windows\SysWOW64\Cbgnemjj.exe

C:\Windows\system32\Cbgnemjj.exe

C:\Windows\SysWOW64\Ciafbg32.exe

C:\Windows\system32\Ciafbg32.exe

C:\Windows\SysWOW64\Ccgjopal.exe

C:\Windows\system32\Ccgjopal.exe

C:\Windows\SysWOW64\Dpnkdq32.exe

C:\Windows\system32\Dpnkdq32.exe

C:\Windows\SysWOW64\Djcoai32.exe

C:\Windows\system32\Djcoai32.exe

C:\Windows\SysWOW64\Dckdjomg.exe

C:\Windows\system32\Dckdjomg.exe

C:\Windows\SysWOW64\Djelgied.exe

C:\Windows\system32\Djelgied.exe

C:\Windows\SysWOW64\Djhimica.exe

C:\Windows\system32\Djhimica.exe

C:\Windows\SysWOW64\Dcpmen32.exe

C:\Windows\system32\Dcpmen32.exe

C:\Windows\SysWOW64\Dpgnjo32.exe

C:\Windows\system32\Dpgnjo32.exe

C:\Windows\SysWOW64\Ebejfk32.exe

C:\Windows\system32\Ebejfk32.exe

C:\Windows\SysWOW64\Emkndc32.exe

C:\Windows\system32\Emkndc32.exe

C:\Windows\SysWOW64\Efccmidp.exe

C:\Windows\system32\Efccmidp.exe

C:\Windows\SysWOW64\Emmkiclm.exe

C:\Windows\system32\Emmkiclm.exe

C:\Windows\SysWOW64\Ejalcgkg.exe

C:\Windows\system32\Ejalcgkg.exe

C:\Windows\SysWOW64\Eciplm32.exe

C:\Windows\system32\Eciplm32.exe

C:\Windows\SysWOW64\Eifhdd32.exe

C:\Windows\system32\Eifhdd32.exe

C:\Windows\SysWOW64\Eppqqn32.exe

C:\Windows\system32\Eppqqn32.exe

C:\Windows\SysWOW64\Efjimhnh.exe

C:\Windows\system32\Efjimhnh.exe

C:\Windows\SysWOW64\Elgaeolp.exe

C:\Windows\system32\Elgaeolp.exe

C:\Windows\SysWOW64\Fjhacf32.exe

C:\Windows\system32\Fjhacf32.exe

C:\Windows\SysWOW64\Flinkojm.exe

C:\Windows\system32\Flinkojm.exe

C:\Windows\SysWOW64\Ffobhg32.exe

C:\Windows\system32\Ffobhg32.exe

C:\Windows\SysWOW64\Fllkqn32.exe

C:\Windows\system32\Fllkqn32.exe

C:\Windows\SysWOW64\Fdccbl32.exe

C:\Windows\system32\Fdccbl32.exe

C:\Windows\SysWOW64\Fjmkoeqi.exe

C:\Windows\system32\Fjmkoeqi.exe

C:\Windows\SysWOW64\Fmkgkapm.exe

C:\Windows\system32\Fmkgkapm.exe

C:\Windows\SysWOW64\Fpjcgm32.exe

C:\Windows\system32\Fpjcgm32.exe

C:\Windows\SysWOW64\Fbhpch32.exe

C:\Windows\system32\Fbhpch32.exe

C:\Windows\SysWOW64\Fjohde32.exe

C:\Windows\system32\Fjohde32.exe

C:\Windows\SysWOW64\Fmndpq32.exe

C:\Windows\system32\Fmndpq32.exe

C:\Windows\SysWOW64\Flqdlnde.exe

C:\Windows\system32\Flqdlnde.exe

C:\Windows\SysWOW64\Fdglmkeg.exe

C:\Windows\system32\Fdglmkeg.exe

C:\Windows\SysWOW64\Fmpqfq32.exe

C:\Windows\system32\Fmpqfq32.exe

C:\Windows\SysWOW64\Gdjibj32.exe

C:\Windows\system32\Gdjibj32.exe

C:\Windows\SysWOW64\Gfheof32.exe

C:\Windows\system32\Gfheof32.exe

C:\Windows\SysWOW64\Gfkbde32.exe

C:\Windows\system32\Gfkbde32.exe

C:\Windows\SysWOW64\Giinpa32.exe

C:\Windows\system32\Giinpa32.exe

C:\Windows\SysWOW64\Gpcfmkff.exe

C:\Windows\system32\Gpcfmkff.exe

C:\Windows\SysWOW64\Gljgbllj.exe

C:\Windows\system32\Gljgbllj.exe

C:\Windows\SysWOW64\Glldgljg.exe

C:\Windows\system32\Glldgljg.exe

C:\Windows\SysWOW64\Gbfldf32.exe

C:\Windows\system32\Gbfldf32.exe

C:\Windows\SysWOW64\Ggahedjn.exe

C:\Windows\system32\Ggahedjn.exe

C:\Windows\SysWOW64\Hmlpaoaj.exe

C:\Windows\system32\Hmlpaoaj.exe

C:\Windows\SysWOW64\Hdehni32.exe

C:\Windows\system32\Hdehni32.exe

C:\Windows\SysWOW64\Hgdejd32.exe

C:\Windows\system32\Hgdejd32.exe

C:\Windows\SysWOW64\Hckeoeno.exe

C:\Windows\system32\Hckeoeno.exe

C:\Windows\SysWOW64\Hpofii32.exe

C:\Windows\system32\Hpofii32.exe

C:\Windows\SysWOW64\Higjaoci.exe

C:\Windows\system32\Higjaoci.exe

C:\Windows\SysWOW64\Hdmoohbo.exe

C:\Windows\system32\Hdmoohbo.exe

C:\Windows\SysWOW64\Hpcodihc.exe

C:\Windows\system32\Hpcodihc.exe

C:\Windows\SysWOW64\Hgmgqc32.exe

C:\Windows\system32\Hgmgqc32.exe

C:\Windows\SysWOW64\Ingpmmgm.exe

C:\Windows\system32\Ingpmmgm.exe

C:\Windows\SysWOW64\Iinqbn32.exe

C:\Windows\system32\Iinqbn32.exe

C:\Windows\SysWOW64\Iknmla32.exe

C:\Windows\system32\Iknmla32.exe

C:\Windows\SysWOW64\Iciaqc32.exe

C:\Windows\system32\Iciaqc32.exe

C:\Windows\SysWOW64\Ilafiihp.exe

C:\Windows\system32\Ilafiihp.exe

C:\Windows\SysWOW64\Icknfcol.exe

C:\Windows\system32\Icknfcol.exe

C:\Windows\SysWOW64\Idkkpf32.exe

C:\Windows\system32\Idkkpf32.exe

C:\Windows\SysWOW64\Icnklbmj.exe

C:\Windows\system32\Icnklbmj.exe

C:\Windows\SysWOW64\Jgkdbacp.exe

C:\Windows\system32\Jgkdbacp.exe

C:\Windows\SysWOW64\Jjlmclqa.exe

C:\Windows\system32\Jjlmclqa.exe

C:\Windows\SysWOW64\Jcdala32.exe

C:\Windows\system32\Jcdala32.exe

C:\Windows\SysWOW64\Jqhafffk.exe

C:\Windows\system32\Jqhafffk.exe

C:\Windows\SysWOW64\Jknfcofa.exe

C:\Windows\system32\Jknfcofa.exe

C:\Windows\SysWOW64\Jqknkedi.exe

C:\Windows\system32\Jqknkedi.exe

C:\Windows\SysWOW64\Kdigadjo.exe

C:\Windows\system32\Kdigadjo.exe

C:\Windows\SysWOW64\Kqphfe32.exe

C:\Windows\system32\Kqphfe32.exe

C:\Windows\SysWOW64\Kmfhkf32.exe

C:\Windows\system32\Kmfhkf32.exe

C:\Windows\SysWOW64\Kcbnnpka.exe

C:\Windows\system32\Kcbnnpka.exe

C:\Windows\SysWOW64\Lgqfdnah.exe

C:\Windows\system32\Lgqfdnah.exe

C:\Windows\SysWOW64\Lddgmbpb.exe

C:\Windows\system32\Lddgmbpb.exe

C:\Windows\SysWOW64\Lgccinoe.exe

C:\Windows\system32\Lgccinoe.exe

C:\Windows\SysWOW64\Lcjcnoej.exe

C:\Windows\system32\Lcjcnoej.exe

C:\Windows\SysWOW64\Lggldm32.exe

C:\Windows\system32\Lggldm32.exe

C:\Windows\SysWOW64\Ljfhqh32.exe

C:\Windows\system32\Ljfhqh32.exe

C:\Windows\SysWOW64\Lekmnajj.exe

C:\Windows\system32\Lekmnajj.exe

C:\Windows\SysWOW64\Lgjijmin.exe

C:\Windows\system32\Lgjijmin.exe

C:\Windows\SysWOW64\Lmgabcge.exe

C:\Windows\system32\Lmgabcge.exe

C:\Windows\SysWOW64\Lenicahg.exe

C:\Windows\system32\Lenicahg.exe

C:\Windows\SysWOW64\Mnfnlf32.exe

C:\Windows\system32\Mnfnlf32.exe

C:\Windows\SysWOW64\Mgobel32.exe

C:\Windows\system32\Mgobel32.exe

C:\Windows\SysWOW64\Mnhkbfme.exe

C:\Windows\system32\Mnhkbfme.exe

C:\Windows\SysWOW64\Mcecjmkl.exe

C:\Windows\system32\Mcecjmkl.exe

C:\Windows\SysWOW64\Mkmkkjko.exe

C:\Windows\system32\Mkmkkjko.exe

C:\Windows\SysWOW64\Mgclpkac.exe

C:\Windows\system32\Mgclpkac.exe

C:\Windows\SysWOW64\Mjahlgpf.exe

C:\Windows\system32\Mjahlgpf.exe

C:\Windows\SysWOW64\Manmoq32.exe

C:\Windows\system32\Manmoq32.exe

C:\Windows\SysWOW64\Nnbnhedj.exe

C:\Windows\system32\Nnbnhedj.exe

C:\Windows\SysWOW64\Ngjbaj32.exe

C:\Windows\system32\Ngjbaj32.exe

C:\Windows\SysWOW64\Nabfjpak.exe

C:\Windows\system32\Nabfjpak.exe

C:\Windows\SysWOW64\Nhokljge.exe

C:\Windows\system32\Nhokljge.exe

C:\Windows\SysWOW64\Neclenfo.exe

C:\Windows\system32\Neclenfo.exe

C:\Windows\SysWOW64\Odhifjkg.exe

C:\Windows\system32\Odhifjkg.exe

C:\Windows\SysWOW64\Odjeljhd.exe

C:\Windows\system32\Odjeljhd.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Oldjcg32.exe

C:\Windows\system32\Oldjcg32.exe

C:\Windows\SysWOW64\Oelolmnd.exe

C:\Windows\system32\Oelolmnd.exe

C:\Windows\SysWOW64\Omgcpokp.exe

C:\Windows\system32\Omgcpokp.exe

C:\Windows\SysWOW64\Pddhbipj.exe

C:\Windows\system32\Pddhbipj.exe

C:\Windows\SysWOW64\Pmlmkn32.exe

C:\Windows\system32\Pmlmkn32.exe

C:\Windows\SysWOW64\Pdfehh32.exe

C:\Windows\system32\Pdfehh32.exe

C:\Windows\SysWOW64\Pkpmdbfd.exe

C:\Windows\system32\Pkpmdbfd.exe

C:\Windows\SysWOW64\Phdnngdn.exe

C:\Windows\system32\Phdnngdn.exe

C:\Windows\SysWOW64\Phfjcf32.exe

C:\Windows\system32\Phfjcf32.exe

C:\Windows\SysWOW64\Pkgcea32.exe

C:\Windows\system32\Pkgcea32.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qeodhjmo.exe

C:\Windows\system32\Qeodhjmo.exe

C:\Windows\SysWOW64\Amjillkj.exe

C:\Windows\system32\Amjillkj.exe

C:\Windows\SysWOW64\Alkijdci.exe

C:\Windows\system32\Alkijdci.exe

C:\Windows\SysWOW64\Akqfkp32.exe

C:\Windows\system32\Akqfkp32.exe

C:\Windows\SysWOW64\Adikdfna.exe

C:\Windows\system32\Adikdfna.exe

C:\Windows\SysWOW64\Anaomkdb.exe

C:\Windows\system32\Anaomkdb.exe

C:\Windows\SysWOW64\Adkgje32.exe

C:\Windows\system32\Adkgje32.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Alelqb32.exe

C:\Windows\system32\Alelqb32.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Badanigc.exe

C:\Windows\system32\Badanigc.exe

C:\Windows\SysWOW64\Blielbfi.exe

C:\Windows\system32\Blielbfi.exe

C:\Windows\SysWOW64\Bddjpd32.exe

C:\Windows\system32\Bddjpd32.exe

C:\Windows\SysWOW64\Bahkih32.exe

C:\Windows\system32\Bahkih32.exe

C:\Windows\SysWOW64\Bnoknihb.exe

C:\Windows\system32\Bnoknihb.exe

C:\Windows\SysWOW64\Blqllqqa.exe

C:\Windows\system32\Blqllqqa.exe

C:\Windows\SysWOW64\Chglab32.exe

C:\Windows\system32\Chglab32.exe

C:\Windows\SysWOW64\Cndeii32.exe

C:\Windows\system32\Cndeii32.exe

C:\Windows\SysWOW64\Chiigadc.exe

C:\Windows\system32\Chiigadc.exe

C:\Windows\SysWOW64\Cfnjpfcl.exe

C:\Windows\system32\Cfnjpfcl.exe

C:\Windows\SysWOW64\Cofnik32.exe

C:\Windows\system32\Cofnik32.exe

C:\Windows\SysWOW64\Cdbfab32.exe

C:\Windows\system32\Cdbfab32.exe

C:\Windows\SysWOW64\Cohkokgj.exe

C:\Windows\system32\Cohkokgj.exe

C:\Windows\SysWOW64\Chqogq32.exe

C:\Windows\system32\Chqogq32.exe

C:\Windows\SysWOW64\Dkokcl32.exe

C:\Windows\system32\Dkokcl32.exe

C:\Windows\SysWOW64\Dbicpfdk.exe

C:\Windows\system32\Dbicpfdk.exe

C:\Windows\SysWOW64\Domdjj32.exe

C:\Windows\system32\Domdjj32.exe

C:\Windows\SysWOW64\Ddjmba32.exe

C:\Windows\system32\Ddjmba32.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Dkfadkgf.exe

C:\Windows\system32\Dkfadkgf.exe

C:\Windows\SysWOW64\Dbpjaeoc.exe

C:\Windows\system32\Dbpjaeoc.exe

C:\Windows\SysWOW64\Dngjff32.exe

C:\Windows\system32\Dngjff32.exe

C:\Windows\SysWOW64\Dfnbgc32.exe

C:\Windows\system32\Dfnbgc32.exe

C:\Windows\SysWOW64\Eiloco32.exe

C:\Windows\system32\Eiloco32.exe

C:\Windows\SysWOW64\Efpomccg.exe

C:\Windows\system32\Efpomccg.exe

C:\Windows\SysWOW64\Ekmhejao.exe

C:\Windows\system32\Ekmhejao.exe

C:\Windows\SysWOW64\Eeelnp32.exe

C:\Windows\system32\Eeelnp32.exe

C:\Windows\SysWOW64\Ebimgcfi.exe

C:\Windows\system32\Ebimgcfi.exe

C:\Windows\SysWOW64\Eicedn32.exe

C:\Windows\system32\Eicedn32.exe

C:\Windows\SysWOW64\Enpmld32.exe

C:\Windows\system32\Enpmld32.exe

C:\Windows\SysWOW64\Eifaim32.exe

C:\Windows\system32\Eifaim32.exe

C:\Windows\SysWOW64\Ekdnei32.exe

C:\Windows\system32\Ekdnei32.exe

C:\Windows\SysWOW64\Felbnn32.exe

C:\Windows\system32\Felbnn32.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fmfgek32.exe

C:\Windows\system32\Fmfgek32.exe

C:\Windows\SysWOW64\Fpdcag32.exe

C:\Windows\system32\Fpdcag32.exe

C:\Windows\SysWOW64\Fealin32.exe

C:\Windows\system32\Fealin32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\system32\Fpgpgfmh.exe

C:\Windows\SysWOW64\Fechomko.exe

C:\Windows\system32\Fechomko.exe

C:\Windows\SysWOW64\Fmkqpkla.exe

C:\Windows\system32\Fmkqpkla.exe

C:\Windows\SysWOW64\Fnlmhc32.exe

C:\Windows\system32\Fnlmhc32.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Flpmagqi.exe

C:\Windows\system32\Flpmagqi.exe

C:\Windows\SysWOW64\Gfeaopqo.exe

C:\Windows\system32\Gfeaopqo.exe

C:\Windows\SysWOW64\Gpnfge32.exe

C:\Windows\system32\Gpnfge32.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gppcmeem.exe

C:\Windows\system32\Gppcmeem.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Gnepna32.exe

C:\Windows\system32\Gnepna32.exe

C:\Windows\SysWOW64\Geohklaa.exe

C:\Windows\system32\Geohklaa.exe

C:\Windows\SysWOW64\Glipgf32.exe

C:\Windows\system32\Glipgf32.exe

C:\Windows\SysWOW64\Gfodeohd.exe

C:\Windows\system32\Gfodeohd.exe

C:\Windows\SysWOW64\Gmimai32.exe

C:\Windows\system32\Gmimai32.exe

C:\Windows\SysWOW64\Hedafk32.exe

C:\Windows\system32\Hedafk32.exe

C:\Windows\SysWOW64\Hmkigh32.exe

C:\Windows\system32\Hmkigh32.exe

C:\Windows\SysWOW64\Hfcnpn32.exe

C:\Windows\system32\Hfcnpn32.exe

C:\Windows\SysWOW64\Hmmfmhll.exe

C:\Windows\system32\Hmmfmhll.exe

C:\Windows\SysWOW64\Hbjoeojc.exe

C:\Windows\system32\Hbjoeojc.exe

C:\Windows\SysWOW64\Hpnoncim.exe

C:\Windows\system32\Hpnoncim.exe

C:\Windows\SysWOW64\Hifcgion.exe

C:\Windows\system32\Hifcgion.exe

C:\Windows\SysWOW64\Hlepcdoa.exe

C:\Windows\system32\Hlepcdoa.exe

C:\Windows\SysWOW64\Hemdlj32.exe

C:\Windows\system32\Hemdlj32.exe

C:\Windows\SysWOW64\Hoeieolb.exe

C:\Windows\system32\Hoeieolb.exe

C:\Windows\SysWOW64\Iepaaico.exe

C:\Windows\system32\Iepaaico.exe

C:\Windows\SysWOW64\Ipeeobbe.exe

C:\Windows\system32\Ipeeobbe.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Iedjmioj.exe

C:\Windows\system32\Iedjmioj.exe

C:\Windows\SysWOW64\Ipjoja32.exe

C:\Windows\system32\Ipjoja32.exe

C:\Windows\SysWOW64\Ibhkfm32.exe

C:\Windows\system32\Ibhkfm32.exe

C:\Windows\SysWOW64\Ilqoobdd.exe

C:\Windows\system32\Ilqoobdd.exe

C:\Windows\SysWOW64\Igfclkdj.exe

C:\Windows\system32\Igfclkdj.exe

C:\Windows\SysWOW64\Joahqn32.exe

C:\Windows\system32\Joahqn32.exe

C:\Windows\SysWOW64\Jekqmhia.exe

C:\Windows\system32\Jekqmhia.exe

C:\Windows\SysWOW64\Jmbhoeid.exe

C:\Windows\system32\Jmbhoeid.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jmeede32.exe

C:\Windows\system32\Jmeede32.exe

C:\Windows\SysWOW64\Jofalmmp.exe

C:\Windows\system32\Jofalmmp.exe

C:\Windows\SysWOW64\Jepjhg32.exe

C:\Windows\system32\Jepjhg32.exe

C:\Windows\SysWOW64\Jngbjd32.exe

C:\Windows\system32\Jngbjd32.exe

C:\Windows\SysWOW64\Jcdjbk32.exe

C:\Windows\system32\Jcdjbk32.exe

C:\Windows\SysWOW64\Jniood32.exe

C:\Windows\system32\Jniood32.exe

C:\Windows\SysWOW64\Jokkgl32.exe

C:\Windows\system32\Jokkgl32.exe

C:\Windows\SysWOW64\Jgbchj32.exe

C:\Windows\system32\Jgbchj32.exe

C:\Windows\SysWOW64\Jlolpq32.exe

C:\Windows\system32\Jlolpq32.exe

C:\Windows\SysWOW64\Kgdpni32.exe

C:\Windows\system32\Kgdpni32.exe

C:\Windows\SysWOW64\Knnhjcog.exe

C:\Windows\system32\Knnhjcog.exe

C:\Windows\SysWOW64\Kpmdfonj.exe

C:\Windows\system32\Kpmdfonj.exe

C:\Windows\SysWOW64\Kgflcifg.exe

C:\Windows\system32\Kgflcifg.exe

C:\Windows\SysWOW64\Klcekpdo.exe

C:\Windows\system32\Klcekpdo.exe

C:\Windows\SysWOW64\Koaagkcb.exe

C:\Windows\system32\Koaagkcb.exe

C:\Windows\SysWOW64\Kflide32.exe

C:\Windows\system32\Kflide32.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kgkfnh32.exe

C:\Windows\system32\Kgkfnh32.exe

C:\Windows\SysWOW64\Kjjbjd32.exe

C:\Windows\system32\Kjjbjd32.exe

C:\Windows\SysWOW64\Kpcjgnhb.exe

C:\Windows\system32\Kpcjgnhb.exe

C:\Windows\SysWOW64\Kgnbdh32.exe

C:\Windows\system32\Kgnbdh32.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Lgpoihnl.exe

C:\Windows\system32\Lgpoihnl.exe

C:\Windows\SysWOW64\Llmhaold.exe

C:\Windows\system32\Llmhaold.exe

C:\Windows\SysWOW64\Lokdnjkg.exe

C:\Windows\system32\Lokdnjkg.exe

C:\Windows\SysWOW64\Lgbloglj.exe

C:\Windows\system32\Lgbloglj.exe

C:\Windows\SysWOW64\Lqkqhm32.exe

C:\Windows\system32\Lqkqhm32.exe

C:\Windows\SysWOW64\Lnoaaaad.exe

C:\Windows\system32\Lnoaaaad.exe

C:\Windows\SysWOW64\Lqmmmmph.exe

C:\Windows\system32\Lqmmmmph.exe

C:\Windows\SysWOW64\Lfjfecno.exe

C:\Windows\system32\Lfjfecno.exe

C:\Windows\SysWOW64\Lcnfohmi.exe

C:\Windows\system32\Lcnfohmi.exe

C:\Windows\SysWOW64\Ljhnlb32.exe

C:\Windows\system32\Ljhnlb32.exe

C:\Windows\SysWOW64\Mqafhl32.exe

C:\Windows\system32\Mqafhl32.exe

C:\Windows\SysWOW64\Mgloefco.exe

C:\Windows\system32\Mgloefco.exe

C:\Windows\SysWOW64\Mmhgmmbf.exe

C:\Windows\system32\Mmhgmmbf.exe

C:\Windows\SysWOW64\Mcbpjg32.exe

C:\Windows\system32\Mcbpjg32.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Mmkdcm32.exe

C:\Windows\system32\Mmkdcm32.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mjodla32.exe

C:\Windows\system32\Mjodla32.exe

C:\Windows\SysWOW64\Mcgiefen.exe

C:\Windows\system32\Mcgiefen.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Mcifkf32.exe

C:\Windows\system32\Mcifkf32.exe

C:\Windows\SysWOW64\Nnojho32.exe

C:\Windows\system32\Nnojho32.exe

C:\Windows\SysWOW64\Nclbpf32.exe

C:\Windows\system32\Nclbpf32.exe

C:\Windows\SysWOW64\Njfkmphe.exe

C:\Windows\system32\Njfkmphe.exe

C:\Windows\SysWOW64\Nqpcjj32.exe

C:\Windows\system32\Nqpcjj32.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Nqbpojnp.exe

C:\Windows\system32\Nqbpojnp.exe

C:\Windows\SysWOW64\Nfohgqlg.exe

C:\Windows\system32\Nfohgqlg.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Oaifpi32.exe

C:\Windows\system32\Oaifpi32.exe

C:\Windows\SysWOW64\Ogcnmc32.exe

C:\Windows\system32\Ogcnmc32.exe

C:\Windows\SysWOW64\Opnbae32.exe

C:\Windows\system32\Opnbae32.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Oaplqh32.exe

C:\Windows\system32\Oaplqh32.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Omgmeigd.exe

C:\Windows\system32\Omgmeigd.exe

C:\Windows\SysWOW64\Opeiadfg.exe

C:\Windows\system32\Opeiadfg.exe

C:\Windows\SysWOW64\Pjkmomfn.exe

C:\Windows\system32\Pjkmomfn.exe

C:\Windows\SysWOW64\Paeelgnj.exe

C:\Windows\system32\Paeelgnj.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pmlfqh32.exe

C:\Windows\system32\Pmlfqh32.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Pdjgha32.exe

C:\Windows\system32\Pdjgha32.exe

C:\Windows\SysWOW64\Pmblagmf.exe

C:\Windows\system32\Pmblagmf.exe

C:\Windows\SysWOW64\Qfkqjmdg.exe

C:\Windows\system32\Qfkqjmdg.exe

C:\Windows\SysWOW64\Qmeigg32.exe

C:\Windows\system32\Qmeigg32.exe

C:\Windows\SysWOW64\Qfmmplad.exe

C:\Windows\system32\Qfmmplad.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Ahofoogd.exe

C:\Windows\system32\Ahofoogd.exe

C:\Windows\SysWOW64\Aoioli32.exe

C:\Windows\system32\Aoioli32.exe

C:\Windows\SysWOW64\Apjkcadp.exe

C:\Windows\system32\Apjkcadp.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Ahfmpnql.exe

C:\Windows\system32\Ahfmpnql.exe

C:\Windows\SysWOW64\Apaadpng.exe

C:\Windows\system32\Apaadpng.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Baannc32.exe

C:\Windows\system32\Baannc32.exe

C:\Windows\SysWOW64\Boenhgdd.exe

C:\Windows\system32\Boenhgdd.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bklomh32.exe

C:\Windows\system32\Bklomh32.exe

C:\Windows\SysWOW64\Baegibae.exe

C:\Windows\system32\Baegibae.exe

C:\Windows\SysWOW64\Bddcenpi.exe

C:\Windows\system32\Bddcenpi.exe

C:\Windows\SysWOW64\Bgbpaipl.exe

C:\Windows\system32\Bgbpaipl.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Bdfpkm32.exe

C:\Windows\system32\Bdfpkm32.exe

C:\Windows\SysWOW64\Bkphhgfc.exe

C:\Windows\system32\Bkphhgfc.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Ckbemgcp.exe

C:\Windows\system32\Ckbemgcp.exe

C:\Windows\SysWOW64\Cdkifmjq.exe

C:\Windows\system32\Cdkifmjq.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Coqncejg.exe

C:\Windows\system32\Coqncejg.exe

C:\Windows\SysWOW64\Cglbhhga.exe

C:\Windows\system32\Cglbhhga.exe

C:\Windows\SysWOW64\Cnfkdb32.exe

C:\Windows\system32\Cnfkdb32.exe

C:\Windows\SysWOW64\Cgnomg32.exe

C:\Windows\system32\Cgnomg32.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dojqjdbl.exe

C:\Windows\system32\Dojqjdbl.exe

C:\Windows\SysWOW64\Dhbebj32.exe

C:\Windows\system32\Dhbebj32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/2648-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2648-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Nemcjk32.exe

MD5 0df8663fe6ee302baa5d846315bf8b7b
SHA1 08674016b3e11eed2bb9d6edee57db071242c956
SHA256 0c0cbb4b0773dfca7bec5b19fca1108885ffc620cf5cc3243bc63e497e4e2abd
SHA512 d99eab2a81feb21d5e1fb37e496030181af4fe043c313d2d896318c9c23f3c5347846950acbdd9dfc557bef01d1a2b66f19997e16b7381e845fd5ba21da74414

memory/4424-8-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ngmpcn32.exe

MD5 a18cd359937ed117062540e034fdfcf5
SHA1 df06f649ef73dfdaff5beb6f64d23006d0f9bcde
SHA256 a4cdd70832e8d48e15dc51ac336c22b754f7a38690b0839ccbe369f191c0f720
SHA512 5724f8f2d894e7958e749bf9f3984427031780982ce414e9cbc295eaeafed73d78e437a4b4b50b844a02f3b6a83b06a21ac07e7646acc7a886c48c33452d5203

memory/2216-17-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Npedmdab.exe

MD5 7f83c75a73de996e18aa10ed40106065
SHA1 1d2597ddbe4c2f07b84e2109948601938a2871a0
SHA256 1084be3ed684d02317853f527f97f157b1fc9848041d79b118ca9a6f21ef2280
SHA512 73ea749378bee32163787d831037d56b25a6009757fc7da50cf3027c2ac325be8acaa08d8bf530841a74f7413e96894d2edeafae0565cd5f36e015e73926abe3

memory/4984-29-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ngomin32.exe

MD5 bfde58e8a52a851f557cff99915faeb7
SHA1 18ddb8266c575026ae82b19f6090b764db24fc1b
SHA256 033ddad512a216690b315aa4e9b8ce07a3951e17c86afb527e3a405508c28476
SHA512 4070632fd5f63f382891a92c1952fd316e036feaf11816b9c644f911b7709e82598f62e9bc1a1cf861d3d75b7b6167a6cd836879df70a6d49afbc425f045e12a

memory/1160-33-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Olckbd32.exe

MD5 e7036edb7029f6e53f6e02f7399f3098
SHA1 17e955c6a2d2faafbaade7645cf059a47789496a
SHA256 161bf22c584872b2754ef4fba3daea76cf00b37ad86d5ff575cf3d75204fd15c
SHA512 750a2e296d24809eb1aa2031f5bfd7747899178ae042122930c2028db29203119f0cb326fd2ecb37e4d25064b27c0bb13af582ffca7e727c9941b38f5fd358a2

memory/4900-41-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ocmconhk.exe

MD5 4ae4c07facb3415e79200a340854ab0f
SHA1 f0867828327015f10667014b6c5ce6996607fcd6
SHA256 3ea31b44d62a0dbc7ffd57314f9c0be7c98226a755cb0492fb38bdfaab186412
SHA512 81c4b675d852eba5350da8f2e3892dcc4cbe888f48413661dde239f2cf2b75c6ec5f04f17bc55f2eebb88669ae9d0c8c4543060212c62d3eb4995513e45fd750

memory/5044-49-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oiihahme.exe

MD5 f4269c887343870c598746d41328fe32
SHA1 664ca8194975a3474a1fc36e5e470a47b8fea8d1
SHA256 8f7e23342b92acf8720ec5363e276940f84a3dcec672a0b1f4875b76145feeca
SHA512 2bb69eb69b41159df9417d59bdb84b7ce3fff4f30f57d7401ec499cde0a7c0b20613441a7caa4c4576d2951f4543a983d31782e3c695b0ad1924af529a96d6aa

memory/1724-57-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oepifi32.exe

MD5 60ac7eafd2a9c020ea6e1c50c22fd98f
SHA1 77e041dd399c1233fcd3a2fc0a8571f28cc14003
SHA256 757a8462bf0e0a37c7f14a1143bd80e300f0bddb536a5af8f93b1940565f001a
SHA512 1cc58805837b83ae0ec685f7e3c7242223858e83757541611f484f0e26ae54d9709ab591c9255e126097e04ec7c552b6f483006f6b31b23b344fca4a8e5bcc70

memory/1960-65-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oljaccjf.exe

MD5 ac56ce3e4b3ac100e9f4c2c4d503c543
SHA1 5c5c857ea6838dfd6692ab3066e98db094d52e8f
SHA256 07ed5296569723a9080f3933ad8f7d18cfaeb7905de82b7b7893a42ece093eac
SHA512 2596fb3b17dfd84bb0b48ef5ae8e8850a0009de1e0bb182513165a9dbc0e1fc4aec17533b23b5e986bd2e310ea5c1f29979fa4bd2479a52b7d3526fa8d9d8550

memory/2444-72-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pjbkgfej.exe

MD5 f38c10e8ce6d90510ea635fe26adaadb
SHA1 d37085ae4b5f8293267621d0e8c2a7d1684394d7
SHA256 462caecd498537e93a50fd8f21ad029362a38862112fd5e954c482060d947fab
SHA512 3d3292502dd4a74baee55b9583eb4aa0403972d0d8dd5eecbe0315ceb5e14334d6f54802a65cfebbbda926f503ccc31593110081fef48b64af67957344534d88

memory/4352-80-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pckppl32.exe

MD5 faac270d4cf41d27a44f3f7b2eef06d2
SHA1 1ad6fa64246f5352032d73fc21d3c65b46702f1d
SHA256 f0a595fa79cb002620da23cfffbde75950cea7519d31cb6d8a7e5cb5fead7824
SHA512 fd73711060b7103d1a6877dc9214a5e32fa0ba0bbd4fec7d10435e544b17c2e3910e680717a78db8a0684544c1b576b86a3ca0c2204d49382496d1b2a05d6636

C:\Windows\SysWOW64\Plcdiabk.exe

MD5 9f6b3051c4bce9d25ec630f730a6f83f
SHA1 0dbc29ffecb214dc537cd2dd7e25844dbb9ed2d9
SHA256 a075186b3ca942b78c8b11fc3ffdead6f5ba6674cfbcbf7d7c983275119c0a41
SHA512 0a6039a979b5e5e2c0af83a92a66906a3c2e0ad1435870b0685895706c852a31877dce4a6b8aa08e9ac4e869a036ba9c559bb5ff22a569588041d943a4c6663d

memory/3164-101-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pcmlfl32.exe

MD5 8ffed08d4da77022e052dacdeb3a5371
SHA1 aecb87d81a571405581de27aeef1397875f82158
SHA256 3812c317edb5ee73d1352d7df78f32a8be14e268a81943e92ab09bc17ab6b54b
SHA512 e96722ee0c7ff2006e07a46badad30fbcc6b991c1a170661ba2c0bb1dd4f3d836f44417e89cdccc536963b6848814efe424d2861958a2cae5cc931111184c52e

memory/1876-105-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2732-89-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pjgebf32.exe

MD5 28ff52bafb11e62ec1bd2cb83d750718
SHA1 8afea6f3200ac3c16af984b1fa63b1edbf7d09f9
SHA256 3c178dc3e86721ef2c7bcf81a9b08890df5fe4f7563bf5f027bcbf1da1aa5281
SHA512 856c29d7d99611263a94302c7c914ed19c0404b9390a942c03775489db9a178e0a64f3b0600c33744a62c57a7fef2fb8f43cc89a5b8ad3f2f57b1431344899fb

memory/3340-112-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qhakoa32.exe

MD5 a05c075cf2181145c891168ceca0f9ee
SHA1 9b6d437392f44384ed2ba042bb2c9c74cbb37c87
SHA256 456fb0f9455688b815bad02059bfb35f3691005dffffbf53a3b2b680c085a10e
SHA512 74d2a713eebfe3b4032122a960f47851f89211a6132facdae9e0ea55f74ca98fb1d0546c0296914ab71fa64fc47ec993fade57926e8012c4c20c6bdae36a6c89

memory/1668-121-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ahchda32.exe

MD5 a9caddf0f5b9d00f27a73b92f662cf53
SHA1 d253bcbcd7e8bd4782ab14a6942f06a3fbc74ba0
SHA256 3bfae2e08a56202b2d04375217dc07a523563eaa2e068847972acc37bb2dbae0
SHA512 6db8099e0cbc0539135c6fd7bb322e16aaca450522a457c13721f0c1246d087b5ba73a44a34dc0e80b6432b0baac4fd2a70c059d128ea5acd71a8e995becab14

memory/2740-129-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2172-136-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Acilajpk.exe

MD5 d03fd777d12a13312d18392600ebc836
SHA1 f2e49b6123d731c1791e4b54e6532fec5641adc2
SHA256 c41fc450660a67ebfb11e294f02db5e26a8244d2b7c5e08d0e0d9d8f66ce8cf4
SHA512 032a976aa4a3e681fe5824104905d1298a716ac9f74babf8518f554ae7f643d0b0d160df4f008a22853ca66f2895b08bcebc83a7be63d5d26527538056b270e1

C:\Windows\SysWOW64\Ajhniccb.exe

MD5 5a96e8d81a281642547aa59bcc65da00
SHA1 b60470a1c68fca0da5443051af4f192b8583ec05
SHA256 4832d913577324e7acd68e50953de6c3a38efdd53f45590245b8eecec47f4baf
SHA512 35d73963afccdb6dbba84e31e2fa6c86d996b07dba92c357288c3568a89b879a337f0d369c7394772c8a2ef64aed8dd963cad76a5a4e66b0c6863fa4f5847e60

memory/3716-145-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2908-152-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aqaffn32.exe

MD5 c7d00a69792ecbfe627b72c1dee5ac3d
SHA1 4e5792f646da335d2ea93c5c35b8873cf6d2f8d2
SHA256 a4e4f736b8067872ff0708591289783ff4ecd9760a74ed81a2f875a613725e67
SHA512 90e6f4d96f93b0d979c87bd315de124b0d85db5f78d50956f8b97e358e554d54fc7f5a7a0a12a217912f6ce61009bb4f54b34ac13a66dc1409262106241350ea

memory/3112-160-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Afnnnd32.exe

MD5 985bee7f47f318648a50959e13c1a6b4
SHA1 54c091f6ed096ef95d01c3f1fa70d4346d09e031
SHA256 8c4e87acfc34e6aaa423633c7d8670de577196ac014a00f5acef2c08ac356444
SHA512 ba4d2c79c91eef863c9deb13bdd019d86a34f6024cc100e5c13529d84f9f5d92ca85b3f1e4e2757a3d3e777bd525b4b19afc55ed4d0e8d1d66eddf7921a9a84f

C:\Windows\SysWOW64\Bqfoamfj.exe

MD5 a8b4e78bb940d43e85938efdb4adf23c
SHA1 e78aceeaaba428f26dd22785b8524e58077f393f
SHA256 38a1a68e05e305a8dbd2bc206d4c8f2ce22e25deb05dd78a2d9df15b3d1b60fd
SHA512 8fdc0a9911e2959c8717e3fd63285e8ae7221eec68d3e18e3cd5c51e62aa68f64198518cdfda80f14416954f13573c2aef63552e6664724ec0c9c1f6f8daf6c7

memory/4592-169-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bcelmhen.exe

MD5 8b9d23fd461b5c8876786659c03277fb
SHA1 38d9f4cac66480e9d675d0ac5a449442a93cc10a
SHA256 34bbdcbe96a4bab93515f7b0dc270050e7d8a8cd08cd623cf5a3d7ad5fa05ef8
SHA512 03ea3084778f289f6672114f48ad9267fd0af849c4e23b2b303edb50ab822b92d9072ac9c4ffa362117b75627f28711d4cca2bc398d76ac4c2a2faf7c8d0c430

memory/1880-177-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1732-184-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bqkill32.exe

MD5 1b294ecba5105c004523dcd3a7d2eca9
SHA1 c60ccbf15c57a7aa9e2de78135fb222db96735fe
SHA256 872c638582f032659fc9d04de8453d5df35d0b2ca378ce2188566bffe8adc8d7
SHA512 3fa4e9be7700ee7da17acb37c827520f1192f3cd157bb0919e1b0faafa0c3a527d65d59cceaf1d0bc934a88a23cd1e2f77425b0fad79d094f17be8df3c90635b

C:\Windows\SysWOW64\Cqpbglno.exe

MD5 9be38854b9bff58d6ac8dd023110a6dd
SHA1 f51758c6c138705f7c676f27d91e85638f576fb8
SHA256 01a4203feee7520a6501a16768cd206dfe7de1dadfd040871732e1d321519138
SHA512 cf8c393a1aac2d06ac560e567bb895e9b2792904a554ea76f0f6910d57d15419100529ec6a3343beb546e3977f6403fb7805280ae8f8efe61bbc60e04317672d

memory/2356-192-0x0000000000400000-0x0000000000433000-memory.dmp

memory/468-200-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ccqkigkp.exe

MD5 c0e0c3a957ebd510cae99fae703d0669
SHA1 7e3ca28e125513814010527cc849afbb9c75db76
SHA256 6e70412ceb0629411d13b44645de9300ead724b77615429116dfc99d9ce83719
SHA512 b417316c128f134d0cb9c05a755c5a44da40863a0fdff39f37889ce8c05f24a5b628cc83145a1edd3c651966df19c091400ac115feb83f9af3c15e7072740f78

C:\Windows\SysWOW64\Cgndoeag.exe

MD5 ae375ef004226d3fb28bcb94e7bd9f88
SHA1 085643e871560204f9b246d118ad8ca3a5dbfdbc
SHA256 778890368f0887ff2a4659e9476ecdc4104992e67d8c68cc943de06c490e3e68
SHA512 a6b49504854bd743fd2f661c02fdfe91d28154e82ce5e76f34f9eba26b9504a0a325cd9803fa1eeb2e02bdd9156e45dcc5fcd1c2f924ccff2988b1e05c5444dd

memory/3520-209-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cibmlmeb.exe

MD5 377c36432a387e71f64edc8e72a508f1
SHA1 5ea549c12b1cbeda24137be1777ce67b14f35ffd
SHA256 afbc114985b4b5bdb4d4a81ad14e6a71435f775eced001ecc842eec3b23f337c
SHA512 578fe078eeb635c494e4615bd2ed5065282d1372dbad65a620ed9412818312a52a080623b58a15b68143dcde62756440234cdb4ad17afd4eff7e847f80b48d31

memory/4552-216-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cjaifp32.exe

MD5 e9b2f6dcd7b75e752efaa15f81cab440
SHA1 ad9c2559e1ef0e0a31d1adfc27f177826f9e7e26
SHA256 b7a05bd1c24891172fad401fdcca38bb7bd455a13288f75118195cab22a4ba87
SHA512 7f47811dcf8ebd5c8b0c1a8caa685555a0713835e0699cf242c1719a5cc0c5047051abee01cbe337af3d22c3b9978df82fc8a3bd7bf13d672574b6a7796523c2

memory/4412-224-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dpnbog32.exe

MD5 6b5cab6933055afd6fb91af6b83055b1
SHA1 6ae5c944bb67d161693fb173548ddbb4b085cdb6
SHA256 0d60e8bbb77857276762cf009e12e4c8a4a171e10e998ee18d0ba0f017f983aa
SHA512 a584899c4561c1c6bc0934a3ba849aff1b9142580ad09012a3927be5016dd0cbcddd6b0df15c7495ac284bf8943c9214d494d7b1d93b0fad4b9364248da71903

C:\Windows\SysWOW64\Diffglam.exe

MD5 22b3062df6fd74d3b60f837f21cd6e93
SHA1 d8dbf498927a342c49dfba54232808ae6e56b7d2
SHA256 4dcd8eb5463f7e946dfb8452ea49352ddb44e346f8702bfd1b6da0f5e06ff577
SHA512 92dbc24a880d85b36a2d220269468f297dbd1be3d11284da830589b745a3ca9b2b1530ecd6117db35b8d7d1f538cbc7b8dc812aee6d8d29a815412f49bb9d0fc

C:\Windows\SysWOW64\Dannij32.exe

MD5 4d65b3e7696f0488cec39f020f8a8555
SHA1 894901eed93b33c9c57fdc322e83951b483a65c4
SHA256 ab7d8702a41534c7c3b3864fc3ec7745948ca1ceb3bcd2e8cbfe8503494df67e
SHA512 5371d9cf7e8cc37049a69bea1a4717c51b8aae968080d34f929ea02d29fa16fe1cfcedb6820d30969cee0d4176338b63240940979225dafeccb9b26328b6af95

memory/4372-261-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1244-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2888-291-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1528-309-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1532-315-0x0000000000400000-0x0000000000433000-memory.dmp

memory/956-334-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1524-339-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4268-327-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3840-321-0x0000000000400000-0x0000000000433000-memory.dmp

memory/548-341-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4532-303-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2712-297-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1556-285-0x0000000000400000-0x0000000000433000-memory.dmp

memory/952-279-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5084-273-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1580-254-0x0000000000400000-0x0000000000433000-memory.dmp

memory/756-246-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dgejpd32.exe

MD5 25d2ffd5050e48a3ce2bd464f1678dce
SHA1 9f22b9d7b59787e77c2ce140cd814633d6369cc0
SHA256 e8114c74601652c4556f83a6bcc650aba35ee498736bc10bc2a38db8b467d2fe
SHA512 59b8de58250c5ba1218f6d316f7b9f29196fb3099c4f76bbcb7355c79fedf83aea1ad1000a3a60ce82b7e4eb7bcfbea87d82b041af13e77aa6f22495a9a1fec0

memory/2988-238-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Efffmo32.exe

MD5 aa379292c90b2deb32946fd324660d2b
SHA1 4f4c4823cc013bd5b01dab081194d06b41a7875c
SHA256 242f0b3ecb336bfb3b0c0111395cfebdf3b4c71f8777665a97ab0844945c7782
SHA512 a675f18c537e8663c3bdaacb0a4045b2868bc5fe11a7b31f64e96ed0d793c9cf6e22bc99e5a2994bd77a8725f2b3ca0947b97516fb8d851205c0d5e9b17b466a

memory/2684-347-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1712-353-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2408-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3092-365-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3436-371-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Emehdh32.exe

MD5 d7000397ba113f08dc264b412a22ff75
SHA1 4c82bd412e7f00abdd83c998ee2aeb63bb18da8b
SHA256 602db9340036fcfc12f5e8a33532d11ecd82ff88a2bc2101db0d2fe712fb97b9
SHA512 22df22c29405e1bbe4e6b08fa8a3ae5d8b47ede54f09a62447e92f5178f5000d07ecf20f0541ff05ef3237721646a9f15fd3ca5eaa5ffd2322cbf5c6bfe7cb04

memory/1520-377-0x0000000000400000-0x0000000000433000-memory.dmp

memory/436-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3168-389-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fpeafcfa.exe

MD5 55e4fc8ec4fa47e6418c047657f73d47
SHA1 4c93c101b7a34a0eca38b3058c3cf8054223d658
SHA256 f86cfdf8d6ebb8d06679a736763402bdf83547801ff832fb9a6ebb3bbb09bee5
SHA512 dd16dceafc7399406cf2e21b985c9950327051b90185583c9a625facde50195ef5e1a9a4d79ddbb436a4489a41cb61a1f243fbedbc63e6dabc41653f31da1ec8

memory/2364-399-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2520-401-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fmjaphek.exe

MD5 b5486abc153b235abe7e9a991f823da1
SHA1 27bfec4d59fb0b84515fac46ebec213c05140ab2
SHA256 d945799de264d394012af65444c3eb4ea001eab33df0fa8f4b9b99d0302ca651
SHA512 6234b8b31a2e2b863ca64a4eb77e6ef24a211b498942c6e77f392a0051c9af24f47c8dbc5a0bcab042dd02d3bca8c7d26002d0deff2beab1cb349a7fe2b554c8

memory/692-407-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4448-413-0x0000000000400000-0x0000000000433000-memory.dmp

memory/400-419-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4980-425-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fgdbnmji.exe

MD5 e63e23a060cddca331195939daab56fc
SHA1 7ac8d7edc4f35dd243e393ac3a4de85aa723a2eb
SHA256 6b9a77ed5b308f28fd91bfde1a31fd0dd06c48a9b8c29a0c0b6eda39e4c7dff5
SHA512 8d417da69165434c5eecf4c0623da1a48799e9eec1cb2f755837b5a7e0d50116e84725c3e7afa1362453948ec9631f109cc5499adbde24c7064822848f0bcfde

memory/2872-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4796-437-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fhdohp32.exe

MD5 affb04791348c5db71e1782b360054ed
SHA1 be33bf8165a6de1ce7711e04af200982b6692c13
SHA256 cde9fbc2340e802b4ff72227702f78eb11425f36d1276ec0abab8b67652c992e
SHA512 09a36aafd778a1534ec3db071667ff37d7d0c1acbaf2016bb230759089e2cf64d09fb9af68573ed558cc571a1eae3f472962c19af13482a6d81a75d27190f569

memory/2652-443-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4480-449-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fdkpma32.exe

MD5 0facc0b2bea7e44337280a087c3dbb2f
SHA1 c1e9db9ca0a5f9e27ce63cff3727d025d985d524
SHA256 2965865ea35929bd490f42779ae5576929b0e7f148749196e43fcc717c9a0b72
SHA512 ebbcd2398fb372c4e2af9403aa0b812136d30743ab2f24da664f599f42e6f2b2f1ad5c2fb0dc14ecc1dba9dbd082a85b73b1c8409e0295703150da56cb59f3a4

memory/4076-455-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2152-461-0x0000000000400000-0x0000000000433000-memory.dmp

memory/936-467-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3444-473-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4528-479-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1784-485-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3652-495-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4328-497-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4988-504-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1128-509-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2120-515-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gnlgleef.exe

MD5 4a2e3324d080f39ac1f193d885101ad8
SHA1 b8935e10d820f41a6c5abfe91a423a87ef56176c
SHA256 e4c23192205731c4f8efde4d1f25bb44acc827499f81432cabce21ef9bcc8e38
SHA512 5d1c9423b1ebada2223ac71e6b4e7d34f6e2cf86b52838f6a7c30feaafb75e33c020e9bd5d19ab60afa135fbe6010e138fc7872871cba5531e78c0a64d90c288

memory/2760-521-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hjchaf32.exe

MD5 6ef40d30b07c87e96166306edac3bbf3
SHA1 98febc6a5b5cf5d3d7d1b03866b2070b16033203
SHA256 ef12af3641607cb3f1fc0cdee0bafcb2dc710fcd07e5b2db67b6848a24715910
SHA512 b1c039359c2a35b73839452e7d9338c9966838382350e87328ceff7dd314f325453764715a5d73e9445aaf47ef02b6647a96cc8bc2399a81d19e7c9eb150e3e8

memory/416-527-0x0000000000400000-0x0000000000433000-memory.dmp

memory/208-533-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1504-540-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2648-539-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2104-546-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hnfjbdmk.exe

MD5 5b65068d813b9799255e0dfe3523b9fe
SHA1 63688bf1c7525738ab52ae579d15ca1445bf0e8c
SHA256 c66d30c61f5dc442587dfe356d2b451842dcca1530f08ef4927c5c9d42edad93
SHA512 f9e12f9aa90356f547b538a3b4201591353c09a12f82bcfd2fd98e0efb8fa9ad0d65de71dc80894207ef2d5aac94418260d1ec063ed3ce2062eebc51feac9ec1

memory/4424-552-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3464-553-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2216-559-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4540-560-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4772-566-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ikndgg32.exe

MD5 c251e1db27e83fb1a322b85f9726691b
SHA1 a9cfbe572182b4b80722b93049848ae5008245ba
SHA256 d7b54104ca9b366bc751a76c91866def6ee8a8c4aea0f69a99728e1fc84dc12f
SHA512 9e4cc07e6651153de7134a1f4ee218d8ee65a1d5b1881f5834b68dee4e6eabb08343f4a0d0538141ee13ae54be9c4296c69e82a341c7f70a091aad2466a0681d

memory/1160-572-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4736-573-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4900-579-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2612-580-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5044-586-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1288-587-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1724-593-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1764-594-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ihgnkkbd.exe

MD5 bb8bee70e62e34bd1e33a1a4d2ba7cf0
SHA1 9bc498335e0383ea5d682c93fb6eed7ce4fb6895
SHA256 bc4810d3b832a30f0f46ba8b9b5d89a620a0700e7138e3a16c817c2722db0323
SHA512 5450bce1809aa1ab19869eee6917746de656a06d1ef851c9dea3b144521664c7136d93e3c4051babfa50008646b9460a1cbe4869ff5be1020526ec175e5957c1

C:\Windows\SysWOW64\Jklphekp.exe

MD5 de36b3b9684993748d619f26d8d8ac24
SHA1 1a10d918dcae186a9c0a1e3a66a8e7dcdaac760e
SHA256 19e0f60159428de0ea52f6feb344867577232bd30a14436acaa6b7c5b8eb050d
SHA512 515bedc09462ad7c26f334ba76291c23837a22fd0692a5d07ff73fe5a909cbed0e5ee187381fede2f08612893efc33b39b1018f6f789a4567a795575528ea698

C:\Windows\SysWOW64\Jbiejoaj.exe

MD5 937dd3e9cfcbbb05b9b2da348012b1dd
SHA1 6f295a2bb7cedd375e664bdd33079b1cd12128f8
SHA256 aaf23fcc7ae1728b137e7ed9a2d40b632d4a695c45dd24e17d844af0ec4b099c
SHA512 393f59f69d79acc381b937ecbf9d350c8ee5b6dfb4f5e5ac8976f421328b8ee2a82ddac50497e8955cc8876b58befa7918cdf254836ef0d38a6c1c83b8c0f496

C:\Windows\SysWOW64\Kkfcndce.exe

MD5 556b3ff720719522036d1649b3c770de
SHA1 147f283c3a215aa74509c69e36f74dafea6b3cb0
SHA256 0b919584d908332a0561517223c6d11614476c5468a18da43ee85d28571609ed
SHA512 40f0cee7cb1039fb05bf3fa17593768825d00dc878f0b538c5778c534f2a6035237a7966b7ffe012b2152a5b9471a3f90ab3a41e6f83c9063a0013beaf207078

C:\Windows\SysWOW64\Kjmmepfj.exe

MD5 7a4c55798c2a736f2d182c3a2f75fb4b
SHA1 ffcaf61941aa4e3ad09908a2a89bc31dd73a58a1
SHA256 2cc046e5e8adb0f831576b917bb0fa366513b78384e392ce8b2f6c89669b4c0b
SHA512 235e48c5a63519b83cd732cdfc1dffef1eaec9109b0c239bd12ef0b140c1c831887b30d954f3cdc84d000bc7dc9240aaccfb5d7dc394a5d8b7d90b4391e3d885

C:\Windows\SysWOW64\Kinmcg32.exe

MD5 79f164fe61de0620867903d477a7a7c9
SHA1 08c400f7c6e4d5b0f5b083edeea05a58ac2968df
SHA256 148de414245d5579378802a43426899af04fed01b2103c2ddd842c1bb6142538
SHA512 76c8e3664ea8dd3860893378ece2a77696aa01a85da1cfef71c6137986a5a61ba9b781bc26e73e795530bc7ebf436153f8057a54e72efee49ddc8edacd684d29

C:\Windows\SysWOW64\Ljdceo32.exe

MD5 901975e1472cd9a3acfc79b2369437a5
SHA1 b062eb43a537619e4b9ec5be5d568e829806adce
SHA256 7b42e8986521d81f384bd2d9f8a65e7a19ac3e368e98f3abe9fe5e8c3630d960
SHA512 d937f04c831cd53892da8ea73affc6bd708828645fe08c42a94ab3989e795d705b52574053f35f333eabcb9f239759d42c981eff1a9ae68c2a1a27a35ba984fd

C:\Windows\SysWOW64\Ljgpkonp.exe

MD5 c4a2acf33287b80139ab24e7feb798df
SHA1 bf467b31d187580a6ae442a075c0370a1c17e6d5
SHA256 da3ad3839a414bfd2971b8155dbe9dcd1f90fcfeea81aa554fa118b0a3fb0935
SHA512 4e57e23791cd292d91daab4d826bd8eef8a91d9cef19d66454b60c0b6f228f8751e7a111a83f8c8fec72df323b5e8e5112715a38b79e6094eaa38d5c372b9a3c

C:\Windows\SysWOW64\Lijlof32.exe

MD5 f075ff8addc441025a4e55f5714b9fd9
SHA1 b09e94a3342c91ca627c800d72cb21f6ab31fdc0
SHA256 99a81c07d1cf5fb4fe9dfc18876c0c32b7217ed0eca7c11166ede10c1b5a4232
SHA512 030869ffbe942db0b554ff3c111c6064cf5e7a405304ae0b01c2a4edee430ce145dffc5df6364f9472ac5046c2718380a39ee3cf32daa461b2cf83137f80afeb

C:\Windows\SysWOW64\Milidebi.exe

MD5 dcfe0b71fcf354f3ed62a85b1b32d19b
SHA1 73c0e6e496b80adfb49045a7e8085993c4558a20
SHA256 616f7d3aa0910506ea175d8e6b76f87c5dfc49d7218c206a3fb68b07cb3f433e
SHA512 f3a25fd447208b6da261a2636900d854864e09292f47aac78c45fd1f864c414fd03b6a96093ab2c6021f5a5d768448ce9a67fd6b0a12a9ce23c9fb12865e0fde

C:\Windows\SysWOW64\Micoed32.exe

MD5 ac5d621a9ee0958e5831eb33827954ea
SHA1 8478b1f32bffa80ed4f1169f290fee76607df2b6
SHA256 60d553cfad70253338e551e5e1d37a8c5d1b31d6cfd20484af847cf5b47492b8
SHA512 c598ec1c1e02d9e07d08a7f062d59d6a659e20ea49611afa84bb367e864eecd25150238be7f4fcf4e3bea24baa4ddf7619b624f4e77f9c155435208787cfa8df

C:\Windows\SysWOW64\Maodigil.exe

MD5 43a09e44f2f9b1630af95f7dd73e5eb6
SHA1 55734591bd42fcd1dff6c5f385f0028c3cbc2f88
SHA256 264c467a03dc22fde8018ac94d1464818a14a3105cbbad0c16435ce4e1d2c71f
SHA512 0a34d5c19602550a7d84301e797e0b176e459bd160f43f0f671e36cd3c6155de3373bc0ccd8d06ff5decbfa6bd75d4dc26117bb9af2e076794b278b00246db23

C:\Windows\SysWOW64\Nemmoe32.exe

MD5 325a7190a21afecf39aeaa6e5982645e
SHA1 695b8cf02aa11b407a222ee54a46971cee7f0cb1
SHA256 fc44e4c46cf158e2e4e3ae0510a81c1442de462cf10ea855ad2c5dd7293ed493
SHA512 397dfe52bd0b8d78379e701a36ffcfc4c1d5cd494a019b8b4f2899b7a8a3a6d61dad0bf19771f5142356d20ce7c0bffd685152ae5fa9bb17bd3d91f6f80cb98f

C:\Windows\SysWOW64\Nkqkhk32.exe

MD5 25e82dea728bc4a9675bb5b74abbbb5f
SHA1 09fe0df821c09c53a791a7a81956322b9b5f6fcb
SHA256 05c323305bd4e3b3025c799567b80a7b24014c262f8dc248f42d5e79b151c786
SHA512 a32861e36df9326d75ea2d559b6c7791d145fc332531458088e5d7fad429a8b7ba7877f5a896feda9d97bb874afd1e66e08e243421f87ad6713931f2204165db

C:\Windows\SysWOW64\Pojcjh32.exe

MD5 22bf5fb175276dd8568c829e7a9201c3
SHA1 402786fbbab71d964b155f11a08c32b7a54be80c
SHA256 4be90389dbe73b19c39f3b7a88862ca851bd12eb31ef0d74b06950d0f9bda390
SHA512 50b5967b85b34b11162800c28f97db0dcf1fd4b28216a95da2c03452b652ff0ec80ce8eeecd1dea1fbdb2102bbcae737021ed85230326c77b55a64e60eb73235

C:\Windows\SysWOW64\Poomegpf.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Poajkgnc.exe

MD5 2b60e5706fb755db715aa262639f8578
SHA1 89d7a6aba3c095cfd77a64a09a1a193a01ef02ec
SHA256 fbc894da9bc2ae96d867d523b092626df7f5b8dc34cdadfadcd0be265f578156
SHA512 4fbf003759e16657b9efcbb9a6a407ce418552ca8e887ad22d25bcfaeb42251bd54ab95941cac85ef5d909220a44c800f1ce64a7a1c09068a2d62a70b757fde2

C:\Windows\SysWOW64\Qcaofebg.exe

MD5 fad5ae0fd53e17762956ab5ed8f488e8
SHA1 cad85523f0a2307d7cb5e1208cf87e843fce752a
SHA256 e6c04a3b8ee7451dbbd26911a31ee6609f5cabd1ae91aa64435e4b9bfb4dbb2c
SHA512 d90d21e40f885bcd0368ae96635d35b5d03ffc08fe6b66501af21f5e438ee0da75d89dcfcf0b295d90cb6dee0e26b964a0766afe5d8d68b020dbf685134d5fe6

C:\Windows\SysWOW64\Ahenokjf.exe

MD5 382480d243bbfd71f440b9bc48f4bcae
SHA1 cdf3dad83a1168efb1d9e69e53733c25e41aa7bb
SHA256 dc7d953d685472198c5ae11682c53a11ef4c61e1dc5a5a8b4ef5272775a142e7
SHA512 eb835a5dafdd8682757a3cc2929884ba114e40b9f65939060a2fd353b821e092d568eae9791e129632952310e63827152eee668cb33a1fd418af8f670047e098

C:\Windows\SysWOW64\Alcfei32.exe

MD5 44f959f5b128b26a93611939cc60ff36
SHA1 ec70ea38026a4ae0437e45b154bb462ae0f95a0d
SHA256 d96b3c0a89cabde4f64b55a5f93b70bd15512811a23f42561d6cd3651035aa2d
SHA512 31bd3c71e427703c82039297157494ca17295e458ace9f8c4439371991bd3fc1fd0dbc8bddfff1bdc84f4b84e1a24845209964727360a0bd15f7f7037c20ca7b

C:\Windows\SysWOW64\Bfngdn32.exe

MD5 295666801b5710301f07056333d072a4
SHA1 6c37d32c435bd36a108f0177b5a817dd8d764275
SHA256 f58767f9521b633313c28308d178ea9740b7b9ddd02259fdfdb0e7360132105e
SHA512 b07c3a553f3b425e92e523c3862b616c99a734afe050836bb9ea671277c30e3753e912df5444e8d4dfc10eaff1cdc0fa2ce2c807b0b857854c7be284547c0363

C:\Windows\SysWOW64\Bbgeno32.exe

MD5 88c91574a58d9e2de35aa828c999ac46
SHA1 586d6353dec15d5ca648671cfc20668434f605cf
SHA256 b6910d6893ebd44341f1991da7fd58baff12e04fdbb5a0fce77bc96a9cf25544
SHA512 3c8d42351b4430b0f524ff3301b0b6606cfed61492d21f08366b009eacb47c4cfd40361ad7e6f4d91a99bef1cc26bae77043e614b5104cd23655a9c9bd56dc74

C:\Windows\SysWOW64\Bhcjqinf.exe

MD5 2a7012811bcfdbb95c8910845b4ee737
SHA1 a6f40a0a60f44cfdc60f146024d2be0ed656a36e
SHA256 840bbf9f626acaf58449ee884c9c919fe43ed288047879a5ec7c4fb5a84751b1
SHA512 7c30d9e9ead9daafba9407df5d6fe273f7e5e57860d01140d049fb9dd8857e53078283f90dff2268f5dd2c4f8e375079a61eae7a0aa66d153f74f33567213409

C:\Windows\SysWOW64\Cfigpm32.exe

MD5 e075ec63bd169d38c347c375797489d0
SHA1 d07ac652b6bf95516471432e623cbf41363870b6
SHA256 79e4b189eee5357c4f80ae7641628b19e2583c4f239e65a00d5783a2f8f5f2d0
SHA512 feae4187f628364907eaf2bfb7fa23817aeb61872a835733fcd5636fdb6ab16af6334b38f914545d0048fbe4c4907a446310c00a38c2002ffe69112c42ee3509

C:\Windows\SysWOW64\Cbphdn32.exe

MD5 3d76865da6d4e007c2252affc63118e3
SHA1 e376794fb32a45f36e26117e3f494386187bd75b
SHA256 4d8a60730ff52421fcb926ce4cdfc04b897b39b84d3f8478ae83673bb1d114b8
SHA512 0d27d5ec304a5280bd10bdf11b0ed9f31ddda1a75c7c5d125aad241661e5ffe7626101a6e4a526711bad371446560d7245a4ea0ea9aa6635c1729b224a6cee68

C:\Windows\SysWOW64\Ccgjopal.exe

MD5 ea2a9317a27caf421467c19214a09f1e
SHA1 6c9ec9d3dfc4621717dc0814775e97817c4e1862
SHA256 4b84ac39bf4faa3625cf756a6d4add7796c86ae8013b1b29f143e829b4568be2
SHA512 3e907c4205d2ec9db3672ba03fbf5a7b9cf0f37650fd69274492aacfb5eab93ea2343fb31cce0db11de941e094620d151102f1665e4aa75838c9e1d150bfade2

C:\Windows\SysWOW64\Djcoai32.exe

MD5 89f8f6505d8e460e4ca81a7820651ad2
SHA1 b47195e99ae4875a08c4b593fecc5d1cbfefcb99
SHA256 5fd787f6d368c76e36831e7ced8bd062a7a689b0e7ba2ef3a75e8c833c2b74df
SHA512 846e6f70a68a4e0cfe701245435285728050546f4d71a24dcba1a3d9d49e581c265b4045e77a42b98f51de2ccd37105113dc1989fd468651131906c94700f3fd

C:\Windows\SysWOW64\Djelgied.exe

MD5 5f5ad2f5f8e17a89091db55abe98087c
SHA1 f2f2ae0f6edb919751b8e810a3d2d3732fa41d03
SHA256 e28afe8c9adf19c09ec8939e74a4b4cf59afb79d4a8578e923031fc79ba1d972
SHA512 cf6c7092d780131e766023770a0e8bc463b622a6885564f28494d09ea8303c318a520d384f7adaf3870ed2cb5e925deb513c6c529a3c9e98990f911bb6aeb16e

C:\Windows\SysWOW64\Dcpmen32.exe

MD5 4a521d13506f1c3ac0a53627527358f2
SHA1 08082c71cae4b5d04acd6a63cf54e9850287ff2b
SHA256 c27f0320ea58a425e4edf58f14fd977218f2e96adb5da7852ad7df01028f1139
SHA512 3b19e85d80f1b3bebfd6ae7475166428d859681a65be90c41e978a40f20cf7223b2ff385ed0a16e54376a00186ff23780ec726cf21aea6a72f8b348213c0ed86

C:\Windows\SysWOW64\Emkndc32.exe

MD5 b0de6db110eb2231ffae7da6b152dead
SHA1 8acb9555ac6f9d3e5fceb39571a37315b18b8904
SHA256 2f0fe23d9ee8106ead2e507a5997d29eaaea89cfa6828af00c1c138af1e9ff8f
SHA512 2acb067aaac5e8f9aee5b80984273c2273340675273b5ef3d7ab354e357b78f6d8943f0e466940e36e640f7071cfce7f54b8b2b9391913c8bfb83020017f10a0

C:\Windows\SysWOW64\Emmkiclm.exe

MD5 3d1b084a967a095b1ab4b074355a864c
SHA1 1e6eb0ea5b29c07597b35b281266ba9d135b576b
SHA256 b13da17a29ca5269abf08a0abb34de520bcf9d69d392443cee4deaebeed7a9b8
SHA512 0d8ecdcbf7955810679ba25021ed73b5842118e5677ac67e43219de4904dd3cade67e298d0a1ba8dbb0fc88653997ad6bfe314ebdeaf201c478cf165e52d70e5

C:\Windows\SysWOW64\Eciplm32.exe

MD5 f47d0b5ed455a6bd7c7dc798a2126376
SHA1 f803c0ef9370b09dfc0d5bf4b37b197b49f92add
SHA256 605e9b4bf6e0e7ff9c811c72a4f47befc7c9aa7d6e7a9b880ea032d60abefeba
SHA512 90a8fe2b213934363182d1343f67bb8e0cccd54579ecdc0e0f4458e35fbd27c69c2772f04c5691c756464b2fe21e9d9db0a4cc69386611905d09c69c3752da4a

C:\Windows\SysWOW64\Ffobhg32.exe

MD5 c237c35a5c25d72c29546fc578efd899
SHA1 aa8eea7218c963f9e6eeced93a412f5857597892
SHA256 e71fd9bf7ec2664698359ab11cbb33ddd4da289921b50574f797b58715bf5531
SHA512 aaf313e2a713554fd34d5a4c37b3c4d7204bc455e84e82a8fd1c2ffd75a800ca0679e8d0e56e65359629e8b59a979da4b69f38c0e0ccd4c6660a2e87ff0cccb5

C:\Windows\SysWOW64\Fdglmkeg.exe

MD5 a1f9f32412520eec871a7b8c4f4ab1cd
SHA1 b2540165624b308efe5d46bdd1e8a7599bb0b3bf
SHA256 4dfff74a8b9fd8b6789256ae280f1cf77dea351cd7c678046b349ec14a330a67
SHA512 9657758336a7fc617878303bd63c9bdf808654f884341c54e1abcfa3161075fef9a1939bd2ff6f01c496960eaad69a816fca7d0872209575d45d6f258167ede5

C:\Windows\SysWOW64\Gfheof32.exe

MD5 744364efc7316b811cf1a1715dd8172b
SHA1 6f173144727bc8028c821790389d918dc0f7854a
SHA256 2b968ce41d646f24145be6afbc1e0f7cb2b906c7ec805efedc9381ee2a45ef09
SHA512 697b3ebbf1da2d4eb192e5a6614222341d7d473dc95caaa31a63270add556fe08eebb9a8d9e5fb31a9e1cacd4eae968a5cc7100a5f0758ccb7484df31189acc5

C:\Windows\SysWOW64\Gpcfmkff.exe

MD5 cb856ccd8d66342e984d457608191344
SHA1 f26ebb3f715fca8133bea00a687dc11182b399c3
SHA256 588e10c4561663c671845a9a6588b63dcdd87f6f9e1ec97f1fceb8efe93cebef
SHA512 949846f657bc2aa2751c122ec244421ff28afbffa4eb9e53834720ef3f20e26bc5aa1a8ea163c0c4a628f74519667d6f8f1a3abafff9fa95c6c86fc33356d7f9

C:\Windows\SysWOW64\Gljgbllj.exe

MD5 9f47955b7702d042b7ae173102a80189
SHA1 b8508cf7bc7f50e36a336104986c71629f9360d3
SHA256 c04f7320d6bf91f8e8594828902aad74bb12ba0c3a82cbafd5d7b117ee89f6f8
SHA512 4d27e15ea1d727552c508002d69cf2cda6c04a33ae8cf31243a63c31061a7d67fa9849f49f6c2d50e1ae064c1d79b163e7326ad16346c781b4f8e715e5432294

C:\Windows\SysWOW64\Hgdejd32.exe

MD5 821e106eb4677b32c554733aa4fe1fc5
SHA1 00bc0ccdcab34f49c18882b3df4a28ce9924c573
SHA256 2dcc65d6edca511c76fa0c29af17fe09f82869503370dad8493aa9d722bde8a5
SHA512 f8aab3fec78f1f79ec86f8c456cfd3f1f26a239670869daaf1e5efc53d5080a54387d4ac3221776cfd9e4da7e29f89b7155e007505d243725235872232ed35d6

C:\Windows\SysWOW64\Higjaoci.exe

MD5 fdf5a09b8dfbdb24b33efb33077a2baf
SHA1 081e8fd2f0ec35fcf7356a64412101aae99c0008
SHA256 172dc5d672e9f28cebfa08e8f6ae1ecbd3f1fa38b0b4f37741f887e7349df83d
SHA512 fd3da5f73f3a178f19b2e6adc118755f11eddb939b5f3598c6feb5bee967a11ed17f857c46776eb4422f271d452c49595aa970a9d46b36f111491596aa02fcc2

C:\Windows\SysWOW64\Ingpmmgm.exe

MD5 6d154982f2a1da07b9b75ab292605fb7
SHA1 c60ed67a148311bfedd6753b49ede6e133ee16e2
SHA256 4a48fff733041417e5d7ad3303c1757e1e6db48ba86cbb1aa82006d478a2346b
SHA512 71675001f56f21bb5f3f0ce00ffbaaef9f09cee3bb9e520009f8349c129c2de6e73a305b2044a041480a3267245586aa7472c10d3bdf5ff63656d5ac1cabc13b

C:\Windows\SysWOW64\Icknfcol.exe

MD5 a7461c328086a011307374e869292224
SHA1 7e01949edb36a0a586da7bc96d4591c61bffeac4
SHA256 6c1c836c96a1f3dfe23a95f971c3d302d9a5c32b84888b9abacce98e25690ee1
SHA512 52a302fd47036e283b362b751d0e39092ba66cdfe277361d5da8e3102b7444925212834b30dd9b255eb94aa0888f3158042236ffce2e1291a0794c28cff5cee5

C:\Windows\SysWOW64\Jgkdbacp.exe

MD5 77a2e0cf79fb3b25536497c2469912dd
SHA1 fa15f972ddb78f6f03baca9e7e5d9e4cce726a56
SHA256 bcdebf18aaa51c79350d561cfa0eaa48bebbd6792560eeb15b953ae689c9c42e
SHA512 466ac1e774a1b95bb6320a91f2ced29d75bc7fcd26656a4e565c061d6ad9c1ed5bb5936349c0c2145aded008d2cf82b98af944e4d092490a7db871dc152a0e8b

C:\Windows\SysWOW64\Jqknkedi.exe

MD5 d3e366412d421a21d6b911983a7864d9
SHA1 eefb7aa702071044337ddaf803e974db3ae902e8
SHA256 14b70ae99f0a283583f5f4d9ec49082c0e27e5fdffc5c0eb64c06e3d3a587b42
SHA512 0454600e03d4f844f483df8b195844d338e304e928b863fae81b6b1b0c112b7e511bb49af94b0a648849a22a968b2d2614b8151c813b7389218c2e70d3ae0b79

C:\Windows\SysWOW64\Kqphfe32.exe

MD5 c01f3f783dbdd11b930b2ad9db47bf0f
SHA1 c40437d30a1ef8125be1ac9f826a7574bb312699
SHA256 9f0825d3f34878f26305af61c0bad4204815e7b8cce242e6d7521c4fdad0ff48
SHA512 ddfc287e7a9ba1af6060d50f7baf832076026be51e5fad77d8fe9518b638e1ad60327a419faf80727f17b7fc7ef29608a5dce38301276090b33421896ce8cb15

C:\Windows\SysWOW64\Kcbnnpka.exe

MD5 8f5776d04373059e33045d188fe15578
SHA1 60e17907a89a152228b20d5bcae8a203e3d41182
SHA256 f35e42d7c70b08b6273a9ee5f60f36f17c5d2fa59e7a1f6d9d75fb0b0748ab10
SHA512 575d10afdf7a1be0fd6c38e80962c7c9462e869805728cc3cd37f9df0796ae7ccaeeb58b73b5b0063c8f2a59cf9fbcc608e7ac8cce7197152fa7b2ad94efd09a

C:\Windows\SysWOW64\Lgqfdnah.exe

MD5 05c5db63362ce5e252a5bc9a39eb6bf7
SHA1 4d8641468d8f15439c6722b56374351a063f0b7d
SHA256 9a10b8f2d87941d9ea24e8844d7a636cc704ae1f80f27db1f5759fb9be53784a
SHA512 dcbb497e61ce87c5e0bdf977a83604cce2855a397fb678c10a8e6582f0bc094f036f94f26233f9795e48666aa0a0929b1da6aca0266a156c19e33201beeca104

C:\Windows\SysWOW64\Lcjcnoej.exe

MD5 aa9f3ee654b35551071271b2df257e74
SHA1 f17c2014f8c454792f6b9d5153bd9f0092bb1b1f
SHA256 c8001096b72b12841652043b5ade74134717818c7131576c1f4b0c51a08fc116
SHA512 23e0570ff7818a9be835a5c7adcd9a9b8b13f9c348ffe9cf1cdad39dd15d814eb67a02465d781dae2d89c80df974cd3b2f3d38c2d1961a558514568927357a3d

C:\Windows\SysWOW64\Mnfnlf32.exe

MD5 f36fb14f63c8ad80f5bf473352a0697c
SHA1 4eba6c298de9568b24a3d42e880ab79ad3370cdf
SHA256 a1f91087b119aa1ff641c48338f70abc547eaca5a9f86a8165986b20457263c1
SHA512 546b09e319d0bc41e6fb2f7e10323d3f7ef123955d5eaac38302f8924882d3654bd6a6ec9558cfc0ec520c8d6d0b8eea720f53ce1792e96e2c2689e00aa277d3

C:\Windows\SysWOW64\Mnhkbfme.exe

MD5 02b0de689a630699b665144fd79d74e1
SHA1 15dd82f9c005e32ac1aefaa55fd3c6dbdcdf8e90
SHA256 05927324c0df0181d5048530b8aa278bd88dcbb9868521146472a5cca47698a7
SHA512 2d6885ac794f1906e027edd5c2aba259f029189b0a2a83b91e8c9dd71f218e857aff69f76ed97da7a40b32265ac3e6ba77f02b1b9f0173e8aab7b74b3ff14d61

C:\Windows\SysWOW64\Mkmkkjko.exe

MD5 17e7500a27e921e93b57c7f892f0f95a
SHA1 eb8bd96f29b18287ac8e5822ed1e2c352632efa1
SHA256 cd55a87c9bb1e1656e0d724d8d40514675a6d7def674cb057168d0fde1ee054a
SHA512 beab0683a7a8589eb55e09955b046b1107e3b647cf2ab3051610136a4000d821bc75b9447b78f02b4bb488b52ee4f857a56d411731266452824b1000dc6b3054

C:\Windows\SysWOW64\Manmoq32.exe

MD5 83bad05de4d77552d70221f2245909c4
SHA1 36b403f7012b5bfeec4c4cb760ad44cf501814de
SHA256 10a9472343342d0c8f2bad3807ea5a1651943d6b5e294b957afa8e593c851b4c
SHA512 a5cb5e120171c3a1c81ee4c8c373d60a13028576d179b2693075a7cdc2951b4e5c9a1e570b84dd5661d9f7b04ffec8e2e0564d0cde2074c6c10dd14dac21cd3c

C:\Windows\SysWOW64\Nabfjpak.exe

MD5 54fa118c4348ac02be15f4e43c505e83
SHA1 c59ea5270ebde75718f015e78c50177c102859ed
SHA256 1db826bbed5b8da23218b123237382ad2a8dc9ceb95958c6839c95dafefcabe9
SHA512 42add16eb47482fa3d1d58ad8f1a57934206d4d6f24a2c0dc2474c1058e5300b16f9efd9cf91357284d780df211de03348c86f5635d57cb838bde1329bc000f6

C:\Windows\SysWOW64\Neclenfo.exe

MD5 0b50b464f6c27044e33b6650f6d61d2e
SHA1 528905e127cedd97249862fd5afdd6eafea9ae47
SHA256 5d48e16dbce64588f3f920fc2e17bed0a33488b8ebf244be26533a64f55d41ff
SHA512 6a9524acb5884d8f643455fe3e708cae25d792e3ce3bda6572fac08159c543cf94c0b0095616a9b120baf87fc7fb2df3cf946aa20540f39162ba946abb863317

C:\Windows\SysWOW64\Odhifjkg.exe

MD5 692d5b89e2d11dd366a442d296d15bca
SHA1 53730514dc487203404c58ec5ca3e2385637d022
SHA256 6b2226cfcb1e1a5e55a9b8b579675c72ae9d2c0829dae13a4e1c7151deaf1f69
SHA512 5afd9a1866a2718611f2097fe3082ae8dd12a5c34bd0b04adbb18c19a059e20989ef580ee561790152b16b426bbf8a906af3cbe71b440c6028575074791cf3e2

C:\Windows\SysWOW64\Oelolmnd.exe

MD5 b409618cf4a46ff2c68c2bf5ba6e9eed
SHA1 f9c7971cf8b4f4f5c4e105919c3b8d2e865beecf
SHA256 630428af989c345110cfe6d83637ec0e46b018e1799f2c69b604d0c0c8e7665b
SHA512 bea7023a71af9d9e7dc04fee47352b0d3b2b2c7363644b954e7d4f3847162af5c8d6ec6e59cec1eaa808d4be925ff5fcf4dbe29663a306bd84ac1e931e9c8c38

C:\Windows\SysWOW64\Pddhbipj.exe

MD5 143c1075954fb4793d1d0b5e617d4b73
SHA1 2524c4521a89c77ab8ab15d748d8c1cd2cf96757
SHA256 f6204e6aec2be1c60cfec5dbedf95403bc4b867168b4019277db2f18016e5a61
SHA512 9ff22c17858ffe4f077c8a6e7f237ef8e58cf93bf8668bcbc9334159f26eea40f0f1792955dfbf455e2c28869fe115b8a0651d23cda4f70e6e238a6852ca5662

C:\Windows\SysWOW64\Pkpmdbfd.exe

MD5 e293da2a4acc2c1452066cefd13077ce
SHA1 eae010febcb69e691d7f2f9a7dc799e2083501ee
SHA256 740e19ca48494c750d282903c4e8dd16566c356e48f3ce51dbfd4051bff1a0fb
SHA512 8bad332bb1bb4bb799285698db08690d2d99026d93e69b4ce2d551454680cbc8f97967ffc7f1539cd941634eba2fe87cf769c36b509577b0b84d5c2fde0ce7d3

C:\Windows\SysWOW64\Alkijdci.exe

MD5 590dc133f523d75bc7431d6b35f52707
SHA1 a84e014f5b12819bdd0a9a9b9db43fcf7336efda
SHA256 32a4569039dfdd0451c26c068880909de2c6f95b68d2269b869e9e265ee0d0af
SHA512 319f57e588e6891bde9c0c5a430a93bafbb86d5147c8568e402cbe8735855aa71f01dcb8876fb9c22942a5abcd99a000e3fffa684ab82ad89865e2acc1e5e126

C:\Windows\SysWOW64\Adkgje32.exe

MD5 18f3c581ef78c3291f35c7cb5f668509
SHA1 d1bba6c87b814d75ae25a6ee337fa3bb730f1ac8
SHA256 513f7bc0b398095c114e01ad29cc77a47d277bf9def41dc74c34ed4782325275
SHA512 543bae5ba0704235fed51e3f1f05951cc4e090f3f5c74822ec7d61542136cc6047ca28409a8394be9af28c7f7c011fd4e92a4d1f6e7def4cadd6a8d891d9a43e

C:\Windows\SysWOW64\Alelqb32.exe

MD5 7aa95c8f7ed2fa984d82f9ae283d6b55
SHA1 fd41e17331ea16f2fa3c8becf62b6f941fb2f860
SHA256 2a75a8423fc6d7432ed5a95116eea0848ae5388a661e177c88e608f798023d49
SHA512 86e11bd0a5ce005b0da2f9e8c247277ece52057b15a9d046f2e8d08719e02b1b4b93631027936cb2581b45fc1331d04ed2e9ad1f7b0ead6f4b1fe193f318c838

C:\Windows\SysWOW64\Blielbfi.exe

MD5 cf770f6159b80dcf0045f3f8c28ec4ed
SHA1 f76aad4eb3565a686c1530f000ec065af0dff5f5
SHA256 267a2839974cf66a610e8b9284b3755e8696a9246667a8635349e3c8d410b683
SHA512 eaad8a45e19ef3166d7996ed0bdc6a6f10c475b0ffbb26089faef8a9dec2f67fbe4c47d16ce5cd18d51d78bac8386e07e52091effd3014c627fce035ced6998e

C:\Windows\SysWOW64\Bnoknihb.exe

MD5 4c81b8bb833cbc894d12ff8de842dee9
SHA1 375fe06344560d2136e49e16cf72f95385e5b9fb
SHA256 7b989376970c42ee430dc48a459d6aab3eca03d9fe9b3a0ab1b867acdef27e74
SHA512 fc2d7beafefd2a6ff1dc427da06b4cf2c1e8a49b9646bafa4f748b29b6aa41669d5de3dc5689142a9a22dafd2a5594959a7856a3ef7d28928a80b96329ea4a6e

C:\Windows\SysWOW64\Cndeii32.exe

MD5 a9b3a1994dadbe626bcb4afadd61be7a
SHA1 a5271315e11e709d3fd056502b73f5fbe14543c4
SHA256 019cbb44706eb54f08cb185aa467e072127d3610f75bdafc9bd8fd7dbc54bacd
SHA512 d84bdde59365c804c368bfb4c4cf9ea760f05b09f569fa03fb1f1ebde65c9fda1d6f7871a52e23cd43dde76bd621095c89993ca695cf0a51c266d36a0690acf6

C:\Windows\SysWOW64\Cofnik32.exe

MD5 364e7f9a8e327a5c1faa62fcc6724260
SHA1 135b8d126b3708c9bc8ddecf92e9ab32d0f707f7
SHA256 8ff6d6cf9a4dce59524a5c5e4baa645a822dc7cd39bab42462fb7a20bfd0662e
SHA512 2cb5f22e7fb6ef7672aff7dffd96639d74f82d9965ee729195b95ea4254708d6a07334da948d4f2f800637a7f57ae152ca0e16d16a6b4da931cd2c13d9a2b21e

C:\Windows\SysWOW64\Dbicpfdk.exe

MD5 88598e22d75629a46d00b5ce5ccb2a65
SHA1 eb44900eb63bf6f14c7d9c6b4f717a12ea85e132
SHA256 d225dc00e5e8b080a9a3e9ad6f3ea92d1bd2b6909c547a6103cf15bfdadfdb47
SHA512 8697e48ff3090c7d1e8b71fdca2daf3d76707a8df4b82b0791b6132ea5e802aeaf0df06802dd9baa0c5c3df4a2f0827a037d7de4b1865ddf174fa202e639078a

C:\Windows\SysWOW64\Dooaoj32.exe

MD5 177745480b5507825848814a99ebe478
SHA1 78ffa4782d72f45c60c2a03a3773c3c94861f207
SHA256 ef3cb5126800a31c5f134f92033eb131baf540b2292d8f71547f4bafa74b7b0c
SHA512 26c808763d03de87354957ede23c502d6caee84b053b77b67c1144cd7f8b23750d373d88cafcf6161a674420349c36ee98d7300dcfcc0b791d58bda49a9e2d34

C:\Windows\SysWOW64\Dbpjaeoc.exe

MD5 34d16918b6bbfbb2b81f6dcdab303833
SHA1 1c8e93c0c4255b97155216a964052efb299eba66
SHA256 e097a3d3771fed52134f0946ad00afc9f498bdad9291688b5e0e51e6791566d7
SHA512 7ee4e8614ec97b134f92ff1c55794ec72b08776f4269116d01826a1e2ec76f500ebd3f7a0d3db830c0d9f6e485abb0ffb68434d0a91e41f17cbe21ea4c62dc84

C:\Windows\SysWOW64\Efpomccg.exe

MD5 d381a07a2d5cbb01e1ec3daf5ef654fd
SHA1 ab99f5de6e1712cac8106ddafc274aef91d5d813
SHA256 08873b641f560b184be9016e4d65bc641d9d0f22c58c54167b839253ae90b83e
SHA512 68627d91a64820c0f1cfd388d537d9f00d0a1807dd16868c3156c274b5a97834d07cfa2515efa009ad3408935e23195150ff9e5bfe8dec5b59f2ffb9794fc64c

C:\Windows\SysWOW64\Eeelnp32.exe

MD5 73a03819eee23ba256bcf77c21b505b1
SHA1 b353f190d8dc7e891a35ce87be90be487ae7ebeb
SHA256 7bc1488ead94651a57e89d54cd15e17f76b7b80afcbf239d98f5a220b6aa8c6b
SHA512 0d4f9522c19a99766e9ad1d2c1348c86741de625916e2e52934cf97dcf48572af572577f88687b9d3cdad4aebc9e244822286786916919cc0767e57b3ab2c38f

C:\Windows\SysWOW64\Felbnn32.exe

MD5 1e5f2e7aa84b78660270edac5289ca96
SHA1 986eda55cc87bcea6fa1a94e664f3ef6efc83189
SHA256 a2a9faec6fc860cb5b492805b6fa2ff802d92d59a612ae2e4efebe32b8a2e7ec
SHA512 e24e3325360dd6c8517c95ac7e3434b59652a13c36f4d783b1a76f84eaab0b20dbdad105413808c07a0dd27e1dd650213a19976993e2715dbfcc71573038aa07

C:\Windows\SysWOW64\Fealin32.exe

MD5 92c138b4fe2e034a73d5e0b92bdb2c97
SHA1 810f8ee5c26010295a56eedc80c1aa32facdb075
SHA256 fedf45d8268421cdaae0a4866b808cb955f66de8a634526af6a5fe6d304bec0e
SHA512 1124b2913db12024d0af20aa990ac3bcde3806aed70e48c27b2188fcc851b0bfedfb0c74828ec87fb32f5e78adda36fa310bd1422738807811679aef0601922d

C:\Windows\SysWOW64\Gfeaopqo.exe

MD5 e688d0782ef5f25120165660d080bdae
SHA1 6fd49a658c6a1d5fb594042b498727fa75befb00
SHA256 3ab600e7f283d3da02cae0fd2754e215dc9ad5a179deb8df8a53a656bfc4a264
SHA512 88a3020bee015aac771e32638fd2625cfdefb98b117bf6adf3d4a7daee3c7a90412589badf320080261266619e184054a9a8527cc9cc67357fb23d4057e1c3b2

C:\Windows\SysWOW64\Gmimai32.exe

MD5 bb2ab5c35bfbd2b3cb12f3c942ec87f9
SHA1 5a420947ce4324ae9ed225de878f2c3431ce80d3
SHA256 cbf596e983bfbe96544452a757c04260cdd3d0dfa880de1b95b8f6a09b76367c
SHA512 204ddbd16d350be82abe9d24f6ef1fdc47364ba8fbb6f704aee6f0186082c4e6177b5e169f02fded217453cb207d1a053423d410788df81528b09e450667ef77

C:\Windows\SysWOW64\Hbjoeojc.exe

MD5 6ae73729e1796e4f35251b96d639af21
SHA1 f734b4491aa6abcd4be03c6e236f168bb2536d2c
SHA256 193ae99a453e203c125095f8fb98fc1eff682ab22d2bdfdd89b492b7d6335ab5
SHA512 e0d6cd58888048a52b12af3ea62f8c2d4788005667abad1a26ef635097f265f4b6d51d0b731440effa45c3e360a85a9a99d99bb85086ee89302d37441aafacce

C:\Windows\SysWOW64\Hemdlj32.exe

MD5 2e08744299c4c75f2e4a522078a70031
SHA1 d6d3193054f554e5e0e71139a00b9098cff97dc0
SHA256 d4aa11a99f57706ae085b7811f08bcbcc0eb6906c7187269bb709f4fa8ba973b
SHA512 bbc6dbb4ce6908b0fe6ebdf5c0c7ac59ae5a3e692e457bab8af756e762c5e897fc11e348be6fc05e8787d4f7f4aedc47c5cc727c6c1ea184167692acb9ec28e6

C:\Windows\SysWOW64\Ipeeobbe.exe

MD5 b50024980e968ae122aa840925a4b78f
SHA1 5489e514a69827fbc4de9768b41cf8f3bde97b49
SHA256 f99165d304c297854d6420d16759619d86715fe159fa00a48dc842015a82dbba
SHA512 d7399778b9e94b712320bd2de14d3ce7172bb10fadf7c728ba317ffefbf92c507215adf6fcec9e6a24a3dc39a6ef370c3f8d260948591811f4adcb9a626dad1d

C:\Windows\SysWOW64\Iedjmioj.exe

MD5 22f07ac94a27bc379385357b344e2e84
SHA1 effd523183f1b3102940863077d708d533796851
SHA256 29a92039533e50759c5d7c1589c69c322667318fc09ac7e5b3f379fa6b090235
SHA512 e93cafcc3312fdceda7c3d1375459309f51ff88827c601f21cb8484d0ccb5282f89aa6297d15965eed05e4be24791357536f01537be5aa5b7e8dc1e4fc2fd61f

C:\Windows\SysWOW64\Igfclkdj.exe

MD5 63d14571c144b22eb5ea89c380328efa
SHA1 f8a5d41a46dfdae658bca26c982a15bb02268064
SHA256 25b3839fd5cddb4ee56f01d2ab77aef71c9595b896dfe58d699e4aa5d8a5ddf9
SHA512 283bd41c637bc8f08a3d3e016d86a7eb305b7a278a048434241a124e7c4c8de4b99af4bd99d03e5afe686ca74a6c962483ea82bdc81e5d09a704392430aa69bb

C:\Windows\SysWOW64\Kngkqbgl.exe

MD5 a8fb718c47d450b88bf36e40ff465c48
SHA1 adf006283add01a3540017ac0123a0fc6511d382
SHA256 f8a518779459d6a5fe5321d26e93e999804fbfc76d56b4c66d9bfe8c52b408bc
SHA512 eb1313581ee47ed94def358bb9de56cf258bae5c0d1b83843f56bd1cd89ba5f4a3661bcbc4f92448f3b048dde081fca1b5b33b60ce272747c0365f7c6db07a77

C:\Windows\SysWOW64\Lqkqhm32.exe

MD5 53c09a060257fbff9a9f53130fa99de3
SHA1 fd6fff9ab71860a6ff152fbb65e8624ba4f26985
SHA256 a5a3aa9936ddbe4adf5a3ab05bb8c318f60dc3b63fee91308e753d700e044b03
SHA512 cface11be81f1d117aea1cfec8a4064b795910d3442540abaa7abb42fec8faf93ce010595b2414e8a4cbff8501d03bb9f59290c7e7d2c5696e28643de593d355

C:\Windows\SysWOW64\Lfjfecno.exe

MD5 2da032878c3f8f209289c516ccad62f8
SHA1 f1a271261def09b25df78bb739a0924bc41ee18d
SHA256 b2d2f9b2120b379b49b41a549c9ce903841de48cc6c160cedb7853e1c3153550
SHA512 25cd8993956297445b7ed8bb3e489e478797d00a775680963aad318ce891aadd187959241027ba77802b7e58820d6583f1d7ead9eb1176284481ba39534c4a5c

C:\Windows\SysWOW64\Moipoh32.exe

MD5 a3b8c6945511d876c94a4a2d6e62922e
SHA1 8127ebdd5becc64cbf4d6f65dad8960b6b18d9a5
SHA256 119c38fc4147afe49b8878b6538121c67392416e43b2d4ffaca497d4dfce6786
SHA512 9406294e80594dda218d6ddf920deb2749d52b26b6433420039796ba2011bcdf5ed89877944abe0c3d31fbbc0f4c9560b7b68cbca32640274b1fd065daa47637

C:\Windows\SysWOW64\Ncchae32.exe

MD5 29469548d6cc084ff767e5a669952478
SHA1 48fc2ab1a5d990e11026fcae768411840a0ceb93
SHA256 f125dd247c12e53e0abd158e6db6ae6f438a7b3b44cf42d5fdf1c16074269e1c
SHA512 8c92b04ad063dbbd817738fb618bdc88a6369b3a999faea06f1f6e154c7ebbf4ef9159e4b9c72ba401e3aa74c18c775a78e5578411bab8ce319d964a94872645

C:\Windows\SysWOW64\Ogcnmc32.exe

MD5 e1ae1683d36e173f6427e9408d252da0
SHA1 656528b8a365d75eb4063be913886c1918e3744e
SHA256 83e4ad47dd6db1a388abebeb1b6f890c282186d39e2756829edc1afbfeae918c
SHA512 f2541a21bfb2897dd22f5172ac46b919e2d0ee425f95ed6451c8ef3f10e5002f4df4bc2e21738288538206e31777773219c8c5d97544c490a1562678bee0f38c

C:\Windows\SysWOW64\Phcgcqab.exe

MD5 28373bf75e0d1193733f1c154aa28669
SHA1 adc35580f7f472a97a75ccdeef751cf284f5da8a
SHA256 ded23a74d016a87d69dcc2ba0b442692466f4f36b2640ced947ee6f417b226f5
SHA512 76e94a946f5dd543d31b3b94588eb4167e56946835aac5e8948583b9ebcbc7e7dead5e0798febe0b904998ed7a89a839a054fcbf6e57d6f7e9657238b5ef3bfc

C:\Windows\SysWOW64\Pmblagmf.exe

MD5 73915d2c5fb0f3d5cd0b6c15ca8148e9
SHA1 4a3ebbd73bca0874ad478d9ffe6269197452a3b7
SHA256 1ebcd168417ffa6dabcd9ed22ed31d367d5b906d583cedf3ab0dc158fa74b4e8
SHA512 b9a71d77f786e8e14ce81dddd7db3d993a7006622baa458f0cf6e56b113126551d1d2e7b8641e659cb24f8ae941820bd70087bd2919b5303f895b2aa849542b4

C:\Windows\SysWOW64\Qpeahb32.exe

MD5 03a747fcb1b6b90cc1dcd38706ef6861
SHA1 efb738f468541131ed45c3e125d494fff9fc8dc1
SHA256 41817e7b784a58ffa72adcf87559197c9d2b0cbededbbdf10f8f229bafc96b32
SHA512 70178608c91126f162b207c13732a07b179bd1cd76fcc8f058f092b371e2daf0a865b6fb95a594afc56661a891165d226606e8b14bd477213135b68b81bd68e3

C:\Windows\SysWOW64\Apjkcadp.exe

MD5 6da880934cbd005135d68ece2e4bef4b
SHA1 f767e6114c43c26d0a6956d46f73fcf0c1dcaf30
SHA256 ab98e6a2820827c17319d62e33543cbffc4d179513fe8b86450ef41e987d0ece
SHA512 0d84268da547b579dd4c1274abb9543144782fbce1c062535ba004a04d698daaa7a4d5c31bce7e359cf51322bd1c41edf31b7c3310da5cbd05182b023a16562f

C:\Windows\SysWOW64\Adhdjpjf.exe

MD5 aee1c36f6998a4fbd5c416586fe80ff8
SHA1 7ad302b04d586c8c6ff4dbbf281e0d06edd74853
SHA256 0c6ed41b5a4c8852380ba74fb4681a249378604d49b5f85a814fbc707796609e
SHA512 08b4bdfabafb318da0c7f3dc5386ae770b29ed1e684bb6410a2a2aee20139b5d5f195112d3a8159869665565f72ffcc0b83fcec3df2783864194910e7c726932

C:\Windows\SysWOW64\Ahfmpnql.exe

MD5 ea05eb76554614af0337ee3b1d9c36ef
SHA1 41ede4e5be405ff3d6fac77979f647abf108fb8a
SHA256 246e8af9d4b68f879ab5a5b61a0da249e2992c0dd8b593905d893ae1fef3ec40
SHA512 f2a13f56ef6f450e3784c7743f70a3f62a0de6efea7f694a41eeb16ecef297517449d94a95eb8ce25c741e22b2c266ddf4e5f7d666cfb8b8138c7e8329af7eac

C:\Windows\SysWOW64\Ckbemgcp.exe

MD5 748097c8a572e0921c22ee69797beda2
SHA1 e7a602d0247688da4226ab735df961b9612ced0e
SHA256 8c76cfb57a910dc0f4e68db799eab3d12dc70cf26589db26c01b22c25882fa89
SHA512 c08ee2124e641103186ed923880dd18437d6300c0b7e3f2f3686efb45893ef6c489369325aae58561f0675be7c1bd54e9ced42834bf4132e9289c696d63fe320

C:\Windows\SysWOW64\Chnlgjlb.exe

MD5 a97c0a24e77c27e6e67253b2c281993c
SHA1 6157148db931546957c5fc9cecce4b8cfc4a4751
SHA256 ceba0f684100b444db91f767d01df26a809d7cebc87ac3c74d3fec0428ec1753
SHA512 13dc9e5d38c4b7e932a92dd4c1f7387fe5cdb6537958a45835ec6a65052e26ebc12a6c4d0922612ed8a5774cc8a9b782616eb09292b77d3e3d2a798897029477

C:\Windows\SysWOW64\Dojqjdbl.exe

MD5 70e53b0117b4d8e1d7dffa81ad2c6dd9
SHA1 e4cead574b7ea797d92a61dc540abeb2ee53472f
SHA256 c0cecb0da486b308cd6b39b3ff29e5ee692897aa8146988ee99b37881fb0fd9a
SHA512 64bb8667f713ed22d6d5928fe79d76b30388b2706df2246243bb8c6cb0336783d8f4233fd9f84ed9230453f038fa1882ed76e80e8ac669d0ca468980e6435cb0