Malware Analysis Report

2025-08-11 08:28

Sample ID 241111-mxv7gs1rcq
Target af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN
SHA256 af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99b
Tags
discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99b

Threat Level: Known bad

The file af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 10:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 10:51

Reported

2024-11-11 10:53

Platform

win7-20240903-en

Max time kernel

106s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ohncbdbd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alihaioe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pifbjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjpaop32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjpaop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jbcjnnpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jkchmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpdjaecc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pkoicb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpgffe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Oippjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qkfocaki.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbbpenco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boljgg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lhpglecl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Agolnbok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bgaebe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qkfocaki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bmnnkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Oidiekdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pcljmdmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cagienkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boogmgkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kpdjaecc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kpgffe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apgagg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Khghgchk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mkqqnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkoicb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Djdgic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbcjnnpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Boljgg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jimbkh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lhpglecl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkqqnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Padhdm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhjlli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Khghgchk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jbcjnnpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Jimbkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkchmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khghgchk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpdjaecc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgffe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kffldlne.exe N/A
N/A N/A C:\Windows\SysWOW64\Lldmleam.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkqqnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfmndn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohncbdbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oippjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Obmnna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjphcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Padhdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkoicb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmmeon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcljmdmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pifbjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkfocaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Aohdmdoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Agolnbok.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahpifj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apgagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfmcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcomepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Andgop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqbdkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhjlli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjkhdacm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbbpenco.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdqlajbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkjdndjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjmeiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdcifi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgaebe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjpaop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmnnkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boljgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgcbhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqlfaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boogmgkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfioia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmbgfkje.exe N/A
N/A N/A C:\Windows\SysWOW64\Coacbfii.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmedlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cepipm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnimiblo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cagienkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgaaah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjonncab.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbcjnnpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbcjnnpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Jimbkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jimbkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkchmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkchmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khghgchk.exe N/A
N/A N/A C:\Windows\SysWOW64\Khghgchk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpdjaecc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpdjaecc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgffe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgffe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kffldlne.exe N/A
N/A N/A C:\Windows\SysWOW64\Kffldlne.exe N/A
N/A N/A C:\Windows\SysWOW64\Lldmleam.exe N/A
N/A N/A C:\Windows\SysWOW64\Lldmleam.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkqqnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkqqnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfmndn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfmndn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohncbdbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohncbdbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oippjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oippjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Obmnna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obmnna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjphcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjphcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Padhdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Padhdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkoicb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkoicb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmmeon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmmeon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcljmdmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcljmdmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pifbjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pifbjn32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Pifbjn32.exe C:\Windows\SysWOW64\Pkcbnanl.exe N/A
File created C:\Windows\SysWOW64\Cofdbf32.dll C:\Windows\SysWOW64\Pcljmdmj.exe N/A
File created C:\Windows\SysWOW64\Lloeec32.dll C:\Windows\SysWOW64\Boogmgkl.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgaebe32.exe C:\Windows\SysWOW64\Bdcifi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lldmleam.exe N/A
File opened for modification C:\Windows\SysWOW64\Andgop32.exe C:\Windows\SysWOW64\Akcomepg.exe N/A
File created C:\Windows\SysWOW64\Bjmeiq32.exe C:\Windows\SysWOW64\Bkjdndjo.exe N/A
File opened for modification C:\Windows\SysWOW64\Boljgg32.exe C:\Windows\SysWOW64\Bmnnkl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lldmleam.exe C:\Windows\SysWOW64\Kffldlne.exe N/A
File created C:\Windows\SysWOW64\Pcljmdmj.exe C:\Windows\SysWOW64\Pmmeon32.exe N/A
File created C:\Windows\SysWOW64\Boogmgkl.exe C:\Windows\SysWOW64\Bqlfaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cepipm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Qkfocaki.exe N/A
File created C:\Windows\SysWOW64\Kpdjaecc.exe C:\Windows\SysWOW64\Khghgchk.exe N/A
File created C:\Windows\SysWOW64\Behjbjcf.dll C:\Windows\SysWOW64\Khghgchk.exe N/A
File created C:\Windows\SysWOW64\Mkqqnq32.exe C:\Windows\SysWOW64\Lhpglecl.exe N/A
File created C:\Windows\SysWOW64\Nhjjgd32.exe C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe C:\Windows\SysWOW64\Bfioia32.exe N/A
File created C:\Windows\SysWOW64\Lmajfk32.dll C:\Windows\SysWOW64\Coacbfii.exe N/A
File created C:\Windows\SysWOW64\Calcpm32.exe C:\Windows\SysWOW64\Cmpgpond.exe N/A
File created C:\Windows\SysWOW64\Pqbolhmg.dll C:\Windows\SysWOW64\Omnipjni.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdcifi32.exe C:\Windows\SysWOW64\Bjmeiq32.exe N/A
File created C:\Windows\SysWOW64\Dfefmpeo.dll C:\Windows\SysWOW64\Boljgg32.exe N/A
File created C:\Windows\SysWOW64\Acnenl32.dll C:\Windows\SysWOW64\Cjonncab.exe N/A
File created C:\Windows\SysWOW64\Agolnbok.exe C:\Windows\SysWOW64\Aohdmdoh.exe N/A
File created C:\Windows\SysWOW64\Doadcepg.dll C:\Windows\SysWOW64\Nmkplgnq.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\SysWOW64\Pcljmdmj.exe N/A
File created C:\Windows\SysWOW64\Bhjlli32.exe C:\Windows\SysWOW64\Aqbdkk32.exe N/A
File created C:\Windows\SysWOW64\Bgcbhd32.exe C:\Windows\SysWOW64\Boljgg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Alihaioe.exe N/A
File created C:\Windows\SysWOW64\Kccllg32.dll C:\Windows\SysWOW64\Kffldlne.exe N/A
File opened for modification C:\Windows\SysWOW64\Oippjl32.exe C:\Windows\SysWOW64\Ofadnq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Coacbfii.exe C:\Windows\SysWOW64\Bmbgfkje.exe N/A
File created C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Kpgffe32.exe N/A
File created C:\Windows\SysWOW64\Gfblih32.dll C:\Windows\SysWOW64\Oidiekdn.exe N/A
File created C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\SysWOW64\Pcljmdmj.exe N/A
File created C:\Windows\SysWOW64\Binbknik.dll C:\Windows\SysWOW64\Acfmcc32.exe N/A
File created C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cagienkb.exe N/A
File created C:\Windows\SysWOW64\Ofadnq32.exe C:\Windows\SysWOW64\Ohncbdbd.exe N/A
File opened for modification C:\Windows\SysWOW64\Cepipm32.exe C:\Windows\SysWOW64\Cmedlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cagienkb.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File created C:\Windows\SysWOW64\Aacinhhc.dll C:\Windows\SysWOW64\Apgagg32.exe N/A
File created C:\Windows\SysWOW64\Omnipjni.exe C:\Windows\SysWOW64\Oippjl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oidiekdn.exe C:\Windows\SysWOW64\Omnipjni.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cgaaah32.exe N/A
File created C:\Windows\SysWOW64\Ogdjhp32.dll C:\Windows\SysWOW64\Bmbgfkje.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkoicb32.exe C:\Windows\SysWOW64\Padhdm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcljmdmj.exe C:\Windows\SysWOW64\Pmmeon32.exe N/A
File created C:\Windows\SysWOW64\Mfmndn32.exe C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
File created C:\Windows\SysWOW64\Jncnhl32.dll C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
File created C:\Windows\SysWOW64\Lmdlck32.dll C:\Windows\SysWOW64\Bbbpenco.exe N/A
File created C:\Windows\SysWOW64\Efeckm32.dll C:\Windows\SysWOW64\Cchbgi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Clojhf32.exe N/A
File created C:\Windows\SysWOW64\Ccofjipn.dll C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
File created C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lldmleam.exe N/A
File created C:\Windows\SysWOW64\Hnoefj32.dll C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
File opened for modification C:\Windows\SysWOW64\Akcomepg.exe C:\Windows\SysWOW64\Acfmcc32.exe N/A
File created C:\Windows\SysWOW64\Bmbgfkje.exe C:\Windows\SysWOW64\Bfioia32.exe N/A
File created C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cgaaah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kjmnjkjd.exe C:\Windows\SysWOW64\Kpdjaecc.exe N/A
File opened for modification C:\Windows\SysWOW64\Obmnna32.exe C:\Windows\SysWOW64\Oidiekdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Ahpifj32.exe C:\Windows\SysWOW64\Agolnbok.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmdjkhdh.exe C:\Windows\SysWOW64\Mkqqnq32.exe N/A
File created C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Mfmndn32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jimbkh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kffldlne.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhpglecl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apgagg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohncbdbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Padhdm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calcpm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acfmcc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhjlli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boljgg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cagienkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djdgic32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpdjaecc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pifbjn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cepipm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjonncab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmnnkl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhknaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omnipjni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkjphcff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clojhf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oippjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkoicb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbbpenco.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boogmgkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfmndn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alihaioe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfioia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Coacbfii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oidiekdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jkchmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmkplgnq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khghgchk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obmnna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agolnbok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akcomepg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbcjnnpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpgffe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkqqnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhlgmd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qkfocaki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahpifj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lldmleam.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kccllg32.dll" C:\Windows\SysWOW64\Kffldlne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll" C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqbolhmg.dll" C:\Windows\SysWOW64\Omnipjni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll" C:\Windows\SysWOW64\Qkfocaki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgnph32.dll" C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pkoicb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Padhdm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjpaop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll" C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Behjbjcf.dll" C:\Windows\SysWOW64\Khghgchk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Djdgic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cepipm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Andgop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Boogmgkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll" C:\Windows\SysWOW64\Calcpm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll" C:\Windows\SysWOW64\Ahpifj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll" C:\Windows\SysWOW64\Agolnbok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphgph32.dll" C:\Windows\SysWOW64\Jbcjnnpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahlae32.dll" C:\Windows\SysWOW64\Jimbkh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhapci32.dll" C:\Windows\SysWOW64\Obmnna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jkchmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnhjmjc.dll" C:\Windows\SysWOW64\Lhknaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgaebe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Calcpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncnhl32.dll" C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pifbjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Oidiekdn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Acfmcc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nmkplgnq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oippjl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" C:\Windows\SysWOW64\Cepipm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcighi32.dll" C:\Windows\SysWOW64\Jkchmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njpeip32.dll" C:\Windows\SysWOW64\Kpdjaecc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Omnipjni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Calcpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kffldlne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohncbdbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" C:\Windows\SysWOW64\Pcljmdmj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bbbpenco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll" C:\Windows\SysWOW64\Bgaebe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbaab32.dll" C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nhlgmd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe C:\Windows\SysWOW64\Jbcjnnpl.exe
PID 2132 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe C:\Windows\SysWOW64\Jbcjnnpl.exe
PID 2132 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe C:\Windows\SysWOW64\Jbcjnnpl.exe
PID 2132 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe C:\Windows\SysWOW64\Jbcjnnpl.exe
PID 3012 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Jbcjnnpl.exe C:\Windows\SysWOW64\Jimbkh32.exe
PID 3012 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Jbcjnnpl.exe C:\Windows\SysWOW64\Jimbkh32.exe
PID 3012 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Jbcjnnpl.exe C:\Windows\SysWOW64\Jimbkh32.exe
PID 3012 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Jbcjnnpl.exe C:\Windows\SysWOW64\Jimbkh32.exe
PID 2188 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Jimbkh32.exe C:\Windows\SysWOW64\Jkchmo32.exe
PID 2188 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Jimbkh32.exe C:\Windows\SysWOW64\Jkchmo32.exe
PID 2188 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Jimbkh32.exe C:\Windows\SysWOW64\Jkchmo32.exe
PID 2188 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Jimbkh32.exe C:\Windows\SysWOW64\Jkchmo32.exe
PID 2896 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Jkchmo32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 2896 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Jkchmo32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 2896 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Jkchmo32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 2896 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Jkchmo32.exe C:\Windows\SysWOW64\Khghgchk.exe
PID 3024 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Kpdjaecc.exe
PID 3024 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Kpdjaecc.exe
PID 3024 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Kpdjaecc.exe
PID 3024 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Khghgchk.exe C:\Windows\SysWOW64\Kpdjaecc.exe
PID 2640 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Kpdjaecc.exe C:\Windows\SysWOW64\Kjmnjkjd.exe
PID 2640 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Kpdjaecc.exe C:\Windows\SysWOW64\Kjmnjkjd.exe
PID 2640 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Kpdjaecc.exe C:\Windows\SysWOW64\Kjmnjkjd.exe
PID 2640 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Kpdjaecc.exe C:\Windows\SysWOW64\Kjmnjkjd.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Kjmnjkjd.exe C:\Windows\SysWOW64\Kpgffe32.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Kjmnjkjd.exe C:\Windows\SysWOW64\Kpgffe32.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Kjmnjkjd.exe C:\Windows\SysWOW64\Kpgffe32.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Kjmnjkjd.exe C:\Windows\SysWOW64\Kpgffe32.exe
PID 2648 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Kpgffe32.exe C:\Windows\SysWOW64\Kffldlne.exe
PID 2648 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Kpgffe32.exe C:\Windows\SysWOW64\Kffldlne.exe
PID 2648 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Kpgffe32.exe C:\Windows\SysWOW64\Kffldlne.exe
PID 2648 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Kpgffe32.exe C:\Windows\SysWOW64\Kffldlne.exe
PID 2036 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Lldmleam.exe
PID 2036 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Lldmleam.exe
PID 2036 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Lldmleam.exe
PID 2036 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Lldmleam.exe
PID 2144 wrote to memory of 1872 N/A C:\Windows\SysWOW64\Lldmleam.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 2144 wrote to memory of 1872 N/A C:\Windows\SysWOW64\Lldmleam.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 2144 wrote to memory of 1872 N/A C:\Windows\SysWOW64\Lldmleam.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 2144 wrote to memory of 1872 N/A C:\Windows\SysWOW64\Lldmleam.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 1872 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 1872 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 1872 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 1872 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 2672 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Lhpglecl.exe C:\Windows\SysWOW64\Mkqqnq32.exe
PID 2672 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Lhpglecl.exe C:\Windows\SysWOW64\Mkqqnq32.exe
PID 2672 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Lhpglecl.exe C:\Windows\SysWOW64\Mkqqnq32.exe
PID 2672 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Lhpglecl.exe C:\Windows\SysWOW64\Mkqqnq32.exe
PID 2808 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Mkqqnq32.exe C:\Windows\SysWOW64\Mmdjkhdh.exe
PID 2808 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Mkqqnq32.exe C:\Windows\SysWOW64\Mmdjkhdh.exe
PID 2808 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Mkqqnq32.exe C:\Windows\SysWOW64\Mmdjkhdh.exe
PID 2808 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Mkqqnq32.exe C:\Windows\SysWOW64\Mmdjkhdh.exe
PID 1036 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Mmdjkhdh.exe C:\Windows\SysWOW64\Mfmndn32.exe
PID 1036 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Mmdjkhdh.exe C:\Windows\SysWOW64\Mfmndn32.exe
PID 1036 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Mmdjkhdh.exe C:\Windows\SysWOW64\Mfmndn32.exe
PID 1036 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Mmdjkhdh.exe C:\Windows\SysWOW64\Mfmndn32.exe
PID 2140 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Mfmndn32.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 2140 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Mfmndn32.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 2140 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Mfmndn32.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 2140 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Mfmndn32.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 2588 wrote to memory of 940 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Nbhhdnlh.exe
PID 2588 wrote to memory of 940 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Nbhhdnlh.exe
PID 2588 wrote to memory of 940 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Nbhhdnlh.exe
PID 2588 wrote to memory of 940 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Nbhhdnlh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe

"C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe"

C:\Windows\SysWOW64\Jbcjnnpl.exe

C:\Windows\system32\Jbcjnnpl.exe

C:\Windows\SysWOW64\Jimbkh32.exe

C:\Windows\system32\Jimbkh32.exe

C:\Windows\SysWOW64\Jkchmo32.exe

C:\Windows\system32\Jkchmo32.exe

C:\Windows\SysWOW64\Khghgchk.exe

C:\Windows\system32\Khghgchk.exe

C:\Windows\SysWOW64\Kpdjaecc.exe

C:\Windows\system32\Kpdjaecc.exe

C:\Windows\SysWOW64\Kjmnjkjd.exe

C:\Windows\system32\Kjmnjkjd.exe

C:\Windows\SysWOW64\Kpgffe32.exe

C:\Windows\system32\Kpgffe32.exe

C:\Windows\SysWOW64\Kffldlne.exe

C:\Windows\system32\Kffldlne.exe

C:\Windows\SysWOW64\Lldmleam.exe

C:\Windows\system32\Lldmleam.exe

C:\Windows\SysWOW64\Lhknaf32.exe

C:\Windows\system32\Lhknaf32.exe

C:\Windows\SysWOW64\Lhpglecl.exe

C:\Windows\system32\Lhpglecl.exe

C:\Windows\SysWOW64\Mkqqnq32.exe

C:\Windows\system32\Mkqqnq32.exe

C:\Windows\SysWOW64\Mmdjkhdh.exe

C:\Windows\system32\Mmdjkhdh.exe

C:\Windows\SysWOW64\Mfmndn32.exe

C:\Windows\system32\Mfmndn32.exe

C:\Windows\SysWOW64\Nmkplgnq.exe

C:\Windows\system32\Nmkplgnq.exe

C:\Windows\SysWOW64\Nbhhdnlh.exe

C:\Windows\system32\Nbhhdnlh.exe

C:\Windows\SysWOW64\Nhjjgd32.exe

C:\Windows\system32\Nhjjgd32.exe

C:\Windows\SysWOW64\Nhlgmd32.exe

C:\Windows\system32\Nhlgmd32.exe

C:\Windows\SysWOW64\Ohncbdbd.exe

C:\Windows\system32\Ohncbdbd.exe

C:\Windows\SysWOW64\Ofadnq32.exe

C:\Windows\system32\Ofadnq32.exe

C:\Windows\SysWOW64\Oippjl32.exe

C:\Windows\system32\Oippjl32.exe

C:\Windows\SysWOW64\Omnipjni.exe

C:\Windows\system32\Omnipjni.exe

C:\Windows\SysWOW64\Oidiekdn.exe

C:\Windows\system32\Oidiekdn.exe

C:\Windows\SysWOW64\Obmnna32.exe

C:\Windows\system32\Obmnna32.exe

C:\Windows\SysWOW64\Pkjphcff.exe

C:\Windows\system32\Pkjphcff.exe

C:\Windows\SysWOW64\Padhdm32.exe

C:\Windows\system32\Padhdm32.exe

C:\Windows\SysWOW64\Pkoicb32.exe

C:\Windows\system32\Pkoicb32.exe

C:\Windows\SysWOW64\Pmmeon32.exe

C:\Windows\system32\Pmmeon32.exe

C:\Windows\SysWOW64\Pcljmdmj.exe

C:\Windows\system32\Pcljmdmj.exe

C:\Windows\SysWOW64\Pkcbnanl.exe

C:\Windows\system32\Pkcbnanl.exe

C:\Windows\SysWOW64\Pifbjn32.exe

C:\Windows\system32\Pifbjn32.exe

C:\Windows\SysWOW64\Qkfocaki.exe

C:\Windows\system32\Qkfocaki.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Aohdmdoh.exe

C:\Windows\system32\Aohdmdoh.exe

C:\Windows\SysWOW64\Agolnbok.exe

C:\Windows\system32\Agolnbok.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Apgagg32.exe

C:\Windows\system32\Apgagg32.exe

C:\Windows\SysWOW64\Acfmcc32.exe

C:\Windows\system32\Acfmcc32.exe

C:\Windows\SysWOW64\Akcomepg.exe

C:\Windows\system32\Akcomepg.exe

C:\Windows\SysWOW64\Andgop32.exe

C:\Windows\system32\Andgop32.exe

C:\Windows\SysWOW64\Aqbdkk32.exe

C:\Windows\system32\Aqbdkk32.exe

C:\Windows\SysWOW64\Bhjlli32.exe

C:\Windows\system32\Bhjlli32.exe

C:\Windows\SysWOW64\Bjkhdacm.exe

C:\Windows\system32\Bjkhdacm.exe

C:\Windows\SysWOW64\Bbbpenco.exe

C:\Windows\system32\Bbbpenco.exe

C:\Windows\SysWOW64\Bdqlajbb.exe

C:\Windows\system32\Bdqlajbb.exe

C:\Windows\SysWOW64\Bkjdndjo.exe

C:\Windows\system32\Bkjdndjo.exe

C:\Windows\SysWOW64\Bjmeiq32.exe

C:\Windows\system32\Bjmeiq32.exe

C:\Windows\SysWOW64\Bdcifi32.exe

C:\Windows\system32\Bdcifi32.exe

C:\Windows\SysWOW64\Bgaebe32.exe

C:\Windows\system32\Bgaebe32.exe

C:\Windows\SysWOW64\Bjpaop32.exe

C:\Windows\system32\Bjpaop32.exe

C:\Windows\SysWOW64\Bmnnkl32.exe

C:\Windows\system32\Bmnnkl32.exe

C:\Windows\SysWOW64\Boljgg32.exe

C:\Windows\system32\Boljgg32.exe

C:\Windows\SysWOW64\Bgcbhd32.exe

C:\Windows\system32\Bgcbhd32.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Boogmgkl.exe

C:\Windows\system32\Boogmgkl.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Bmbgfkje.exe

C:\Windows\system32\Bmbgfkje.exe

C:\Windows\SysWOW64\Coacbfii.exe

C:\Windows\system32\Coacbfii.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cepipm32.exe

C:\Windows\system32\Cepipm32.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cagienkb.exe

C:\Windows\system32\Cagienkb.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Cjonncab.exe

C:\Windows\system32\Cjonncab.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Clojhf32.exe

C:\Windows\system32\Clojhf32.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Calcpm32.exe

C:\Windows\system32\Calcpm32.exe

C:\Windows\SysWOW64\Cgfkmgnj.exe

C:\Windows\system32\Cgfkmgnj.exe

C:\Windows\SysWOW64\Djdgic32.exe

C:\Windows\system32\Djdgic32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

Network

N/A

Files

memory/2132-0-0x0000000000400000-0x000000000049E000-memory.dmp

\Windows\SysWOW64\Jbcjnnpl.exe

MD5 461c9e0dcc8ebccf93e1ed76232b53e7
SHA1 8a28852fa43c444675bcc5c231c8a9e4bcd6d7eb
SHA256 9a4aa4640f8ce3ee46f405657b7c4c529c9546318882e1c1da9ed9142544e8ae
SHA512 c75061ad8d609c07ce6acc65d23f75ee5371fcb15d1539ef2b9e4276d437a2136be6fb5a2991757d46005da441ecb7f123c66c3b08893df15c0af17c8bf6f4f2

memory/2132-11-0x0000000000510000-0x00000000005AE000-memory.dmp

memory/3012-14-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2132-13-0x0000000000510000-0x00000000005AE000-memory.dmp

memory/2188-29-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Jimbkh32.exe

MD5 79bd6fcb24016955e82e4cb67bfdef8e
SHA1 4b5a1199d82478bd9ac01aea78b8654b1bd3d01a
SHA256 e3e2cccad9cd3fa8f90e254a6cc08d6e888981b05f789de762e3d47fec042b44
SHA512 240bf6bded5cee2fdf2acf9f7128eba4876dd263bd144d283df4876cbebff2b02e6bcd4344dba3c29b3d7f4d749b9d53553ae8a4f120e0ff3aa4622c2f985a0a

memory/3012-27-0x0000000000510000-0x00000000005AE000-memory.dmp

memory/3012-26-0x0000000000510000-0x00000000005AE000-memory.dmp

\Windows\SysWOW64\Jkchmo32.exe

MD5 65a9852f1a04ef2972fb152d0caa3ef7
SHA1 6b5cb584aad70849d6ed175031a2ae05586e3465
SHA256 5377ced8c39722489bd6da04635104efeeb860bd04770194dc0e88b6ba81d228
SHA512 0bc5db9b56bb0140605da2582742c669cd3d2de0c7ed96964999eb252a368fee588b0c12aac57ffab3cd28040747ec339e614351fa37e24c7945935216125ad1

memory/2188-37-0x0000000000250000-0x00000000002EE000-memory.dmp

memory/2896-48-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3024-56-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Khghgchk.exe

MD5 1a3ceda102507746f789467490a499ec
SHA1 b192ee1e365f29cc1c4ad2419f94e9dec4705daf
SHA256 5890c4e623f022f22455505110347123800edee2e5ed37abd719a812aca0cf6e
SHA512 848c7bb05360d0756ba2c5add823044c6fa5c80e4e7b33b1e1f535e1150f45ba9885a960ca2eb65ed405055a1edcacf529475f24205e6f2850c0f5fceb34b818

C:\Windows\SysWOW64\Behjbjcf.dll

MD5 923fc4739b3d6754ead24026396ea1f2
SHA1 d8edbe7a13907abbeff63f16a9c9bc17d9824791
SHA256 ac8c9415679545abc3f2b04a377ba959dc5b861853cfa8a3231d8b6b0aa1cc8b
SHA512 df2e7db5359a3e11b551c32700cc8041af9f50a13345a2cec355104c9eda58548c46b460732db93e5388cbfcbb138a8943f6079729095206d5485892f295f89a

\Windows\SysWOW64\Kpdjaecc.exe

MD5 6cde862782d1ae4c3bf7d57364cd82f0
SHA1 617238e8484577ce7540b625ecffec391277c2be
SHA256 ed4a2089f72ff37a505f53d6dbbc9dd6da5eb8ee41a449a3b3b3cf38bcf760fe
SHA512 877267bae05940df40ddd4ef9244ab20eae57aedede6ea0b0d392e245bc429d94fdaf7a0b5f6b68946d96af56f0ef63664e3e44dc7e1858b5618eb402eb6214c

memory/3024-63-0x00000000002E0000-0x000000000037E000-memory.dmp

memory/2640-74-0x0000000000400000-0x000000000049E000-memory.dmp

\Windows\SysWOW64\Kjmnjkjd.exe

MD5 0f46f63ef5df5f90085eee01dc9d9c2f
SHA1 1608e0e76ebe0332004d908d4dfc6a17b71b76a1
SHA256 7079f58a1cf0b5f3988115bca4044a576569c2e1a99783d4d53ea0567e05d821
SHA512 43a2aaba8e61706847a142086e0b9c7e5dd674d7ff91e345c967b6c449f15c4b52129d16b2a9799b90f409a73e10b0a5df1218291ad84c8c4051a665dc4c141d

memory/2720-85-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2640-82-0x0000000000510000-0x00000000005AE000-memory.dmp

\Windows\SysWOW64\Kpgffe32.exe

MD5 0fa1b2fb17825ebb0b80176028c44679
SHA1 f3559e02c8b95c63ac936703db33025022f13022
SHA256 7541a7ef72d18033f9128f8ffc721af8b44be218a518ad6b538e439edb4adf0f
SHA512 3c3644784874a3399177259c7925a7a8c4047be041f523e45d7f969ad6d3da73381f8caf8a0932940517de9cb6f28f4540e040f75db09966cf4f38de40460df5

memory/2648-99-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2720-92-0x00000000020B0000-0x000000000214E000-memory.dmp

\Windows\SysWOW64\Kffldlne.exe

MD5 e60b894461dd662cf34f610114055031
SHA1 24c7dd43e26b6f50fdbc60693057df70bd86a15d
SHA256 4126ab2c4f153811c7a0e12fb7108c8e772a80dab9f5559c2644bd1b5e58fdb9
SHA512 3aa79ef42981b3a8d6b38bdf4f787da3b1a43df1ea747ddfdcdb94e47c230c5a2ac953ec1230020534063f28bc90ebc8151c0f9b2cb48631e41f492a0acc98d1

memory/2648-105-0x0000000000250000-0x00000000002EE000-memory.dmp

memory/2036-112-0x0000000000400000-0x000000000049E000-memory.dmp

\Windows\SysWOW64\Lldmleam.exe

MD5 9ea4867346edc41f17a81d874200b62f
SHA1 72c7f96d8ee6f814f15d4538dc17651568887dcb
SHA256 aaf6e859535c61353d2690b12dd30060769b3ff108fbc379effa457c7480de6c
SHA512 2c06facecb1fe318b2e39e2136f16a3f04ded429ff7e4a1ceab4d486467509e8daf309385b5d131d4d389d17a5aa5ba660a160b67c12a4edb03fd90a92f38b5a

memory/2036-119-0x0000000000330000-0x00000000003CE000-memory.dmp

memory/2144-128-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2036-125-0x0000000000330000-0x00000000003CE000-memory.dmp

\Windows\SysWOW64\Lhknaf32.exe

MD5 8fd677b3450d02d84b5948ac0771fb37
SHA1 7162d62091e8b1024782e91c102c04b678b16145
SHA256 bbfd35989602c7660c9aa10892d22f9df51cf9547a64a49a749aee155d7cd51f
SHA512 973c209244dbabe71f6dab306d4c850fa144ec16c5d45aa6bb1e0fe3bd43719ee606c6e470528aff14126556995693ab80f42ecc91ad440b320af0b65dce85dd

memory/1872-142-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2144-141-0x0000000000560000-0x00000000005FE000-memory.dmp

memory/2144-139-0x0000000000560000-0x00000000005FE000-memory.dmp

\Windows\SysWOW64\Lhpglecl.exe

MD5 bddafcc6b23e45f89f019ef266f46d58
SHA1 0ca00f55a32bb83398c26c6e52dac70e359b8f0c
SHA256 c3201e9695960e503260811839ba92d2f0c51d3103ff56aad7c8f8f3de70429f
SHA512 70db6cfdd48673002941a9bc3318bbc6c12a30bcf70c3a4e063c12be59eca037191a96fd669708843ebabc3261f646b687c9ff4d74b67cc0357d286b6d8482e5

memory/1872-149-0x00000000004A0000-0x000000000053E000-memory.dmp

memory/2672-157-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1872-155-0x00000000004A0000-0x000000000053E000-memory.dmp

C:\Windows\SysWOW64\Mkqqnq32.exe

MD5 ca19926d7d8904518553c3d5351a257c
SHA1 5624127374df69ff232af0f42105ab8ae6e956ab
SHA256 392cf7fa8d023fce293dfd9f4734e98c67192da678f438a706dd0b625b88dd72
SHA512 c12663d311e953616b170235fb9f3f0d3c7cfb196a19c3632526b5fb015c478d4a5a5ade7e21de1cb67a25e156c5adea7173d677f4dd6f9812f291d2f6730d34

memory/2808-172-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2672-170-0x00000000004A0000-0x000000000053E000-memory.dmp

memory/2672-169-0x00000000004A0000-0x000000000053E000-memory.dmp

\Windows\SysWOW64\Mmdjkhdh.exe

MD5 03c1cb1b380a295338d404403da492d8
SHA1 96b2b99111975ebfd86abe5b4565428343f70d86
SHA256 6d4f9c66d1856225c174218dd22d7ab5f561a2f0b1d0d66c9bf7437a2cabbbb2
SHA512 238eca2ed713c88ea1b2ef37e0feca33fa61dfc7024bc08bea671103c39c9ee0c91c69fb8e4ae40dfb55a8756585f73e5ca3e6db1471549abcf92e4f2783ecf4

memory/2808-179-0x0000000000320000-0x00000000003BE000-memory.dmp

memory/1036-191-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2808-185-0x0000000000320000-0x00000000003BE000-memory.dmp

memory/1036-195-0x0000000000360000-0x00000000003FE000-memory.dmp

\Windows\SysWOW64\Mfmndn32.exe

MD5 80670d65781721b6ebe13cca5b9c2f1f
SHA1 c1776a2b16041b4beb2da9b3449a4b3d04f9e7f5
SHA256 6b2f97576facfa783276d30ac9ffda95fc6041789259284f53535683240f9599
SHA512 5266439b0bea9410438e5e92f3578eaf3faf56404af4e90629f1284e5424054f654e7a017e0228aa2813b2962e64e56097f418ac4fd692b3315816be2c7e23a6

memory/2140-202-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1036-200-0x0000000000360000-0x00000000003FE000-memory.dmp

\Windows\SysWOW64\Nmkplgnq.exe

MD5 358db168cd23e3ffaee9076a71ec7de5
SHA1 59848966a8b2718a23f1b6c14966b4d5cea0ab6c
SHA256 06baf7b888ac814fa82896f385c8b30d1119d06b6cdff8a2f7381f5ece999d2f
SHA512 988530b671a12cefb93881ef43cbdadbf2fdd94834a42300799ccbadc5dd03988fd08a5c9650a9eb93d0427373e46cf450a0b4bb265f59aaf04c3051568d41f6

memory/2140-210-0x00000000004A0000-0x000000000053E000-memory.dmp

memory/2588-222-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2140-215-0x00000000004A0000-0x000000000053E000-memory.dmp

memory/940-232-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Nbhhdnlh.exe

MD5 f1371c6c67e5e2ed0eef4219c94b0526
SHA1 1013d347ca26d481b94cd28e4ca9ee018d76609f
SHA256 90e72ea03bd11686bc8cf23cc657457abcdfa33daac79094e7737e4af9860c13
SHA512 95de72e833dd544ad93e2efbe6f1f15140039a6700bd7758ceff55076cd959af1e709fae0119ce31e25a8bb0d01bfed8dce47cd57396a31d865d74c63b2a5ea7

memory/2588-230-0x0000000000320000-0x00000000003BE000-memory.dmp

memory/2588-229-0x0000000000320000-0x00000000003BE000-memory.dmp

memory/940-239-0x0000000002020000-0x00000000020BE000-memory.dmp

C:\Windows\SysWOW64\Nhjjgd32.exe

MD5 f0cbb8cab71e7b319ac48f43e14af4d1
SHA1 621f2ed0dcb1c6b8c85532c375cbddb9d75f736d
SHA256 7771b3f5916aad8268232e285f91a279b6edfc3d4a43958b59c0acdb05b5a420
SHA512 aa4db6ea9e45d07b1609495364d23a1264850a352bae0aec399816113c18784ba37e8a06d1085fb3cf3dc65da114944b679ff96b0709b4f5f06c9d07f13af755

memory/940-243-0x0000000002020000-0x00000000020BE000-memory.dmp

memory/1948-244-0x0000000000400000-0x000000000049E000-memory.dmp

memory/344-255-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1948-254-0x0000000000250000-0x00000000002EE000-memory.dmp

memory/1948-253-0x0000000000250000-0x00000000002EE000-memory.dmp

C:\Windows\SysWOW64\Nhlgmd32.exe

MD5 420297e0195c1c91a63239e8a5fd99fb
SHA1 c307018cd12083439ebeb129fede77cb54d80995
SHA256 31af6caa0d0f011d242428ee78ff9c26a8b02613b7724be1661a80954f519595
SHA512 9d78f1a37e3d75506c454e152d4efba6b82a1322b89566fdca3ff282f9df860bb3a53079af0f65dd9e2b5d44a68ce12513b551d3f88bc9909a3d88f70b4f684c

memory/344-261-0x0000000002000000-0x000000000209E000-memory.dmp

C:\Windows\SysWOW64\Ohncbdbd.exe

MD5 91812341e638df067368047e7036b4b4
SHA1 b3aa48b8ba83d8059627b3586290840c28483c3b
SHA256 f8ba893d6a912cc38f07857820f2d88f85d16296ffd04f02659e62a178f237f1
SHA512 d13e4f2fecf4a87846c6339f8b5fb0a87642f37c391bc02a37ac2e71c4a47789b51a7f04bc9e6c74bd2eb9c473aa6b887a64bee1f3e3c64e89eb4d92f998c3b6

memory/344-265-0x0000000002000000-0x000000000209E000-memory.dmp

memory/1460-266-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Ofadnq32.exe

MD5 3ec19b2288ae047223dbaaea32dfdbfd
SHA1 77c353ca13c8f2e72b73dc1ccaca5f69df2e8c9d
SHA256 a8080fa7e85492d748fcd089008fa2b15b7d7a2104b4d40b6092fc17f17bd5c6
SHA512 a77383fe1712513c2eb885ad227c29a0dc0a56d688f61f8f5c090ba1a892c524a9f2af3f638e058ba64471cc41b43277727b716198fda52a3f36652e4c9f9d55

memory/2280-279-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1460-276-0x00000000002E0000-0x000000000037E000-memory.dmp

memory/1460-275-0x00000000002E0000-0x000000000037E000-memory.dmp

memory/2280-287-0x00000000004A0000-0x000000000053E000-memory.dmp

memory/2280-286-0x00000000004A0000-0x000000000053E000-memory.dmp

C:\Windows\SysWOW64\Oippjl32.exe

MD5 306a3732e59113ee47c06cdc065bb970
SHA1 300646fb83e2ec3d0227cb449b676059ebeabfa1
SHA256 2226f19df7118f4f5346e8d660408d3bea20079461a7c2622f727a3abcbefc09
SHA512 7c13e7d49fa5483da5dab7b946b41f3f69e377f74a41516b99e0b62bdaa7ef78fdb63193a308b58f1261c072707a17ec61c7196373ac95e289d6b0193d750ed2

C:\Windows\SysWOW64\Omnipjni.exe

MD5 3cf8a0ae1c035d573bb626ceca3b2ecb
SHA1 154fc9b92ed8ccda9d4b2ccb3f96789251ab6624
SHA256 47657b86f6187372da345c940e61ad52d1e41606288b54f3099e0d7a63ca8794
SHA512 edd3cb1f61a60a72f478210f31e94b3f29d1a644d455084f5cf322e3572c241a26dc270cd1b4549456251d35885a168b407884a74e9e2ead0437bc64ad9c45fd

memory/2476-296-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2476-303-0x0000000002110000-0x00000000021AE000-memory.dmp

memory/564-301-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2476-297-0x0000000002110000-0x00000000021AE000-memory.dmp

memory/564-309-0x00000000004A0000-0x000000000053E000-memory.dmp

memory/800-314-0x0000000000400000-0x000000000049E000-memory.dmp

memory/564-308-0x00000000004A0000-0x000000000053E000-memory.dmp

C:\Windows\SysWOW64\Oidiekdn.exe

MD5 28c22450a5df919bca4b5937bf838020
SHA1 94bf941633390e381ac15018ae90e3481e18ade0
SHA256 167521f8861ae54fbf8b1794d200c5a62ed6f14bcdc375fb3b626d3446380a7d
SHA512 19da25e5af84900f09182848154310f461c24206d7c7f4f291793199ad36f917b55e945e0d458ef0740977138cda11c659a58bb25451d348b7e74e0aa60c34f8

memory/2520-320-0x0000000000400000-0x000000000049E000-memory.dmp

memory/800-319-0x0000000000330000-0x00000000003CE000-memory.dmp

C:\Windows\SysWOW64\Obmnna32.exe

MD5 b405259212c703d7b767709988b1e267
SHA1 596181b91280be1364c6c2cacd9ea6ff3336e422
SHA256 5d468bc5c0e1db549551c1e2fbd5c7b17a541d94199756c856c1a4010d50b530
SHA512 ccdc91c5346fe01d2528c767b0f3a5992d34ccc67aa136d415437e5328c9730091e2e17b875c6392c66df1ed1c71060526481b66168a9db855e1b37ba125d532

memory/2520-330-0x0000000000550000-0x00000000005EE000-memory.dmp

memory/2520-329-0x0000000000550000-0x00000000005EE000-memory.dmp

C:\Windows\SysWOW64\Pkjphcff.exe

MD5 80a5dd6338aeaa122d109f38b8d88bda
SHA1 57eb88116fcf2fdcbcd4e7509624ab9b71f1b4a9
SHA256 08ddff5ee2b05f04bffd6d42407b176656c417dc72865247062fc5c6a4910fbf
SHA512 33a519ef87196f0b672e638aba536630d28b300cf8ca1b23a0376ae6b6843830f2931d241b4c649d3a7cd7950aedfa1b5db26c4e3f282d228f289c07c245d0b9

memory/1816-341-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2148-340-0x0000000000340000-0x00000000003DE000-memory.dmp

memory/2148-339-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Padhdm32.exe

MD5 d9439a6ec59de3c36127203663ee144b
SHA1 21d5f5f2b26c0002ed229e5f10448c2e6ff3fe70
SHA256 98696719c2efe50da87c8206be956022d4c5236a75a3fdaa209e3308fecc915f
SHA512 130f9e20fc3606522a0bdec7254a720fcd59ff01ca6022f8f3381cb419fbf57c4e7be26c18434117f7e101ee23c74c188a0ff7f755f059c8e878af1f36496c11

C:\Windows\SysWOW64\Pkoicb32.exe

MD5 01e708975616f4dc21a7168ba6b2b131
SHA1 b977a9b3761e10aea9eba5bccc5b5f381e04bf09
SHA256 77b7c5898d53ec9092803130c9fd25b6e4248a4ffec6bb956082c1d6a8465f3b
SHA512 f9d2c83c753421467c865963991a59aac001fb786b1e376a4180f08e4f5c222203a5ff42649620bb836f0b1899b4d3132a0a249987a5847121e43268cff578ff

memory/1816-350-0x00000000002A0000-0x000000000033E000-memory.dmp

memory/1816-351-0x00000000002A0000-0x000000000033E000-memory.dmp

C:\Windows\SysWOW64\Pmmeon32.exe

MD5 084e5ae0acb03051a428930f05b58503
SHA1 439a87639d4527cebabb513c31c791c28894f41b
SHA256 021ef9df5c726ba635d2c2c3ab0fdb7df01b024edbe3a8b2f9c65d8341d10853
SHA512 ad5bda18c78f040d101674ca0d59289de352501e54b9d7a2f326904121e9dc5291915cb2b564d2645a7a79326d369627e51cdabbde7b46a65676bef0befd2872

memory/2756-362-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2748-361-0x00000000002C0000-0x000000000035E000-memory.dmp

memory/2748-360-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Pcljmdmj.exe

MD5 e69dc7d2e468e26e89646d8dcf145b1d
SHA1 b35e6aea1ab31f1664740c741e2422cbc68d4d21
SHA256 7b043f8c49537fa9faf17886c28bde593cd6a12bfaf2553afc638cb183d3512f
SHA512 48f747d6cb16befb6468a163d1a34e745474e2bb2cddadcb2c6b94472060e71b6e9c3138fe101d154b5558faa8288f70d352fe73d2dc16fb403c6ba960eb0454

memory/2132-371-0x0000000000510000-0x00000000005AE000-memory.dmp

C:\Windows\SysWOW64\Pkcbnanl.exe

MD5 1951ff3bd309eb25ac7e3ee03fecdb93
SHA1 2b824095b318065a1c56e527ea66dc657c7d85fe
SHA256 4e5d975e5c85c7b60a33baa7f86114b1f67e8171fc44c93a8d5fe6225dadddd6
SHA512 58b8393ef021950b6c6acf2249c4911842ef1b63554f3dd0458fd0e8db7ae5b20ed17f3d2c3669f18d4dd28c23564615f8917163d07a6db59901525ca4f49902

memory/2856-385-0x0000000000250000-0x00000000002EE000-memory.dmp

memory/2644-380-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Pifbjn32.exe

MD5 5224ff4b5d724c8978cc3b6eb2708f2b
SHA1 30e1b485a2ca314f4397a9317699fce6758ec6b7
SHA256 58b383719608a3d6ef4eb70c3ec51c0eb39795a6c7f0a647404fc3e0e746bfa0
SHA512 070dfbe3f7e62f626b53bdb4c6ec211652b18439e7c94b27820dbaabdaf0e23686b6bb0de91ebc4a8f1948bb93198e4b84ccdf488dedd7e1bca2a303fcc78bfb

memory/3012-390-0x0000000000510000-0x00000000005AE000-memory.dmp

memory/2608-402-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2188-401-0x0000000000250000-0x00000000002EE000-memory.dmp

memory/2680-400-0x00000000004A0000-0x000000000053E000-memory.dmp

memory/2680-399-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Qkfocaki.exe

MD5 e26bd4c9fe469d93ca9fb880a0b8d40d
SHA1 304208d9bb24ba0c2275fe01ff42f850555c71a2
SHA256 81abd5f41aa701ad03be83942509e3ddef6b14c1b5aef343a899c433ffd288d7
SHA512 4e59db6c25dc81fc828982fa2573e88f70b16fd0e934756190a2d30f27eb6a105e93035d218961babc632c56665e71eb6e3e62acb6c3903448454379b5056938

C:\Windows\SysWOW64\Alihaioe.exe

MD5 c9ef802975fdd388fc41096b6286d40a
SHA1 8086910634c3db9d96be5524600718ff95e742ae
SHA256 1caff5f23fc368a10e88f5a13d17411559ad93b5c4a9b96a3a1a1bc3e7e61c0b
SHA512 7f1c91b110c5bebf988c70434215339c19a9e7c334f95d73b9cabc3d8199ca2d462a2462176814e320df9b9f24f32bd1a4ca32d9a663af55a56c44f1c2da9833

memory/2188-408-0x0000000000250000-0x00000000002EE000-memory.dmp

C:\Windows\SysWOW64\Aohdmdoh.exe

MD5 0d354ffdfba2bc797ab6237315afa64b
SHA1 0dc1433c5df93d0b494e1366698cf3cd6102bcc8
SHA256 752a3997bac2fafe4f0b594c642acd93631eeae846378d914720c72ab735113a
SHA512 92e2c712e920e2f4dfba7014fac38bf442d6985afe587611ce636bc543533b978b4bdc723b99006d45dd3f78b6bafa61c77fee1e9685b8b7e9a9ac475b7bc985

C:\Windows\SysWOW64\Agolnbok.exe

MD5 4d210027051316fadbeca67f63313997
SHA1 395a56135d183512115727047bc33e5356f8800c
SHA256 980a405e375c4948a2c08ce1cd7e1fcf2baaff7c8d88ffc292f2728eb3fa179b
SHA512 ef5139c90bb976b7a6649990154618631e30e11b56f7cc401ea73e5e815b90be65efdeab8efb07be1b8554a64ee98582fd4fa2e146cc5809c0eaf8742b0688c4

memory/1704-425-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2020-424-0x00000000002F0000-0x000000000038E000-memory.dmp

memory/1660-439-0x0000000000300000-0x000000000039E000-memory.dmp

memory/1660-438-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Apgagg32.exe

MD5 67b94e89d2ddcc346bf71e953f088f24
SHA1 0d55761e6ff0ffb24e221bc57311c4662f712b86
SHA256 07c6dd8a0f89355bd8272af325b4b5075c3dd17e95be32d03fbe80dce6a1eda2
SHA512 887f6313f1940a29654b56cd83b70e3e815595dd72fbbf6513fae8b28165fa5c512822593269fbaf8ee3aa96472d05c4d6f0e99516decddfcb8b22af87e339ae

memory/1360-448-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Ahpifj32.exe

MD5 5918c2c8baf2fc29157e5681971f73f7
SHA1 20cea773674a60cbce4258c4567f9376dd85a11e
SHA256 a3ec5449f79e6dffd26650c1a4b8f2345160efca19c30cffbffc74186f5a04d0
SHA512 eb7906c637a51d104f2f4979fa4ec7a599c88d4f16128d9647a01af95312cee4d96ecf55d9fae3c256af9a3e4ae8125ac1ae8920c4eeb63d9cc0f9b1d3b3f319

memory/1360-455-0x00000000002E0000-0x000000000037E000-memory.dmp

memory/2648-454-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Acfmcc32.exe

MD5 b7961faab0454bf767e00e3d79a8dae0
SHA1 9f60e7cf6e9f214d2fc4051f5efeecbe34b91035
SHA256 7d161e3becbddb252b204bcc0dc4cf32d0258aee51bf7b7ffaf38aa7ff28234a
SHA512 e6638c2c79d82ed684d00f735641ef895142c67253c13ff253951e3de544d6aade9808adf734164575db85e8d7bc23ee2fe09eb7e1e9a6671edef4e672dc7334

memory/2816-462-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2648-461-0x0000000000250000-0x00000000002EE000-memory.dmp

memory/1360-460-0x00000000002E0000-0x000000000037E000-memory.dmp

memory/2648-459-0x0000000000250000-0x00000000002EE000-memory.dmp

C:\Windows\SysWOW64\Akcomepg.exe

MD5 0df81e3c28d0a2664a3923ee707ff3c6
SHA1 0fa4f7d08f3bc0dae9e695142e742cf6645f22bb
SHA256 46536b7480cd0b97959f9f071a13c778a3bef409fd326a693d6c26bd72290adf
SHA512 bcb0ca73027f8cf2b3b16cf60b3548aae65d9a29b7b402002523f3de10deb699cea112b474a0b0dc45c48cca916937e4462b3ae55f10cee3ce027a18be220beb

memory/2036-468-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Andgop32.exe

MD5 2800cc448b2bd33528eeb0350b850e74
SHA1 e23c2737514070cf918a329f4a530327392f5dd5
SHA256 7ce98327a39301dda0062b0d4d6d5b5ff8df880f14c14181799265dd435b1f80
SHA512 e45fa7a8e612c2b16b74659c6ae8f8b5333e2b0bad9cde600b424c97b461ed940d1ed50e2a33b2bd90e450dbf7ae0d7d755e5533113a4945bc400ab82d9baf8c

C:\Windows\SysWOW64\Aqbdkk32.exe

MD5 9f99c598cecf45d08e2d26e5a75814fe
SHA1 8fe4612ca80f67c6fde970c015b6d556e29090d8
SHA256 0dc21246baa805a0b04d41a95d806be75e7f189d2ab7a0d15963f7392a225f5d
SHA512 21cd2b19e9bfc1167013323e33211dd80febdd73bcda0aea4b365213ecddcc01d1250d9934f0c8c362188c8425f01bc12e82f32f7a4d594d1dd37e77b7ca0f92

C:\Windows\SysWOW64\Bhjlli32.exe

MD5 c84163f6ce07793cb276990a07119356
SHA1 235e48e67390d64c1d54d9d27c5c82a1faa0d0aa
SHA256 b25f625c8f8587660d47c5785f5c66468396fdf176f527d55df2d96d3b9dc3d8
SHA512 b6f7abf92306374af6b17673033a09665138eba58b14f53b5f39e33ea196e4e90c6fffb8ce7a0782c5903460f885034b44cead414ee799dfe11d344b738622b4

C:\Windows\SysWOW64\Bjkhdacm.exe

MD5 a8cc7490290b7e8df030d558e1388491
SHA1 6357c6eb01d01ae0de7443202b2618971953c003
SHA256 ba6f099f8484571e954f0c8b3f3aaa7a4ae580090bd6d2439e03e20978f2c4fc
SHA512 00a509ada245ea1bef4761daf433f95626f2ef837bd4cc05daf696dba1eb8afeea9708ea8f3a46795c94d31c841af1cc4a53f904911350dc1c8a3c08c8a7488c

C:\Windows\SysWOW64\Bbbpenco.exe

MD5 f26963d2bfd0815dc02256f3d17cfc13
SHA1 46e8ff7e59b732f1302d868916c76624e9f79006
SHA256 f905216a8be84d45274858000bb7121541887ec9e2d2f24401988d3dc2c6d5d0
SHA512 890af25dcdef32704b5da28aeb4d0963c44648ae32e40620a96e43efafd508a983003368241289ed1dcc98ed421f4f0b405c67a002d8542d7c1150273532b42d

C:\Windows\SysWOW64\Bdqlajbb.exe

MD5 9e40912293637686b537efa9b16d950b
SHA1 dbee762c46fee563db995eae5d2239f926b061c2
SHA256 85be6e197d695fb75bcc42e12d707ef1e1d4111778bc7616ccffeaaa257cd389
SHA512 88c587472ba350a9b69b39b9e52aea7596d5e05e2064964f79baea03b8305db132ed02d27c11defcd43a9928f7b2ae8031e0812e52279eecd6bb19ce5fdded9f

C:\Windows\SysWOW64\Bkjdndjo.exe

MD5 8458b324a9c100d3316a67e1a0609481
SHA1 f2cec6b2ddd2376c99dd4144488914ba656aca06
SHA256 be73a8dad888ac2ab83949bca398738339afec1ad6294b61cf362a8602d86a3b
SHA512 0ccfd6351bb454dfa83c7af374b488978b983435dbc279ed4610dd6515b0cd59032e4c50513f4306ae6e828527509f60ac86c02386cb40e4d8e6b710778b5e5b

C:\Windows\SysWOW64\Bjmeiq32.exe

MD5 51ec78c2e5486dacfd422030f0d53615
SHA1 5de74bad41352e3c8318ad3d04aea3a2841e4d2b
SHA256 1924a5693a298348e713eec5cdf13e9e2526aac0f93a21a087a2e43e0fb18842
SHA512 256d81f89b9417b93d6407499c2b4cb0fd4fc7beb11932ec61c77370427891acf94b7b8270d522617397d74ade24c2d646c31953e5259ddfc5df871f78e20b77

C:\Windows\SysWOW64\Bdcifi32.exe

MD5 081bf3b4d84b4bd4f1b2b6840926720b
SHA1 6848a991dbafe523206b460471aed7d593d610dd
SHA256 6a1ea991f5eebc7c8505ef559d1fa399c7f25c3dc61e673dfbc035a0b60bb06c
SHA512 3d3806a85e1f7f7cf0ea704317ce852567dec54cce6e2e875b0891925885d6de9780fa1e97dbd149addfb61be65570a69a5b85934911d8acedbf358205c5946c

C:\Windows\SysWOW64\Bgaebe32.exe

MD5 96ef6cee0929eb1b5a55c5fffdc93e44
SHA1 3005d521978a6f7d283d0345fb956c147ad6ebda
SHA256 a5fa1f33557e01f58034f8044e971d7e7f08409c53ab7642aa146d9e5876946f
SHA512 6cd3b685b79286f4f9e98315baa42ab6b5ae08e288074ce745bbd5ddcf59be62778df3e54aa021bbb145ad8c219f4b1a4f29032d78434124bf8cde623c21c4ab

C:\Windows\SysWOW64\Bjpaop32.exe

MD5 a2872fda7c26093667b8209a10ee4b09
SHA1 5da122fea02298e6c0755d496b9eba9c0a0ecb16
SHA256 509316df6c4cb5c8df2a58e4a0ac1f49235ab1632c0b5608435257886689335a
SHA512 2fe694e1f1b33234537b29e446b2e14a853115d74da999a675c7ef378fb100fb6378f62c3e92f43faa1fb9a8da0d861dcbcd5e72fd3f6472fe6a84ce3690f61c

C:\Windows\SysWOW64\Bmnnkl32.exe

MD5 07d87fb370730d383fd293c82530bccb
SHA1 dcce5e445a0c6b240cbefc24e44958bfbe4a6fb7
SHA256 7d34afcc91e81a455d0e219bb2900fb3228572f4f8c0cf2898d41d4c27ada77b
SHA512 e6b834baa458005d0505bfb5d668ac93000f995e0c654af316ac435ceb0f5f46ff2ef2f4b7d94800d1d75e33bfedc95e4079cfd3f2ac25ccab9081b5d4c820b6

C:\Windows\SysWOW64\Boljgg32.exe

MD5 f5616d35996f48cbba91850921aeffae
SHA1 7fec081628c73768a16de6345ee055e05713b45b
SHA256 2f48620e2c78471357e2c652fb00a4665a5f00b9efccce07553cdc1b2da83813
SHA512 5c83f102373ba92374693a1dd00911461b0d6560ea30cd745b80df759aa96fb16a2f0d4a821dfc6ca8213c4831ec834182858c7fb599d05354e4f7dfeba34f6b

C:\Windows\SysWOW64\Bgcbhd32.exe

MD5 b07cd8959a32c3b04b7187c9bb2bbbb5
SHA1 79f80083e25f1ecb79f45afe09edcfd85036d9fd
SHA256 40fe476d9cc0e7cc27cc122cc1d8dd7c639bedfac4c546277b28cde9d74f1674
SHA512 f9140b6eab18c6f0e23290113094bb92cc23efcedb873dfe834ad71d46bd5458db1b3b29d3e35d5fc869d8848bd3639ad07e741b00e541cc8dccb95beffbf073

C:\Windows\SysWOW64\Bqlfaj32.exe

MD5 c40952ecd9125461d3bdd2b884c03fa7
SHA1 2717c1b5721f2936a50a072556de92aaf2605813
SHA256 bcfdc8c3e5adacea4866eaf85249167db6cf0592bb4fe27dbe4164464ce6f817
SHA512 96e8cc2f45599ca251b4ce767b27bcd22aaadc475cbf88e87ef4febc97dcf8cceb3c11d9fdff4f244b2609873a37ad65d512f633d1284ad0fe48dc419742e746

C:\Windows\SysWOW64\Boogmgkl.exe

MD5 e9a429122323f23712979ec080fb38dc
SHA1 9dc386e00d6157c025d122991aa82d57cc7e1a22
SHA256 0d50c3c219386f1a149a2e95834c341a73bbe198f2df7ca6c11e9ab88176bd34
SHA512 371884ce91a442de1db24b1593d74ef078181251011bba4e8b6c1c1b802ff9c4f26d525899ec2239979a04b7917f4a4844ad19b6d96ace30b73e56f844c9cf51

C:\Windows\SysWOW64\Bfioia32.exe

MD5 1fc85ae8cf632772aa44299001105d19
SHA1 f8893f408b437119c123b8e10e233bcd35b19b4d
SHA256 2a6e38c8285c91d8854a763e22aaa5ce2f55340e41c2dcac40868e9cb53ae5e6
SHA512 bed8afce7a28de51fcf9b362ad304692c23ac23c00bba8d251c0060c6db5703114e68047c011406db55a632571778c7ff20f5a9a326965b05f883b2e9afe3371

C:\Windows\SysWOW64\Bmbgfkje.exe

MD5 bca47c00831237928d8bf32c71160ec5
SHA1 f8b5868a250c54d2bad2195dd5c0ab6eb6e1564c
SHA256 c8ef125010c14a446e5c7858410324e8506b5e9d10518eca9b8125b833d81222
SHA512 5f17053408aa255dabdb97bbc33aa7f756e1c088f3266c5eb3482c666a8a6b831baab04988b52a58857b0ea22f152fd30c62b0c23bf4ecc08bb181c3cd723b58

C:\Windows\SysWOW64\Coacbfii.exe

MD5 cc757c2b9efe8865ea0c73849514cd05
SHA1 2ac137a82942308ce8848f5380a5cd96d689d0a7
SHA256 e6af277c7f251c4bb15aaa1b54d0713475353bdd604cbd671621a027f676226d
SHA512 0bef662d727b4f9a496e19840dce4f3af999d6d6455a7586f8903a70ac84df767100114cb59ff607df07b5a7753d4a0f15cc42f2df8a14f81b3ba2254b3e694c

C:\Windows\SysWOW64\Cmedlk32.exe

MD5 e012fcfb03d9826c35d5d0e3dcd198e5
SHA1 826f1ff6f647b376904d3634da7e8e492f8bcd22
SHA256 68782878c4fe4755dc5db89ae9b3bd3b16fcf42668e743d92899760266bfac92
SHA512 6fad23730ffbe631030e098f4c372f47a74f36fd672548904fed8ae202030a312184880054b84d3049e5eb5aa7df00df068d3c721498ee88afa1891bb29d2b44

C:\Windows\SysWOW64\Cepipm32.exe

MD5 3a8a61a30b8ae830a3834cca9ec37766
SHA1 91add39b876990466db213decee80c599ffd4aab
SHA256 2f2a369ad84563d3c4536e40bcc47e87e7d8f7f664e949e9f7c0f5bb38749c1a
SHA512 3fd90cd1e02ecace932637b91f524e72ed38ef97a1b34a95a062d864fe29abeb71d74553274a474dcd95d4b981541f3f0b608002671a837ec3f0f9ce29dd471b

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 8d30398ba9df7af72e4471d4755c6c78
SHA1 11ea522cba7f2fab849803746e29bcb12fed6940
SHA256 637abecc4ab524414f4ce7b8d7230671b96f7a30c5b2d61d9f50ab9aece0a48f
SHA512 413e9b555d379b062589ee165dfe80de3291e523feb8e2940f84deb6a59fbf5a1fbde486b00188b3f80283894a4b95ee1210f1e4bd9599e9e4407fa3699580fb

C:\Windows\SysWOW64\Cagienkb.exe

MD5 9c0566b8e041756a8e5f203d32d00938
SHA1 1fa1720293ef8a417972a2e86c25e0d373e4d3e0
SHA256 c747f302fef4f77fc9f141304d872df589ae8332fc6c8f11d7846296f5b26171
SHA512 5ff7cb10aaf45920bed6be932c6bd773e0722145ed9ca67304ba34c1f277f2859adbce675777887b19bf1412d71bd388595e9df04f357b4207acba120b00c0bc

C:\Windows\SysWOW64\Cgaaah32.exe

MD5 06ef048531ba3e9e753e37b23ad77da8
SHA1 bd120da129c258be1f678b5d7ceefb9a621d6e13
SHA256 5acf37fe7118c77e551e2083fd04b3e4873f8bfe3652974449583380cbcbd542
SHA512 17f712ad6c41cae69cd75617358354f9beb5e5600fd3513b59f696251c580c9c7901e06bfefc8cf9281ee680a5355d12bcc7525bd9513da2d5e951c8eab7b274

C:\Windows\SysWOW64\Cjonncab.exe

MD5 298a57c936c4eb184902ceb1c5ace6fa
SHA1 4e737ba7c7d8f02cc4be3a1dc82178dab997c806
SHA256 6e6d97cc7c908a02cbe9745d2d5cf97b7badecf3cbcc0a9ccb10c3dc4fb1a97f
SHA512 ea626a7c32da66f90f6656fa83d5cbcc35992b6c336d1bb7b224dca33abd78d197d7b92c197c6bed2fd6958988056151e787676b5a09cb5ad7c4913bf910e948

C:\Windows\SysWOW64\Cchbgi32.exe

MD5 b36964d76b1a1f5607d4a5c09e84f269
SHA1 3daa7f8066846b735f3ba34bbc0b39fa2054dd9a
SHA256 070aa39b13827d6bd56975f326548bf9b4512186843d65e95a0a7437276923b0
SHA512 57aa6436e665352b81038581320b4fcdb0a6a3059c50c1b0cef968b26adbe99fa29a22293b14d5b5446c42d8a7379bbac150ba8971a3afd54946ce0c1d0d8e8e

C:\Windows\SysWOW64\Clojhf32.exe

MD5 fdef739bc2e80a8994507a82912903a4
SHA1 1f30db89f71635e7ffa642ae2f488a5a58d1dbef
SHA256 df0dd32dcfae395747a3482e30cc9dbee449c2086d5d662a906cc8a8073dadd5
SHA512 3d9d19b4c025e235e8e7af55b1da394ced2550cf79b0066b412cedc0cef98b9bb12c7184881361daf01eb93f9a48974c857fdad31745731234c1658c7ad14011

C:\Windows\SysWOW64\Cmpgpond.exe

MD5 28df839007cde594c67d60e04ed45dd5
SHA1 114de9745f1dae9dbfd9657a816f84a39bc12c78
SHA256 68e8a61d01badceae6528d34285db3edd6338ef796ebd6011696f39610e15596
SHA512 814d7955991764f1d63b4ed9f53332ccfa6b158de5c61182a22e78b496ac776c436cd4f46c95ed5c7ec6a7a835818dbf518218b3a6c064706a36b0a6f6d602d7

C:\Windows\SysWOW64\Calcpm32.exe

MD5 b39ff3a21e8435131ac7ec9cdcfad708
SHA1 55345136d4f515beaf21cce5cc142f53858c4a5d
SHA256 0a74b41664899f3169b9c6afdd23cd9b093a8e5c601c7cfea137af6d5aee4e4f
SHA512 b890409f993482e6ab7b3a7203d40ece6f499dc30f7e026da5371cb928aa91021c8fbda8922da5878582ca04f3c58fd73d8c58bb0931aa3d480c818f365d76f0

C:\Windows\SysWOW64\Cgfkmgnj.exe

MD5 430b1a579de24e32722346f1dbe656cd
SHA1 c7d3ce22f599dab7f0fd0a3f587d5b95ae8a6e23
SHA256 315c7d6a4ee11e95a0b26c4da39820c73bdb4663cc6e629057514f3c2b333807
SHA512 c07145fc94b3a9de11eb2c52acd6c9d55b686d3fc1e580406f24485273c48a47340817067562ed3281e470e25018f87b5a41ace771ac553f7b9e775b5e0489cc

C:\Windows\SysWOW64\Djdgic32.exe

MD5 3c5203f1e7c61712a0d5f8e6bb1267b8
SHA1 2baa1835377dac4cb0f6b607709e55d8835e5604
SHA256 201c165c9b762b262496bbd801cd253a739ccfe334f09ee3e24b463b29e0f2b5
SHA512 73eda8541c819e85378ad85ef3b80f7b9f760db9f76822a7edba61de62f659081946b291362fcab84e000bca275569c1a886dba4470add404eb81072e6d554bf

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 8308351753ceb558e7fc36ab6beb0589
SHA1 1aa67bcaf49203c1399633f96457fe228e7d94f8
SHA256 cba9e64fea3d02b7f4be32563e692c664ebf1d85396dc1dd9c7af52a972ed235
SHA512 76f70b8f4a455f7dbd8e303216b50a5692379e68e867f6f1f7bd08a738b93eee44d0e2eeb3e6fef108a3d2e8bcad8be704906bd8d5aa99465622dc631861507b

memory/1852-844-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1528-811-0x0000000077AA0000-0x0000000077BBF000-memory.dmp

memory/2140-905-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2588-904-0x0000000000400000-0x000000000049E000-memory.dmp

memory/940-902-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2280-892-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2608-870-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2020-869-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1528-812-0x00000000779A0000-0x0000000077A9A000-memory.dmp

memory/2672-913-0x0000000000400000-0x000000000049E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 10:51

Reported

2024-11-11 10:53

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Amcmpodi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lnbklm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjneln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aomifecf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Iliinc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Palklf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjjahe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Filiii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Najmjokc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibaeen32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lqkqhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hbldphde.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emkndc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aaenbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Djfcaohp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohcegi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Akqfkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kedlip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aihaoqlp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fkkeclfh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Phincl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Madjhb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oklkdi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jjgchm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hlkfbocp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Paihlpfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ehailbaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jbiejoaj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Palbgl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bedgjgkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jppnpjel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jnmijq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Opqofe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lohqnd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjlgdc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eangpgcl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlghoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jnjejjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kofdhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Oekiqccc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cimmggfl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgelgi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klhnfo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Paeelgnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggfglb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jekjcaef.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddadpdmn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lankbigo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cbpajgmf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggilil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gldglf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Damfao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eqiibjlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qfbobf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bfchidda.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfcqpa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jdgafjpn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jlhljhbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fkofga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fimhjl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Geoapenf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nodiqp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhhfedil.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmcdffmq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Pjjahe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcdbfk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qfbobf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqhcpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aokcklid.exe N/A
N/A N/A C:\Windows\SysWOW64\Agbkmijg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahchda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqkpeopg.exe N/A
N/A N/A C:\Windows\SysWOW64\Aompak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdhbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afghneoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahfdjanb.exe N/A
N/A N/A C:\Windows\SysWOW64\Amaqjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aopmfk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ackigjmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Afjeceml.exe N/A
N/A N/A C:\Windows\SysWOW64\Aihaoqlp.exe N/A
N/A N/A C:\Windows\SysWOW64\Amcmpodi.exe N/A
N/A N/A C:\Windows\SysWOW64\Aobilkcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Acnemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aflaie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhniccb.exe N/A
N/A N/A C:\Windows\SysWOW64\Aijnep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amfjeobf.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqaffn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acpbbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aglnbhal.exe N/A
N/A N/A C:\Windows\SysWOW64\Afnnnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajjjocap.exe N/A
N/A N/A C:\Windows\SysWOW64\Amhfkopc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bogcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcbohigp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfqkddfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjlgdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmkcqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqfoamfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Boipmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgpgng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfchidda.exe N/A
N/A N/A C:\Windows\SysWOW64\Biadeoce.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmmpfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boklbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgbdcgld.exe N/A
N/A N/A C:\Windows\SysWOW64\Bidqko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqkill32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bciehh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjcmebie.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmbiamhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bclang32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjfjka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmdfgm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccnncgmc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cflkpblf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cikglnkj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cabomkll.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpeohh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cglgjeci.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfogeb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjjcfabm.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmipblaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cadlbk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccchof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgndoeag.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjmpkqqj.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Eangpgcl.exe C:\Windows\SysWOW64\Embkoi32.exe N/A
File created C:\Windows\SysWOW64\Emihhjna.dll C:\Windows\SysWOW64\Ohcegi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddkbmj32.exe C:\Windows\SysWOW64\Damfao32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oikjkc32.exe C:\Windows\SysWOW64\Opbean32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhhdnf32.exe C:\Windows\SysWOW64\Nqmojd32.exe N/A
File created C:\Windows\SysWOW64\Bqfoamfj.exe C:\Windows\SysWOW64\Bmkcqn32.exe N/A
File created C:\Windows\SysWOW64\Oipoad32.dll C:\Windows\SysWOW64\Bmmpfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ccnncgmc.exe C:\Windows\SysWOW64\Cmdfgm32.exe N/A
File created C:\Windows\SysWOW64\Hffpdd32.dll C:\Windows\SysWOW64\Palbgl32.exe N/A
File created C:\Windows\SysWOW64\Aqkpeopg.exe C:\Windows\SysWOW64\Ahchda32.exe N/A
File created C:\Windows\SysWOW64\Oeoblb32.exe C:\Windows\SysWOW64\Ooejohhq.exe N/A
File created C:\Windows\SysWOW64\Lacaea32.dll C:\Windows\SysWOW64\Damfao32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gldglf32.exe C:\Windows\SysWOW64\Gnqfcbnj.exe N/A
File created C:\Windows\SysWOW64\Oplfkeob.exe C:\Windows\SysWOW64\Ngqagcag.exe N/A
File created C:\Windows\SysWOW64\Nlhego32.dll C:\Windows\SysWOW64\Nodiqp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qmeigg32.exe C:\Windows\SysWOW64\Ppahmb32.exe N/A
File created C:\Windows\SysWOW64\Ocfgbfdm.dll C:\Windows\SysWOW64\Fdlkdhnk.exe N/A
File opened for modification C:\Windows\SysWOW64\Ggfglb32.exe C:\Windows\SysWOW64\Fkofga32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmkcqn32.exe C:\Windows\SysWOW64\Bjlgdc32.exe N/A
File created C:\Windows\SysWOW64\Cpchnbbb.dll C:\Windows\SysWOW64\Llhikacp.exe N/A
File created C:\Windows\SysWOW64\Headjohq.dll C:\Windows\SysWOW64\Mahnhhod.exe N/A
File created C:\Windows\SysWOW64\Mohjdmko.dll C:\Windows\SysWOW64\Mkjnfkma.exe N/A
File opened for modification C:\Windows\SysWOW64\Mngegmbc.exe C:\Windows\SysWOW64\Llhikacp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ibjqaf32.exe C:\Windows\SysWOW64\Ipihpkkd.exe N/A
File created C:\Windows\SysWOW64\Boipmj32.exe C:\Windows\SysWOW64\Bqfoamfj.exe N/A
File created C:\Windows\SysWOW64\Bclang32.exe C:\Windows\SysWOW64\Bmbiamhi.exe N/A
File created C:\Windows\SysWOW64\Lejgch32.exe C:\Windows\SysWOW64\Lankbigo.exe N/A
File opened for modification C:\Windows\SysWOW64\Igigla32.exe C:\Windows\SysWOW64\Idkkpf32.exe N/A
File created C:\Windows\SysWOW64\Jngbjd32.exe C:\Windows\SysWOW64\Jiiicf32.exe N/A
File created C:\Windows\SysWOW64\Bqkill32.exe C:\Windows\SysWOW64\Bidqko32.exe N/A
File created C:\Windows\SysWOW64\Ibgpcd32.dll C:\Windows\SysWOW64\Lajagj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dlghoa32.exe C:\Windows\SysWOW64\Dckdjomg.exe N/A
File created C:\Windows\SysWOW64\Njinmf32.exe C:\Windows\SysWOW64\Nelfeo32.exe N/A
File created C:\Windows\SysWOW64\Ggilil32.exe C:\Windows\SysWOW64\Fhflnpoi.exe N/A
File created C:\Windows\SysWOW64\Jgnqgqan.exe C:\Windows\SysWOW64\Jpdhkf32.exe N/A
File created C:\Windows\SysWOW64\Laqhhi32.exe C:\Windows\SysWOW64\Lnbklm32.exe N/A
File created C:\Windows\SysWOW64\Ekpped32.dll C:\Windows\SysWOW64\Qkipkani.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpanan32.exe C:\Windows\SysWOW64\Kgiiiidd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bciehh32.exe C:\Windows\SysWOW64\Bqkill32.exe N/A
File created C:\Windows\SysWOW64\Dpnbog32.exe C:\Windows\SysWOW64\Dmpfbk32.exe N/A
File created C:\Windows\SysWOW64\Ipgbdbqb.exe C:\Windows\SysWOW64\Ifomll32.exe N/A
File created C:\Windows\SysWOW64\Mgehfkop.exe C:\Windows\SysWOW64\Malpia32.exe N/A
File opened for modification C:\Windows\SysWOW64\Klhnfo32.exe C:\Windows\SysWOW64\Kpanan32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqbpojnp.exe C:\Windows\SysWOW64\Njfkmphe.exe N/A
File created C:\Windows\SysWOW64\Fbdehlip.exe C:\Windows\SysWOW64\Fkjmlaac.exe N/A
File created C:\Windows\SysWOW64\Dhjckcgi.exe C:\Windows\SysWOW64\Dcogje32.exe N/A
File created C:\Windows\SysWOW64\Hnhmla32.dll C:\Windows\SysWOW64\Nefped32.exe N/A
File opened for modification C:\Windows\SysWOW64\Akoqpg32.exe C:\Windows\SysWOW64\Ahqddk32.exe N/A
File created C:\Windows\SysWOW64\Fcgeilmb.dll C:\Windows\SysWOW64\Dimenegi.exe N/A
File created C:\Windows\SysWOW64\Kamjda32.exe C:\Windows\SysWOW64\Kibeoo32.exe N/A
File created C:\Windows\SysWOW64\Bkgppbgc.dll C:\Windows\SysWOW64\Kofdhd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oifppdpd.exe C:\Windows\SysWOW64\Oqklkbbi.exe N/A
File created C:\Windows\SysWOW64\Cgqqdeod.exe C:\Windows\SysWOW64\Cpihcgoa.exe N/A
File opened for modification C:\Windows\SysWOW64\Akqfkp32.exe C:\Windows\SysWOW64\Aednci32.exe N/A
File created C:\Windows\SysWOW64\Clahmb32.dll C:\Windows\SysWOW64\Lfjfecno.exe N/A
File created C:\Windows\SysWOW64\Pfdjinjo.exe C:\Windows\SysWOW64\Pdenmbkk.exe N/A
File created C:\Windows\SysWOW64\Dannij32.exe C:\Windows\SysWOW64\Dmbbhkjf.exe N/A
File created C:\Windows\SysWOW64\Fgaemg32.dll C:\Windows\SysWOW64\Knfeeimj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpclce32.exe C:\Windows\SysWOW64\Mcoljagj.exe N/A
File created C:\Windows\SysWOW64\Egneae32.dll C:\Windows\SysWOW64\Cmdfgm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dckdjomg.exe C:\Windows\SysWOW64\Dblgpl32.exe N/A
File created C:\Windows\SysWOW64\Mnpabe32.exe C:\Windows\SysWOW64\Mgehfkop.exe N/A
File created C:\Windows\SysWOW64\Ohfkgknc.dll C:\Windows\SysWOW64\Mhjhmhhd.exe N/A
File created C:\Windows\SysWOW64\Nklbmllg.exe C:\Windows\SysWOW64\Neoieenp.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Pififb32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cadlbk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djmibn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpodlbng.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbpajgmf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cippgm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnbgc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gnblnlhl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Efhcbodf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Epagkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plpqil32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kcejco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gidnkkpc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgflcifg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lqkqhm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bombmcec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lqkgbcff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afghneoo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmqgpgoc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jddnfd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djklmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebdcld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdaniq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ilkoim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpnakk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gdmmbq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kiejmi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmaamn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Egened32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmipblaq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfamapjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgamnded.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebjcajjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kqphfe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgpoihnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njfkmphe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aihaoqlp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddcqedkk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gacjadad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhjhmhhd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqaffn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqfoamfj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lejgch32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oidhlb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alnmjjdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpoalo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hejqldci.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmpqfq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpaleglc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohcegi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pocpfphe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kofdhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mljmhflh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amhfkopc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boklbi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhhfedil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgclpkac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ggfglb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcogje32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnfcia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlmfeg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfogeb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ijegcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fbgihaji.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmidl32.dll" C:\Windows\SysWOW64\Acpbbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfogeb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jecffa32.dll" C:\Windows\SysWOW64\Milidebi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oafcqcea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lenicahg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headjohq.dll" C:\Windows\SysWOW64\Mahnhhod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhmmpnk.dll" C:\Windows\SysWOW64\Mlbkap32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ahcajk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khnhommq.dll" C:\Windows\SysWOW64\Jllhpkfk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lhgkgijg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Biadeoce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eipinkib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobkhf32.dll" C:\Windows\SysWOW64\Akqfkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll" C:\Windows\SysWOW64\Hoaojp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmqgpgoc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Falcae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hehdfdek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncmhko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gijekg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdgafjpn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" C:\Windows\SysWOW64\Fmpqfq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ibaeen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpeiqdc.dll" C:\Windows\SysWOW64\Djfcaohp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlfelogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahqkaaa.dll" C:\Windows\SysWOW64\Bnhenj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faaigehd.dll" C:\Windows\SysWOW64\Mblcnj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nlhkgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Maiccajf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jghpbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" C:\Windows\SysWOW64\Qodeajbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ohiemobf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedobm32.dll" C:\Windows\SysWOW64\Bfendmoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpank32.dll" C:\Windows\SysWOW64\Baadiiif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll" C:\Windows\SysWOW64\Klhnfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Feqeog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pblajhje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbekbm32.dll" C:\Windows\SysWOW64\Lgcjdd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lddgmbpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Phganm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cocacl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dgejpd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ggilil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opqofe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdclcbj.dll" C:\Windows\SysWOW64\Edopabqn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mjneln32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Efdjgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpchnbbb.dll" C:\Windows\SysWOW64\Llhikacp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jencdebl.dll" C:\Windows\SysWOW64\Lgibpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqbpojnp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kidben32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Legjmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdmqp32.dll" C:\Windows\SysWOW64\Lejgch32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kpanan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmeandma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqnjgl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejahqlpp.dll" C:\Windows\SysWOW64\Ajjjocap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eiildjag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pifnhpmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fimhjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklcfhik.dll" C:\Windows\SysWOW64\Kiejmi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhdcii.dll" C:\Windows\SysWOW64\Mjpjgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kamjda32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aobilkcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpihjd.dll" C:\Windows\SysWOW64\Dcjnoece.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4060 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe C:\Windows\SysWOW64\Pjjahe32.exe
PID 4060 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe C:\Windows\SysWOW64\Pjjahe32.exe
PID 4060 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe C:\Windows\SysWOW64\Pjjahe32.exe
PID 1840 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Pjjahe32.exe C:\Windows\SysWOW64\Qcdbfk32.exe
PID 1840 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Pjjahe32.exe C:\Windows\SysWOW64\Qcdbfk32.exe
PID 1840 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Pjjahe32.exe C:\Windows\SysWOW64\Qcdbfk32.exe
PID 2856 wrote to memory of 3144 N/A C:\Windows\SysWOW64\Qcdbfk32.exe C:\Windows\SysWOW64\Qfbobf32.exe
PID 2856 wrote to memory of 3144 N/A C:\Windows\SysWOW64\Qcdbfk32.exe C:\Windows\SysWOW64\Qfbobf32.exe
PID 2856 wrote to memory of 3144 N/A C:\Windows\SysWOW64\Qcdbfk32.exe C:\Windows\SysWOW64\Qfbobf32.exe
PID 3144 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Qfbobf32.exe C:\Windows\SysWOW64\Qqhcpo32.exe
PID 3144 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Qfbobf32.exe C:\Windows\SysWOW64\Qqhcpo32.exe
PID 3144 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Qfbobf32.exe C:\Windows\SysWOW64\Qqhcpo32.exe
PID 4832 wrote to memory of 1880 N/A C:\Windows\SysWOW64\Qqhcpo32.exe C:\Windows\SysWOW64\Aokcklid.exe
PID 4832 wrote to memory of 1880 N/A C:\Windows\SysWOW64\Qqhcpo32.exe C:\Windows\SysWOW64\Aokcklid.exe
PID 4832 wrote to memory of 1880 N/A C:\Windows\SysWOW64\Qqhcpo32.exe C:\Windows\SysWOW64\Aokcklid.exe
PID 1880 wrote to memory of 216 N/A C:\Windows\SysWOW64\Aokcklid.exe C:\Windows\SysWOW64\Agbkmijg.exe
PID 1880 wrote to memory of 216 N/A C:\Windows\SysWOW64\Aokcklid.exe C:\Windows\SysWOW64\Agbkmijg.exe
PID 1880 wrote to memory of 216 N/A C:\Windows\SysWOW64\Aokcklid.exe C:\Windows\SysWOW64\Agbkmijg.exe
PID 216 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Agbkmijg.exe C:\Windows\SysWOW64\Ahchda32.exe
PID 216 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Agbkmijg.exe C:\Windows\SysWOW64\Ahchda32.exe
PID 216 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Agbkmijg.exe C:\Windows\SysWOW64\Ahchda32.exe
PID 2288 wrote to memory of 684 N/A C:\Windows\SysWOW64\Ahchda32.exe C:\Windows\SysWOW64\Aqkpeopg.exe
PID 2288 wrote to memory of 684 N/A C:\Windows\SysWOW64\Ahchda32.exe C:\Windows\SysWOW64\Aqkpeopg.exe
PID 2288 wrote to memory of 684 N/A C:\Windows\SysWOW64\Ahchda32.exe C:\Windows\SysWOW64\Aqkpeopg.exe
PID 684 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Aqkpeopg.exe C:\Windows\SysWOW64\Aompak32.exe
PID 684 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Aqkpeopg.exe C:\Windows\SysWOW64\Aompak32.exe
PID 684 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Aqkpeopg.exe C:\Windows\SysWOW64\Aompak32.exe
PID 1884 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Aompak32.exe C:\Windows\SysWOW64\Agdhbi32.exe
PID 1884 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Aompak32.exe C:\Windows\SysWOW64\Agdhbi32.exe
PID 1884 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Aompak32.exe C:\Windows\SysWOW64\Agdhbi32.exe
PID 2936 wrote to memory of 4052 N/A C:\Windows\SysWOW64\Agdhbi32.exe C:\Windows\SysWOW64\Afghneoo.exe
PID 2936 wrote to memory of 4052 N/A C:\Windows\SysWOW64\Agdhbi32.exe C:\Windows\SysWOW64\Afghneoo.exe
PID 2936 wrote to memory of 4052 N/A C:\Windows\SysWOW64\Agdhbi32.exe C:\Windows\SysWOW64\Afghneoo.exe
PID 4052 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Afghneoo.exe C:\Windows\SysWOW64\Ahfdjanb.exe
PID 4052 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Afghneoo.exe C:\Windows\SysWOW64\Ahfdjanb.exe
PID 4052 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Afghneoo.exe C:\Windows\SysWOW64\Ahfdjanb.exe
PID 5092 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Ahfdjanb.exe C:\Windows\SysWOW64\Amaqjp32.exe
PID 5092 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Ahfdjanb.exe C:\Windows\SysWOW64\Amaqjp32.exe
PID 5092 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Ahfdjanb.exe C:\Windows\SysWOW64\Amaqjp32.exe
PID 4072 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Amaqjp32.exe C:\Windows\SysWOW64\Aopmfk32.exe
PID 4072 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Amaqjp32.exe C:\Windows\SysWOW64\Aopmfk32.exe
PID 4072 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Amaqjp32.exe C:\Windows\SysWOW64\Aopmfk32.exe
PID 2800 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Aopmfk32.exe C:\Windows\SysWOW64\Ackigjmh.exe
PID 2800 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Aopmfk32.exe C:\Windows\SysWOW64\Ackigjmh.exe
PID 2800 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Aopmfk32.exe C:\Windows\SysWOW64\Ackigjmh.exe
PID 2320 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Ackigjmh.exe C:\Windows\SysWOW64\Afjeceml.exe
PID 2320 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Ackigjmh.exe C:\Windows\SysWOW64\Afjeceml.exe
PID 2320 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Ackigjmh.exe C:\Windows\SysWOW64\Afjeceml.exe
PID 1220 wrote to memory of 740 N/A C:\Windows\SysWOW64\Afjeceml.exe C:\Windows\SysWOW64\Aihaoqlp.exe
PID 1220 wrote to memory of 740 N/A C:\Windows\SysWOW64\Afjeceml.exe C:\Windows\SysWOW64\Aihaoqlp.exe
PID 1220 wrote to memory of 740 N/A C:\Windows\SysWOW64\Afjeceml.exe C:\Windows\SysWOW64\Aihaoqlp.exe
PID 740 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Aihaoqlp.exe C:\Windows\SysWOW64\Amcmpodi.exe
PID 740 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Aihaoqlp.exe C:\Windows\SysWOW64\Amcmpodi.exe
PID 740 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Aihaoqlp.exe C:\Windows\SysWOW64\Amcmpodi.exe
PID 4576 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Amcmpodi.exe C:\Windows\SysWOW64\Aobilkcl.exe
PID 4576 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Amcmpodi.exe C:\Windows\SysWOW64\Aobilkcl.exe
PID 4576 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Amcmpodi.exe C:\Windows\SysWOW64\Aobilkcl.exe
PID 2944 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Aobilkcl.exe C:\Windows\SysWOW64\Acnemi32.exe
PID 2944 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Aobilkcl.exe C:\Windows\SysWOW64\Acnemi32.exe
PID 2944 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Aobilkcl.exe C:\Windows\SysWOW64\Acnemi32.exe
PID 2308 wrote to memory of 1272 N/A C:\Windows\SysWOW64\Acnemi32.exe C:\Windows\SysWOW64\Aflaie32.exe
PID 2308 wrote to memory of 1272 N/A C:\Windows\SysWOW64\Acnemi32.exe C:\Windows\SysWOW64\Aflaie32.exe
PID 2308 wrote to memory of 1272 N/A C:\Windows\SysWOW64\Acnemi32.exe C:\Windows\SysWOW64\Aflaie32.exe
PID 1272 wrote to memory of 980 N/A C:\Windows\SysWOW64\Aflaie32.exe C:\Windows\SysWOW64\Ajhniccb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe

"C:\Users\Admin\AppData\Local\Temp\af4e1b843477d6b22f3c63cb56651701cf9dcefbec611dbe9ce538ec0aebc99bN.exe"

C:\Windows\SysWOW64\Pjjahe32.exe

C:\Windows\system32\Pjjahe32.exe

C:\Windows\SysWOW64\Qcdbfk32.exe

C:\Windows\system32\Qcdbfk32.exe

C:\Windows\SysWOW64\Qfbobf32.exe

C:\Windows\system32\Qfbobf32.exe

C:\Windows\SysWOW64\Qqhcpo32.exe

C:\Windows\system32\Qqhcpo32.exe

C:\Windows\SysWOW64\Aokcklid.exe

C:\Windows\system32\Aokcklid.exe

C:\Windows\SysWOW64\Agbkmijg.exe

C:\Windows\system32\Agbkmijg.exe

C:\Windows\SysWOW64\Ahchda32.exe

C:\Windows\system32\Ahchda32.exe

C:\Windows\SysWOW64\Aqkpeopg.exe

C:\Windows\system32\Aqkpeopg.exe

C:\Windows\SysWOW64\Aompak32.exe

C:\Windows\system32\Aompak32.exe

C:\Windows\SysWOW64\Agdhbi32.exe

C:\Windows\system32\Agdhbi32.exe

C:\Windows\SysWOW64\Afghneoo.exe

C:\Windows\system32\Afghneoo.exe

C:\Windows\SysWOW64\Ahfdjanb.exe

C:\Windows\system32\Ahfdjanb.exe

C:\Windows\SysWOW64\Amaqjp32.exe

C:\Windows\system32\Amaqjp32.exe

C:\Windows\SysWOW64\Aopmfk32.exe

C:\Windows\system32\Aopmfk32.exe

C:\Windows\SysWOW64\Ackigjmh.exe

C:\Windows\system32\Ackigjmh.exe

C:\Windows\SysWOW64\Afjeceml.exe

C:\Windows\system32\Afjeceml.exe

C:\Windows\SysWOW64\Aihaoqlp.exe

C:\Windows\system32\Aihaoqlp.exe

C:\Windows\SysWOW64\Amcmpodi.exe

C:\Windows\system32\Amcmpodi.exe

C:\Windows\SysWOW64\Aobilkcl.exe

C:\Windows\system32\Aobilkcl.exe

C:\Windows\SysWOW64\Acnemi32.exe

C:\Windows\system32\Acnemi32.exe

C:\Windows\SysWOW64\Aflaie32.exe

C:\Windows\system32\Aflaie32.exe

C:\Windows\SysWOW64\Ajhniccb.exe

C:\Windows\system32\Ajhniccb.exe

C:\Windows\SysWOW64\Aijnep32.exe

C:\Windows\system32\Aijnep32.exe

C:\Windows\SysWOW64\Amfjeobf.exe

C:\Windows\system32\Amfjeobf.exe

C:\Windows\SysWOW64\Aqaffn32.exe

C:\Windows\system32\Aqaffn32.exe

C:\Windows\SysWOW64\Acpbbi32.exe

C:\Windows\system32\Acpbbi32.exe

C:\Windows\SysWOW64\Aglnbhal.exe

C:\Windows\system32\Aglnbhal.exe

C:\Windows\SysWOW64\Afnnnd32.exe

C:\Windows\system32\Afnnnd32.exe

C:\Windows\SysWOW64\Ajjjocap.exe

C:\Windows\system32\Ajjjocap.exe

C:\Windows\SysWOW64\Amhfkopc.exe

C:\Windows\system32\Amhfkopc.exe

C:\Windows\SysWOW64\Bogcgj32.exe

C:\Windows\system32\Bogcgj32.exe

C:\Windows\SysWOW64\Bcbohigp.exe

C:\Windows\system32\Bcbohigp.exe

C:\Windows\SysWOW64\Bfqkddfd.exe

C:\Windows\system32\Bfqkddfd.exe

C:\Windows\SysWOW64\Bjlgdc32.exe

C:\Windows\system32\Bjlgdc32.exe

C:\Windows\SysWOW64\Bmkcqn32.exe

C:\Windows\system32\Bmkcqn32.exe

C:\Windows\SysWOW64\Bqfoamfj.exe

C:\Windows\system32\Bqfoamfj.exe

C:\Windows\SysWOW64\Boipmj32.exe

C:\Windows\system32\Boipmj32.exe

C:\Windows\SysWOW64\Bgpgng32.exe

C:\Windows\system32\Bgpgng32.exe

C:\Windows\SysWOW64\Bfchidda.exe

C:\Windows\system32\Bfchidda.exe

C:\Windows\SysWOW64\Biadeoce.exe

C:\Windows\system32\Biadeoce.exe

C:\Windows\SysWOW64\Bmmpfn32.exe

C:\Windows\system32\Bmmpfn32.exe

C:\Windows\SysWOW64\Boklbi32.exe

C:\Windows\system32\Boklbi32.exe

C:\Windows\SysWOW64\Bgbdcgld.exe

C:\Windows\system32\Bgbdcgld.exe

C:\Windows\SysWOW64\Bidqko32.exe

C:\Windows\system32\Bidqko32.exe

C:\Windows\SysWOW64\Bqkill32.exe

C:\Windows\system32\Bqkill32.exe

C:\Windows\SysWOW64\Bciehh32.exe

C:\Windows\system32\Bciehh32.exe

C:\Windows\SysWOW64\Bjcmebie.exe

C:\Windows\system32\Bjcmebie.exe

C:\Windows\SysWOW64\Bmbiamhi.exe

C:\Windows\system32\Bmbiamhi.exe

C:\Windows\SysWOW64\Bclang32.exe

C:\Windows\system32\Bclang32.exe

C:\Windows\SysWOW64\Bjfjka32.exe

C:\Windows\system32\Bjfjka32.exe

C:\Windows\SysWOW64\Cmdfgm32.exe

C:\Windows\system32\Cmdfgm32.exe

C:\Windows\SysWOW64\Ccnncgmc.exe

C:\Windows\system32\Ccnncgmc.exe

C:\Windows\SysWOW64\Cflkpblf.exe

C:\Windows\system32\Cflkpblf.exe

C:\Windows\SysWOW64\Cikglnkj.exe

C:\Windows\system32\Cikglnkj.exe

C:\Windows\SysWOW64\Cabomkll.exe

C:\Windows\system32\Cabomkll.exe

C:\Windows\SysWOW64\Cpeohh32.exe

C:\Windows\system32\Cpeohh32.exe

C:\Windows\SysWOW64\Cglgjeci.exe

C:\Windows\system32\Cglgjeci.exe

C:\Windows\SysWOW64\Cfogeb32.exe

C:\Windows\system32\Cfogeb32.exe

C:\Windows\SysWOW64\Cjjcfabm.exe

C:\Windows\system32\Cjjcfabm.exe

C:\Windows\SysWOW64\Cmipblaq.exe

C:\Windows\system32\Cmipblaq.exe

C:\Windows\SysWOW64\Cadlbk32.exe

C:\Windows\system32\Cadlbk32.exe

C:\Windows\SysWOW64\Ccchof32.exe

C:\Windows\system32\Ccchof32.exe

C:\Windows\SysWOW64\Cgndoeag.exe

C:\Windows\system32\Cgndoeag.exe

C:\Windows\SysWOW64\Cjmpkqqj.exe

C:\Windows\system32\Cjmpkqqj.exe

C:\Windows\SysWOW64\Cippgm32.exe

C:\Windows\system32\Cippgm32.exe

C:\Windows\SysWOW64\Caghhk32.exe

C:\Windows\system32\Caghhk32.exe

C:\Windows\SysWOW64\Cpihcgoa.exe

C:\Windows\system32\Cpihcgoa.exe

C:\Windows\SysWOW64\Cgqqdeod.exe

C:\Windows\system32\Cgqqdeod.exe

C:\Windows\SysWOW64\Cfcqpa32.exe

C:\Windows\system32\Cfcqpa32.exe

C:\Windows\SysWOW64\Cibmlmeb.exe

C:\Windows\system32\Cibmlmeb.exe

C:\Windows\SysWOW64\Cmniml32.exe

C:\Windows\system32\Cmniml32.exe

C:\Windows\SysWOW64\Caienjfd.exe

C:\Windows\system32\Caienjfd.exe

C:\Windows\SysWOW64\Ccgajfeh.exe

C:\Windows\system32\Ccgajfeh.exe

C:\Windows\SysWOW64\Cgcmjd32.exe

C:\Windows\system32\Cgcmjd32.exe

C:\Windows\SysWOW64\Cffmfadl.exe

C:\Windows\system32\Cffmfadl.exe

C:\Windows\SysWOW64\Cidjbmcp.exe

C:\Windows\system32\Cidjbmcp.exe

C:\Windows\SysWOW64\Dmpfbk32.exe

C:\Windows\system32\Dmpfbk32.exe

C:\Windows\SysWOW64\Dpnbog32.exe

C:\Windows\system32\Dpnbog32.exe

C:\Windows\SysWOW64\Dcjnoece.exe

C:\Windows\system32\Dcjnoece.exe

C:\Windows\SysWOW64\Dgejpd32.exe

C:\Windows\system32\Dgejpd32.exe

C:\Windows\SysWOW64\Djdflp32.exe

C:\Windows\system32\Djdflp32.exe

C:\Windows\SysWOW64\Dmbbhkjf.exe

C:\Windows\system32\Dmbbhkjf.exe

C:\Windows\SysWOW64\Dannij32.exe

C:\Windows\system32\Dannij32.exe

C:\Windows\SysWOW64\Dpqodfij.exe

C:\Windows\system32\Dpqodfij.exe

C:\Windows\SysWOW64\Dhhfedil.exe

C:\Windows\system32\Dhhfedil.exe

C:\Windows\SysWOW64\Dfjgaq32.exe

C:\Windows\system32\Dfjgaq32.exe

C:\Windows\SysWOW64\Djfcaohp.exe

C:\Windows\system32\Djfcaohp.exe

C:\Windows\SysWOW64\Dmdonkgc.exe

C:\Windows\system32\Dmdonkgc.exe

C:\Windows\SysWOW64\Dapkni32.exe

C:\Windows\system32\Dapkni32.exe

C:\Windows\SysWOW64\Dcogje32.exe

C:\Windows\system32\Dcogje32.exe

C:\Windows\SysWOW64\Dhjckcgi.exe

C:\Windows\system32\Dhjckcgi.exe

C:\Windows\SysWOW64\Dfmcfp32.exe

C:\Windows\system32\Dfmcfp32.exe

C:\Windows\SysWOW64\Dikpbl32.exe

C:\Windows\system32\Dikpbl32.exe

C:\Windows\SysWOW64\Dmglcj32.exe

C:\Windows\system32\Dmglcj32.exe

C:\Windows\SysWOW64\Dpehof32.exe

C:\Windows\system32\Dpehof32.exe

C:\Windows\SysWOW64\Ddadpdmn.exe

C:\Windows\system32\Ddadpdmn.exe

C:\Windows\SysWOW64\Dhlpqc32.exe

C:\Windows\system32\Dhlpqc32.exe

C:\Windows\SysWOW64\Djklmo32.exe

C:\Windows\system32\Djklmo32.exe

C:\Windows\SysWOW64\Dinmhkke.exe

C:\Windows\system32\Dinmhkke.exe

C:\Windows\SysWOW64\Daediilg.exe

C:\Windows\system32\Daediilg.exe

C:\Windows\SysWOW64\Dpgeee32.exe

C:\Windows\system32\Dpgeee32.exe

C:\Windows\SysWOW64\Ddcqedkk.exe

C:\Windows\system32\Ddcqedkk.exe

C:\Windows\SysWOW64\Dfamapjo.exe

C:\Windows\system32\Dfamapjo.exe

C:\Windows\SysWOW64\Djmibn32.exe

C:\Windows\system32\Djmibn32.exe

C:\Windows\SysWOW64\Eipinkib.exe

C:\Windows\system32\Eipinkib.exe

C:\Windows\SysWOW64\Eagaoh32.exe

C:\Windows\system32\Eagaoh32.exe

C:\Windows\SysWOW64\Epjajeqo.exe

C:\Windows\system32\Epjajeqo.exe

C:\Windows\SysWOW64\Ehailbaa.exe

C:\Windows\system32\Ehailbaa.exe

C:\Windows\SysWOW64\Efdjgo32.exe

C:\Windows\system32\Efdjgo32.exe

C:\Windows\SysWOW64\Eibfck32.exe

C:\Windows\system32\Eibfck32.exe

C:\Windows\SysWOW64\Emnbdioi.exe

C:\Windows\system32\Emnbdioi.exe

C:\Windows\SysWOW64\Eaindh32.exe

C:\Windows\system32\Eaindh32.exe

C:\Windows\SysWOW64\Edhjqc32.exe

C:\Windows\system32\Edhjqc32.exe

C:\Windows\SysWOW64\Ehcfaboo.exe

C:\Windows\system32\Ehcfaboo.exe

C:\Windows\SysWOW64\Ejbbmnnb.exe

C:\Windows\system32\Ejbbmnnb.exe

C:\Windows\SysWOW64\Eidbij32.exe

C:\Windows\system32\Eidbij32.exe

C:\Windows\SysWOW64\Empoiimf.exe

C:\Windows\system32\Empoiimf.exe

C:\Windows\SysWOW64\Epokedmj.exe

C:\Windows\system32\Epokedmj.exe

C:\Windows\SysWOW64\Ehfcfb32.exe

C:\Windows\system32\Ehfcfb32.exe

C:\Windows\SysWOW64\Efhcbodf.exe

C:\Windows\system32\Efhcbodf.exe

C:\Windows\SysWOW64\Ejdocm32.exe

C:\Windows\system32\Ejdocm32.exe

C:\Windows\SysWOW64\Embkoi32.exe

C:\Windows\system32\Embkoi32.exe

C:\Windows\SysWOW64\Eangpgcl.exe

C:\Windows\system32\Eangpgcl.exe

C:\Windows\SysWOW64\Epagkd32.exe

C:\Windows\system32\Epagkd32.exe

C:\Windows\SysWOW64\Ehhpla32.exe

C:\Windows\system32\Ehhpla32.exe

C:\Windows\SysWOW64\Efkphnbd.exe

C:\Windows\system32\Efkphnbd.exe

C:\Windows\SysWOW64\Eiildjag.exe

C:\Windows\system32\Eiildjag.exe

C:\Windows\SysWOW64\Edopabqn.exe

C:\Windows\system32\Edopabqn.exe

C:\Windows\SysWOW64\Filiii32.exe

C:\Windows\system32\Filiii32.exe

C:\Windows\SysWOW64\Facqkg32.exe

C:\Windows\system32\Facqkg32.exe

C:\Windows\SysWOW64\Fhmigagd.exe

C:\Windows\system32\Fhmigagd.exe

C:\Windows\SysWOW64\Fkkeclfh.exe

C:\Windows\system32\Fkkeclfh.exe

C:\Windows\SysWOW64\Fineoi32.exe

C:\Windows\system32\Fineoi32.exe

C:\Windows\SysWOW64\Fmjaphek.exe

C:\Windows\system32\Fmjaphek.exe

C:\Windows\SysWOW64\Fphnlcdo.exe

C:\Windows\system32\Fphnlcdo.exe

C:\Windows\SysWOW64\Fdcjlb32.exe

C:\Windows\system32\Fdcjlb32.exe

C:\Windows\SysWOW64\Fgbfhmll.exe

C:\Windows\system32\Fgbfhmll.exe

C:\Windows\SysWOW64\Fknbil32.exe

C:\Windows\system32\Fknbil32.exe

C:\Windows\SysWOW64\Fmlneg32.exe

C:\Windows\system32\Fmlneg32.exe

C:\Windows\SysWOW64\Fagjfflb.exe

C:\Windows\system32\Fagjfflb.exe

C:\Windows\SysWOW64\Fpjjac32.exe

C:\Windows\system32\Fpjjac32.exe

C:\Windows\SysWOW64\Fhabbp32.exe

C:\Windows\system32\Fhabbp32.exe

C:\Windows\SysWOW64\Fgdbnmji.exe

C:\Windows\system32\Fgdbnmji.exe

C:\Windows\SysWOW64\Fibojhim.exe

C:\Windows\system32\Fibojhim.exe

C:\Windows\SysWOW64\Fmnkkg32.exe

C:\Windows\system32\Fmnkkg32.exe

C:\Windows\SysWOW64\Fajgkfio.exe

C:\Windows\system32\Fajgkfio.exe

C:\Windows\SysWOW64\Fdhcgaic.exe

C:\Windows\system32\Fdhcgaic.exe

C:\Windows\SysWOW64\Fhdohp32.exe

C:\Windows\system32\Fhdohp32.exe

C:\Windows\SysWOW64\Fkbkdkpp.exe

C:\Windows\system32\Fkbkdkpp.exe

C:\Windows\SysWOW64\Fmqgpgoc.exe

C:\Windows\system32\Fmqgpgoc.exe

C:\Windows\SysWOW64\Falcae32.exe

C:\Windows\system32\Falcae32.exe

C:\Windows\SysWOW64\Fpodlbng.exe

C:\Windows\system32\Fpodlbng.exe

C:\Windows\SysWOW64\Fhflnpoi.exe

C:\Windows\system32\Fhflnpoi.exe

C:\Windows\SysWOW64\Ggilil32.exe

C:\Windows\system32\Ggilil32.exe

C:\Windows\SysWOW64\Gigheh32.exe

C:\Windows\system32\Gigheh32.exe

C:\Windows\SysWOW64\Gmcdffmq.exe

C:\Windows\system32\Gmcdffmq.exe

C:\Windows\SysWOW64\Gaopfe32.exe

C:\Windows\system32\Gaopfe32.exe

C:\Windows\SysWOW64\Gdmmbq32.exe

C:\Windows\system32\Gdmmbq32.exe

C:\Windows\SysWOW64\Ghhhcomg.exe

C:\Windows\system32\Ghhhcomg.exe

C:\Windows\SysWOW64\Gkgeoklj.exe

C:\Windows\system32\Gkgeoklj.exe

C:\Windows\SysWOW64\Gijekg32.exe

C:\Windows\system32\Gijekg32.exe

C:\Windows\SysWOW64\Gpcmga32.exe

C:\Windows\system32\Gpcmga32.exe

C:\Windows\SysWOW64\Ghkeio32.exe

C:\Windows\system32\Ghkeio32.exe

C:\Windows\SysWOW64\Ggnedlao.exe

C:\Windows\system32\Ggnedlao.exe

C:\Windows\SysWOW64\Gkiaej32.exe

C:\Windows\system32\Gkiaej32.exe

C:\Windows\SysWOW64\Gilapgqb.exe

C:\Windows\system32\Gilapgqb.exe

C:\Windows\SysWOW64\Gacjadad.exe

C:\Windows\system32\Gacjadad.exe

C:\Windows\SysWOW64\Gpfjma32.exe

C:\Windows\system32\Gpfjma32.exe

C:\Windows\SysWOW64\Gklnjj32.exe

C:\Windows\system32\Gklnjj32.exe

C:\Windows\SysWOW64\Inomhbeq.exe

C:\Windows\system32\Inomhbeq.exe

C:\Windows\SysWOW64\Iggaah32.exe

C:\Windows\system32\Iggaah32.exe

C:\Windows\SysWOW64\Indfca32.exe

C:\Windows\system32\Indfca32.exe

C:\Windows\SysWOW64\Jnfcia32.exe

C:\Windows\system32\Jnfcia32.exe

C:\Windows\SysWOW64\Jdpkflfe.exe

C:\Windows\system32\Jdpkflfe.exe

C:\Windows\SysWOW64\Jgogbgei.exe

C:\Windows\system32\Jgogbgei.exe

C:\Windows\SysWOW64\Jkjcbe32.exe

C:\Windows\system32\Jkjcbe32.exe

C:\Windows\SysWOW64\Jnhpoamf.exe

C:\Windows\system32\Jnhpoamf.exe

C:\Windows\SysWOW64\Jbdlop32.exe

C:\Windows\system32\Jbdlop32.exe

C:\Windows\SysWOW64\Jdbhkk32.exe

C:\Windows\system32\Jdbhkk32.exe

C:\Windows\SysWOW64\Jgadgf32.exe

C:\Windows\system32\Jgadgf32.exe

C:\Windows\SysWOW64\Jklphekp.exe

C:\Windows\system32\Jklphekp.exe

C:\Windows\SysWOW64\Jdedak32.exe

C:\Windows\system32\Jdedak32.exe

C:\Windows\SysWOW64\Jnmijq32.exe

C:\Windows\system32\Jnmijq32.exe

C:\Windows\SysWOW64\Jbiejoaj.exe

C:\Windows\system32\Jbiejoaj.exe

C:\Windows\SysWOW64\Jdgafjpn.exe

C:\Windows\system32\Jdgafjpn.exe

C:\Windows\SysWOW64\Jgenbfoa.exe

C:\Windows\system32\Jgenbfoa.exe

C:\Windows\SysWOW64\Jkaicd32.exe

C:\Windows\system32\Jkaicd32.exe

C:\Windows\SysWOW64\Jjdjoane.exe

C:\Windows\system32\Jjdjoane.exe

C:\Windows\SysWOW64\Jbkbpoog.exe

C:\Windows\system32\Jbkbpoog.exe

C:\Windows\SysWOW64\Kqnbkl32.exe

C:\Windows\system32\Kqnbkl32.exe

C:\Windows\SysWOW64\Kiejmi32.exe

C:\Windows\system32\Kiejmi32.exe

C:\Windows\SysWOW64\Kkcfid32.exe

C:\Windows\system32\Kkcfid32.exe

C:\Windows\SysWOW64\Kbddfmgl.exe

C:\Windows\system32\Kbddfmgl.exe

C:\Windows\SysWOW64\Kgamnded.exe

C:\Windows\system32\Kgamnded.exe

C:\Windows\SysWOW64\Kjpijpdg.exe

C:\Windows\system32\Kjpijpdg.exe

C:\Windows\SysWOW64\Lajagj32.exe

C:\Windows\system32\Lajagj32.exe

C:\Windows\SysWOW64\Liqihglg.exe

C:\Windows\system32\Liqihglg.exe

C:\Windows\SysWOW64\Lgcjdd32.exe

C:\Windows\system32\Lgcjdd32.exe

C:\Windows\SysWOW64\Ljbfpo32.exe

C:\Windows\system32\Ljbfpo32.exe

C:\Windows\SysWOW64\Lbinam32.exe

C:\Windows\system32\Lbinam32.exe

C:\Windows\SysWOW64\Legjmh32.exe

C:\Windows\system32\Legjmh32.exe

C:\Windows\SysWOW64\Lgffic32.exe

C:\Windows\system32\Lgffic32.exe

C:\Windows\SysWOW64\Lkabjbih.exe

C:\Windows\system32\Lkabjbih.exe

C:\Windows\SysWOW64\Lnpofnhk.exe

C:\Windows\system32\Lnpofnhk.exe

C:\Windows\SysWOW64\Lankbigo.exe

C:\Windows\system32\Lankbigo.exe

C:\Windows\SysWOW64\Lejgch32.exe

C:\Windows\system32\Lejgch32.exe

C:\Windows\SysWOW64\Lghcocol.exe

C:\Windows\system32\Lghcocol.exe

C:\Windows\SysWOW64\Ljgpkonp.exe

C:\Windows\system32\Ljgpkonp.exe

C:\Windows\SysWOW64\Lnbklm32.exe

C:\Windows\system32\Lnbklm32.exe

C:\Windows\SysWOW64\Laqhhi32.exe

C:\Windows\system32\Laqhhi32.exe

C:\Windows\SysWOW64\Lihpif32.exe

C:\Windows\system32\Lihpif32.exe

C:\Windows\SysWOW64\Ljilqnlm.exe

C:\Windows\system32\Ljilqnlm.exe

C:\Windows\SysWOW64\Lbpdblmo.exe

C:\Windows\system32\Lbpdblmo.exe

C:\Windows\SysWOW64\Leopnglc.exe

C:\Windows\system32\Leopnglc.exe

C:\Windows\SysWOW64\Lijlof32.exe

C:\Windows\system32\Lijlof32.exe

C:\Windows\SysWOW64\Llhikacp.exe

C:\Windows\system32\Llhikacp.exe

C:\Windows\SysWOW64\Mngegmbc.exe

C:\Windows\system32\Mngegmbc.exe

C:\Windows\SysWOW64\Maeachag.exe

C:\Windows\system32\Maeachag.exe

C:\Windows\SysWOW64\Milidebi.exe

C:\Windows\system32\Milidebi.exe

C:\Windows\SysWOW64\Mhoipb32.exe

C:\Windows\system32\Mhoipb32.exe

C:\Windows\SysWOW64\Mjneln32.exe

C:\Windows\system32\Mjneln32.exe

C:\Windows\SysWOW64\Mbenmk32.exe

C:\Windows\system32\Mbenmk32.exe

C:\Windows\SysWOW64\Mahnhhod.exe

C:\Windows\system32\Mahnhhod.exe

C:\Windows\SysWOW64\Mhafeb32.exe

C:\Windows\system32\Mhafeb32.exe

C:\Windows\SysWOW64\Mnlnbl32.exe

C:\Windows\system32\Mnlnbl32.exe

C:\Windows\SysWOW64\Majjng32.exe

C:\Windows\system32\Majjng32.exe

C:\Windows\SysWOW64\Miaboe32.exe

C:\Windows\system32\Miaboe32.exe

C:\Windows\SysWOW64\Mlpokp32.exe

C:\Windows\system32\Mlpokp32.exe

C:\Windows\SysWOW64\Mnnkgl32.exe

C:\Windows\system32\Mnnkgl32.exe

C:\Windows\SysWOW64\Malgcg32.exe

C:\Windows\system32\Malgcg32.exe

C:\Windows\SysWOW64\Mlbkap32.exe

C:\Windows\system32\Mlbkap32.exe

C:\Windows\SysWOW64\Mblcnj32.exe

C:\Windows\system32\Mblcnj32.exe

C:\Windows\SysWOW64\Mifljdjo.exe

C:\Windows\system32\Mifljdjo.exe

C:\Windows\SysWOW64\Naaqofgj.exe

C:\Windows\system32\Naaqofgj.exe

C:\Windows\SysWOW64\Nlfelogp.exe

C:\Windows\system32\Nlfelogp.exe

C:\Windows\SysWOW64\Neoieenp.exe

C:\Windows\system32\Neoieenp.exe

C:\Windows\SysWOW64\Nklbmllg.exe

C:\Windows\system32\Nklbmllg.exe

C:\Windows\SysWOW64\Nbcjnilj.exe

C:\Windows\system32\Nbcjnilj.exe

C:\Windows\SysWOW64\Neafjdkn.exe

C:\Windows\system32\Neafjdkn.exe

C:\Windows\SysWOW64\Nhpbfpka.exe

C:\Windows\system32\Nhpbfpka.exe

C:\Windows\SysWOW64\Nojjcj32.exe

C:\Windows\system32\Nojjcj32.exe

C:\Windows\SysWOW64\Neccpd32.exe

C:\Windows\system32\Neccpd32.exe

C:\Windows\SysWOW64\Nhbolp32.exe

C:\Windows\system32\Nhbolp32.exe

C:\Windows\SysWOW64\Nolgijpk.exe

C:\Windows\system32\Nolgijpk.exe

C:\Windows\SysWOW64\Nefped32.exe

C:\Windows\system32\Nefped32.exe

C:\Windows\SysWOW64\Nhdlao32.exe

C:\Windows\system32\Nhdlao32.exe

C:\Windows\SysWOW64\Okchnk32.exe

C:\Windows\system32\Okchnk32.exe

C:\Windows\SysWOW64\Oampjeml.exe

C:\Windows\system32\Oampjeml.exe

C:\Windows\SysWOW64\Oidhlb32.exe

C:\Windows\system32\Oidhlb32.exe

C:\Windows\SysWOW64\Olbdhn32.exe

C:\Windows\system32\Olbdhn32.exe

C:\Windows\SysWOW64\Ooqqdi32.exe

C:\Windows\system32\Ooqqdi32.exe

C:\Windows\SysWOW64\Oekiqccc.exe

C:\Windows\system32\Oekiqccc.exe

C:\Windows\SysWOW64\Ohiemobf.exe

C:\Windows\system32\Ohiemobf.exe

C:\Windows\SysWOW64\Okgaijaj.exe

C:\Windows\system32\Okgaijaj.exe

C:\Windows\SysWOW64\Oboijgbl.exe

C:\Windows\system32\Oboijgbl.exe

C:\Windows\SysWOW64\Oemefcap.exe

C:\Windows\system32\Oemefcap.exe

C:\Windows\SysWOW64\Olgncmim.exe

C:\Windows\system32\Olgncmim.exe

C:\Windows\SysWOW64\Ooejohhq.exe

C:\Windows\system32\Ooejohhq.exe

C:\Windows\SysWOW64\Oeoblb32.exe

C:\Windows\system32\Oeoblb32.exe

C:\Windows\SysWOW64\Ohnohn32.exe

C:\Windows\system32\Ohnohn32.exe

C:\Windows\SysWOW64\Oklkdi32.exe

C:\Windows\system32\Oklkdi32.exe

C:\Windows\SysWOW64\Obcceg32.exe

C:\Windows\system32\Obcceg32.exe

C:\Windows\SysWOW64\Oafcqcea.exe

C:\Windows\system32\Oafcqcea.exe

C:\Windows\SysWOW64\Oimkbaed.exe

C:\Windows\system32\Oimkbaed.exe

C:\Windows\SysWOW64\Pkogiikb.exe

C:\Windows\system32\Pkogiikb.exe

C:\Windows\SysWOW64\Pojcjh32.exe

C:\Windows\system32\Pojcjh32.exe

C:\Windows\SysWOW64\Pahpfc32.exe

C:\Windows\system32\Pahpfc32.exe

C:\Windows\SysWOW64\Pkadoiip.exe

C:\Windows\system32\Pkadoiip.exe

C:\Windows\SysWOW64\Pchlpfjb.exe

C:\Windows\system32\Pchlpfjb.exe

C:\Windows\SysWOW64\Pefhlaie.exe

C:\Windows\system32\Pefhlaie.exe

C:\Windows\SysWOW64\Plpqil32.exe

C:\Windows\system32\Plpqil32.exe

C:\Windows\SysWOW64\Poomegpf.exe

C:\Windows\system32\Poomegpf.exe

C:\Windows\SysWOW64\Pamiaboj.exe

C:\Windows\system32\Pamiaboj.exe

C:\Windows\SysWOW64\Pidabppl.exe

C:\Windows\system32\Pidabppl.exe

C:\Windows\SysWOW64\Phganm32.exe

C:\Windows\system32\Phganm32.exe

C:\Windows\SysWOW64\Poajkgnc.exe

C:\Windows\system32\Poajkgnc.exe

C:\Windows\SysWOW64\Papfgbmg.exe

C:\Windows\system32\Papfgbmg.exe

C:\Windows\SysWOW64\Pifnhpmi.exe

C:\Windows\system32\Pifnhpmi.exe

C:\Windows\SysWOW64\Phincl32.exe

C:\Windows\system32\Phincl32.exe

C:\Windows\SysWOW64\Pcobaedj.exe

C:\Windows\system32\Pcobaedj.exe

C:\Windows\SysWOW64\Pemomqcn.exe

C:\Windows\system32\Pemomqcn.exe

C:\Windows\SysWOW64\Qhlkilba.exe

C:\Windows\system32\Qhlkilba.exe

C:\Windows\SysWOW64\Qkjgegae.exe

C:\Windows\system32\Qkjgegae.exe

C:\Windows\SysWOW64\Qepkbpak.exe

C:\Windows\system32\Qepkbpak.exe

C:\Windows\SysWOW64\Qhngolpo.exe

C:\Windows\system32\Qhngolpo.exe

C:\Windows\SysWOW64\Qcclld32.exe

C:\Windows\system32\Qcclld32.exe

C:\Windows\SysWOW64\Qebhhp32.exe

C:\Windows\system32\Qebhhp32.exe

C:\Windows\SysWOW64\Ahqddk32.exe

C:\Windows\system32\Ahqddk32.exe

C:\Windows\SysWOW64\Akoqpg32.exe

C:\Windows\system32\Akoqpg32.exe

C:\Windows\SysWOW64\Acfhad32.exe

C:\Windows\system32\Acfhad32.exe

C:\Windows\SysWOW64\Aeddnp32.exe

C:\Windows\system32\Aeddnp32.exe

C:\Windows\SysWOW64\Ahcajk32.exe

C:\Windows\system32\Ahcajk32.exe

C:\Windows\SysWOW64\Alnmjjdb.exe

C:\Windows\system32\Alnmjjdb.exe

C:\Windows\SysWOW64\Aomifecf.exe

C:\Windows\system32\Aomifecf.exe

C:\Windows\SysWOW64\Ahenokjf.exe

C:\Windows\system32\Ahenokjf.exe

C:\Windows\SysWOW64\Akcjkfij.exe

C:\Windows\system32\Akcjkfij.exe

C:\Windows\SysWOW64\Afinioip.exe

C:\Windows\system32\Afinioip.exe

C:\Windows\SysWOW64\Afkknogn.exe

C:\Windows\system32\Afkknogn.exe

C:\Windows\SysWOW64\Bjicdmmd.exe

C:\Windows\system32\Bjicdmmd.exe

C:\Windows\SysWOW64\Bbdhiojo.exe

C:\Windows\system32\Bbdhiojo.exe

C:\Windows\SysWOW64\Bkmmaeap.exe

C:\Windows\system32\Bkmmaeap.exe

C:\Windows\SysWOW64\Bcddcbab.exe

C:\Windows\system32\Bcddcbab.exe

C:\Windows\SysWOW64\Bfbaonae.exe

C:\Windows\system32\Bfbaonae.exe

C:\Windows\SysWOW64\Bmlilh32.exe

C:\Windows\system32\Bmlilh32.exe

C:\Windows\SysWOW64\Bfendmoc.exe

C:\Windows\system32\Bfendmoc.exe

C:\Windows\SysWOW64\Bombmcec.exe

C:\Windows\system32\Bombmcec.exe

C:\Windows\SysWOW64\Bckkca32.exe

C:\Windows\system32\Bckkca32.exe

C:\Windows\SysWOW64\Ckfphc32.exe

C:\Windows\system32\Ckfphc32.exe

C:\Windows\SysWOW64\Cijpahho.exe

C:\Windows\system32\Cijpahho.exe

C:\Windows\SysWOW64\Ccpdoqgd.exe

C:\Windows\system32\Ccpdoqgd.exe

C:\Windows\SysWOW64\Cimmggfl.exe

C:\Windows\system32\Cimmggfl.exe

C:\Windows\SysWOW64\Cofecami.exe

C:\Windows\system32\Cofecami.exe

C:\Windows\SysWOW64\Cmjemflb.exe

C:\Windows\system32\Cmjemflb.exe

C:\Windows\SysWOW64\Cfcjfk32.exe

C:\Windows\system32\Cfcjfk32.exe

C:\Windows\SysWOW64\Cmmbbejp.exe

C:\Windows\system32\Cmmbbejp.exe

C:\Windows\SysWOW64\Dfefkkqp.exe

C:\Windows\system32\Dfefkkqp.exe

C:\Windows\SysWOW64\Dblgpl32.exe

C:\Windows\system32\Dblgpl32.exe

C:\Windows\SysWOW64\Dckdjomg.exe

C:\Windows\system32\Dckdjomg.exe

C:\Windows\SysWOW64\Dlghoa32.exe

C:\Windows\system32\Dlghoa32.exe

C:\Windows\SysWOW64\Dflmlj32.exe

C:\Windows\system32\Dflmlj32.exe

C:\Windows\SysWOW64\Dmfeidbe.exe

C:\Windows\system32\Dmfeidbe.exe

C:\Windows\SysWOW64\Dcpmen32.exe

C:\Windows\system32\Dcpmen32.exe

C:\Windows\SysWOW64\Dimenegi.exe

C:\Windows\system32\Dimenegi.exe

C:\Windows\SysWOW64\Ecbjkngo.exe

C:\Windows\system32\Ecbjkngo.exe

C:\Windows\SysWOW64\Efafgifc.exe

C:\Windows\system32\Efafgifc.exe

C:\Windows\SysWOW64\Emkndc32.exe

C:\Windows\system32\Emkndc32.exe

C:\Windows\SysWOW64\Ebjcajjd.exe

C:\Windows\system32\Ebjcajjd.exe

C:\Windows\SysWOW64\Ebommi32.exe

C:\Windows\system32\Ebommi32.exe

C:\Windows\SysWOW64\Flinkojm.exe

C:\Windows\system32\Flinkojm.exe

C:\Windows\SysWOW64\Fipkjb32.exe

C:\Windows\system32\Fipkjb32.exe

C:\Windows\SysWOW64\Fjohde32.exe

C:\Windows\system32\Fjohde32.exe

C:\Windows\SysWOW64\Fjadje32.exe

C:\Windows\system32\Fjadje32.exe

C:\Windows\SysWOW64\Fmpqfq32.exe

C:\Windows\system32\Fmpqfq32.exe

C:\Windows\SysWOW64\Gmbmkpie.exe

C:\Windows\system32\Gmbmkpie.exe

C:\Windows\SysWOW64\Gikkfqmf.exe

C:\Windows\system32\Gikkfqmf.exe

C:\Windows\SysWOW64\Gingkqkd.exe

C:\Windows\system32\Gingkqkd.exe

C:\Windows\SysWOW64\Hdehni32.exe

C:\Windows\system32\Hdehni32.exe

C:\Windows\SysWOW64\Hplicjok.exe

C:\Windows\system32\Hplicjok.exe

C:\Windows\SysWOW64\Hkbmqb32.exe

C:\Windows\system32\Hkbmqb32.exe

C:\Windows\SysWOW64\Hdjbiheb.exe

C:\Windows\system32\Hdjbiheb.exe

C:\Windows\SysWOW64\Hmechmip.exe

C:\Windows\system32\Hmechmip.exe

C:\Windows\SysWOW64\Hkicaahi.exe

C:\Windows\system32\Hkicaahi.exe

C:\Windows\SysWOW64\Igbalblk.exe

C:\Windows\system32\Igbalblk.exe

C:\Windows\SysWOW64\Iciaqc32.exe

C:\Windows\system32\Iciaqc32.exe

C:\Windows\SysWOW64\Innfnl32.exe

C:\Windows\system32\Innfnl32.exe

C:\Windows\SysWOW64\Ijegcm32.exe

C:\Windows\system32\Ijegcm32.exe

C:\Windows\SysWOW64\Ilccoh32.exe

C:\Windows\system32\Ilccoh32.exe

C:\Windows\SysWOW64\Idkkpf32.exe

C:\Windows\system32\Idkkpf32.exe

C:\Windows\SysWOW64\Igigla32.exe

C:\Windows\system32\Igigla32.exe

C:\Windows\SysWOW64\Jjgchm32.exe

C:\Windows\system32\Jjgchm32.exe

C:\Windows\SysWOW64\Jpaleglc.exe

C:\Windows\system32\Jpaleglc.exe

C:\Windows\SysWOW64\Jcphab32.exe

C:\Windows\system32\Jcphab32.exe

C:\Windows\SysWOW64\Jgkdbacp.exe

C:\Windows\system32\Jgkdbacp.exe

C:\Windows\SysWOW64\Jjjpnlbd.exe

C:\Windows\system32\Jjjpnlbd.exe

C:\Windows\SysWOW64\Jnelok32.exe

C:\Windows\system32\Jnelok32.exe

C:\Windows\SysWOW64\Jlhljhbg.exe

C:\Windows\system32\Jlhljhbg.exe

C:\Windows\SysWOW64\Jpdhkf32.exe

C:\Windows\system32\Jpdhkf32.exe

C:\Windows\SysWOW64\Jgnqgqan.exe

C:\Windows\system32\Jgnqgqan.exe

C:\Windows\SysWOW64\Jpfepf32.exe

C:\Windows\system32\Jpfepf32.exe

C:\Windows\SysWOW64\Jnjejjgh.exe

C:\Windows\system32\Jnjejjgh.exe

C:\Windows\SysWOW64\Jlmfeg32.exe

C:\Windows\system32\Jlmfeg32.exe

C:\Windows\SysWOW64\Jddnfd32.exe

C:\Windows\system32\Jddnfd32.exe

C:\Windows\SysWOW64\Kjccdkki.exe

C:\Windows\system32\Kjccdkki.exe

C:\Windows\SysWOW64\Kclgmq32.exe

C:\Windows\system32\Kclgmq32.exe

C:\Windows\SysWOW64\Kqphfe32.exe

C:\Windows\system32\Kqphfe32.exe

C:\Windows\SysWOW64\Kqbdldnq.exe

C:\Windows\system32\Kqbdldnq.exe

C:\Windows\SysWOW64\Knfeeimj.exe

C:\Windows\system32\Knfeeimj.exe

C:\Windows\SysWOW64\Kmkbfeab.exe

C:\Windows\system32\Kmkbfeab.exe

C:\Windows\SysWOW64\Kcejco32.exe

C:\Windows\system32\Kcejco32.exe

C:\Windows\SysWOW64\Lmmolepp.exe

C:\Windows\system32\Lmmolepp.exe

C:\Windows\SysWOW64\Lddgmbpb.exe

C:\Windows\system32\Lddgmbpb.exe

C:\Windows\SysWOW64\Lqkgbcff.exe

C:\Windows\system32\Lqkgbcff.exe

C:\Windows\SysWOW64\Lggldm32.exe

C:\Windows\system32\Lggldm32.exe

C:\Windows\SysWOW64\Lkeekk32.exe

C:\Windows\system32\Lkeekk32.exe

C:\Windows\SysWOW64\Lndagg32.exe

C:\Windows\system32\Lndagg32.exe

C:\Windows\SysWOW64\Lqbncb32.exe

C:\Windows\system32\Lqbncb32.exe

C:\Windows\SysWOW64\Lenicahg.exe

C:\Windows\system32\Lenicahg.exe

C:\Windows\SysWOW64\Mglfplgk.exe

C:\Windows\system32\Mglfplgk.exe

C:\Windows\SysWOW64\Mjkblhfo.exe

C:\Windows\system32\Mjkblhfo.exe

C:\Windows\SysWOW64\Mnfnlf32.exe

C:\Windows\system32\Mnfnlf32.exe

C:\Windows\SysWOW64\Madjhb32.exe

C:\Windows\system32\Madjhb32.exe

C:\Windows\SysWOW64\Mepfiq32.exe

C:\Windows\system32\Mepfiq32.exe

C:\Windows\SysWOW64\Mkjnfkma.exe

C:\Windows\system32\Mkjnfkma.exe

C:\Windows\SysWOW64\Maggnali.exe

C:\Windows\system32\Maggnali.exe

C:\Windows\SysWOW64\Mcecjmkl.exe

C:\Windows\system32\Mcecjmkl.exe

C:\Windows\SysWOW64\Mkmkkjko.exe

C:\Windows\system32\Mkmkkjko.exe

C:\Windows\SysWOW64\Mjokgg32.exe

C:\Windows\system32\Mjokgg32.exe

C:\Windows\SysWOW64\Maiccajf.exe

C:\Windows\system32\Maiccajf.exe

C:\Windows\SysWOW64\Mgclpkac.exe

C:\Windows\system32\Mgclpkac.exe

C:\Windows\SysWOW64\Mnmdme32.exe

C:\Windows\system32\Mnmdme32.exe

C:\Windows\SysWOW64\Malpia32.exe

C:\Windows\system32\Malpia32.exe

C:\Windows\SysWOW64\Mgehfkop.exe

C:\Windows\system32\Mgehfkop.exe

C:\Windows\SysWOW64\Mnpabe32.exe

C:\Windows\system32\Mnpabe32.exe

C:\Windows\SysWOW64\Meiioonj.exe

C:\Windows\system32\Meiioonj.exe

C:\Windows\SysWOW64\Nelfeo32.exe

C:\Windows\system32\Nelfeo32.exe

C:\Windows\SysWOW64\Njinmf32.exe

C:\Windows\system32\Njinmf32.exe

C:\Windows\SysWOW64\Nlhkgi32.exe

C:\Windows\system32\Nlhkgi32.exe

C:\Windows\SysWOW64\Nagpeo32.exe

C:\Windows\system32\Nagpeo32.exe

C:\Windows\SysWOW64\Nhahaiec.exe

C:\Windows\system32\Nhahaiec.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Nnkpnclp.exe

C:\Windows\system32\Nnkpnclp.exe

C:\Windows\SysWOW64\Najmjokc.exe

C:\Windows\system32\Najmjokc.exe

C:\Windows\SysWOW64\Oeehkn32.exe

C:\Windows\system32\Oeehkn32.exe

C:\Windows\SysWOW64\Ohcegi32.exe

C:\Windows\system32\Ohcegi32.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Oeheqm32.exe

C:\Windows\system32\Oeheqm32.exe

C:\Windows\SysWOW64\Ohfami32.exe

C:\Windows\system32\Ohfami32.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Ojgjndno.exe

C:\Windows\system32\Ojgjndno.exe

C:\Windows\SysWOW64\Oeokal32.exe

C:\Windows\system32\Oeokal32.exe

C:\Windows\SysWOW64\Paelfmaf.exe

C:\Windows\system32\Paelfmaf.exe

C:\Windows\SysWOW64\Pahilmoc.exe

C:\Windows\system32\Pahilmoc.exe

C:\Windows\SysWOW64\Pkpmdbfd.exe

C:\Windows\system32\Pkpmdbfd.exe

C:\Windows\SysWOW64\Ponfka32.exe

C:\Windows\system32\Ponfka32.exe

C:\Windows\SysWOW64\Palbgl32.exe

C:\Windows\system32\Palbgl32.exe

C:\Windows\SysWOW64\Pmcclm32.exe

C:\Windows\system32\Pmcclm32.exe

C:\Windows\SysWOW64\Pocpfphe.exe

C:\Windows\system32\Pocpfphe.exe

C:\Windows\SysWOW64\Qkipkani.exe

C:\Windows\system32\Qkipkani.exe

C:\Windows\SysWOW64\Amjillkj.exe

C:\Windows\system32\Amjillkj.exe

C:\Windows\SysWOW64\Aednci32.exe

C:\Windows\system32\Aednci32.exe

C:\Windows\SysWOW64\Akqfkp32.exe

C:\Windows\system32\Akqfkp32.exe

C:\Windows\SysWOW64\Aonoao32.exe

C:\Windows\system32\Aonoao32.exe

C:\Windows\SysWOW64\Aoalgn32.exe

C:\Windows\system32\Aoalgn32.exe

C:\Windows\SysWOW64\Akglloai.exe

C:\Windows\system32\Akglloai.exe

C:\Windows\SysWOW64\Bnfihkqm.exe

C:\Windows\system32\Bnfihkqm.exe

C:\Windows\SysWOW64\Baadiiif.exe

C:\Windows\system32\Baadiiif.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Bnhenj32.exe

C:\Windows\system32\Bnhenj32.exe

C:\Windows\SysWOW64\Blielbfi.exe

C:\Windows\system32\Blielbfi.exe

C:\Windows\SysWOW64\Bllbaa32.exe

C:\Windows\system32\Bllbaa32.exe

C:\Windows\SysWOW64\Bedgjgkg.exe

C:\Windows\system32\Bedgjgkg.exe

C:\Windows\SysWOW64\Blqllqqa.exe

C:\Windows\system32\Blqllqqa.exe

C:\Windows\SysWOW64\Cbpajgmf.exe

C:\Windows\system32\Cbpajgmf.exe

C:\Windows\SysWOW64\Cocacl32.exe

C:\Windows\system32\Cocacl32.exe

C:\Windows\SysWOW64\Cofnik32.exe

C:\Windows\system32\Cofnik32.exe

C:\Windows\SysWOW64\Cbfgkffn.exe

C:\Windows\system32\Cbfgkffn.exe

C:\Windows\SysWOW64\Ddjmba32.exe

C:\Windows\system32\Ddjmba32.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Dflfac32.exe

C:\Windows\system32\Dflfac32.exe

C:\Windows\SysWOW64\Dfnbgc32.exe

C:\Windows\system32\Dfnbgc32.exe

C:\Windows\SysWOW64\Eofgpikj.exe

C:\Windows\system32\Eofgpikj.exe

C:\Windows\SysWOW64\Ebdcld32.exe

C:\Windows\system32\Ebdcld32.exe

C:\Windows\SysWOW64\Eeelnp32.exe

C:\Windows\system32\Eeelnp32.exe

C:\Windows\SysWOW64\Ekodjiol.exe

C:\Windows\system32\Ekodjiol.exe

C:\Windows\SysWOW64\Epmmqheb.exe

C:\Windows\system32\Epmmqheb.exe

C:\Windows\SysWOW64\Eppjfgcp.exe

C:\Windows\system32\Eppjfgcp.exe

C:\Windows\SysWOW64\Fneggdhg.exe

C:\Windows\system32\Fneggdhg.exe

C:\Windows\SysWOW64\Fimhjl32.exe

C:\Windows\system32\Fimhjl32.exe

C:\Windows\SysWOW64\Fiodpl32.exe

C:\Windows\system32\Fiodpl32.exe

C:\Windows\SysWOW64\Fbgihaji.exe

C:\Windows\system32\Fbgihaji.exe

C:\Windows\SysWOW64\Fnnjmbpm.exe

C:\Windows\system32\Fnnjmbpm.exe

C:\Windows\SysWOW64\Gidnkkpc.exe

C:\Windows\system32\Gidnkkpc.exe

C:\Windows\SysWOW64\Gnqfcbnj.exe

C:\Windows\system32\Gnqfcbnj.exe

C:\Windows\SysWOW64\Gldglf32.exe

C:\Windows\system32\Gldglf32.exe

C:\Windows\SysWOW64\Gflhoo32.exe

C:\Windows\system32\Gflhoo32.exe

C:\Windows\SysWOW64\Gojiiafp.exe

C:\Windows\system32\Gojiiafp.exe

C:\Windows\SysWOW64\Hmkigh32.exe

C:\Windows\system32\Hmkigh32.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hoobdp32.exe

C:\Windows\system32\Hoobdp32.exe

C:\Windows\SysWOW64\Hoaojp32.exe

C:\Windows\system32\Hoaojp32.exe

C:\Windows\SysWOW64\Hifcgion.exe

C:\Windows\system32\Hifcgion.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Ibaeen32.exe

C:\Windows\system32\Ibaeen32.exe

C:\Windows\SysWOW64\Iliinc32.exe

C:\Windows\system32\Iliinc32.exe

C:\Windows\SysWOW64\Ifomll32.exe

C:\Windows\system32\Ifomll32.exe

C:\Windows\SysWOW64\Ipgbdbqb.exe

C:\Windows\system32\Ipgbdbqb.exe

C:\Windows\SysWOW64\Imkbnf32.exe

C:\Windows\system32\Imkbnf32.exe

C:\Windows\SysWOW64\Ieidhh32.exe

C:\Windows\system32\Ieidhh32.exe

C:\Windows\SysWOW64\Jghpbk32.exe

C:\Windows\system32\Jghpbk32.exe

C:\Windows\SysWOW64\Jiiicf32.exe

C:\Windows\system32\Jiiicf32.exe

C:\Windows\SysWOW64\Jngbjd32.exe

C:\Windows\system32\Jngbjd32.exe

C:\Windows\SysWOW64\Jgbchj32.exe

C:\Windows\system32\Jgbchj32.exe

C:\Windows\SysWOW64\Jjpode32.exe

C:\Windows\system32\Jjpode32.exe

C:\Windows\SysWOW64\Kegpifod.exe

C:\Windows\system32\Kegpifod.exe

C:\Windows\SysWOW64\Kgflcifg.exe

C:\Windows\system32\Kgflcifg.exe

C:\Windows\SysWOW64\Kpoalo32.exe

C:\Windows\system32\Kpoalo32.exe

C:\Windows\SysWOW64\Kgiiiidd.exe

C:\Windows\system32\Kgiiiidd.exe

C:\Windows\SysWOW64\Kpanan32.exe

C:\Windows\system32\Kpanan32.exe

C:\Windows\SysWOW64\Klhnfo32.exe

C:\Windows\system32\Klhnfo32.exe

C:\Windows\SysWOW64\Lgpoihnl.exe

C:\Windows\system32\Lgpoihnl.exe

C:\Windows\SysWOW64\Lokdnjkg.exe

C:\Windows\system32\Lokdnjkg.exe

C:\Windows\SysWOW64\Lqkqhm32.exe

C:\Windows\system32\Lqkqhm32.exe

C:\Windows\SysWOW64\Lmaamn32.exe

C:\Windows\system32\Lmaamn32.exe

C:\Windows\SysWOW64\Lfjfecno.exe

C:\Windows\system32\Lfjfecno.exe

C:\Windows\SysWOW64\Lgibpf32.exe

C:\Windows\system32\Lgibpf32.exe

C:\Windows\SysWOW64\Mmfkhmdi.exe

C:\Windows\system32\Mmfkhmdi.exe

C:\Windows\SysWOW64\Mqdcnl32.exe

C:\Windows\system32\Mqdcnl32.exe

C:\Windows\SysWOW64\Mgnlkfal.exe

C:\Windows\system32\Mgnlkfal.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mnjqmpgg.exe

C:\Windows\system32\Mnjqmpgg.exe

C:\Windows\SysWOW64\Mfeeabda.exe

C:\Windows\system32\Mfeeabda.exe

C:\Windows\SysWOW64\Mfhbga32.exe

C:\Windows\system32\Mfhbga32.exe

C:\Windows\SysWOW64\Njfkmphe.exe

C:\Windows\system32\Njfkmphe.exe

C:\Windows\SysWOW64\Nqbpojnp.exe

C:\Windows\system32\Nqbpojnp.exe

C:\Windows\SysWOW64\Nadleilm.exe

C:\Windows\system32\Nadleilm.exe

C:\Windows\SysWOW64\Ngqagcag.exe

C:\Windows\system32\Ngqagcag.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Ocjoadei.exe

C:\Windows\system32\Ocjoadei.exe

C:\Windows\SysWOW64\Opqofe32.exe

C:\Windows\system32\Opqofe32.exe

C:\Windows\SysWOW64\Ogjdmbil.exe

C:\Windows\system32\Ogjdmbil.exe

C:\Windows\SysWOW64\Opeiadfg.exe

C:\Windows\system32\Opeiadfg.exe

C:\Windows\SysWOW64\Paeelgnj.exe

C:\Windows\system32\Paeelgnj.exe

C:\Windows\SysWOW64\Pccahbmn.exe

C:\Windows\system32\Pccahbmn.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Pdenmbkk.exe

C:\Windows\system32\Pdenmbkk.exe

C:\Windows\SysWOW64\Pfdjinjo.exe

C:\Windows\system32\Pfdjinjo.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Pplobcpp.exe

C:\Windows\system32\Pplobcpp.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Ppahmb32.exe

C:\Windows\system32\Ppahmb32.exe

C:\Windows\SysWOW64\Qmeigg32.exe

C:\Windows\system32\Qmeigg32.exe

C:\Windows\SysWOW64\Qodeajbg.exe

C:\Windows\system32\Qodeajbg.exe

C:\Windows\SysWOW64\Qdaniq32.exe

C:\Windows\system32\Qdaniq32.exe

C:\Windows\SysWOW64\Aaenbd32.exe

C:\Windows\system32\Aaenbd32.exe

C:\Windows\SysWOW64\Ahofoogd.exe

C:\Windows\system32\Ahofoogd.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Ahaceo32.exe

C:\Windows\system32\Ahaceo32.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Akblfj32.exe

C:\Windows\system32\Akblfj32.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Dqnjgl32.exe

C:\Windows\system32\Dqnjgl32.exe

C:\Windows\SysWOW64\Damfao32.exe

C:\Windows\system32\Damfao32.exe

C:\Windows\SysWOW64\Ddkbmj32.exe

C:\Windows\system32\Ddkbmj32.exe

C:\Windows\SysWOW64\Doagjc32.exe

C:\Windows\system32\Doagjc32.exe

C:\Windows\SysWOW64\Dglkoeio.exe

C:\Windows\system32\Dglkoeio.exe

C:\Windows\SysWOW64\Ebaplnie.exe

C:\Windows\system32\Ebaplnie.exe

C:\Windows\SysWOW64\Egohdegl.exe

C:\Windows\system32\Egohdegl.exe

C:\Windows\SysWOW64\Eohmkb32.exe

C:\Windows\system32\Eohmkb32.exe

C:\Windows\SysWOW64\Enkmfolf.exe

C:\Windows\system32\Enkmfolf.exe

C:\Windows\SysWOW64\Eqiibjlj.exe

C:\Windows\system32\Eqiibjlj.exe

C:\Windows\SysWOW64\Edeeci32.exe

C:\Windows\system32\Edeeci32.exe

C:\Windows\SysWOW64\Ehpadhll.exe

C:\Windows\system32\Ehpadhll.exe

C:\Windows\SysWOW64\Ekonpckp.exe

C:\Windows\system32\Ekonpckp.exe

C:\Windows\SysWOW64\Eojiqb32.exe

C:\Windows\system32\Eojiqb32.exe

C:\Windows\SysWOW64\Enmjlojd.exe

C:\Windows\system32\Enmjlojd.exe

C:\Windows\SysWOW64\Ebifmm32.exe

C:\Windows\system32\Ebifmm32.exe

C:\Windows\SysWOW64\Edgbii32.exe

C:\Windows\system32\Edgbii32.exe

C:\Windows\SysWOW64\Ehbnigjj.exe

C:\Windows\system32\Ehbnigjj.exe

C:\Windows\SysWOW64\Egened32.exe

C:\Windows\system32\Egened32.exe

C:\Windows\SysWOW64\Eomffaag.exe

C:\Windows\system32\Eomffaag.exe

C:\Windows\SysWOW64\Enpfan32.exe

C:\Windows\system32\Enpfan32.exe

C:\Windows\SysWOW64\Eghkjdoa.exe

C:\Windows\system32\Eghkjdoa.exe

C:\Windows\SysWOW64\Fbmohmoh.exe

C:\Windows\system32\Fbmohmoh.exe

C:\Windows\SysWOW64\Fdlkdhnk.exe

C:\Windows\system32\Fdlkdhnk.exe

C:\Windows\SysWOW64\Fgjhpcmo.exe

C:\Windows\system32\Fgjhpcmo.exe

C:\Windows\SysWOW64\Fqbliicp.exe

C:\Windows\system32\Fqbliicp.exe

C:\Windows\SysWOW64\Fnfmbmbi.exe

C:\Windows\system32\Fnfmbmbi.exe

C:\Windows\SysWOW64\Feqeog32.exe

C:\Windows\system32\Feqeog32.exe

C:\Windows\SysWOW64\Fkjmlaac.exe

C:\Windows\system32\Fkjmlaac.exe

C:\Windows\SysWOW64\Fbdehlip.exe

C:\Windows\system32\Fbdehlip.exe

C:\Windows\SysWOW64\Fganqbgg.exe

C:\Windows\system32\Fganqbgg.exe

C:\Windows\SysWOW64\Fkofga32.exe

C:\Windows\system32\Fkofga32.exe

C:\Windows\SysWOW64\Ggfglb32.exe

C:\Windows\system32\Ggfglb32.exe

C:\Windows\SysWOW64\Ganldgib.exe

C:\Windows\system32\Ganldgib.exe

C:\Windows\SysWOW64\Gnblnlhl.exe

C:\Windows\system32\Gnblnlhl.exe

C:\Windows\SysWOW64\Glfmgp32.exe

C:\Windows\system32\Glfmgp32.exe

C:\Windows\SysWOW64\Geoapenf.exe

C:\Windows\system32\Geoapenf.exe

C:\Windows\SysWOW64\Gpdennml.exe

C:\Windows\system32\Gpdennml.exe

C:\Windows\SysWOW64\Geanfelc.exe

C:\Windows\system32\Geanfelc.exe

C:\Windows\SysWOW64\Hlkfbocp.exe

C:\Windows\system32\Hlkfbocp.exe

C:\Windows\SysWOW64\Hbenoi32.exe

C:\Windows\system32\Hbenoi32.exe

C:\Windows\SysWOW64\Hlmchoan.exe

C:\Windows\system32\Hlmchoan.exe

C:\Windows\SysWOW64\Hbgkei32.exe

C:\Windows\system32\Hbgkei32.exe

C:\Windows\SysWOW64\Hehdfdek.exe

C:\Windows\system32\Hehdfdek.exe

C:\Windows\SysWOW64\Hbldphde.exe

C:\Windows\system32\Hbldphde.exe

C:\Windows\SysWOW64\Hejqldci.exe

C:\Windows\system32\Hejqldci.exe

C:\Windows\SysWOW64\Hnbeeiji.exe

C:\Windows\system32\Hnbeeiji.exe

C:\Windows\SysWOW64\Iacngdgj.exe

C:\Windows\system32\Iacngdgj.exe

C:\Windows\SysWOW64\Ipdndloi.exe

C:\Windows\system32\Ipdndloi.exe

C:\Windows\SysWOW64\Ilkoim32.exe

C:\Windows\system32\Ilkoim32.exe

C:\Windows\SysWOW64\Ipihpkkd.exe

C:\Windows\system32\Ipihpkkd.exe

C:\Windows\SysWOW64\Ibjqaf32.exe

C:\Windows\system32\Ibjqaf32.exe

C:\Windows\SysWOW64\Jpnakk32.exe

C:\Windows\system32\Jpnakk32.exe

C:\Windows\SysWOW64\Jekjcaef.exe

C:\Windows\system32\Jekjcaef.exe

C:\Windows\SysWOW64\Jppnpjel.exe

C:\Windows\system32\Jppnpjel.exe

C:\Windows\SysWOW64\Jlgoek32.exe

C:\Windows\system32\Jlgoek32.exe

C:\Windows\SysWOW64\Jlikkkhn.exe

C:\Windows\system32\Jlikkkhn.exe

C:\Windows\SysWOW64\Jllhpkfk.exe

C:\Windows\system32\Jllhpkfk.exe

C:\Windows\SysWOW64\Kedlip32.exe

C:\Windows\system32\Kedlip32.exe

C:\Windows\SysWOW64\Kpiqfima.exe

C:\Windows\system32\Kpiqfima.exe

C:\Windows\SysWOW64\Kibeoo32.exe

C:\Windows\system32\Kibeoo32.exe

C:\Windows\SysWOW64\Kamjda32.exe

C:\Windows\system32\Kamjda32.exe

C:\Windows\SysWOW64\Kidben32.exe

C:\Windows\system32\Kidben32.exe

C:\Windows\SysWOW64\Koajmepf.exe

C:\Windows\system32\Koajmepf.exe

C:\Windows\SysWOW64\Khiofk32.exe

C:\Windows\system32\Khiofk32.exe

C:\Windows\SysWOW64\Kabcopmg.exe

C:\Windows\system32\Kabcopmg.exe

C:\Windows\SysWOW64\Kofdhd32.exe

C:\Windows\system32\Kofdhd32.exe

C:\Windows\SysWOW64\Lohqnd32.exe

C:\Windows\system32\Lohqnd32.exe

C:\Windows\SysWOW64\Lebijnak.exe

C:\Windows\system32\Lebijnak.exe

C:\Windows\SysWOW64\Lcfidb32.exe

C:\Windows\system32\Lcfidb32.exe

C:\Windows\SysWOW64\Ljbnfleo.exe

C:\Windows\system32\Ljbnfleo.exe

C:\Windows\SysWOW64\Lckboblp.exe

C:\Windows\system32\Lckboblp.exe

C:\Windows\SysWOW64\Lhgkgijg.exe

C:\Windows\system32\Lhgkgijg.exe

C:\Windows\SysWOW64\Loacdc32.exe

C:\Windows\system32\Loacdc32.exe

C:\Windows\SysWOW64\Mhjhmhhd.exe

C:\Windows\system32\Mhjhmhhd.exe

C:\Windows\SysWOW64\Mcoljagj.exe

C:\Windows\system32\Mcoljagj.exe

C:\Windows\SysWOW64\Mpclce32.exe

C:\Windows\system32\Mpclce32.exe

C:\Windows\SysWOW64\Mljmhflh.exe

C:\Windows\system32\Mljmhflh.exe

C:\Windows\SysWOW64\Mbgeqmjp.exe

C:\Windows\system32\Mbgeqmjp.exe

C:\Windows\SysWOW64\Mqhfoebo.exe

C:\Windows\system32\Mqhfoebo.exe

C:\Windows\SysWOW64\Mjpjgj32.exe

C:\Windows\system32\Mjpjgj32.exe

C:\Windows\SysWOW64\Momcpa32.exe

C:\Windows\system32\Momcpa32.exe

C:\Windows\SysWOW64\Njbgmjgl.exe

C:\Windows\system32\Njbgmjgl.exe

C:\Windows\SysWOW64\Nqmojd32.exe

C:\Windows\system32\Nqmojd32.exe

C:\Windows\SysWOW64\Nhhdnf32.exe

C:\Windows\system32\Nhhdnf32.exe

C:\Windows\SysWOW64\Ncmhko32.exe

C:\Windows\system32\Ncmhko32.exe

C:\Windows\SysWOW64\Nodiqp32.exe

C:\Windows\system32\Nodiqp32.exe

C:\Windows\SysWOW64\Nofefp32.exe

C:\Windows\system32\Nofefp32.exe

C:\Windows\SysWOW64\Obgohklm.exe

C:\Windows\system32\Obgohklm.exe

C:\Windows\SysWOW64\Ommceclc.exe

C:\Windows\system32\Ommceclc.exe

C:\Windows\SysWOW64\Ofegni32.exe

C:\Windows\system32\Ofegni32.exe

C:\Windows\SysWOW64\Oqklkbbi.exe

C:\Windows\system32\Oqklkbbi.exe

C:\Windows\SysWOW64\Oifppdpd.exe

C:\Windows\system32\Oifppdpd.exe

C:\Windows\SysWOW64\Ofjqihnn.exe

C:\Windows\system32\Ofjqihnn.exe

C:\Windows\SysWOW64\Opbean32.exe

C:\Windows\system32\Opbean32.exe

C:\Windows\SysWOW64\Oikjkc32.exe

C:\Windows\system32\Oikjkc32.exe

C:\Windows\SysWOW64\Pjjfdfbb.exe

C:\Windows\system32\Pjjfdfbb.exe

C:\Windows\SysWOW64\Pmhbqbae.exe

C:\Windows\system32\Pmhbqbae.exe

C:\Windows\SysWOW64\Pjlcjf32.exe

C:\Windows\system32\Pjlcjf32.exe

C:\Windows\SysWOW64\Pcegclgp.exe

C:\Windows\system32\Pcegclgp.exe

C:\Windows\SysWOW64\Paihlpfi.exe

C:\Windows\system32\Paihlpfi.exe

C:\Windows\SysWOW64\Pjaleemj.exe

C:\Windows\system32\Pjaleemj.exe

C:\Windows\SysWOW64\Pblajhje.exe

C:\Windows\system32\Pblajhje.exe

C:\Windows\SysWOW64\Pififb32.exe

C:\Windows\system32\Pififb32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4060-0-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1840-7-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Pjjahe32.exe

MD5 541b7498838fa93e5c1878214a2a2dae
SHA1 8d4cea6fa2350ec05737b228b001aefab9d4333d
SHA256 0a816a7463ce14731bc5032fce6b29711915080da85441cbaf7fa8291d7d99dd
SHA512 a6acb96d0c5b91aa65eda93e3c1bd7830205ab870b3294c19b26911cadfe340d74e33428816959d08c2391311d4d91ccef92085efc563ea4217e193295c3da92

C:\Windows\SysWOW64\Qcdbfk32.exe

MD5 fe737ef568e02264c7c6a604a0934659
SHA1 434e46ee2a74d8f912618f04e3109dca1573ec8c
SHA256 d308e2df83fb59191c74a5a6bb340ec0699223e4b61f025aecf83e8ad657c784
SHA512 b1e82d4a9c8d8753bc5ba2ed95d646199f517b924592cb08019cbba083cef412f3bf8359577b0baaa4ba17bc96e229277f602baa81fa879f7c0d7787b26714da

memory/2856-16-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Qqhcpo32.exe

MD5 fea3e416dce7c794836c3d2c6ef4a4c8
SHA1 a08d7e9d1fb4edb6397f716042e8ac9eeed72a9e
SHA256 6421ee59cacf9c43bde7b96c7f0718d5eb9acd928cfe815bf99ab252f9f8e6b3
SHA512 a4869b9a2c641270ddf07e9e9a1b2d9ff394f7c138ce61c7fab6a82d1db6ed61cfc9b8895f9711b6103f326212bd7fb40782af920e17b1d8bf8a58d5ada373e3

memory/4832-36-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Ahchda32.exe

MD5 ba904cd9e3606d8be519bb3198feb21d
SHA1 cf755339f43a673d05a8407ce9feeb868f2ce84f
SHA256 c8ab5bb51e63b0fe936652fbe8f5f1a5ca40dc7aa3e21307eddd79c15add56bb
SHA512 517e34defbf51d3655b79b12b1d1a08c005eb4002e6271baec79886676e4f90b1d433c3860634c56983e6418dc916193fc37273576559b28600e06f86e33cb94

C:\Windows\SysWOW64\Aompak32.exe

MD5 87d8d72f80e9d52a5ba845c38bbcfc45
SHA1 78f67de82248e73dc55a15d5bb9b027da6b6130b
SHA256 33387ce120951f78139063ec7bf6b1733176df8506691939b21dae001f16bf9c
SHA512 e47d5f5d6b93f9bbc626e734174d7360b82a12d5b52f38018b6fee2ccee4138b65ac8f493235c88828886521562ad516247c0168a4ef81df3c9b0b43b552c6c2

C:\Windows\SysWOW64\Afghneoo.exe

MD5 d0405ae593f44bf403ddb6f0515a86a5
SHA1 627b789fcfd36f849b2dcc72f029ed6af1d08822
SHA256 2108e69d12f903b00a4eab0bf1ecd23b206431531a1842dc497d353e13ead02e
SHA512 56a5c8ec836423ad05fb5701fa7f0ea092adf1097edc3b58e049e8531f79e8b97d51724392ff3a196e9fa0e199a66753988604eefd335a9daace3914c58ae330

C:\Windows\SysWOW64\Aopmfk32.exe

MD5 684a62d7fc8bcd39ed5b835b2ab9659a
SHA1 e4c33ded67c5e67f4699ed5c27f555e3fe976405
SHA256 cf7d1e7f3397e55c1e2d572b784d666fe813eea7ec5f401581b9e7101ac49e8d
SHA512 06eba27b01dfde9caa3569728f95581d03f9abe511448d5db2aeec8efeaf6d15ae463a4749be496e700c18958db774fe24a0aa616df958f716e3d9a82eedf34e

C:\Windows\SysWOW64\Aihaoqlp.exe

MD5 60cd09b21f258d40579a1956a5c850fb
SHA1 929d27c3b5522b76f12bf9480fa2edaedce82746
SHA256 cc30a303fe675ea85572904468ac455637f95381a38d0f180516a1c55f24b586
SHA512 23e448c50b96f47aa606a7a9e88ad8f8d4b264a1e96211bec1c90362521f5fcec003db1b280a4513e586e51152a7d6be4a4ca54db6c10bdf134b8ee3710956e7

C:\Windows\SysWOW64\Afnnnd32.exe

MD5 8bfd9064d9ff2390da4dc49064ad1be0
SHA1 f9de9162a4faefb61fe41406439d5fc61b7109ec
SHA256 9951a2b9142abc45d8f481c0859e9eb778ebb58c51f2c23a58a67ccd9175bdea
SHA512 064bf713e189d83eb587580104160859cf7a2f2a97c565b2e7fea10083271d072e2df6a629caec585273c5e1c1da5b98abbfc0198ea4d227d955d86b1b55b6dc

C:\Windows\SysWOW64\Bcbohigp.exe

MD5 c56f8d6753c153cca01a6a4fcb24a9fb
SHA1 37840fccca3604e374f29fb82e2e36490823020c
SHA256 b90bb4127fd99328364618d21b780b719eb917c948faa943ae1f2274579383e9
SHA512 55601a6d5544e63576845bf82789dfd60a7ee28d838c2176e8eccc49a70a4059cdb43ff5a64a247b607931127dcd484673bcda4958054d4a8e0607e922144e51

C:\Windows\SysWOW64\Bogcgj32.exe

MD5 bda5a96d0fa908ef6857d6a0d503715f
SHA1 d6941548f127c640b1daaae426ca78ce300866c2
SHA256 3788b8f59fa5d2b0ef6b2ec65b93f11bcfeead9e8cc67f3fde3f865b919a79cc
SHA512 c3e10e4e8a92bd0dd67272914b2544b4d4865bf07e3ff41d035ad17c8f71ae49d97c6650f41c328c82d31191dfcfea16c2a6e517af3633a6cc34c41c3fb410c7

C:\Windows\SysWOW64\Amhfkopc.exe

MD5 87f55eb2b5b4a5cf8494c1e0a2499615
SHA1 69e13769dc69343cd10fa6569bd0be9b6c36e5bb
SHA256 8beba34de586897f6d2d878f1586ff8e76ec8407d19c4e59b8c400395a2a9812
SHA512 70f26fb7ba3915ee8f2141ccd74d5f92fc43efeeb2f888e223480b49b28fc984b252080cf663df141f04fdde2c5918c6f28d7e3413614ee8f25a0bc3801f8c05

C:\Windows\SysWOW64\Ajjjocap.exe

MD5 2175b95ab0ad6cb83aa11927f28302a8
SHA1 d1de16d87a73800132137225d3283066400e7d11
SHA256 5596702387d96716e7c9bd1f67f95471395b6fcea42393dedb64e313156bd85c
SHA512 5fb27f055c500b48c260969dcb2d84e889aad03501a5ff569f0852b91a5b49f4c8876946b4454077df13295d3cddc14144d5de3d18114128ee8398a6974013af

C:\Windows\SysWOW64\Aglnbhal.exe

MD5 a922e1b9ff53d8d0880f06d6f8144bc3
SHA1 63ef62115dde93aa57b8496a43d627608f970b15
SHA256 c5db535d534deca6fbe88519c8b56ad624adb30771857d875ccd02e18cb5274e
SHA512 29b1f9f9f13637fbbbfedfbc923f3eb8d2e4b66e1df242b14d61849d21ac2cfe7d11f4b38cd64b07a1820a8e51a7e8e70f29d0e5c48f20788bf3280fbc515d2c

C:\Windows\SysWOW64\Acpbbi32.exe

MD5 3facc2edf3db2060672fea520c18eef2
SHA1 716b4515a2a56563c56fe78e5837fb72d61aa559
SHA256 4c338420203d4997361a30593e73aa762b48150657be36abc05029656d555241
SHA512 b2d28cdde26279dbe20cf936bb5ef3ff7ca81df03e4619c7c6d41c27ede7cdc7b00bd563244ff6bd83006b138d5a754fb6096d7107dad5dcb05aae7752a03ac0

C:\Windows\SysWOW64\Aqaffn32.exe

MD5 4036b04bad9232429a3a48a1981abbfb
SHA1 6c385b4e9ddeca1ab89e9dcc39d31cb247ee961b
SHA256 34d013977b347f57192ed8da3053c83ad42f65540fe29edb196bdbe3d03b062e
SHA512 4dd539c00d7df200c62bf91e6525ef967b47702cb956e5e641eb7843954c993d489ee87ec0d8e0ca0e68675d97a6a35a57cb3d6dca543396678acb7886239544

C:\Windows\SysWOW64\Amfjeobf.exe

MD5 654e33afa73fe284569d37da09c0e28e
SHA1 546081766cb2e1b644bc105782c3c18df8e88560
SHA256 347e1101f8e47faad5fa21d25eda214ff4ffe99d3eae464dba23832bdd0a167a
SHA512 e8da769bb8f4236f58e3cae76915d3433e2e8372ca5509a68941882124205afe8037be6b37d960c5b84f071705ce57c47bc0b6c660ce94c76691f4f4b3e92df7

C:\Windows\SysWOW64\Aijnep32.exe

MD5 81945d976abec33b63dc4ebc90654910
SHA1 858f952ab5df7af828a04162e2b088ca6ce0c81b
SHA256 ba269fc7484e60690909c9a786bca00f7c9a5ac1e0d56111a1d8e6df98104c44
SHA512 8d4874d07b1d1d7249dd159a8786fca9d0f4c999d15e1cc34312e9b39d93ea5d4c95abd5c5158f26af81efc59647bfefb0de82cbcb633676fdac4c6e45c46ddd

C:\Windows\SysWOW64\Ajhniccb.exe

MD5 0fd19401d923b9dee95cf9d02d33631c
SHA1 82ac271128429dd2048fd8c1a0616546687adc35
SHA256 c3519e99ba8e47db96cfdeebccd9ac8f29e15d5f59ef2f876473add87f1296a8
SHA512 0d97533505a719274fc430a71d5bdb69aebc5d6e083151b4cb66edaa8250e5131e40890b482192c761302246bc2a26799185ffeeda0dc67ac3236c9d2636dc3c

C:\Windows\SysWOW64\Aflaie32.exe

MD5 85b02a79c4635d2a664964bcf8202134
SHA1 5553efb6649b45bbee4d812d098feefabfbecf2f
SHA256 e2820beef5fcd16ce48569ade3e5fb6721e2d7e791c644cd3c8177f7c627f4fe
SHA512 c54b1bf8512955ca68a433a97c1be3c04535afad654244b4409f41b6176e45ffd23d8ed67715e7abcc39f5f1c2b60163239c220898dd6c4babf271a0280a05ec

C:\Windows\SysWOW64\Acnemi32.exe

MD5 c4a576c4721fdd58d37ca112fe0a6992
SHA1 a1e7da5a17d09203ec3b30bbe75e60c25b762711
SHA256 d692278ac422a62edd342d7519065ebccfce9bd8df86c0ecb550d21ae1727ffc
SHA512 1cfaba2d7e07f4488514efd46e5bc4aacc8a841fa6ab42bce7d04b7f8f3aaf5006ef78fb8b1bd05245b741ba356208ca370e3a5367a9ef99bdef5f2134be682d

C:\Windows\SysWOW64\Aobilkcl.exe

MD5 1647337cecdd7d9ba9ce5a035b4f57ae
SHA1 dd14fc5ddc61abc23d7481656be5aca8ab5cc221
SHA256 eb6e8f93ddb8a656d0fd0d04d788543757e72e7cb0d82d41ea51faa47b4c844d
SHA512 31535523c7072819ebac95e382ed2da7603f83d1a9c2cb77e8c49469222fd14c6399679695287bbaab94610224ee3c6ddb840e5c2c5b52d3cf5d8c16359753cc

C:\Windows\SysWOW64\Amcmpodi.exe

MD5 6ecc15dde893c19f0e4d2e857e939914
SHA1 d923158b5d85c26f533dca725bf02145450d039f
SHA256 d93bdc6254c78842a94230f5b6ab86c34976d13849a7c78ed71c04c5823267d4
SHA512 da17b60e15c3c05e1749066d8cc6291da204186d1ab86ab2f43e508becc66c188c20229d750a87b75c4fff4ff29dd04bd3f173cc49169d2b444b476cf98c145e

C:\Windows\SysWOW64\Afjeceml.exe

MD5 b22286651757ecc1d25bffb711f6b44f
SHA1 b9378e6971333f9b52a6abce5ca11647cadcf75a
SHA256 31910840a37286a01dde94fa3eb43472156a718c9e06688e9a3f15ca72fc2f2f
SHA512 619a50df34b88b1ad359b0387fb78d5e246e4106f17587ed574f6077fe4889bd599bc6288f40802cfb20ca3bfd6cbeab8c9d1ad83ebad072852370471d93a404

C:\Windows\SysWOW64\Ackigjmh.exe

MD5 8195ded3c07af452eab09a8307ea428c
SHA1 5dd4df0f4baf3dd992a79a3838634c3f2efb0567
SHA256 7f66d19ee517f570cacaf58154785a81852a76418296ccd4cbfc4ec93f37a463
SHA512 4b606c07882d444436c63ff18ed56343736cc83bf55ced51a67f1f201fd448037609685f3d21472258fe5a59dfa2154e9307756edd99738b834d53b994f5847d

C:\Windows\SysWOW64\Amaqjp32.exe

MD5 0191a356c2f29ab87510e37aed8cb049
SHA1 6b320432266d4d9aa56034052fd74f929abb4d38
SHA256 98c3e382a7762fadde565e34750f2f32d9a33cf09655923510d1813cc53ee0c1
SHA512 76060eda8e2ad83b285a2e26bb0ef69514bf7a77e3b65ca579aaee606bee526acb153a47bce244e14de2b55a649355eaffaebb88e3e9ad2cb4c37c3a7672e5d5

C:\Windows\SysWOW64\Ahfdjanb.exe

MD5 882b33702ea353c317a2860e0ff22a3f
SHA1 3c50184a4ebe5595d1004334403c61d13b7a53e9
SHA256 144e1d2f76f607ddc07c592e334438f793b145aa93f82bf8752a052728b9c39f
SHA512 8d49d616536db20c605b7c8dca5f5985dae8100a84893f6ba00679525c6bd87789679394d2644bfd0bce81b4a95a0599526df0990c525f9df15bea59f9ff104c

C:\Windows\SysWOW64\Agdhbi32.exe

MD5 8d889f75acf23a70b9e0b817829a9245
SHA1 fe55f0a8dddfeef4933d0944753f8233d5198f7d
SHA256 88c628d6d80cfc74fe3ca7e782fd35581d680ad32a0389ed6452dca5ad730981
SHA512 bf2aef154631378b8af53aecfd41745d2c33e7928d0da19f110eb5aa7fa89e72974296e0b78d9eef6f2617412606bb4955cfad1551e194748334b36a785da725

C:\Windows\SysWOW64\Aqkpeopg.exe

MD5 55dc8b23a3221ae10599523a51f371eb
SHA1 d27a1f71e43fb128f440031b23702e1f5ba09d93
SHA256 4e11376e0c0f6588ad6801348af760e862386299f3d77c178e7505dec16feb85
SHA512 46e230acc6445ed93155993cae8d63c6226167ac72756e7d352a56e144bc0d01eef5eb4269811bf86d616e747b17a3f87da2307a4b0e2dbb6cf2c77f8ebb844e

C:\Windows\SysWOW64\Agbkmijg.exe

MD5 0c508fc56d35a00898cb4d4f7388d6de
SHA1 943ab32bb02acab930cbe69180c7932d47154a15
SHA256 534f150050619eecf42b75afd54ae10c358e8e703cf33a6b52b433943c35515d
SHA512 302a478207a474554f7dfd0d569761ce37926be4f1ffd811eed5645206ac89ef1d3c42fca387533fb360b0ca780bf725aef667a81cc1f9410eb2f5d2fd7091ec

C:\Windows\SysWOW64\Aokcklid.exe

MD5 3c926cfaf325de1d4126f98b4f11c0b1
SHA1 fe66e82d870b5440aabeae094900a088a4760d12
SHA256 f6839a0ec40beec040cfe0f36c88dd979754e022d78ffa29b10a8246a157a39e
SHA512 8e35d75869b5933390ae63301cf55111bb7ad0d1fead95549f1103e3a882ad691cbea97a1fb179bedc3782b5ee3371ac87f923eea82b38b870cf9ecb525b15f2

memory/3144-35-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Omhebonp.dll

MD5 4b23e1c670bb47b08fa5fbfa50e27545
SHA1 ed36ab7c2e114f34acbca70cdb27a5dedb69f5dc
SHA256 2a90ad6e6a948cdb42dfd8491011e83bcd80a096f63760572efd37b6a3bcf462
SHA512 2a80ff7175824a45b15d0faf62b4f9fcd1130c16392a42048e762ff067a8eec03d92e9b77c5827f0584d9f17bd19a4159919ce843d80e89066f314281297c157

C:\Windows\SysWOW64\Qfbobf32.exe

MD5 7e924dad606af5b1ae992eefaefcd1ae
SHA1 598c65b80c1d5ccb373c1d561005e0da5fd4785c
SHA256 9f31ffee415b2bbf35b120f968ba38931a4f03b92b5a6e42c173d668e97bf388
SHA512 7a9cce4f44efdebc4396a18782934c2a97244437e6064e448f6b4d3ab0f9b366df5e922f1bb5500cd28a6d91f898a5aad0819a717d1273f7d9804758149c78ab

memory/2320-713-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2308-718-0x0000000000400000-0x000000000049E000-memory.dmp

memory/980-725-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1272-723-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2944-717-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4576-716-0x0000000000400000-0x000000000049E000-memory.dmp

memory/740-715-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1220-714-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2800-712-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4072-711-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5092-710-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4052-709-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2936-708-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1884-707-0x0000000000400000-0x000000000049E000-memory.dmp

memory/684-706-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2288-705-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1880-703-0x0000000000400000-0x000000000049E000-memory.dmp

memory/560-936-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2184-939-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1068-938-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1232-937-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4456-935-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2280-934-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3720-933-0x0000000000400000-0x000000000049E000-memory.dmp

memory/844-932-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4964-931-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3112-930-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4520-929-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1868-928-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1668-927-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2224-925-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3664-944-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3340-947-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1620-946-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3780-945-0x0000000000400000-0x000000000049E000-memory.dmp

memory/964-948-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4996-949-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2804-950-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3236-955-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4696-954-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2108-953-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1796-952-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3876-951-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5880-962-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5912-967-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1580-976-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5456-980-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5392-979-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5320-978-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1624-977-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4136-975-0x0000000000400000-0x000000000049E000-memory.dmp

memory/6132-973-0x0000000000400000-0x000000000049E000-memory.dmp

memory/6096-972-0x0000000000400000-0x000000000049E000-memory.dmp

memory/6056-971-0x0000000000400000-0x000000000049E000-memory.dmp

memory/6024-970-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5988-969-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5952-968-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2964-1086-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1360-1091-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5464-1093-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5360-1092-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5176-1090-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1704-1089-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4924-1088-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5028-1087-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Lihpif32.exe

MD5 ed9fd1f8f8c65e8e9811e66e68a76825
SHA1 0242386cf4859479e1066f6057a08e26d1087c15
SHA256 d4833fe05a9e657fe4f1d80c67013a0322ec627922f14bca7a91ca11d3253073
SHA512 158fb0c64c48b1fe4534d7ec581d39d41082b20c21fbd9eef2844ad4b78e17e25751a7d7a8f4cdd2f37909e06bc73468d1f1e8c52d662bdb8f69c8649622bf24

C:\Windows\SysWOW64\Mhafeb32.exe

MD5 0083c0a274a3daa96fbac9edf261d7d0
SHA1 afebc91354201b7f493571555aa432dac5836bbb
SHA256 da8744d7f56b031d47e11a4f8fa9e2312725df0a8bd3120c8e77e37e79ce9d5c
SHA512 3e79583134fa6db821fcd3e043105dd7dffa04b35921c99d411380e986228fe1d8110b3044a8d378cbf598dc09689c85d5d04b7dd311a68e5a0aaa894a5a773e

C:\Windows\SysWOW64\Nlfelogp.exe

MD5 f314dd05a2d4d9a352c74025da508dd4
SHA1 58d6c57293cfb99f708cac28b6ddbbce4b85affa
SHA256 a1192aa7c3a7c71924d4ab6eb94cfd8635e5a66d523567e17c350c2a127f66e1
SHA512 cec0398bf97d61184eebb3abbc708143881e97bc3a18aff740c67182bc0ab629afa9994774f218311d8d21fd23b8bdf18098db2683f7fd6d660a93b75aa0ced1

C:\Windows\SysWOW64\Nhdlao32.exe

MD5 4f52e5601f76a66a1660b97f40bcf39e
SHA1 be3362f7be4871627c90aea6474918ce5775b79d
SHA256 8f2c6ce9a3230c3cdc95721d98b6b98db2823c34a2b012bd7811c6773c138656
SHA512 02fea5095fa922b8cd11f0f6d1078da95c4ada409e502427929ed42437f7a8983459e5476ed442d3b32470928bc519ab7a9201699c25f9840c8db4ea485d491f

C:\Windows\SysWOW64\Ooejohhq.exe

MD5 a792162f77828382dfd6ec24d314dee2
SHA1 c1d1799e3dcd4adc23432b323d31d6c7cb28acb5
SHA256 a96f45d745be540511666e92155e79678acb9c1231991374633491dd8a72fbb2
SHA512 bdf5ebbd072b108b734c77d6ed1e029689b76f27171fcab41e1a23c9d8b0e08d727a6564d50cc6d53ff4082876d22ac68df5ef7b5d8463d26ef0ecf29dc6e3db

C:\Windows\SysWOW64\Pahpfc32.exe

MD5 3fb5f960fa45ffb7d8a9da4548bae31f
SHA1 8c3227ef27de1aa6774396b5cffe41863fba4964
SHA256 ee35e44208eb059507ea75fee1a08ce4b8d16b24b119937dfab671db5dc1b29b
SHA512 c0be1bd3a5691df590262df65c79edb5148e92c897f95fc0e48132cc70b4befec2476f663caa9ce3eab5c6a0b64d9423775261c332255be21a194932ec58b67d

C:\Windows\SysWOW64\Plpqil32.exe

MD5 cfb8cc60e5c151893722850cbd7362be
SHA1 c9385f14a13f1c16d1fd79b8ada8cf1a90d10b6d
SHA256 5590c6a06535377087babfb40e3333f2cc62bb3ac75035ee718b6f83dc849da2
SHA512 c6649740ee19199f69d705caacdf66b49d7f9cd9968f055b932136e9e48c00b337e84daf7f6139e879fc86183143967113e3c9b3c4080eda29ea8fafee0f7c00

C:\Windows\SysWOW64\Phincl32.exe

MD5 49cb53d49adce102dbbe88e4a8b1f893
SHA1 11d7b6c3db3fe76cbaa2e0142ba9d452744c3074
SHA256 d52db965ac4124eb1c530ca63c3bc4a3b94fb74121d362bc113a1fe1e88a27f1
SHA512 af836afd43d500842f18d211736aa2721fd9afa730d5d5b1a432acace63c6459b7f92c863c3bb8dbfa0280575427694350beefccd9385e619e2cd1e539abc32b

C:\Windows\SysWOW64\Qkjgegae.exe

MD5 99690a3c861d4662f0195a14baf31706
SHA1 ee3f3d616b84b27577c6d5c26e696e93c88fcbe5
SHA256 2fd3ccb35df61b6d63d4ae40d6d638857d7b8f4e945ce15b888e41e777f7e0d0
SHA512 5df5ddef2f895e5063504d846aeba83a7195c8a53a72ad00277341cfbbdf911be3ec68b75539eaaecb30cf3676e9617e012b150fb8f4a67ee737c8d668fc5441

C:\Windows\SysWOW64\Qhngolpo.exe

MD5 5e9708fbd5071e12fe52e8c3a2481245
SHA1 5be66c237350fd51f6244c6715cc4a4548edd141
SHA256 837599526a192c2a6adfb71ab84d98da772f3c9ba9b53e1f8af5eb6dc52a0ce4
SHA512 3f8ee1f3f2539c5196cca70b546eeb63c4cf5ba1d75eef1d11b2d2c5a98fecc585e653f86bd5c6b8ae1bbe551739e698cb5727e43cdd0b8216688587aba2a710

C:\Windows\SysWOW64\Cmjemflb.exe

MD5 ae8f2176865f006a41e681f792c9e736
SHA1 6abe60acf3a68845d391105de2287c63afcfacf2
SHA256 1463c0a2b1a705b0f42ab8a9c88e98dc1195441ba9c2e72c50b23c4fd38728ca
SHA512 70f9929dbae30621f716d42d7248ced314a1c2a7f774f30c7a2ec10b76d58dd6eecd5e8a4dbfffa457aab816b9946decbadad8c9aad6f6a51e0af10c50b89647

C:\Windows\SysWOW64\Dfefkkqp.exe

MD5 11053bbc234a1004f54369423b95a45b
SHA1 2612dbd0c11747c19b84d365d5721132e1ccd481
SHA256 6abce6fe78b014295810250bf4f1a9a075b0671413f12706eca97910252442b6
SHA512 9c158bac0b3bd3f11a36443fbac1ed25bed09a717bd26cec75fa85665273a9f36cb39c8615dd2d8c40bbfcd06860e98e7df483fd87ce8e3efc5ad1616ef9fccf

C:\Windows\SysWOW64\Dckdjomg.exe

MD5 537b6f2cef7abd7fa1c2d90ade894caf
SHA1 4a13a7b5a6772dcafb9abec9bc2d814882dc6adc
SHA256 05a75dfa6a6f0f0411a389eb42a12108cef48d8cffd82161a664ada0af5e67b1
SHA512 48d59a32afec643eb3c6a605d1514a8096fe00e6e09e62140bac25637c1e56dc214ddb2c0ffda8df0adfa362ebb54e9a0e085bb5123bd5d02f3a72a12d335c04

C:\Windows\SysWOW64\Dimenegi.exe

MD5 7f98a3607f00d3372db4c3f8a3666094
SHA1 f5a98868340846994f0bd5498888eb242a111ec0
SHA256 2d4f1c83b0c3d203d4b01c080fce7c853902ea04907be4daa986db5414fbe49b
SHA512 596568a4c09b20a9205b3b500907bd93a43d2e6504e6b2ecd9465b7c90a33017cb754554bfda1dfc69d527b9abc492adee41303873b74b6cf5d9ece949ca795b

C:\Windows\SysWOW64\Ebjcajjd.exe

MD5 2b03882d887804508e9b34eb6b819bfd
SHA1 6008fc3fc379b825a2c24265c4f356d3852d69fa
SHA256 c4457ed92e3cb0c31ecaf6f4f1bf357bcf86cdf56b7b068b7a7dd92bcf73a221
SHA512 0e02487365f1dca1f754f6e070b51aaf1887d27407d7f3dc07fee2e640f4945be119002888c1294bc60aa7c6c623abdeead63e3c13ce7090b659141bfbc68de8

C:\Windows\SysWOW64\Gmbmkpie.exe

MD5 0c3552120c9e9a215eec39cd99372d0d
SHA1 df7ca4d44d165c51b7425704237f2e4bd38c757c
SHA256 f1daa33ace2dd92e32521a15b26bddc30423870d243eb4fdc69e6689ba299d61
SHA512 d80d8b5edf5c94693318d053427bbfad033389b495b47db39d6b2bfff5a3eeff775560ba178537c9f6bdec7094b213d0cc4d6743faed5dca6c9f93ff7d3d4232

C:\Windows\SysWOW64\Gingkqkd.exe

MD5 0cfab99b1975735da3971d8a2b848f85
SHA1 95ed899a539247fe49729f1eac6b2f6a2d07a7ba
SHA256 b1bd6683dba9bafd2e058ebcee61212e7d192a20443458be423c18a58c53dbd0
SHA512 596819d41925833b08b5dcfeeef7fbaf2f14e07105517db7d2ca20194495ac62b24e57828650ca92637a035c88df48e601f607ae59f632b205c8e8ceec821b6d

C:\Windows\SysWOW64\Hkicaahi.exe

MD5 6b940e13e53d2d6935fe39f28bf4ed77
SHA1 56e226d3a134ba458ef884bd52c7ff6edcd508fe
SHA256 26dfd6d4fb7debf2fe5c2c60c62c1837c1c0137c494dc5859fd78346e56bb2bb
SHA512 f1fec9527edc29412715bcc99215f3c81e082ac5b199991d1c45961b5dff7c81b045243233b8045a7e432822119d6f7fca96b1a8407ea5d922d60568f67d677e

C:\Windows\SysWOW64\Jpfepf32.exe

MD5 4dcb35484c9ad2ba4342a9194bc4fe7c
SHA1 843b66a7cb07c975987545d6152fd98512521343
SHA256 93c87ce8f973fb33c8daf7750a6076863f3cb7a3b3a9cf99f1970ebaab852c13
SHA512 a5958306cdd9b529de72d0b3fd463e2305adf73167274c8b828fb4c625931c52213520a76d95d5e27738b4e38e40c1d66449e67563613e6672fc5de5281af3de

C:\Windows\SysWOW64\Jddnfd32.exe

MD5 b3b2552b8006794f5e2968589de21ff8
SHA1 370ff608f6f47752b9d49d37e9a3e0ce8d4a0767
SHA256 86e1d2fedfc651b7d9043877f917b10205dc3e6b24bc9cb9795378c3c3b42806
SHA512 fe7f0f26042e2139b022657c1e970ce5b2cacfe8e2ac0bcdca1078db42e91a8d7fd4128960d424f9c2b9c85f1db4339302394b068ef35b032580bc9316503d83

C:\Windows\SysWOW64\Kqphfe32.exe

MD5 538d5065740895c30eaaaad537942f38
SHA1 206e5ac53da312c302cba12dbd7e7aeb6dd2a7e1
SHA256 7232855700dec744f5f9729234124ba84ad96a3477195e8b736c1f3001a26137
SHA512 6df4a6e4fef5fc9e04d46e4f36e0cfab98919b876e76edceafeea5b870880e6a3a413d4d0cbe8817d8e3d92d0cd003233965689b7f3dc4ee3aa34d48c609577a

C:\Windows\SysWOW64\Lggldm32.exe

MD5 4cfda4ed287740cfcf5b428c9376777a
SHA1 51fdb1512a97e9d9512498093c49b3187947a5f2
SHA256 8a159ae73d26f98d735208d04f34981dbb0fa1698bd0186ce6b7e9b4613cb14c
SHA512 f938739490774b1fcbb88f074ba1d79e4fdc56fed7caf935c3459b54255eda182dea8e4c6e89ccc6b729a09038ad61722e0f06179e143436850f1f0cbc688cdc

C:\Windows\SysWOW64\Mkjnfkma.exe

MD5 423e38f036498ed0bd27bb5d6fb260ff
SHA1 24aed3a195ef29a3387f7c6f1fb29ec12528878e
SHA256 4fd6f3aed21c0ca5c511d59c8b8895f4419b84743ae06b53cde68c729b786e3f
SHA512 732356b7542c04faed9e64f15aca630566d904818727bee3ebd8c83870e895070ada37c9528c1a85add029e22956b22e9cb99f2abae6a3d6368382c12eb033e0

C:\Windows\SysWOW64\Mnpabe32.exe

MD5 938795636442247d925a11fb7cf56818
SHA1 a8f662413d9a72bb7372c0d6324cc996ec95c75e
SHA256 add29cee85687dfc54d30bf5f9bd4acd6ba2072ba761e3217eaf70e6a81f5d97
SHA512 d3b10ad4bac792a951e838cbb5e28c31b4c85739efa266acc0205283dabaa10f144486baf986459e7e3f66a6ed369c573cdcc7fabf947514656fbd01d38cd6a0

C:\Windows\SysWOW64\Nlhkgi32.exe

MD5 322c36df2daf260070e311c49ff6000d
SHA1 cb9727b03183848111c92d0dc857a52f8a49ba4d
SHA256 b93a488c9f471b3be62b8c0aef08bb27369542f180536917f5def783ad1b0772
SHA512 d37f934d3466a32c3c6cd08e186dbd0d3cfb03f78f36ea07075870f7f65f5f0a2dcc2dde77959acdc13b6f264596df76e3c14a01d06c865a7d57c7792238e9ac

C:\Windows\SysWOW64\Ojgjndno.exe

MD5 d38228cf21852e9454ae7e12b651ae98
SHA1 f27c2c83586519e4e7e576d2a0328826368625ae
SHA256 7b9a9a13bf346a6b505f97b8dd89423cae31d835c263233cb606578783ad10cc
SHA512 7d1acfd24a3c4c799cb8539c9edad604af7a9487297a76e5e3fed187e90b662ac107dc0ea7e9e08f5b2d91894ca03a941b2c5c1002f670bb5a24e21100dbe993

C:\Windows\SysWOW64\Paelfmaf.exe

MD5 b723e66f4ea3cdc2f0f8c3a42ca4eb21
SHA1 d1555a96d909b50f2605305b867143b66bebe43e
SHA256 aae9697c5b662649b967e5ea364bef5c90d60672bb2c22d3480990d1798beada
SHA512 160494aea99ac52b0835cb70fcd6047cd2d1aed8294f6a289096a203077abdd7a32a97984f908cb5befe5a8d78b9db713d192c2afc9e34c0f99ef50a226ca2c5

C:\Windows\SysWOW64\Pkpmdbfd.exe

MD5 95ffbb9c0203087323a375032bce7e76
SHA1 5a5cd85fd2ba0ef25b5e19e8421a13d0a74679ea
SHA256 3345c3b9cea00ee0ed0f8f674beea997cc5f97609c3557b4162963d13d4998ce
SHA512 81a5e4b58852df2abbc14d0ee4f2a0e472e3a4bbf2d69cb83ee22d16ca6ec017e710d5c055882f629bd801566eddb32dc818264bf842305abffc9d3a2b8f5bf5

C:\Windows\SysWOW64\Qkipkani.exe

MD5 5046e2d77f05fba7815e353b319c16df
SHA1 be8dbec16ac5b55992d5d698f18a980929c9269f
SHA256 4c0c1ee34904293312270cc1d058c6883c7553d83b3085c70071b286c8032315
SHA512 ac8fcb7d5f14b6a409cc52e95ade69e5d63656b6f18863bd9e5f9c603091e9eb3be5a0f1922f51e9ad1a27055bd24e79d8afe06a77f770f875d49efb02bbbe7f

C:\Windows\SysWOW64\Aoalgn32.exe

MD5 016ad5b7b50406809f62bad970b00de0
SHA1 d0ad8ec8404747671f0477a570cc445e21f94bd5
SHA256 172a661065496d4e1ce00860ce9e79d5a469e432929640f27e90230199946d6b
SHA512 6c5f969d88e6d006b4a6efe010d20cf33d8e220a8a99e978da412a262cea6f06b8cc87c3b6dd17c8387d55ffe0d588d49bbe799d552b5318ad8027d5c02e32b5

C:\Windows\SysWOW64\Blielbfi.exe

MD5 b99c9b7f2b8ded56cb338e50cd376760
SHA1 088c654121c411cf086305086c5c54a90d8be2d3
SHA256 f2a6da649a69954370a210182dcd831447c8a47c694e57e88b37013952f39d13
SHA512 103509c7d3c3afa1ab84602a7a3a2f457bce7c0ce9971516c93c4b5a438d71af2d2f5586224d922f1388022a1c8d1f8512dec464bfa1c2200eebb95b64701ad1

C:\Windows\SysWOW64\Cbpajgmf.exe

MD5 a1a5c6a7aa55ac7ceda230447bb8aafb
SHA1 9b1d687e0092fe75ffdfa094f176313d6841ed97
SHA256 938f51093e8aa20153502aab5999bd81e0483aff329aea58c7b37979d80fa7a6
SHA512 97597c79c5adfe30d953f1be4a4cfa70e43f49fff3ebf66806a294d984b6021eb9089c9c9fe9071f372635a58ba839ba23291c15f741068234dba1d17d229dbb

C:\Windows\SysWOW64\Ebdcld32.exe

MD5 d1f920c42e2934e64a44bf2db2e2290b
SHA1 37e7ea701e206761fa7166d2f1053296b5e72f3f
SHA256 f8a5410313390992853a40aaeb15d582b0a80718c83157779512825bbc1c6fc7
SHA512 9684bbc6a213cc9d5b5c6193cccdd892a2292ee19e808755c10f5881df105baca9fd4b50efc1660098279c9bb1fdab7c6fd665afc3d686cd072318d9dd5a5e81

C:\Windows\SysWOW64\Ekodjiol.exe

MD5 34c76880521cec5931987ad55f34eef7
SHA1 366cc4a076842cfebb68a2b2aa4a5e04693285cb
SHA256 1f6d19e681fbdf4c346d754421f20aab27b81e43df21f6fe1f99c05ec1e5a978
SHA512 0616652e7770ba4eb0e65c1f8cd9a71459c6e79b5515e4a7c680f1b1e93a73ea4db02867627bfd18bbe730b909fe039eba03db75553ccf31104e6299ca722686

C:\Windows\SysWOW64\Gojiiafp.exe

MD5 7cd1e32f2b3576879c2a3767b867461c
SHA1 8af4b90ae4762ed2f7b90634b12c7f1a264097ed
SHA256 2524f9a4e29f802c11f4833f1159c3c20a424e07562e8ba22ae491d1e3a646b2
SHA512 e1111187aac0577c30da2cf537d03a34e343e10ddc114c1c6e244f963ccc19cf836d18d981fda0083c002cb9ce1c650a613293db3e680ec8fa971d3695c5f523

C:\Windows\SysWOW64\Hoobdp32.exe

MD5 f333c8ece7a0b41579dcc6b88201b47e
SHA1 7ee7dc38feb15794fc36fd04fd4ab78529ec97fe
SHA256 4884ea516960e74e90aebbee6c54f5e427515176d71ba8ab23c980faa8567001
SHA512 97df8d4513fd17e9f75d3ca5d71ac5a1f804e66aa66928f6876669adbd3f14c51a8f32b535b065afb3610bd83a8f759edaed4cf709933aca842d1a7149a7e506

C:\Windows\SysWOW64\Ipgbdbqb.exe

MD5 e66fb490ff703724ca794efbc8b27089
SHA1 f700be0d06dc457f8c316d5de10a899a9dcf9787
SHA256 6ad1d90266725ed0480aad7f7180a993085352b6b9466e1d9e74c27309c14e9e
SHA512 c53e2bbdc3faaf50367d53a5aa7561384c78f1cc2b226ef94cf13ae16adcb43e29f94a3393a33ce4743806ebf0e9eb4d8159966e0cf761b4acdcbf3f0f18ec3b

C:\Windows\SysWOW64\Jngbjd32.exe

MD5 71f8f21f10a369df56e51c102b441631
SHA1 ee6fad8fab5d9949e80d83073361e8794d47193f
SHA256 25052b2df7bf591a575b1720a36e06183e5d46f8aff394aa760398cc334c468f
SHA512 ffe9ab906fa7496e1e19ab31c04d164b3c2a5d678d95dea69836e8337ca75d25cae10ea5a292dd57d8bdf6a020d3fc617ff59e3fc9903a8cd0ebf6da3e207929

C:\Windows\SysWOW64\Jjpode32.exe

MD5 a7f5cbbe09ff12d5b35dc2c8cc2bd3cc
SHA1 481817dff13eb16144869b6236608b91420edfad
SHA256 7ed2c749478a60b74a8b31ad6a35a0a968effb6dbcc90f10d5d7b668a34167ad
SHA512 7aa3aab953eb330ebd9d005964b78404c3ce9a585f8b0bfcfe33e2c914b6a6530e777a1f22179c8d2350d0a17fca4fc1e585c2665f1285e3949558e1d97730fe

C:\Windows\SysWOW64\Kgiiiidd.exe

MD5 809e6286f69687709c9916aefd0199aa
SHA1 36cc76de2cb62c701bb8008620d353cf1a01032f
SHA256 61793e13e889c24a6315cc0f4dd93bcb97c6499ccd895d793f3ae169db9f2a8f
SHA512 8e761a85358b23c6ea8e25bcda27889d5db08fd8d7c16256e8d11183a825cbc38d962164a475af6d8cd242af0c45fd8909ed1a0e71628d5b51c4c5398afc5f16

C:\Windows\SysWOW64\Klhnfo32.exe

MD5 13e3631d6eb93f78a9ad7fad765823e3
SHA1 cd5608865358d19e4c45e344592236cdad202575
SHA256 1482c6cc28eafa076ea4787ecc6652c8df1dcb76c184cfcf6fdc284a8d96476d
SHA512 d6c10a944a41bcaea103818033d8a8bae4795c871238c66bbdc102aa2126fd0262314a905269694d5f85624a24cb235bc3783e8b47dc3b8887f8e093ce446bca

C:\Windows\SysWOW64\Njfkmphe.exe

MD5 3a97afa6702c214b7275f3c35a4d57a6
SHA1 d3633b3ad285fd9667247e520788312ce5019239
SHA256 48e7fbe97c4a6e7065989f9294e7fdf122d4a041fafc5041b375a4e38e600021
SHA512 7e5e945486829040bc06345fc2d56482c4a8ddbd28422de5f50ddfe1af89266766877c469800b6bf30fe89e629b31d88d38bb042ec8cbe8a5d102b1944a23cc5

C:\Windows\SysWOW64\Nadleilm.exe

MD5 1bdcedd1202cfbd33649d4ca34a2bc2b
SHA1 c9f2a0ef4e6af7e93fbc569c8a749abeae7a04ef
SHA256 e9211cd1467e66d760c3bc5bd7519cd911717bbff52ae5b8301a0d0e3d84c241
SHA512 b4174661e54f9d10a1405597a40308eebd2c7f50c5123585c315657997bbc5d20e8d8cd0ec0e5707ad73b18ec7f308a4a26e23d0cdad2d324f9e824e4ecefdfe

C:\Windows\SysWOW64\Oplfkeob.exe

MD5 2099f340848bd6b559bea604bed38afc
SHA1 e3a9c4f0b67685662b26c80fe8061ea16ebe0fd8
SHA256 854e0df2ad02a04764bb45f2a13d4dc2711da902f8fc0c6a9761d8bf945a528c
SHA512 22f41d81278082503e51ca1b9b0f9f215164c759765de540dadf3f97fa831a5107d6852846c9339ef7a4e95349c85affc02746f01551b2bf038be11ace34689a

C:\Windows\SysWOW64\Opqofe32.exe

MD5 d6c3510470054679479b8a070deeb945
SHA1 53e38bd8da95f83dbfa713d2878a46605fe04022
SHA256 5d708396e8ee77e1ced12886ecf1084d6a3271fb27f75e4bc77f7718828cdaa4
SHA512 97c2e6b7f03cc5bb822642c3e69188f342b232cba663ede155fdb518aceb50083bf6181e093add232423897e34ba911fe934049eb378ab10430c1778e14cebd0

C:\Windows\SysWOW64\Opeiadfg.exe

MD5 bc8cb8eccc5ea3d812c3c2542f793700
SHA1 32acc99eb658599cfbd8ec0085e74349d933604c
SHA256 8ff45fe6bc3fd9f1ccc877d6e5faea4147d3d05bb0c3f10e40e92cf82cc1cbb6
SHA512 f5deafd10eef3b6c8bc577911aabbeb289c6eb683f77e36e0fe062462be95fb88311d73a78d5c66159f48e50cdcb0fd106e1fdcacc7ad2bfa5dc8bb6c9fc9d0e

C:\Windows\SysWOW64\Qmeigg32.exe

MD5 0ff1e341bf4333412b2d93229508e41e
SHA1 4cba08c391ea3459ba513df39eac6f0389b32ee2
SHA256 793b7ac72ea10018df87043f4ee893ed777f538c3114333a45af8e8243f3f1c0
SHA512 81c4df59941831f03c075d0d09ccfdcb80bb7ecb2c0cca46a89a88f6e0b03c1f9968aaef6951ac8d4b557bafb094281cd9ac3733c1cf9e230662cc7c06751ef0

memory/4060-2775-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Ahaceo32.exe

MD5 1f8a20a041986241628b5745efec1501
SHA1 e7a2f97c0b1d43428f5d4e1b1999297c19a4bb3d
SHA256 5065166ed89f295db224978474dc81ee409180467c025e27880af9ec29a069c1
SHA512 91af05d18a1a218efbb882b897bb6095ff3a757cb7e7b114f33100caf2d1ab5dd5baa1686f9a2d9e4fd95206c1efd7bdc2862bcaaaa7ac1fa1425f7c8fca1363

memory/1840-2788-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2856-2795-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3144-2802-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4832-2804-0x0000000000400000-0x000000000049E000-memory.dmp

memory/216-2808-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1880-2806-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2288-2810-0x0000000000400000-0x000000000049E000-memory.dmp

memory/684-2818-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2936-2817-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4052-2814-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1884-2813-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4052-2812-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2944-2834-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3776-2895-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2916-2893-0x0000000000400000-0x000000000049E000-memory.dmp

memory/980-2873-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1272-2865-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2416-2863-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2308-2861-0x0000000000400000-0x000000000049E000-memory.dmp

memory/740-2859-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2944-2858-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2944-2856-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4768-2995-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4576-2855-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5092-2852-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4072-2851-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4072-2846-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4072-2831-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2800-2829-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1220-2825-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5092-2854-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5092-2830-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2320-2827-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4104-3355-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5372-3238-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5700-3236-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5664-3230-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5592-3229-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5228-3221-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5484-3217-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5196-3225-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5012-3169-0x0000000000400000-0x000000000049E000-memory.dmp

memory/2552-3403-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5612-3579-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5756-3589-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5016-3595-0x0000000000400000-0x000000000049E000-memory.dmp

memory/6204-3614-0x0000000000400000-0x000000000049E000-memory.dmp

memory/6704-3668-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Hnbeeiji.exe

MD5 3e50d6d07c2336acee7fe7679770022f
SHA1 cd9283be159f96f2368974840bd68fbb11420afa
SHA256 70cf13afb823cee9aaeea9f68bea0de98bc9612d4461563417470d85800aaace
SHA512 53bc0789ff2c7a9aa40f390af39135ef7cbdeedbc5dcb8f4f6ce4dd87657e703124c5b8f40981ea6bc074b486e81fcf68c10052a4845d5420b2a223b622daf3c

C:\Windows\SysWOW64\Iacngdgj.exe

MD5 eb2555edc0dfc5469195eadd46093c47
SHA1 bce1b4b54a12bb5f332921cd15fe09f03f42edeb
SHA256 5721cb67d07eb6000394e946c195732ad94b7ee5ebdca2d32db21eaecd3dd3f6
SHA512 595f16dd3bd5e9bdec2406a8f5a68cae52a228a7ea6a5a5d754b39f2f90bc568a0b1a12d1bd39956a1273642c282cb4e645d08804cadbb8fb3fd85d0a72bca95

C:\Windows\SysWOW64\Ibjqaf32.exe

MD5 636338c5f8e28057a77074b60c828c5f
SHA1 3121e21e15d52e2135cbebf09414478270041ad3
SHA256 cd0ff8e8602f48ea41121b40a660d66acf888d6fbf13ce7a0572935730b4650d
SHA512 004afb779f11bbbd14a40fde01dc6cf66f85a9142669c436b08ffea09a9f7eda3a49f641cb9329258cc9c54cb81a87dc1e7c748ee59b3c6fdf0bc156d6e3873c

C:\Windows\SysWOW64\Kpiqfima.exe

MD5 9e03001fa60f018744b39233de83598f
SHA1 5615e45dc95f977fc031c42d5af60589a029b179
SHA256 978f059b045126856d37cede665929469adaf9cb3896f84af399a67599de25f4
SHA512 b3737dc8fff530a4b154e06271314b66faf6797229c308d516b7209549330a46a7797f5a75f47ee2e5fba4df95974f5dcf9dc8a78d56b5a7446f0c3ccc6572ed

C:\Windows\SysWOW64\Lcfidb32.exe

MD5 d7f61a11e31cf443f022dbc112abe0c5
SHA1 0d302527b6a00f294f0d72a611f4c3a28e21d782
SHA256 d8e595af4ed9243976b0efb77bef2bae4faa460e04ac7183bbf2acfd748a3b37
SHA512 cdcf5ad62fc331fd7aa2bfde847f80a3a7746b6a09809e800def390734057f65aefef541203d348ac7bb3f9999b52df6dc969847a7bef7da49cdcca04b7c8859

memory/5348-3982-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Windows\SysWOW64\Mqhfoebo.exe

MD5 f726ba1fad5708c5129609cae42ff01c
SHA1 ca220b4fae0743d326e455429007359b68f0584e
SHA256 f3e97ca9b72638b6f6f51b5360107598f870269b341037d9febdb995c2a5d062
SHA512 363dc865335917a6420141e10b5fa25c49311a92726b09cdb1370abaa1ee2d49a77631b18b919da725589dab504df0374f7d07d90422b71a11c1697ff4d5fdba

C:\Windows\SysWOW64\Ncmhko32.exe

MD5 bcb4d28222231af249e583d5b1fa1981
SHA1 3fba2c9d5907b4461b268b43d39030dc0786e1f7
SHA256 96177361ce47fa7fc72ef6efa4d613d2c6914d41965b53673e774ba525e73ccc
SHA512 7b444604b41f5f9c52ad7bece6f27d4009fa6e70bfa35d9db00b3bd1f696019a28691dcd2579e36a7f66d1ca96a39ef615719c0e82d471717e5a4d72be8bed9e

C:\Windows\SysWOW64\Obgohklm.exe

MD5 1ce0edce9afb402fc8b1c8ec581e0a58
SHA1 6bc4865d020b1f44119cc3535aca324a884dc2c6
SHA256 e920cabb669508370cdf862cdc2619d61e3fe892b7a496721c7ef940371207bc
SHA512 a6331bea192547f00cc2b8172a90e947be4e6714fe910ca67e459aa6d556b34ea47664c4274ab5061e1c8de2fbff15bb676a661cd831ff3bfe857fc0332eb42b

C:\Windows\SysWOW64\Pcegclgp.exe

MD5 9f508992e76d9c515d3b6f8c1b385072
SHA1 6531620b17bc952c30664471a032dbf9a5d1e66b
SHA256 28500ef33f1864be8f75a1584f131d2df4f04dbf6896eee5daf1e048ffab3ef4
SHA512 336a6b7f1e360beefb6763e94865189f277d264ff1d971e23eaf83c364ea4c0313dd227926c8983802fcff5e5d83d31ffaf2f2e59da26bb59f9edd0dd766b044

C:\Windows\SysWOW64\Pblajhje.exe

MD5 03e19ce4d3c0b32c2acf5f440c3c4112
SHA1 d69dc62dbb2cca3e4dddd9509b0e4c27b455890a
SHA256 00c6b5df6d744e80124c1aa5e0b9673b0a28a6d98d7cc1db6a5e743bf059249a
SHA512 18748e7b469de1bb914176378f266329bc5bbc83e5d8a2697510175ad06e972a98a8fc1aa439d01fe950c3daa8c1f7b613b5d98736c5ece3d45ea68c0bc8d250

memory/5440-4340-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5888-4353-0x0000000000400000-0x000000000049E000-memory.dmp

memory/4136-4372-0x0000000000400000-0x000000000049E000-memory.dmp

memory/11944-4423-0x0000000000400000-0x000000000049E000-memory.dmp

memory/12144-4443-0x0000000000400000-0x000000000049E000-memory.dmp

memory/11452-4463-0x0000000000400000-0x000000000049E000-memory.dmp

memory/11144-4495-0x0000000000400000-0x000000000049E000-memory.dmp

memory/7620-4540-0x0000000000400000-0x000000000049E000-memory.dmp

memory/10352-4542-0x0000000000400000-0x000000000049E000-memory.dmp

memory/9884-4590-0x0000000000400000-0x000000000049E000-memory.dmp

memory/9064-4628-0x0000000000400000-0x000000000049E000-memory.dmp

memory/10040-4588-0x0000000000400000-0x000000000049E000-memory.dmp

memory/8812-4657-0x0000000000400000-0x000000000049E000-memory.dmp