Malware Analysis Report

2025-06-16 00:07

Sample ID 241113-kc9s2a1qam
Target a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3
SHA256 a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3

Threat Level: Known bad

The file a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3 was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 08:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 08:28

Reported

2024-11-13 08:31

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ncnngfna.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnbojmmp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nedhjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Opglafab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bgllgedi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Loefnpnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ajpepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Akabgebj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccmpce32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pnbojmmp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oeindm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nefdpjkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmbcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mbcoio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pbagipfi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Caifjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Onfoin32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncnngfna.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbagipfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Phcilf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lcofio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oeindm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phcilf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akabgebj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Agjobffl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qndkpmkm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajpepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ccmpce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nefdpjkl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obmnna32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhgnaehm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phnpagdp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfmbek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegoqlof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Loefnpnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgedmb32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Lcofio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfmbek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loefnpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgedmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnbhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbcoio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefdpjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnngfna.exe N/A
N/A N/A C:\Windows\SysWOW64\Onfoin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opglafab.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obmnna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbagipfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Phnpagdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcilf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Paknelgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbojmmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkfocaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Qndkpmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjklenpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aojabdlf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alnalh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akabgebj.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmgjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agjobffl.exe N/A
N/A N/A C:\Windows\SysWOW64\Akfkbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgllgedi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjkhdacm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbbpenco.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjmeiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnknoogp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqijljfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbndpmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqlfaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccmpce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cenljmgq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmedlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cileqlmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckjamgmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnimiblo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cebeem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjonncab.exe N/A
N/A N/A C:\Windows\SysWOW64\Caifjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgcnghpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjakccop.exe N/A
N/A N/A C:\Windows\SysWOW64\Cegoqlof.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmbcen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpapaj32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcofio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcofio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfmbek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfmbek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loefnpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Loefnpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgedmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgedmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnbhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnbhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbcoio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbcoio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefdpjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefdpjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnngfna.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnngfna.exe N/A
N/A N/A C:\Windows\SysWOW64\Onfoin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onfoin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opglafab.exe N/A
N/A N/A C:\Windows\SysWOW64\Opglafab.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obmnna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obmnna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbagipfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbagipfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Phnpagdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Phnpagdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcilf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcilf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Paknelgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Paknelgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbojmmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbojmmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkfocaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkfocaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Qndkpmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qndkpmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjklenpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjklenpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aojabdlf.exe N/A
N/A N/A C:\Windows\SysWOW64\Aojabdlf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alnalh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alnalh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akabgebj.exe N/A
N/A N/A C:\Windows\SysWOW64\Akabgebj.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmgjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmgjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agjobffl.exe N/A
N/A N/A C:\Windows\SysWOW64\Agjobffl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Ajpepm32.exe N/A
File created C:\Windows\SysWOW64\Gbnbjo32.dll C:\Windows\SysWOW64\Bjbndpmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nedhjj32.exe N/A
File created C:\Windows\SysWOW64\Obmnna32.exe C:\Windows\SysWOW64\Oeindm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Obmnna32.exe C:\Windows\SysWOW64\Oeindm32.exe N/A
File created C:\Windows\SysWOW64\Aldhcb32.dll C:\Windows\SysWOW64\Qndkpmkm.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjbndpmd.exe C:\Windows\SysWOW64\Bqijljfd.exe N/A
File created C:\Windows\SysWOW64\Lcofio32.exe C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
File created C:\Windows\SysWOW64\Jbbobb32.dll C:\Windows\SysWOW64\Mbcoio32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncnngfna.exe C:\Windows\SysWOW64\Nhgnaehm.exe N/A
File opened for modification C:\Windows\SysWOW64\Oeindm32.exe C:\Windows\SysWOW64\Opglafab.exe N/A
File created C:\Windows\SysWOW64\Qndkpmkm.exe C:\Windows\SysWOW64\Qkfocaki.exe N/A
File created C:\Windows\SysWOW64\Abmgjo32.exe C:\Windows\SysWOW64\Akabgebj.exe N/A
File created C:\Windows\SysWOW64\Gfikmo32.dll C:\Windows\SysWOW64\Bqijljfd.exe N/A
File created C:\Windows\SysWOW64\Pobghn32.dll C:\Windows\SysWOW64\Ckjamgmk.exe N/A
File created C:\Windows\SysWOW64\Omakjj32.dll C:\Windows\SysWOW64\Caifjn32.exe N/A
File created C:\Windows\SysWOW64\Fikbiheg.dll C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
File opened for modification C:\Windows\SysWOW64\Loefnpnn.exe C:\Windows\SysWOW64\Lfmbek32.exe N/A
File created C:\Windows\SysWOW64\Qkfocaki.exe C:\Windows\SysWOW64\Pnbojmmp.exe N/A
File created C:\Windows\SysWOW64\Hqjpab32.dll C:\Windows\SysWOW64\Qjklenpa.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegoqlof.exe C:\Windows\SysWOW64\Cjakccop.exe N/A
File created C:\Windows\SysWOW64\Mcnbhb32.exe C:\Windows\SysWOW64\Mgedmb32.exe N/A
File created C:\Windows\SysWOW64\Khoqme32.dll C:\Windows\SysWOW64\Ajmijmnn.exe N/A
File created C:\Windows\SysWOW64\Lgpgbj32.dll C:\Windows\SysWOW64\Ajpepm32.exe N/A
File created C:\Windows\SysWOW64\Bjkhdacm.exe C:\Windows\SysWOW64\Bgllgedi.exe N/A
File created C:\Windows\SysWOW64\Bjmeiq32.exe C:\Windows\SysWOW64\Bbbpenco.exe N/A
File created C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgfkmgnj.exe C:\Windows\SysWOW64\Cegoqlof.exe N/A
File opened for modification C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Bdpeiada.dll C:\Windows\SysWOW64\Lfmbek32.exe N/A
File created C:\Windows\SysWOW64\Gfblih32.dll C:\Windows\SysWOW64\Oeindm32.exe N/A
File created C:\Windows\SysWOW64\Ecinnn32.dll C:\Windows\SysWOW64\Pbagipfi.exe N/A
File created C:\Windows\SysWOW64\Bgllgedi.exe C:\Windows\SysWOW64\Akfkbd32.exe N/A
File created C:\Windows\SysWOW64\Bgmdailj.dll C:\Windows\SysWOW64\Bbbpenco.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckjamgmk.exe C:\Windows\SysWOW64\Cileqlmg.exe N/A
File created C:\Windows\SysWOW64\Gpajfg32.dll C:\Windows\SysWOW64\Cgcnghpl.exe N/A
File created C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Dmbcen32.exe N/A
File created C:\Windows\SysWOW64\Phcilf32.exe C:\Windows\SysWOW64\Phnpagdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Ajpepm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lfmbek32.exe C:\Windows\SysWOW64\Lcofio32.exe N/A
File created C:\Windows\SysWOW64\Loefnpnn.exe C:\Windows\SysWOW64\Lfmbek32.exe N/A
File created C:\Windows\SysWOW64\Kjkfeo32.dll C:\Windows\SysWOW64\Mgedmb32.exe N/A
File created C:\Windows\SysWOW64\Kagflkia.dll C:\Windows\SysWOW64\Nedhjj32.exe N/A
File created C:\Windows\SysWOW64\Onfoin32.exe C:\Windows\SysWOW64\Ncnngfna.exe N/A
File created C:\Windows\SysWOW64\Oeindm32.exe C:\Windows\SysWOW64\Opglafab.exe N/A
File created C:\Windows\SysWOW64\Aqcifjof.dll C:\Windows\SysWOW64\Phnpagdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Paknelgk.exe C:\Windows\SysWOW64\Phcilf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abmgjo32.exe C:\Windows\SysWOW64\Akabgebj.exe N/A
File created C:\Windows\SysWOW64\Gggpgo32.dll C:\Windows\SysWOW64\Agjobffl.exe N/A
File created C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Qjeeidhg.dll C:\Windows\SysWOW64\Opglafab.exe N/A
File created C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\SysWOW64\Paknelgk.exe N/A
File opened for modification C:\Windows\SysWOW64\Qndkpmkm.exe C:\Windows\SysWOW64\Qkfocaki.exe N/A
File created C:\Windows\SysWOW64\Agjobffl.exe C:\Windows\SysWOW64\Abmgjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cenljmgq.exe C:\Windows\SysWOW64\Ccmpce32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgcnghpl.exe C:\Windows\SysWOW64\Caifjn32.exe N/A
File created C:\Windows\SysWOW64\Fchook32.dll C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nefdpjkl.exe N/A
File created C:\Windows\SysWOW64\Kfcgie32.dll C:\Windows\SysWOW64\Bgllgedi.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe C:\Windows\SysWOW64\Bjmeiq32.exe N/A
File created C:\Windows\SysWOW64\Ckndebll.dll C:\Windows\SysWOW64\Bjmeiq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Bnknoogp.exe N/A
File created C:\Windows\SysWOW64\Cmbfdl32.dll C:\Windows\SysWOW64\Cmedlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Cgfkmgnj.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeindm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akabgebj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhgnaehm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obmnna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjakccop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgedmb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abmgjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akfkbd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onfoin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alnalh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Loefnpnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opglafab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agjobffl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phnpagdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnbojmmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cenljmgq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nedhjj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbbpenco.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjonncab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbcoio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcnbhb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccmpce32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcofio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbagipfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgllgedi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paknelgk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cileqlmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phcilf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qkfocaki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qndkpmkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nefdpjkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajpepm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfmbek32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncnngfna.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cebeem32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caifjn32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgllgedi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qjklenpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll" C:\Windows\SysWOW64\Qkfocaki.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajpepm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbagipfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qndkpmkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll" C:\Windows\SysWOW64\Cenljmgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll" C:\Windows\SysWOW64\Cebeem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ccmpce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oeindm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkfeo32.dll" C:\Windows\SysWOW64\Mgedmb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Onfoin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfiocpon.dll" C:\Windows\SysWOW64\Onfoin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opglafab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lcofio32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mgedmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akfkbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dmbcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nhgnaehm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nhgnaehm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oeindm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cegoqlof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcnbhb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfkcopd.dll" C:\Windows\SysWOW64\Obmnna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" C:\Windows\SysWOW64\Paknelgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll" C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgedmb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncnngfna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agjobffl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagflkia.dll" C:\Windows\SysWOW64\Nedhjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obmnna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll" C:\Windows\SysWOW64\Phnpagdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll" C:\Windows\SysWOW64\Akabgebj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Abmgjo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Opglafab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nedhjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akabgebj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Caifjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Caifjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coamkc32.dll" C:\Windows\SysWOW64\Loefnpnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lfmbek32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mbcoio32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe C:\Windows\SysWOW64\Lcofio32.exe
PID 2376 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe C:\Windows\SysWOW64\Lcofio32.exe
PID 2376 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe C:\Windows\SysWOW64\Lcofio32.exe
PID 2376 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe C:\Windows\SysWOW64\Lcofio32.exe
PID 2520 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\SysWOW64\Lfmbek32.exe
PID 2520 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\SysWOW64\Lfmbek32.exe
PID 2520 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\SysWOW64\Lfmbek32.exe
PID 2520 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\SysWOW64\Lfmbek32.exe
PID 2964 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Lfmbek32.exe C:\Windows\SysWOW64\Loefnpnn.exe
PID 2964 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Lfmbek32.exe C:\Windows\SysWOW64\Loefnpnn.exe
PID 2964 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Lfmbek32.exe C:\Windows\SysWOW64\Loefnpnn.exe
PID 2964 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Lfmbek32.exe C:\Windows\SysWOW64\Loefnpnn.exe
PID 2828 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Loefnpnn.exe C:\Windows\SysWOW64\Mgedmb32.exe
PID 2828 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Loefnpnn.exe C:\Windows\SysWOW64\Mgedmb32.exe
PID 2828 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Loefnpnn.exe C:\Windows\SysWOW64\Mgedmb32.exe
PID 2828 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Loefnpnn.exe C:\Windows\SysWOW64\Mgedmb32.exe
PID 2892 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Mgedmb32.exe C:\Windows\SysWOW64\Mcnbhb32.exe
PID 2892 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Mgedmb32.exe C:\Windows\SysWOW64\Mcnbhb32.exe
PID 2892 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Mgedmb32.exe C:\Windows\SysWOW64\Mcnbhb32.exe
PID 2892 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Mgedmb32.exe C:\Windows\SysWOW64\Mcnbhb32.exe
PID 2196 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Mcnbhb32.exe C:\Windows\SysWOW64\Mbcoio32.exe
PID 2196 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Mcnbhb32.exe C:\Windows\SysWOW64\Mbcoio32.exe
PID 2196 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Mcnbhb32.exe C:\Windows\SysWOW64\Mbcoio32.exe
PID 2196 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Mcnbhb32.exe C:\Windows\SysWOW64\Mbcoio32.exe
PID 2500 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Mbcoio32.exe C:\Windows\SysWOW64\Nedhjj32.exe
PID 2500 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Mbcoio32.exe C:\Windows\SysWOW64\Nedhjj32.exe
PID 2500 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Mbcoio32.exe C:\Windows\SysWOW64\Nedhjj32.exe
PID 2500 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Mbcoio32.exe C:\Windows\SysWOW64\Nedhjj32.exe
PID 3048 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Nedhjj32.exe C:\Windows\SysWOW64\Nefdpjkl.exe
PID 3048 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Nedhjj32.exe C:\Windows\SysWOW64\Nefdpjkl.exe
PID 3048 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Nedhjj32.exe C:\Windows\SysWOW64\Nefdpjkl.exe
PID 3048 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Nedhjj32.exe C:\Windows\SysWOW64\Nefdpjkl.exe
PID 1720 wrote to memory of 536 N/A C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 1720 wrote to memory of 536 N/A C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 1720 wrote to memory of 536 N/A C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 1720 wrote to memory of 536 N/A C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 536 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Ncnngfna.exe
PID 536 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Ncnngfna.exe
PID 536 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Ncnngfna.exe
PID 536 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Ncnngfna.exe
PID 1688 wrote to memory of 1716 N/A C:\Windows\SysWOW64\Ncnngfna.exe C:\Windows\SysWOW64\Onfoin32.exe
PID 1688 wrote to memory of 1716 N/A C:\Windows\SysWOW64\Ncnngfna.exe C:\Windows\SysWOW64\Onfoin32.exe
PID 1688 wrote to memory of 1716 N/A C:\Windows\SysWOW64\Ncnngfna.exe C:\Windows\SysWOW64\Onfoin32.exe
PID 1688 wrote to memory of 1716 N/A C:\Windows\SysWOW64\Ncnngfna.exe C:\Windows\SysWOW64\Onfoin32.exe
PID 1716 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Onfoin32.exe C:\Windows\SysWOW64\Opglafab.exe
PID 1716 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Onfoin32.exe C:\Windows\SysWOW64\Opglafab.exe
PID 1716 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Onfoin32.exe C:\Windows\SysWOW64\Opglafab.exe
PID 1716 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Onfoin32.exe C:\Windows\SysWOW64\Opglafab.exe
PID 2776 wrote to memory of 468 N/A C:\Windows\SysWOW64\Opglafab.exe C:\Windows\SysWOW64\Oeindm32.exe
PID 2776 wrote to memory of 468 N/A C:\Windows\SysWOW64\Opglafab.exe C:\Windows\SysWOW64\Oeindm32.exe
PID 2776 wrote to memory of 468 N/A C:\Windows\SysWOW64\Opglafab.exe C:\Windows\SysWOW64\Oeindm32.exe
PID 2776 wrote to memory of 468 N/A C:\Windows\SysWOW64\Opglafab.exe C:\Windows\SysWOW64\Oeindm32.exe
PID 468 wrote to memory of 1132 N/A C:\Windows\SysWOW64\Oeindm32.exe C:\Windows\SysWOW64\Obmnna32.exe
PID 468 wrote to memory of 1132 N/A C:\Windows\SysWOW64\Oeindm32.exe C:\Windows\SysWOW64\Obmnna32.exe
PID 468 wrote to memory of 1132 N/A C:\Windows\SysWOW64\Oeindm32.exe C:\Windows\SysWOW64\Obmnna32.exe
PID 468 wrote to memory of 1132 N/A C:\Windows\SysWOW64\Oeindm32.exe C:\Windows\SysWOW64\Obmnna32.exe
PID 1132 wrote to memory of 376 N/A C:\Windows\SysWOW64\Obmnna32.exe C:\Windows\SysWOW64\Pbagipfi.exe
PID 1132 wrote to memory of 376 N/A C:\Windows\SysWOW64\Obmnna32.exe C:\Windows\SysWOW64\Pbagipfi.exe
PID 1132 wrote to memory of 376 N/A C:\Windows\SysWOW64\Obmnna32.exe C:\Windows\SysWOW64\Pbagipfi.exe
PID 1132 wrote to memory of 376 N/A C:\Windows\SysWOW64\Obmnna32.exe C:\Windows\SysWOW64\Pbagipfi.exe
PID 376 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Pbagipfi.exe C:\Windows\SysWOW64\Phnpagdp.exe
PID 376 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Pbagipfi.exe C:\Windows\SysWOW64\Phnpagdp.exe
PID 376 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Pbagipfi.exe C:\Windows\SysWOW64\Phnpagdp.exe
PID 376 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Pbagipfi.exe C:\Windows\SysWOW64\Phnpagdp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe

"C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe"

C:\Windows\SysWOW64\Lcofio32.exe

C:\Windows\system32\Lcofio32.exe

C:\Windows\SysWOW64\Lfmbek32.exe

C:\Windows\system32\Lfmbek32.exe

C:\Windows\SysWOW64\Loefnpnn.exe

C:\Windows\system32\Loefnpnn.exe

C:\Windows\SysWOW64\Mgedmb32.exe

C:\Windows\system32\Mgedmb32.exe

C:\Windows\SysWOW64\Mcnbhb32.exe

C:\Windows\system32\Mcnbhb32.exe

C:\Windows\SysWOW64\Mbcoio32.exe

C:\Windows\system32\Mbcoio32.exe

C:\Windows\SysWOW64\Nedhjj32.exe

C:\Windows\system32\Nedhjj32.exe

C:\Windows\SysWOW64\Nefdpjkl.exe

C:\Windows\system32\Nefdpjkl.exe

C:\Windows\SysWOW64\Nhgnaehm.exe

C:\Windows\system32\Nhgnaehm.exe

C:\Windows\SysWOW64\Ncnngfna.exe

C:\Windows\system32\Ncnngfna.exe

C:\Windows\SysWOW64\Onfoin32.exe

C:\Windows\system32\Onfoin32.exe

C:\Windows\SysWOW64\Opglafab.exe

C:\Windows\system32\Opglafab.exe

C:\Windows\SysWOW64\Oeindm32.exe

C:\Windows\system32\Oeindm32.exe

C:\Windows\SysWOW64\Obmnna32.exe

C:\Windows\system32\Obmnna32.exe

C:\Windows\SysWOW64\Pbagipfi.exe

C:\Windows\system32\Pbagipfi.exe

C:\Windows\SysWOW64\Phnpagdp.exe

C:\Windows\system32\Phnpagdp.exe

C:\Windows\SysWOW64\Phcilf32.exe

C:\Windows\system32\Phcilf32.exe

C:\Windows\SysWOW64\Paknelgk.exe

C:\Windows\system32\Paknelgk.exe

C:\Windows\SysWOW64\Pkcbnanl.exe

C:\Windows\system32\Pkcbnanl.exe

C:\Windows\SysWOW64\Pnbojmmp.exe

C:\Windows\system32\Pnbojmmp.exe

C:\Windows\SysWOW64\Qkfocaki.exe

C:\Windows\system32\Qkfocaki.exe

C:\Windows\SysWOW64\Qndkpmkm.exe

C:\Windows\system32\Qndkpmkm.exe

C:\Windows\SysWOW64\Qdncmgbj.exe

C:\Windows\system32\Qdncmgbj.exe

C:\Windows\SysWOW64\Qjklenpa.exe

C:\Windows\system32\Qjklenpa.exe

C:\Windows\SysWOW64\Ajmijmnn.exe

C:\Windows\system32\Ajmijmnn.exe

C:\Windows\SysWOW64\Aojabdlf.exe

C:\Windows\system32\Aojabdlf.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Alnalh32.exe

C:\Windows\system32\Alnalh32.exe

C:\Windows\SysWOW64\Akabgebj.exe

C:\Windows\system32\Akabgebj.exe

C:\Windows\SysWOW64\Abmgjo32.exe

C:\Windows\system32\Abmgjo32.exe

C:\Windows\SysWOW64\Agjobffl.exe

C:\Windows\system32\Agjobffl.exe

C:\Windows\SysWOW64\Akfkbd32.exe

C:\Windows\system32\Akfkbd32.exe

C:\Windows\SysWOW64\Bgllgedi.exe

C:\Windows\system32\Bgllgedi.exe

C:\Windows\SysWOW64\Bjkhdacm.exe

C:\Windows\system32\Bjkhdacm.exe

C:\Windows\SysWOW64\Bbbpenco.exe

C:\Windows\system32\Bbbpenco.exe

C:\Windows\SysWOW64\Bjmeiq32.exe

C:\Windows\system32\Bjmeiq32.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bqijljfd.exe

C:\Windows\system32\Bqijljfd.exe

C:\Windows\SysWOW64\Bjbndpmd.exe

C:\Windows\system32\Bjbndpmd.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Bjdkjpkb.exe

C:\Windows\system32\Bjdkjpkb.exe

C:\Windows\SysWOW64\Ccmpce32.exe

C:\Windows\system32\Ccmpce32.exe

C:\Windows\SysWOW64\Cenljmgq.exe

C:\Windows\system32\Cenljmgq.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cileqlmg.exe

C:\Windows\system32\Cileqlmg.exe

C:\Windows\SysWOW64\Ckjamgmk.exe

C:\Windows\system32\Ckjamgmk.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cebeem32.exe

C:\Windows\system32\Cebeem32.exe

C:\Windows\SysWOW64\Cjonncab.exe

C:\Windows\system32\Cjonncab.exe

C:\Windows\SysWOW64\Caifjn32.exe

C:\Windows\system32\Caifjn32.exe

C:\Windows\SysWOW64\Cgcnghpl.exe

C:\Windows\system32\Cgcnghpl.exe

C:\Windows\SysWOW64\Cjakccop.exe

C:\Windows\system32\Cjakccop.exe

C:\Windows\SysWOW64\Cegoqlof.exe

C:\Windows\system32\Cegoqlof.exe

C:\Windows\SysWOW64\Cgfkmgnj.exe

C:\Windows\system32\Cgfkmgnj.exe

C:\Windows\SysWOW64\Dmbcen32.exe

C:\Windows\system32\Dmbcen32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 144

Network

N/A

Files

\Windows\SysWOW64\Lcofio32.exe

MD5 b8219f98f29a812018bf18ec80cdd2b7
SHA1 3eb19a4317626f7dcef75fa3a3f075a2b160ab80
SHA256 5a7762a351d404d076705136d4d1733a3ed5077a3f56db26ba2b22d14baf4f91
SHA512 75911fb1dceb198bd3d8a1215060fdf6fc2c993d1aa5d68d878630261e03ca29988e5a2366d7f5e5225860dcf6275756842c6765bec50e8f3cd212b7c442d071

memory/2520-14-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2376-13-0x0000000000440000-0x0000000000474000-memory.dmp

\Windows\SysWOW64\Lfmbek32.exe

MD5 8d7202d9ea4d9a71b9b9138f60fdd7d4
SHA1 d614a860656c26983a2492c478d794d0dbf6083e
SHA256 681ac23945e30b511785fff882b299d6d8b70c3559256195c62b1658b546499e
SHA512 745cfb7d1ea736b6052d04330c13dce7bafeffb92aa8dc3ad6159f01e922b24fd1403adf9fc5f89f5e714f61ba1b3d515d5bae540b93292ea45dfce68a9a930a

memory/2376-12-0x0000000000440000-0x0000000000474000-memory.dmp

memory/2964-27-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2376-0-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Loefnpnn.exe

MD5 bac153bd503ba32f8d1d3c324f3fe450
SHA1 6db949a250d0110dbdd7b9d57f69036979a530a7
SHA256 183c47e31d5b18d1c2d3d4c47b4bdc2a9b334cc75837346d5934a6bcb04b1f83
SHA512 f27bf0260dbb6b85863d624a495d96f54f8fb653c6c94f1810982e643a84d88efebbcede8f8f0e5155585bc90ac74d65f6bfedba33d7c4974f0eda99f150f529

memory/2964-34-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/2828-46-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2892-54-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mgedmb32.exe

MD5 8131356f19f134d37dfe4f3620eb2fb4
SHA1 454a2ec2a208d21dd959d0abc52ae5d80aeedb66
SHA256 2aa38a4d46c7fb40fcfe3679e69276da1c4ab2ce6c3477cbea5b420380db6eeb
SHA512 189aa1bcdc92c4cce90997ad17ac5332b797fd73b2b95a8f2e9acd1cc57f9fadd895f8b800b9f20eba80ca8b3d9d685304ba44afa84330474196b77087abdccb

C:\Windows\SysWOW64\Kjkfeo32.dll

MD5 d35df5bf85623ec120a1bb6d2f890c55
SHA1 8608bb6e3f8101e8a69b50fe8ab7995fcc4c4dc0
SHA256 3f1266ddabeeb241871b817849d623b638ba1073f99eaa59805e6d8c4e8ced59
SHA512 5c82a5a62b0a8d784c25860331a09c051e979080dfbab839f7405dcbf0ab7fa134f3776ae3598bdb0aa8937bf2febb5419099790b3b4075bd525b17f9d0d1b3b

\Windows\SysWOW64\Mcnbhb32.exe

MD5 b54e77323e545bca0695fa4b36abea5b
SHA1 a54f58cd2b7ca7aa2b6f28028ee3463411c15e31
SHA256 f27518a8d19d8ac47e21841c84b588384e27af8dab80b7ca00bcb94315861692
SHA512 733fe625c1c27f75be3df060f30a0e626e22492b8ebb763471e4b35ab587995dbe7afa9e77406551bbf369ec984024696f72614de1b24b24d05fc7d951ebc64b

memory/2892-62-0x0000000000260000-0x0000000000294000-memory.dmp

memory/2892-65-0x0000000000260000-0x0000000000294000-memory.dmp

memory/2196-69-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2500-83-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mbcoio32.exe

MD5 28a65af0249dbe559dc02c4e733fd4d8
SHA1 543b125aa3b7cb3bcdcccd9cb4545a398655fca4
SHA256 2ec7b3b77d5b9f8d7ddbc4a13fa6378d07d8902420ac17d88a1a2939608764ee
SHA512 7c1ecb3631d3b18ccdb4f20bc30dbfe9a2658afac95054db2c8a31f32c444074af3046fbc41cb22d1dbd40ec2f5fa8a71cfe683b6ac2c59657d75a4f9359e177

memory/2196-81-0x00000000002E0000-0x0000000000314000-memory.dmp

\Windows\SysWOW64\Nedhjj32.exe

MD5 b55a25e0732494dcfba199eeb567a7f4
SHA1 9f1208329b0848c9289597f11158c8f13d935b08
SHA256 31b0f735250d34fbd274b9e9b6a26ccc7f95001593e57efbd38cf7f2415d5032
SHA512 d53db36de34d344a3bd0b557e19513ace56ab41af4038cc797966aee86cabd772e61f96350b047c67da084f8e964362b32fb3f2ca4a05e32993b3c9718966199

memory/2500-90-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1720-109-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nefdpjkl.exe

MD5 a16bb286e5ad72e9db6e6af48d90708a
SHA1 7bcffc31d4e18c45874996f87486823dd40fdf19
SHA256 04f7d5bea8f2814f825b27df8c630591b31f38c1fc3ef03880ab863b22b511b6
SHA512 e61fa55b04789259c27c22521ea40da7db88a02bd4306c484813d0aac12a189284da5f6f5cde53896189c1768f2ebfbb7abc93ad6a09421c70950c1f86a3a410

\Windows\SysWOW64\Nhgnaehm.exe

MD5 9d9f07e2ae79f6af7e32cd43ccb34721
SHA1 ba6b64849d21811942ba9d63ab7af9ab0efdad35
SHA256 e3f84ba79706ab3768cd97903a353283b5a8377de83a46d5182110d8146ca615
SHA512 bff389e97eb1f7cf7b1fea77a6088bf8ac55dc3d562cdb0271b9cd8e6cfbbe23ff4b8e01b5f59b5a49d17197f012b772964737cb6f76bc55b2ccbe3611865875

memory/1720-116-0x0000000000440000-0x0000000000474000-memory.dmp

memory/536-127-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1688-136-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ncnngfna.exe

MD5 8aaa78d52dd6f1ade93c153a169b4e37
SHA1 39a1a85901c1b4fdaf038b70c6fbed3bca77d6c8
SHA256 032aa641c09551d1aa217686a67ec870a7332f7a164a15f9b2cb61815b568255
SHA512 8e96c04b1f517c54800a1654ff3545cfc4d5b512e3f8388c5ce614c58058a09a803b875047cdc6189d0c0c3c29c285046e0358e848c2d191e1cedb832c4244b0

\Windows\SysWOW64\Onfoin32.exe

MD5 36968992311943dca3aaf92460602258
SHA1 6cd275db90cf932414567ba190920c1aa8c83c1d
SHA256 3c4f01e849c2a733f542732ea9a1379de5903a87bafab22c2fddfa153c8b90ec
SHA512 9a312700eb5624b060b76b01eafbafb7160a385d2524292548b725fe179e3a05a0b6d41fbca29252e1ba52b6e0a42c5c8168de6ca6b436c4fdb4eef20486c0f2

memory/1716-156-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2776-164-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Opglafab.exe

MD5 4a6249603e593571b33cc04963722e06
SHA1 449a912fa9cb96df440ed8258226a4b2ea8c0173
SHA256 3971c0478c1e297fa03c64d8fd2cf607db401516d5415f3ef77fa5e9e0861827
SHA512 b6f5b7a4e5016bb4291e1b7a1c924379cff542dd41eaa74276ee388e438285ccf6e8bf7d7f5b792b115a964f982128df2f4e9e64d28b203fa59fc5e3ed003388

memory/1688-149-0x00000000002F0000-0x0000000000324000-memory.dmp

memory/1688-148-0x00000000002F0000-0x0000000000324000-memory.dmp

\Windows\SysWOW64\Oeindm32.exe

MD5 cabbedfd2aacaf668a76c049eb7785e1
SHA1 626c8ec1c44bd262205fa9c81a7a669820ad497b
SHA256 d30ad4cf366b3dd4288a71669a1540077cdddae15a93860569d0942ab424167f
SHA512 9bdca921de29462beb67e9f4afb4e6da514d3cb63394917b29446e131fbd84d370c8065b2223af093132e05fdd407ccd242d61fba1e2f609c81fc0a60ae4025a

memory/2776-171-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/1132-192-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Obmnna32.exe

MD5 410635dac0bd15b7d3cf9e4e0f6ea098
SHA1 7c7e62df655ae5879273504335bb4f5501978987
SHA256 240455b7d34069bf1f8c97343a8e84d477fbe21dd0f0a17a6608e936aa7173d0
SHA512 80787fed7006ec94ccea00ef683d0e9707d245c252e1a51af408900ef4016fe1ef0605724a9c3dae8c0e73656e31e13667f53fd2ea797b635a2c491ae61e1e63

memory/468-190-0x00000000002A0000-0x00000000002D4000-memory.dmp

memory/468-183-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Pbagipfi.exe

MD5 10255faf630476bad330cc92d212ec5d
SHA1 3f56a1a37b9f542c5a0cbee1dfa9412c9e275b08
SHA256 a429a7d5039f5508fa8234b299069ed0c53e9f21114f3a714df4d722706e69d6
SHA512 5fa72785d6d117286f5970eb1bf81e5d99c8a783cb84d71a397ad2ebc0e37368750233333a20f35aba48e11bd633d560b2589c833d17b0a4c868fec3971ae68d

memory/376-206-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Phnpagdp.exe

MD5 bf9f4678d81592fb6567ff339084ff35
SHA1 a878463c5166f6c12876542b103c110076c1733b
SHA256 2fe1f65abcb2be973fded036fe091fe1207def3af66da76764c0441188d99974
SHA512 32995c5fa87521486a35be297558ebbe01f6667507eea7659a55ac8abd3e300c93ae32e91dd88993148751d4ad477c813d698cc0f97f21279091b042d58b38df

memory/2540-218-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2540-225-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Phcilf32.exe

MD5 79bfa43a343a58016fb34b1a4f5a1b27
SHA1 e9e13547daacdbdf471c5091cfa60b5365c0e19a
SHA256 83729d7a0819eea767c48f6ad404917b75ba415245cb45ff76f3b9f115c32e06
SHA512 fe10554746c22215ee6c4b19d79dce5a9f8dc107a95fca811aeda7ba6515486052c93ed4c69090bb068a7848d5bee88838ff8bbbda4dd351c6008bb27a95de19

memory/344-229-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Paknelgk.exe

MD5 9e1a8cfa4e633ef7c3bc0299e376b001
SHA1 690d80e052f6b91b897261e1bf499065672167a5
SHA256 e98892960ff419f25c7bebca4cd8984d4a29fae9eec8f23a325c9fed032aa568
SHA512 34a04a7ddfb1fe16d1ed7074c32502520d67d735fe103f5535512ea199c8217243c39282136cdc997672f5f7f51a3a546137c7ba56f6879d36f29d70669b2c3c

memory/568-238-0x0000000000400000-0x0000000000434000-memory.dmp

memory/568-244-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Windows\SysWOW64\Pkcbnanl.exe

MD5 8fd5818972e2b6aa9132b90931411a14
SHA1 17961e291d2a21de6793392c971b1c5e701febb4
SHA256 6b7576069af400056625704be9efe854a762b4d5ce416bebb0d8399b63f7ae22
SHA512 652dd463f4efdcbf376596d369552cd56b0dc4713508bcaa27c04cba82aa6e937262cfbe14072c541a8ad33a7f230ef3f83e95acf1a6f7208c4df68ff0b4e854

memory/3004-248-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pnbojmmp.exe

MD5 829b76689f7100cab8592b9e8171f9f6
SHA1 d31d692517aecf86728a6509c66018b922d1dcbc
SHA256 757d8104f6a3f28db633760092878eb63aec1e362c3bcdf35a89afec418bd0bb
SHA512 3a4c59cd41d5f2c9807dd58cdf8632d9464223f842cdfc54101d5980d38be862e3f0071b0eea0e7c9d8fb9a674330573ba9e899ba1e08581d287261abcf4548d

memory/2088-258-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3004-257-0x00000000002E0000-0x0000000000314000-memory.dmp

memory/2088-264-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Qkfocaki.exe

MD5 e28b52cd88c0d778cc58e4e9c11739f5
SHA1 38ca58171eb4de11de58aa487e283df322278545
SHA256 eec81eac5df19dfa174fcc61ea95799039ced0653bc3668fb561cdfc3159ee30
SHA512 95b53de7332a34f9097e0a8edfd39900168fb3191179ece9821b9de2afd1ffdb43edd2176c4023010c0eb63b804688451fc8c147ad09e947bd4a385b3f90f58f

memory/2528-276-0x00000000002F0000-0x0000000000324000-memory.dmp

memory/1924-277-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Qndkpmkm.exe

MD5 ec09d5f23b4fdbad20e0814ee1661af2
SHA1 61c029188ac6a3285fae625f12d7f720c4dbb4e9
SHA256 0b6c456063fe5ebf5ddf1743f2ae706d07396b1ff1ab1d30560e582e6e99b7bd
SHA512 f79e0e3d6f220d6a252ede6961be1db328579afecd6dfe6fdae180feb9666c70c1bb648c58ee7cf035d829198fab52c08340d51ffc0231b2f71c33aff73cb7a0

C:\Windows\SysWOW64\Qdncmgbj.exe

MD5 cb4074950483522063c083481fb35c52
SHA1 70f17c55feb609f953b39f26d0537c74d3572c7e
SHA256 f2b069491e58278ed4a833021c5925f46c7b8f576845d41ebacd5525ff04a630
SHA512 b6bf42a6cc9ad67b662540bf03014298f2cea15390feedad3e46fcfc2a7fee37833984e43b6459351b4527d18901a61556fd2503f55965d3992bf88d53fcc3a2

memory/884-291-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1924-286-0x0000000000290000-0x00000000002C4000-memory.dmp

memory/796-298-0x0000000000400000-0x0000000000434000-memory.dmp

memory/884-297-0x0000000000250000-0x0000000000284000-memory.dmp

memory/884-296-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Qjklenpa.exe

MD5 9d7542f3c06c1b43e3e14c1beccd8bdb
SHA1 e7e90fd8d4354834e1ae0707e43bb72c3b46f2e6
SHA256 f42d6ceb959d95f5a0d6d4630028ab12fe00285562ad943421c459e651278fdb
SHA512 03bdaeab2156cace07c34ec3b1b7265f8dd768b5da71ee8e442bc96f17ca429016d60f81acea660c4a253603d9a492f20d41653d07c6bdf60b278e9349d07d44

memory/796-304-0x0000000000330000-0x0000000000364000-memory.dmp

C:\Windows\SysWOW64\Ajmijmnn.exe

MD5 b5d1e68a4b1724b7b03048b24640b01d
SHA1 d04a6fb10f675f87a951911e717fbaae684c1809
SHA256 d363eb487e482b34ca3b9ad2573fd2a5e073e730d6b93b5817c3650503eb8453
SHA512 8b83f95209176e8edd7a5ec87a9b142563d3826cf32f7a0cc7e8c8dceaa8e2484943fba804e210107adb0683f78b9d5ef33668613b2762ca3288484a3148d4d6

memory/796-308-0x0000000000330000-0x0000000000364000-memory.dmp

memory/2164-309-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Aojabdlf.exe

MD5 4fd4b64295727b847678b130a92d88b3
SHA1 1a4d6198ff31090d050e61d3e2f90f6d7870c361
SHA256 f42567ff6a97a58e1b12c5d29d3bc4b326d2c00a39abe8080becc1ec562c934a
SHA512 c5d1232ed82070a6d09a16c6654fb7ae919895a9987ce4b87ad6a2a06642c2120010a778861207d51405810e2b6f393511ccd1f915a28a23565073fe10ed0749

memory/2968-320-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2164-319-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2164-318-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2968-329-0x0000000000290000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 1f87c7492a72aab084a4fece279d43c1
SHA1 bf0c98bf0b604c5a270e8bac797d15895d0ed4b4
SHA256 e0c12180b1260eef77a7e88c333a007dcb57c0136002433ba312add7102a63a3
SHA512 1138cf54e2ac0d3a134304688613a76d9f269a673cb1b73017cbd2d08d31ee19f2ef5af4ea2c95e4e6cc942deb0240e383b6dead06e9082d06c7c08051ba9d8f

memory/2968-330-0x0000000000290000-0x00000000002C4000-memory.dmp

memory/1332-331-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2520-343-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2740-342-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1332-341-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/2376-340-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Alnalh32.exe

MD5 6a61c69ce688fd071c2b278eab6e88ce
SHA1 831fb52ec1efb8ec56926de96937b854ba0756bb
SHA256 d5183afd30e08d59765a872f7cd759a291ce58d255b3daca8fc62ee038410deb
SHA512 0a276cb9ba1509e96a11e18f9a296613a7614228e280d3dd301e083271d767014989b186b35e1c3c01711faef69aa1e0d1d92fe62acd149b5c2f16e76ee542dd

memory/2740-352-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Akabgebj.exe

MD5 237e8d7400ba1d523fe678e98c28d94a
SHA1 e2b21498e7349c85ca9d596be7b592862d54aad6
SHA256 e4fd6a6b3bd5d4b3146e23570d7c88c08d4b4980976f54ab16e5e76a6d195858
SHA512 d70415eafd708e838824929b316986ac6758e1676606fc037f6db42623039c43646d994547e32f95183824786a8a6aaee3860835555387a8af54146af4dc4531

memory/2888-354-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2964-353-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Abmgjo32.exe

MD5 dd928ada094bbe527ce4871ccf444cae
SHA1 a6508940a791e373f88391a133545f47eab27bcd
SHA256 4dd526a1c81f53e751b6180135ac6599b62b168c60283145f3d208ddf97dda5c
SHA512 e9b7a95f7fb4eced7ff64ed4618c040b133fa6905af5df7e14138f3cb57d954ae150c363f8480a122be23fc63ebfbad0a11e762945ce3f1c0a07776a19ed9bdd

memory/2632-364-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2888-363-0x0000000000290000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Agjobffl.exe

MD5 5debc0b2872ac46db9ea016d8721cc8b
SHA1 07afbeb5bd59dd62b358ebefefb44d0ccc818256
SHA256 fd050ba7bdc60d68155d0ea3d4688b282485baead7cc27e89e85be25a5da0d2a
SHA512 e65577f492b950d91726999ed5e038f8231076c1758a30f34035de37ac9b8617645d9a5c3f5f7d428ae1a8a44cdc04ce9f01f6ecfdfee8754b7e5f7732883431

memory/2632-373-0x0000000000260000-0x0000000000294000-memory.dmp

memory/2596-374-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2444-385-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2596-384-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2892-383-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Akfkbd32.exe

MD5 a0428fe4359daa0f5d95be9475520a13
SHA1 a5cde4b64af545745264b144a3a899ae40909d15
SHA256 32897bf384fda2acadaab6131ca3615c9e902db76705f4ca7c0f08ae5041cc27
SHA512 98561e7082349755ebaa3a6f2b48ba994d96f2ec8872b3fac5df993afb666a8bb37af26d0b1051275b617000b6ae7eaa118a12c385141d853e4ddb8bba4b7223

memory/2196-390-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bgllgedi.exe

MD5 e20d31312917c90f8b90e5c07fed7e59
SHA1 e0ad6a51665689ae540bc81c019493ccc7823349
SHA256 740e85174a8ce0f275436ca0ab2344f8b306a45f04b1b05e99ca7cbbce7e6c73
SHA512 548c06aa82470a6a04f3360cdbb846edf619eb02d7c0a649fa8dc867114516ce0dcc98dc09e63b1bf14e33c259461fcb59208562de9dbe2c886d2c723a1cd0de

memory/2196-395-0x00000000002E0000-0x0000000000314000-memory.dmp

memory/1812-399-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2412-406-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2500-405-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bjkhdacm.exe

MD5 8c83f8ad982e465cf0c4bde843000108
SHA1 e4a5a10f7ba190a3254ed0adcbede40953b2afe1
SHA256 97640232560b152b54bbf211bc18bffd5b421751d688b7817059307f3ca56312
SHA512 d43376ba144fe00f2a4cfca514f1650043a3ffe231b90b43b8b9ca44e4ab0f187697d73c88ca1c9903b71fb060d27eac52c411a818db0242317cdebf673cdb13

C:\Windows\SysWOW64\Bbbpenco.exe

MD5 794080037bcaf128480e3d173e3231f4
SHA1 903a9406b4f214b25faa554b775084669bbef61e
SHA256 374d59888cea85b24a87938bb86d11a01b83e54bc4865d55781733ac320f038f
SHA512 d6a0f44929f32ceb8649a9b9043fbf20e75001306f83f12e161d3363be4330e87046b93ec3035d5645c6323cfc8f515449fedd2970f14b02783846190008abff

memory/3048-417-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2412-416-0x0000000000300000-0x0000000000334000-memory.dmp

memory/2500-415-0x0000000000250000-0x0000000000284000-memory.dmp

memory/108-429-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1720-428-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2472-427-0x0000000000300000-0x0000000000334000-memory.dmp

memory/2472-426-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bjmeiq32.exe

MD5 309649fe5409232627efcdf620e067ad
SHA1 0aa5888fc928b1bde0a38f2f1ae84384403e0a67
SHA256 135dc6603d0f5c33b41f808cca03b7fc69960899eb7f0d2cca368fe72643d8b5
SHA512 539fde80139fc2c64153a6efdbcaebdd78cb02eed89764ce03b5e51e249087ebf0dba576899c61e7b64518119d8981220d24657fa5afcb65e8e844623918286a

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 00b0b959a8f3b0958aee534ab5171226
SHA1 c317f041189d0e235f97bb747bcd84f7a41c8cb3
SHA256 af12d264f2a3e35bbcadd28452d89c407a3a6b67ebb57befa87fdd1e2d6ca082
SHA512 748018b29e5d37e3253f6510b9ed1f08866371dcf8e7df82b9d1f18aa0643e8ce038893909124f4055fa7b62be7c2f25fdc7fcac0fb2da9a8b098ab5401b9d3e

memory/108-438-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/536-439-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bqijljfd.exe

MD5 3812e16918b1bbfa99179021fc6b3412
SHA1 d506c0247c6300aced4bc77b533b56075612c29f
SHA256 0ab853e6aa8cc0945dce76e510aeceea81f079339c9bf0412f85e1d8b5d50dd3
SHA512 12beadcfcf4905abea64d1279c7feb9063f41eb7a63f3884a2e0b1f468de140375b567b85224fe416bb03201056b5f3f18f9b693fa00e01413cf11029e289ad4

memory/1684-445-0x0000000000400000-0x0000000000434000-memory.dmp

memory/616-449-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bjbndpmd.exe

MD5 2af6e77c8791aba644036fe1fda915be
SHA1 3bb9b93d8db286f7f0ecd3f6094e50b89de47711
SHA256 c19186fdff2528b5811b90712a1340053936b0d83fe37f4ad3232797779b828e
SHA512 cf3d053b77ee12bee74acd8932a2e1aa13c628d324951c41b8091f5d5dfce0f7003cc06ccd4bf99546655e0ff3535947a61aedb94fdfda27ac0baa4e15b3e958

memory/1688-458-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2908-463-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2564-469-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2908-468-0x0000000000280000-0x00000000002B4000-memory.dmp

C:\Windows\SysWOW64\Bqlfaj32.exe

MD5 b25f7bf0882970d89bfad058755d7705
SHA1 a008437cf84b819ea544defe8fd20b81e99cc90f
SHA256 1fe944b625018211cf37648c1a34eab6262ef24a79a8a2d9ec168ecb820be2ff
SHA512 9519b16b542bf15179cf1c8904726938d817734f23acb9fcb9f6dd415cdeb30a237a3c1b293d06b1b77b4c76c0ae29fd50c543e2f2dc85b3c0b7be0970af19b4

memory/2776-474-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bjdkjpkb.exe

MD5 dd234fbe8f8c941aab7707563538bdd7
SHA1 affa7957e48141a2e4ae1dad155971c170508a3b
SHA256 595d2a33808632d0a360e1d23409ababaf9f1706ab629686aa13da1358907423
SHA512 bdb942b4090e8685b8c1a195b348590753a995d6a67465d4be86ecc8dba43841bca435686401cceda46946f8ca45ebf23700374218b67f625afd20d111c04017

memory/1528-479-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ccmpce32.exe

MD5 d91be54f6e48b2d11008d4f2970d0c7a
SHA1 5351679fd47d7eabdc345b05b5ec934b8b2e3e81
SHA256 b45b183ac863cf0f36a2adfe68a6059ac02a9c3697bd36d491db1adb0735df56
SHA512 81f10af885e80da5f28509696e285fd029452fa6b89dd97623b26671caaddc9d766ff3e47dea5874532774baf21aef94087fe90c04dd5e0f4ec506b3f5fd35f8

memory/3008-488-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1132-493-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cenljmgq.exe

MD5 64efcf17e3b17749159f0ccaad07ce49
SHA1 eda952df51313e827ceead154aa6a75278983407
SHA256 870feef4d3ee9f01e8caeb472a040db9b8c189ef4890ced80352faba3c35b2c6
SHA512 293964c94d97984f5784a05d190712bde1e6288449e42c12b74f4fe61a642b25ad21462559c102d4c663b5d6b4d940ef7eb623a611746d8ff66f73d8af14a2ec

memory/1132-498-0x0000000000260000-0x0000000000294000-memory.dmp

memory/556-504-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cmedlk32.exe

MD5 1f1a61d751af94c04c09bf80eb3867fa
SHA1 cc0fda71c81296ba4cc94fb844c90a43ad3c9cd5
SHA256 61969b663303e2140101e337fa2a8e02dfe6a4c4e3da60dd3321869d43a109fa
SHA512 c8503f9ad484fb6c020c3f3e5ca095925c2d13a4e8c04c7d75859f3a0e2ef2564d113814e363664e6f4c06134b2aa0acabf695a59ba6e8a21fb4da11c2edca5d

memory/496-510-0x0000000000400000-0x0000000000434000-memory.dmp

memory/556-509-0x0000000000260000-0x0000000000294000-memory.dmp

memory/376-505-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2540-515-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cileqlmg.exe

MD5 049a7832972d4bd84b42cfbe47098649
SHA1 4569b9d3355cfdc42ac26ad11a90599af8906cb3
SHA256 4fc4984bcb0261124219e60dafb6a9002c18a4f6d8c82733a945cb285e067c41
SHA512 13121ae7a7d8d06992b6616f0f501c80c60609bf768cf396798e539ad0b5a5123aaccac6e01280463c4f1afd538dc7066361edacee16e4c7837e6243053f6205

C:\Windows\SysWOW64\Ckjamgmk.exe

MD5 02a0cec7dcb932579817167215697558
SHA1 1a4acb3ff6ae698152c862378d59b6e4db8c1756
SHA256 c256c604ab1e1d2ada9b1f84380fdaf5de3f81996e9f992e90751a5edee2202d
SHA512 735c07a2eedf85891f25b65558a197425a4a57bb4aae10199a092b59022c082569bdb4252f6cf37206cd925e14acf9f647d596a4b3fa522db975e6ea8d68d2d8

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 e15248b02118509d96a4903a272107e1
SHA1 bfb2b62a49808389aef889d1fac12a891737f5b5
SHA256 312823c76128976a31efab76f742b18f4305ee40244877ba968cf3390157761e
SHA512 095a919813841388ff688b8e11351c3bc5a004e0d721ab53be53c9db8490a90a283bf323ca30771ea246988e6486f998a52bc15b96fbb55af18988751553b34e

C:\Windows\SysWOW64\Cebeem32.exe

MD5 0885540efb107fb673d4a8cf034eb0dd
SHA1 bb9a16a11008d4113cb83023781f653b0f59825f
SHA256 d967ca84d1a5c6c6f3a1dfcde1632970689d3ec7d69114df2288edbe7512f589
SHA512 252f4a3574c6b9403334502694d49b9741206715279245f089f1642c6cc2c5804ed165e0ee206fde45cef5820258d4ba02fc7600c6f0bbb6e7a881097646177e

C:\Windows\SysWOW64\Cjonncab.exe

MD5 1cab6b9605effb6d90f52b62c2a27720
SHA1 745f712203d8c6b05aed9d87734db3d4c96c63f1
SHA256 24b287887f6d948815da2738f767d57526950981501101a77d2e97a55bbb15f5
SHA512 189ecb418d1385ff01f9611a3d976b7b514ae5eae94a4dc15a9adeeb1da7d89e08ef55b90e52241a56bf74e881897f67212c812115e5129d8054ab4ceac8d08d

C:\Windows\SysWOW64\Caifjn32.exe

MD5 3e23107fe357ee8c35077851ccc9df91
SHA1 6c9aef0d3743c9ca4fa39d012eb214bf2053430b
SHA256 b3e9228c94f6830b57228f6d8811c2c7d67bc41f097b2340bcae44c53a1ee4ee
SHA512 cefeec5254a6b073c7730302815b7f0aece23f210a3d7c7aca650d17e6923fa793cd6d6237031eb258701998d53202cc14737c4dd9fcc5683ec51e908e7eb344

C:\Windows\SysWOW64\Cgcnghpl.exe

MD5 839809f44da5f4dbe8c1350faa40d26e
SHA1 f22662b6cd3db37533449e4db2dd3cf48dd34867
SHA256 daa91db475df24a550f5b30ecfb8e0e8afcd6a6dc9ba12d65a6f4a38abac67f2
SHA512 33f8c7336c2911eacf336ec7d3f7d78dd6b768821b9f5ce48c50fe76f0db94421c778f84fdcdd7d3db58d4face9ce61aebff4601bb17b12bf598de25066394a6

C:\Windows\SysWOW64\Cjakccop.exe

MD5 3cf922da08e96b9e924110b881525267
SHA1 5b96438f1874a15c9b0c9bb52f39c2c625a608ff
SHA256 747fb4138211d9fea5db0bd3f99c3337327e355f5db22cbf1d30027e2ef01d3e
SHA512 8c072a264a5b060c20a1004e3f0e1d2047b26967cbc916643001e1cf2b6bf4bbaea695c235f12523286b227226541e9b8dab811133077e30197315fe599b5d49

C:\Windows\SysWOW64\Cegoqlof.exe

MD5 10a6f3564fb2be0ab03edb59a5e21589
SHA1 60bec0507006f985182158a2bd6dfcb9e57e832e
SHA256 825a43990e0b93f79b8396bcd3ee5b8b18e26a498ec060320ffc5c258684da90
SHA512 2f397934b2bdaf8d5a2e27619c23e8f7dbda10685c5e92fd3e739c5bed25bca89012a4e7e96e46641a19825a3d3be03a88130f5c114eaba22ef9cf096a828746

C:\Windows\SysWOW64\Cgfkmgnj.exe

MD5 3f1d19d4e63131f4f12167f3de07cbd3
SHA1 bf32155ddff6d8f75d9131a6c1304c84e9547d2a
SHA256 7c145407165989c48fee479e41872a35753693e1b308182941d902adfd6efbeb
SHA512 11a3cc234f088dbcf0bda9f314ae68d9732d5f87ca7d2023f085a3712d1d937d8def6a0b567aafcb45be2de85cb602a20c9d6a6770386380fbb8a534bc7eee06

C:\Windows\SysWOW64\Dmbcen32.exe

MD5 34dce908940c06cff062fdc95b584fb3
SHA1 b5d5c87e18d099e17767f503be889582498baeaa
SHA256 0098129d98572077f4b437ef74071a96623c126c7aad7ef6e2003a134bb2a783
SHA512 1bf167b11e43f06baa56054e08dd79b6197e9fab6893490b5d6cddb1f34e36fe23078e5d86957b8215b6c0ff4014ce6f382846654e2b0f4ab2070667d5422a15

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 16e0912b51ea7adfde3e40df63d827bb
SHA1 e60a1f58f0ea4956baa990afaac250603abfbc2c
SHA256 147a88c83646a2a5dbadbc620675b49eb7e884510634ce762389739e6948958f
SHA512 49a0a524ad2f721e35370cecf3bb9711667117455cc3f11d14f5ba64d0f95b9a3984418900699d12d40d4a29214cc85bfc6565786f239f52d2569b508c14312b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 08:28

Reported

2024-11-13 08:31

Platform

win10v2004-20241007-en

Max time kernel

97s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hhfedm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lejgch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdlfhj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pplobcpp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jhlgfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gdobnj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jpdhkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhclmp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bopocbcq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djqblj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iojbpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnjdpaki.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jqglkmlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fmfnpa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idkkpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ljobpiql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jkaicd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Emoadlfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hfhgkmpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bnlhncgi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Filiii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjjnae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Haafcb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jibmgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nnbnhedj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nndjndbh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aafemk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlkngo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qhlkilba.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcddcbab.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kcbnnpka.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nelfeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poimpapp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mgphpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aajhndkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gdmmbq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hdkidohn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nbgcih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djelgied.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dbjkkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jnlbojee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ghmbno32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlfelogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bbiado32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cbbdjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boflmdkk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jncoikmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kmfhkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nndjndbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qeodhjmo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ginnfgop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iahlcaol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hgdejd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hienlpel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ddnfmqng.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flkdfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hjjnae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkfcndce.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhdlao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Olgncmim.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhcjqinf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlhkgi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljqhkckn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlepcdoa.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ehfcfb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efkphnbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiildjag.exe N/A
N/A N/A C:\Windows\SysWOW64\Filiii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgbfhmll.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpjjac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fggocmhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpodlbng.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdmmbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmeakf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkeio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkiaej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpfjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmbno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gklnjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ginnfgop.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnjjfegi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gphgbafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddbcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggbook32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gknkpjfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnlgleef.exe N/A
N/A N/A C:\Windows\SysWOW64\Gahcmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdfoio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgelek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkpheidp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjchaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hajpbckl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdilnojp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhdhon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkbdki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnaqgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hammhcij.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdkidohn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhfedm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkeaqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hncmmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpbiip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhiajmod.exe N/A
N/A N/A C:\Windows\SysWOW64\Hglaej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjjnae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Haafcb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdpbon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgnoki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjlkge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnhghcki.exe N/A
N/A N/A C:\Windows\SysWOW64\Idbodn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Igqkqiai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijogmdqm.exe N/A
N/A N/A C:\Windows\SysWOW64\Iafonaao.exe N/A
N/A N/A C:\Windows\SysWOW64\Iddljmpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Igchfiof.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijadbdoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Iahlcaol.exe N/A
N/A N/A C:\Windows\SysWOW64\Idghpmnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Igedlh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijcahd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iakiia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idieem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihdafkdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikcmbfcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Inainbcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Iqpfjnba.exe N/A
N/A N/A C:\Windows\SysWOW64\Igjngh32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Qobhkjdi.exe C:\Windows\SysWOW64\Panhbfep.exe N/A
File opened for modification C:\Windows\SysWOW64\Pedlgbkh.exe C:\Windows\SysWOW64\Pcepkfld.exe N/A
File created C:\Windows\SysWOW64\Ciipkkdj.dll C:\Windows\SysWOW64\Bnlhncgi.exe N/A
File opened for modification C:\Windows\SysWOW64\Lkofdbkj.exe C:\Windows\SysWOW64\Liqihglg.exe N/A
File created C:\Windows\SysWOW64\Mejpje32.exe C:\Windows\SysWOW64\Mblcnj32.exe N/A
File created C:\Windows\SysWOW64\Dpphjp32.exe C:\Windows\SysWOW64\Dmalne32.exe N/A
File created C:\Windows\SysWOW64\Fmpqfq32.exe C:\Windows\SysWOW64\Fffhifdk.exe N/A
File created C:\Windows\SysWOW64\Dfjehbcf.dll C:\Windows\SysWOW64\Ifmqfm32.exe N/A
File created C:\Windows\SysWOW64\Djelgied.exe C:\Windows\SysWOW64\Dbndfl32.exe N/A
File created C:\Windows\SysWOW64\Edmpgp32.dll C:\Windows\SysWOW64\Dlieda32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilmmni32.exe C:\Windows\SysWOW64\Injmcmej.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndflak32.exe C:\Windows\SysWOW64\Nagpeo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgffic32.exe C:\Windows\SysWOW64\Legjmh32.exe N/A
File created C:\Windows\SysWOW64\Hbhboolf.exe C:\Windows\SysWOW64\Hipmfjee.exe N/A
File created C:\Windows\SysWOW64\Aepjgm32.dll C:\Windows\SysWOW64\Nnhmnn32.exe N/A
File created C:\Windows\SysWOW64\Kmaopfjm.exe C:\Windows\SysWOW64\Jdfjld32.exe N/A
File created C:\Windows\SysWOW64\Danihi32.dll C:\Windows\SysWOW64\Qlimed32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbinam32.exe C:\Windows\SysWOW64\Lnnbqnjn.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkfglb32.exe C:\Windows\SysWOW64\Hcpojd32.exe N/A
File created C:\Windows\SysWOW64\Oodcdb32.exe C:\Windows\SysWOW64\Oelolmnd.exe N/A
File opened for modification C:\Windows\SysWOW64\Panhbfep.exe C:\Windows\SysWOW64\Ppolhcnm.exe N/A
File created C:\Windows\SysWOW64\Bnlhncgi.exe C:\Windows\SysWOW64\Bknlbhhe.exe N/A
File created C:\Windows\SysWOW64\Bchace32.dll C:\Windows\SysWOW64\Lnpofnhk.exe N/A
File created C:\Windows\SysWOW64\Mblcnj32.exe C:\Windows\SysWOW64\Mjellmbp.exe N/A
File opened for modification C:\Windows\SysWOW64\Oekiqccc.exe C:\Windows\SysWOW64\Oblmdhdo.exe N/A
File created C:\Windows\SysWOW64\Kmhjapnj.dll C:\Windows\SysWOW64\Hibjli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkafmd32.exe C:\Windows\SysWOW64\Bhcjqinf.exe N/A
File opened for modification C:\Windows\SysWOW64\Alqjpi32.exe C:\Windows\SysWOW64\Ahenokjf.exe N/A
File created C:\Windows\SysWOW64\Dcnqpo32.exe C:\Windows\SysWOW64\Dpbdopck.exe N/A
File created C:\Windows\SysWOW64\Gepgfb32.dll C:\Windows\SysWOW64\Fealin32.exe N/A
File created C:\Windows\SysWOW64\Dfokdq32.dll C:\Windows\SysWOW64\Hajpbckl.exe N/A
File created C:\Windows\SysWOW64\Hncmmd32.exe C:\Windows\SysWOW64\Hkeaqi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbnpcj32.exe C:\Windows\SysWOW64\Mldhfpib.exe N/A
File opened for modification C:\Windows\SysWOW64\Jqhafffk.exe C:\Windows\SysWOW64\Jnjejjgh.exe N/A
File created C:\Windows\SysWOW64\Odhifjkg.exe C:\Windows\SysWOW64\Najmjokc.exe N/A
File opened for modification C:\Windows\SysWOW64\Oakbehfe.exe C:\Windows\SysWOW64\Ojomcopk.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfbaonae.exe C:\Windows\SysWOW64\Bcddcbab.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbnkonbd.exe C:\Windows\SysWOW64\Bopocbcq.exe N/A
File created C:\Windows\SysWOW64\Mdijliok.dll C:\Windows\SysWOW64\Badanigc.exe N/A
File created C:\Windows\SysWOW64\Gppcmeem.exe C:\Windows\SysWOW64\Gmafajfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Jqglkmlj.exe C:\Windows\SysWOW64\Jnhpoamf.exe N/A
File created C:\Windows\SysWOW64\Aeheme32.dll C:\Windows\SysWOW64\Pemomqcn.exe N/A
File created C:\Windows\SysWOW64\Lgflfoob.dll C:\Windows\SysWOW64\Gdfoio32.exe N/A
File created C:\Windows\SysWOW64\Qcbhah32.dll C:\Windows\SysWOW64\Cnkkjh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Impliekg.exe C:\Windows\SysWOW64\Ioolkncg.exe N/A
File created C:\Windows\SysWOW64\Jiiicf32.exe C:\Windows\SysWOW64\Jpaekqhh.exe N/A
File created C:\Windows\SysWOW64\Alkijdci.exe C:\Windows\SysWOW64\Aafemk32.exe N/A
File created C:\Windows\SysWOW64\Jgamgpme.dll C:\Windows\SysWOW64\Lbinam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkiaej32.exe C:\Windows\SysWOW64\Ghkeio32.exe N/A
File created C:\Windows\SysWOW64\Bomfgoah.dll C:\Windows\SysWOW64\Manmoq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bedgjgkg.exe C:\Windows\SysWOW64\Bojomm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cklhcfle.exe C:\Windows\SysWOW64\Coegoe32.exe N/A
File created C:\Windows\SysWOW64\Gkbofaoj.dll C:\Windows\SysWOW64\Ecefqnel.exe N/A
File opened for modification C:\Windows\SysWOW64\Jqdoem32.exe C:\Windows\SysWOW64\Jnfcia32.exe N/A
File created C:\Windows\SysWOW64\Idieem32.exe C:\Windows\SysWOW64\Iakiia32.exe N/A
File created C:\Windows\SysWOW64\Kelkaj32.exe C:\Windows\SysWOW64\Kbmoen32.exe N/A
File created C:\Windows\SysWOW64\Famcfn32.dll C:\Windows\SysWOW64\Ljobpiql.exe N/A
File opened for modification C:\Windows\SysWOW64\Okchnk32.exe C:\Windows\SysWOW64\Nhdlao32.exe N/A
File opened for modification C:\Windows\SysWOW64\Elnoopdj.exe C:\Windows\SysWOW64\Ecbjkngo.exe N/A
File opened for modification C:\Windows\SysWOW64\Kqmkae32.exe C:\Windows\SysWOW64\Kmaopfjm.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjjnifbl.exe C:\Windows\SysWOW64\Fmfnpa32.exe N/A
File created C:\Windows\SysWOW64\Hdbplg32.dll C:\Windows\SysWOW64\Fpkibf32.exe N/A
File created C:\Windows\SysWOW64\Iddljmpc.exe C:\Windows\SysWOW64\Iafonaao.exe N/A
File created C:\Windows\SysWOW64\Glkmmefl.exe C:\Windows\SysWOW64\Geaepk32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnmmboed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppolhcnm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bknlbhhe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjahlgpf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ginnfgop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhoipb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qkjgegae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbbdjm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmhand32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hienlpel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icknfcol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gphgbafl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjlpjm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpdhkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neqopnhb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caojpaij.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Filiii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hnhghcki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ijadbdoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ibobdqid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kghjhemo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mblcnj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jiiicf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gdfoio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajdjin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjpjel32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbpdblmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iknmla32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nagpeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blgifbil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgkfnh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhijqj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jkomneim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfnqklgh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eokqkh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnjgfb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnlhncgi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbfheo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jdedak32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mngegmbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkhapk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkohaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bedgjgkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nflkbanj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Efjbcakl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ehfcfb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neoieenp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbjkkl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fjjnifbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gdcliikj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebjdgmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebgpad32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmmmfj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cklhcfle.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qhlkilba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojdnid32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgnffj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gnjjfegi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oakbehfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckbemgcp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oodcdb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Idghpmnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jibmgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kelkaj32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll" C:\Windows\SysWOW64\Caageq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oimkbaed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcigeooj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aafemk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbaffgag.dll" C:\Windows\SysWOW64\Hgmgqc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfjcc32.dll" C:\Windows\SysWOW64\Ipeeobbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbefdijg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inbhocbm.dll" C:\Windows\SysWOW64\Bjpjel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ginnfgop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hplfookn.dll" C:\Windows\SysWOW64\Idbodn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hglppijc.dll" C:\Windows\SysWOW64\Iakiia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ckfphc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Njpdnedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lnpofnhk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Najceeoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aoofle32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcemmf32.dll" C:\Windows\SysWOW64\Gknkpjfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilkibdpe.dll" C:\Windows\SysWOW64\Pefhlaie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dmalne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlambk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Caageq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcocace.dll" C:\Windows\SysWOW64\Mblcnj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ckilmcgb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jecampmk.dll" C:\Windows\SysWOW64\Coknoaic.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Neoieenp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ikpjbq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ooejohhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Plndcl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Icknfcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njjdho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpodlbng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcehifmk.dll" C:\Windows\SysWOW64\Jqlefl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Coegoe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fpjjac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjdgbbi.dll" C:\Windows\SysWOW64\Hgelek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ijcahd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eecphp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbfpack.dll" C:\Windows\SysWOW64\Jqdoem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkafmd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nghekkmn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pldcjeia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Anclbkbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Efjbcakl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfedck32.dll" C:\Windows\SysWOW64\Oaajed32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nlhkgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpnbd32.dll" C:\Windows\SysWOW64\Alkijdci.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bmjkic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Laqhhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Objpoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlkgmh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hibjli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkoafbld.dll" C:\Windows\SysWOW64\Lcimdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenghpla.dll" C:\Windows\SysWOW64\Emanjldl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Geaepk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fmmmfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjkqlam.dll" C:\Windows\SysWOW64\Olgncmim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfnqklgh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ipeeobbe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cjgpfk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fpbflg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll" C:\Windows\SysWOW64\Coegoe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqcnc32.dll" C:\Windows\SysWOW64\Gppcmeem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bfngdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lenicahg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe C:\Windows\SysWOW64\Ehfcfb32.exe
PID 4236 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe C:\Windows\SysWOW64\Ehfcfb32.exe
PID 4236 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe C:\Windows\SysWOW64\Ehfcfb32.exe
PID 1968 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Ehfcfb32.exe C:\Windows\SysWOW64\Efkphnbd.exe
PID 1968 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Ehfcfb32.exe C:\Windows\SysWOW64\Efkphnbd.exe
PID 1968 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Ehfcfb32.exe C:\Windows\SysWOW64\Efkphnbd.exe
PID 3436 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Efkphnbd.exe C:\Windows\SysWOW64\Eiildjag.exe
PID 3436 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Efkphnbd.exe C:\Windows\SysWOW64\Eiildjag.exe
PID 3436 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Efkphnbd.exe C:\Windows\SysWOW64\Eiildjag.exe
PID 1680 wrote to memory of 184 N/A C:\Windows\SysWOW64\Eiildjag.exe C:\Windows\SysWOW64\Filiii32.exe
PID 1680 wrote to memory of 184 N/A C:\Windows\SysWOW64\Eiildjag.exe C:\Windows\SysWOW64\Filiii32.exe
PID 1680 wrote to memory of 184 N/A C:\Windows\SysWOW64\Eiildjag.exe C:\Windows\SysWOW64\Filiii32.exe
PID 184 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Filiii32.exe C:\Windows\SysWOW64\Fgbfhmll.exe
PID 184 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Filiii32.exe C:\Windows\SysWOW64\Fgbfhmll.exe
PID 184 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Filiii32.exe C:\Windows\SysWOW64\Fgbfhmll.exe
PID 2004 wrote to memory of 4004 N/A C:\Windows\SysWOW64\Fgbfhmll.exe C:\Windows\SysWOW64\Fpjjac32.exe
PID 2004 wrote to memory of 4004 N/A C:\Windows\SysWOW64\Fgbfhmll.exe C:\Windows\SysWOW64\Fpjjac32.exe
PID 2004 wrote to memory of 4004 N/A C:\Windows\SysWOW64\Fgbfhmll.exe C:\Windows\SysWOW64\Fpjjac32.exe
PID 4004 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Fpjjac32.exe C:\Windows\SysWOW64\Fggocmhf.exe
PID 4004 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Fpjjac32.exe C:\Windows\SysWOW64\Fggocmhf.exe
PID 4004 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Fpjjac32.exe C:\Windows\SysWOW64\Fggocmhf.exe
PID 2400 wrote to memory of 1888 N/A C:\Windows\SysWOW64\Fggocmhf.exe C:\Windows\SysWOW64\Fpodlbng.exe
PID 2400 wrote to memory of 1888 N/A C:\Windows\SysWOW64\Fggocmhf.exe C:\Windows\SysWOW64\Fpodlbng.exe
PID 2400 wrote to memory of 1888 N/A C:\Windows\SysWOW64\Fggocmhf.exe C:\Windows\SysWOW64\Fpodlbng.exe
PID 1888 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Fpodlbng.exe C:\Windows\SysWOW64\Gdmmbq32.exe
PID 1888 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Fpodlbng.exe C:\Windows\SysWOW64\Gdmmbq32.exe
PID 1888 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Fpodlbng.exe C:\Windows\SysWOW64\Gdmmbq32.exe
PID 1480 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Gdmmbq32.exe C:\Windows\SysWOW64\Gmeakf32.exe
PID 1480 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Gdmmbq32.exe C:\Windows\SysWOW64\Gmeakf32.exe
PID 1480 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Gdmmbq32.exe C:\Windows\SysWOW64\Gmeakf32.exe
PID 2736 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Gmeakf32.exe C:\Windows\SysWOW64\Ghkeio32.exe
PID 2736 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Gmeakf32.exe C:\Windows\SysWOW64\Ghkeio32.exe
PID 2736 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Gmeakf32.exe C:\Windows\SysWOW64\Ghkeio32.exe
PID 2776 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Ghkeio32.exe C:\Windows\SysWOW64\Gkiaej32.exe
PID 2776 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Ghkeio32.exe C:\Windows\SysWOW64\Gkiaej32.exe
PID 2776 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Ghkeio32.exe C:\Windows\SysWOW64\Gkiaej32.exe
PID 1248 wrote to memory of 4544 N/A C:\Windows\SysWOW64\Gkiaej32.exe C:\Windows\SysWOW64\Gpfjma32.exe
PID 1248 wrote to memory of 4544 N/A C:\Windows\SysWOW64\Gkiaej32.exe C:\Windows\SysWOW64\Gpfjma32.exe
PID 1248 wrote to memory of 4544 N/A C:\Windows\SysWOW64\Gkiaej32.exe C:\Windows\SysWOW64\Gpfjma32.exe
PID 4544 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Gpfjma32.exe C:\Windows\SysWOW64\Ghmbno32.exe
PID 4544 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Gpfjma32.exe C:\Windows\SysWOW64\Ghmbno32.exe
PID 4544 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Gpfjma32.exe C:\Windows\SysWOW64\Ghmbno32.exe
PID 1948 wrote to memory of 3500 N/A C:\Windows\SysWOW64\Ghmbno32.exe C:\Windows\SysWOW64\Gklnjj32.exe
PID 1948 wrote to memory of 3500 N/A C:\Windows\SysWOW64\Ghmbno32.exe C:\Windows\SysWOW64\Gklnjj32.exe
PID 1948 wrote to memory of 3500 N/A C:\Windows\SysWOW64\Ghmbno32.exe C:\Windows\SysWOW64\Gklnjj32.exe
PID 3500 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Gklnjj32.exe C:\Windows\SysWOW64\Ginnfgop.exe
PID 3500 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Gklnjj32.exe C:\Windows\SysWOW64\Ginnfgop.exe
PID 3500 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Gklnjj32.exe C:\Windows\SysWOW64\Ginnfgop.exe
PID 1072 wrote to memory of 4552 N/A C:\Windows\SysWOW64\Ginnfgop.exe C:\Windows\SysWOW64\Gnjjfegi.exe
PID 1072 wrote to memory of 4552 N/A C:\Windows\SysWOW64\Ginnfgop.exe C:\Windows\SysWOW64\Gnjjfegi.exe
PID 1072 wrote to memory of 4552 N/A C:\Windows\SysWOW64\Ginnfgop.exe C:\Windows\SysWOW64\Gnjjfegi.exe
PID 4552 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Gnjjfegi.exe C:\Windows\SysWOW64\Gphgbafl.exe
PID 4552 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Gnjjfegi.exe C:\Windows\SysWOW64\Gphgbafl.exe
PID 4552 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Gnjjfegi.exe C:\Windows\SysWOW64\Gphgbafl.exe
PID 1852 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Gphgbafl.exe C:\Windows\SysWOW64\Gddbcp32.exe
PID 1852 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Gphgbafl.exe C:\Windows\SysWOW64\Gddbcp32.exe
PID 1852 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Gphgbafl.exe C:\Windows\SysWOW64\Gddbcp32.exe
PID 4440 wrote to memory of 756 N/A C:\Windows\SysWOW64\Gddbcp32.exe C:\Windows\SysWOW64\Ggbook32.exe
PID 4440 wrote to memory of 756 N/A C:\Windows\SysWOW64\Gddbcp32.exe C:\Windows\SysWOW64\Ggbook32.exe
PID 4440 wrote to memory of 756 N/A C:\Windows\SysWOW64\Gddbcp32.exe C:\Windows\SysWOW64\Ggbook32.exe
PID 756 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Ggbook32.exe C:\Windows\SysWOW64\Gknkpjfb.exe
PID 756 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Ggbook32.exe C:\Windows\SysWOW64\Gknkpjfb.exe
PID 756 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Ggbook32.exe C:\Windows\SysWOW64\Gknkpjfb.exe
PID 2724 wrote to memory of 3712 N/A C:\Windows\SysWOW64\Gknkpjfb.exe C:\Windows\SysWOW64\Gnlgleef.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe

"C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe"

C:\Windows\SysWOW64\Ehfcfb32.exe

C:\Windows\system32\Ehfcfb32.exe

C:\Windows\SysWOW64\Efkphnbd.exe

C:\Windows\system32\Efkphnbd.exe

C:\Windows\SysWOW64\Eiildjag.exe

C:\Windows\system32\Eiildjag.exe

C:\Windows\SysWOW64\Filiii32.exe

C:\Windows\system32\Filiii32.exe

C:\Windows\SysWOW64\Fgbfhmll.exe

C:\Windows\system32\Fgbfhmll.exe

C:\Windows\SysWOW64\Fpjjac32.exe

C:\Windows\system32\Fpjjac32.exe

C:\Windows\SysWOW64\Fggocmhf.exe

C:\Windows\system32\Fggocmhf.exe

C:\Windows\SysWOW64\Fpodlbng.exe

C:\Windows\system32\Fpodlbng.exe

C:\Windows\SysWOW64\Gdmmbq32.exe

C:\Windows\system32\Gdmmbq32.exe

C:\Windows\SysWOW64\Gmeakf32.exe

C:\Windows\system32\Gmeakf32.exe

C:\Windows\SysWOW64\Ghkeio32.exe

C:\Windows\system32\Ghkeio32.exe

C:\Windows\SysWOW64\Gkiaej32.exe

C:\Windows\system32\Gkiaej32.exe

C:\Windows\SysWOW64\Gpfjma32.exe

C:\Windows\system32\Gpfjma32.exe

C:\Windows\SysWOW64\Ghmbno32.exe

C:\Windows\system32\Ghmbno32.exe

C:\Windows\SysWOW64\Gklnjj32.exe

C:\Windows\system32\Gklnjj32.exe

C:\Windows\SysWOW64\Ginnfgop.exe

C:\Windows\system32\Ginnfgop.exe

C:\Windows\SysWOW64\Gnjjfegi.exe

C:\Windows\system32\Gnjjfegi.exe

C:\Windows\SysWOW64\Gphgbafl.exe

C:\Windows\system32\Gphgbafl.exe

C:\Windows\SysWOW64\Gddbcp32.exe

C:\Windows\system32\Gddbcp32.exe

C:\Windows\SysWOW64\Ggbook32.exe

C:\Windows\system32\Ggbook32.exe

C:\Windows\SysWOW64\Gknkpjfb.exe

C:\Windows\system32\Gknkpjfb.exe

C:\Windows\SysWOW64\Gnlgleef.exe

C:\Windows\system32\Gnlgleef.exe

C:\Windows\SysWOW64\Gahcmd32.exe

C:\Windows\system32\Gahcmd32.exe

C:\Windows\SysWOW64\Gdfoio32.exe

C:\Windows\system32\Gdfoio32.exe

C:\Windows\SysWOW64\Hgelek32.exe

C:\Windows\system32\Hgelek32.exe

C:\Windows\SysWOW64\Hkpheidp.exe

C:\Windows\system32\Hkpheidp.exe

C:\Windows\SysWOW64\Hjchaf32.exe

C:\Windows\system32\Hjchaf32.exe

C:\Windows\SysWOW64\Hajpbckl.exe

C:\Windows\system32\Hajpbckl.exe

C:\Windows\SysWOW64\Hdilnojp.exe

C:\Windows\system32\Hdilnojp.exe

C:\Windows\SysWOW64\Hhdhon32.exe

C:\Windows\system32\Hhdhon32.exe

C:\Windows\SysWOW64\Hkbdki32.exe

C:\Windows\system32\Hkbdki32.exe

C:\Windows\SysWOW64\Hnaqgd32.exe

C:\Windows\system32\Hnaqgd32.exe

C:\Windows\SysWOW64\Hammhcij.exe

C:\Windows\system32\Hammhcij.exe

C:\Windows\SysWOW64\Hdkidohn.exe

C:\Windows\system32\Hdkidohn.exe

C:\Windows\SysWOW64\Hhfedm32.exe

C:\Windows\system32\Hhfedm32.exe

C:\Windows\SysWOW64\Hkeaqi32.exe

C:\Windows\system32\Hkeaqi32.exe

C:\Windows\SysWOW64\Hncmmd32.exe

C:\Windows\system32\Hncmmd32.exe

C:\Windows\SysWOW64\Hpbiip32.exe

C:\Windows\system32\Hpbiip32.exe

C:\Windows\SysWOW64\Hhiajmod.exe

C:\Windows\system32\Hhiajmod.exe

C:\Windows\SysWOW64\Hglaej32.exe

C:\Windows\system32\Hglaej32.exe

C:\Windows\SysWOW64\Hjjnae32.exe

C:\Windows\system32\Hjjnae32.exe

C:\Windows\SysWOW64\Haafcb32.exe

C:\Windows\system32\Haafcb32.exe

C:\Windows\SysWOW64\Hdpbon32.exe

C:\Windows\system32\Hdpbon32.exe

C:\Windows\SysWOW64\Hgnoki32.exe

C:\Windows\system32\Hgnoki32.exe

C:\Windows\SysWOW64\Hjlkge32.exe

C:\Windows\system32\Hjlkge32.exe

C:\Windows\SysWOW64\Hnhghcki.exe

C:\Windows\system32\Hnhghcki.exe

C:\Windows\SysWOW64\Idbodn32.exe

C:\Windows\system32\Idbodn32.exe

C:\Windows\SysWOW64\Igqkqiai.exe

C:\Windows\system32\Igqkqiai.exe

C:\Windows\SysWOW64\Ijogmdqm.exe

C:\Windows\system32\Ijogmdqm.exe

C:\Windows\SysWOW64\Iafonaao.exe

C:\Windows\system32\Iafonaao.exe

C:\Windows\SysWOW64\Iddljmpc.exe

C:\Windows\system32\Iddljmpc.exe

C:\Windows\SysWOW64\Igchfiof.exe

C:\Windows\system32\Igchfiof.exe

C:\Windows\SysWOW64\Ijadbdoj.exe

C:\Windows\system32\Ijadbdoj.exe

C:\Windows\SysWOW64\Iahlcaol.exe

C:\Windows\system32\Iahlcaol.exe

C:\Windows\SysWOW64\Idghpmnp.exe

C:\Windows\system32\Idghpmnp.exe

C:\Windows\SysWOW64\Igedlh32.exe

C:\Windows\system32\Igedlh32.exe

C:\Windows\SysWOW64\Ijcahd32.exe

C:\Windows\system32\Ijcahd32.exe

C:\Windows\SysWOW64\Iakiia32.exe

C:\Windows\system32\Iakiia32.exe

C:\Windows\SysWOW64\Idieem32.exe

C:\Windows\system32\Idieem32.exe

C:\Windows\SysWOW64\Ihdafkdg.exe

C:\Windows\system32\Ihdafkdg.exe

C:\Windows\SysWOW64\Ikcmbfcj.exe

C:\Windows\system32\Ikcmbfcj.exe

C:\Windows\SysWOW64\Inainbcn.exe

C:\Windows\system32\Inainbcn.exe

C:\Windows\SysWOW64\Iqpfjnba.exe

C:\Windows\system32\Iqpfjnba.exe

C:\Windows\SysWOW64\Igjngh32.exe

C:\Windows\system32\Igjngh32.exe

C:\Windows\SysWOW64\Ijhjcchb.exe

C:\Windows\system32\Ijhjcchb.exe

C:\Windows\SysWOW64\Ibobdqid.exe

C:\Windows\system32\Ibobdqid.exe

C:\Windows\SysWOW64\Jdnoplhh.exe

C:\Windows\system32\Jdnoplhh.exe

C:\Windows\SysWOW64\Jhijqj32.exe

C:\Windows\system32\Jhijqj32.exe

C:\Windows\SysWOW64\Jkhgmf32.exe

C:\Windows\system32\Jkhgmf32.exe

C:\Windows\SysWOW64\Jnfcia32.exe

C:\Windows\system32\Jnfcia32.exe

C:\Windows\SysWOW64\Jqdoem32.exe

C:\Windows\system32\Jqdoem32.exe

C:\Windows\SysWOW64\Jhlgfj32.exe

C:\Windows\system32\Jhlgfj32.exe

C:\Windows\SysWOW64\Jkjcbe32.exe

C:\Windows\system32\Jkjcbe32.exe

C:\Windows\SysWOW64\Jnhpoamf.exe

C:\Windows\system32\Jnhpoamf.exe

C:\Windows\SysWOW64\Jqglkmlj.exe

C:\Windows\system32\Jqglkmlj.exe

C:\Windows\SysWOW64\Jhndljll.exe

C:\Windows\system32\Jhndljll.exe

C:\Windows\SysWOW64\Jgadgf32.exe

C:\Windows\system32\Jgadgf32.exe

C:\Windows\SysWOW64\Jjopcb32.exe

C:\Windows\system32\Jjopcb32.exe

C:\Windows\SysWOW64\Jbfheo32.exe

C:\Windows\system32\Jbfheo32.exe

C:\Windows\SysWOW64\Jdedak32.exe

C:\Windows\system32\Jdedak32.exe

C:\Windows\SysWOW64\Jgcamf32.exe

C:\Windows\system32\Jgcamf32.exe

C:\Windows\SysWOW64\Jkomneim.exe

C:\Windows\system32\Jkomneim.exe

C:\Windows\SysWOW64\Jnmijq32.exe

C:\Windows\system32\Jnmijq32.exe

C:\Windows\SysWOW64\Jqlefl32.exe

C:\Windows\system32\Jqlefl32.exe

C:\Windows\SysWOW64\Jibmgi32.exe

C:\Windows\system32\Jibmgi32.exe

C:\Windows\SysWOW64\Jkaicd32.exe

C:\Windows\system32\Jkaicd32.exe

C:\Windows\SysWOW64\Jnpfop32.exe

C:\Windows\system32\Jnpfop32.exe

C:\Windows\SysWOW64\Kqnbkl32.exe

C:\Windows\system32\Kqnbkl32.exe

C:\Windows\SysWOW64\Kghjhemo.exe

C:\Windows\system32\Kghjhemo.exe

C:\Windows\SysWOW64\Kjffdalb.exe

C:\Windows\system32\Kjffdalb.exe

C:\Windows\SysWOW64\Kbmoen32.exe

C:\Windows\system32\Kbmoen32.exe

C:\Windows\SysWOW64\Kelkaj32.exe

C:\Windows\system32\Kelkaj32.exe

C:\Windows\SysWOW64\Kkfcndce.exe

C:\Windows\system32\Kkfcndce.exe

C:\Windows\SysWOW64\Kndojobi.exe

C:\Windows\system32\Kndojobi.exe

C:\Windows\SysWOW64\Kqbkfkal.exe

C:\Windows\system32\Kqbkfkal.exe

C:\Windows\SysWOW64\Kgmcce32.exe

C:\Windows\system32\Kgmcce32.exe

C:\Windows\SysWOW64\Kjkpoq32.exe

C:\Windows\system32\Kjkpoq32.exe

C:\Windows\SysWOW64\Kbbhqn32.exe

C:\Windows\system32\Kbbhqn32.exe

C:\Windows\SysWOW64\Kaehljpj.exe

C:\Windows\system32\Kaehljpj.exe

C:\Windows\SysWOW64\Kilpmh32.exe

C:\Windows\system32\Kilpmh32.exe

C:\Windows\SysWOW64\Kkjlic32.exe

C:\Windows\system32\Kkjlic32.exe

C:\Windows\SysWOW64\Kniieo32.exe

C:\Windows\system32\Kniieo32.exe

C:\Windows\SysWOW64\Kbddfmgl.exe

C:\Windows\system32\Kbddfmgl.exe

C:\Windows\SysWOW64\Knkekn32.exe

C:\Windows\system32\Knkekn32.exe

C:\Windows\SysWOW64\Lajagj32.exe

C:\Windows\system32\Lajagj32.exe

C:\Windows\SysWOW64\Liqihglg.exe

C:\Windows\system32\Liqihglg.exe

C:\Windows\SysWOW64\Lkofdbkj.exe

C:\Windows\system32\Lkofdbkj.exe

C:\Windows\SysWOW64\Lnnbqnjn.exe

C:\Windows\system32\Lnnbqnjn.exe

C:\Windows\SysWOW64\Lbinam32.exe

C:\Windows\system32\Lbinam32.exe

C:\Windows\SysWOW64\Legjmh32.exe

C:\Windows\system32\Legjmh32.exe

C:\Windows\SysWOW64\Lgffic32.exe

C:\Windows\system32\Lgffic32.exe

C:\Windows\SysWOW64\Lkabjbih.exe

C:\Windows\system32\Lkabjbih.exe

C:\Windows\SysWOW64\Lnpofnhk.exe

C:\Windows\system32\Lnpofnhk.exe

C:\Windows\SysWOW64\Lankbigo.exe

C:\Windows\system32\Lankbigo.exe

C:\Windows\SysWOW64\Lejgch32.exe

C:\Windows\system32\Lejgch32.exe

C:\Windows\SysWOW64\Lghcocol.exe

C:\Windows\system32\Lghcocol.exe

C:\Windows\SysWOW64\Ljgpkonp.exe

C:\Windows\system32\Ljgpkonp.exe

C:\Windows\SysWOW64\Lbngllob.exe

C:\Windows\system32\Lbngllob.exe

C:\Windows\SysWOW64\Laqhhi32.exe

C:\Windows\system32\Laqhhi32.exe

C:\Windows\SysWOW64\Lihpif32.exe

C:\Windows\system32\Lihpif32.exe

C:\Windows\SysWOW64\Lgkpdcmi.exe

C:\Windows\system32\Lgkpdcmi.exe

C:\Windows\SysWOW64\Ljilqnlm.exe

C:\Windows\system32\Ljilqnlm.exe

C:\Windows\SysWOW64\Lbpdblmo.exe

C:\Windows\system32\Lbpdblmo.exe

C:\Windows\SysWOW64\Lacdmh32.exe

C:\Windows\system32\Lacdmh32.exe

C:\Windows\SysWOW64\Lijlof32.exe

C:\Windows\system32\Lijlof32.exe

C:\Windows\SysWOW64\Lhmmjbkf.exe

C:\Windows\system32\Lhmmjbkf.exe

C:\Windows\SysWOW64\Ljkifn32.exe

C:\Windows\system32\Ljkifn32.exe

C:\Windows\SysWOW64\Mngegmbc.exe

C:\Windows\system32\Mngegmbc.exe

C:\Windows\SysWOW64\Maeachag.exe

C:\Windows\system32\Maeachag.exe

C:\Windows\SysWOW64\Mhoipb32.exe

C:\Windows\system32\Mhoipb32.exe

C:\Windows\SysWOW64\Mlkepaam.exe

C:\Windows\system32\Mlkepaam.exe

C:\Windows\SysWOW64\Mjellmbp.exe

C:\Windows\system32\Mjellmbp.exe

C:\Windows\SysWOW64\Mblcnj32.exe

C:\Windows\system32\Mblcnj32.exe

C:\Windows\SysWOW64\Mejpje32.exe

C:\Windows\system32\Mejpje32.exe

C:\Windows\SysWOW64\Mhilfa32.exe

C:\Windows\system32\Mhilfa32.exe

C:\Windows\SysWOW64\Mldhfpib.exe

C:\Windows\system32\Mldhfpib.exe

C:\Windows\SysWOW64\Nbnpcj32.exe

C:\Windows\system32\Nbnpcj32.exe

C:\Windows\SysWOW64\Nemmoe32.exe

C:\Windows\system32\Nemmoe32.exe

C:\Windows\SysWOW64\Nhkikq32.exe

C:\Windows\system32\Nhkikq32.exe

C:\Windows\SysWOW64\Nlfelogp.exe

C:\Windows\system32\Nlfelogp.exe

C:\Windows\SysWOW64\Noeahkfc.exe

C:\Windows\system32\Noeahkfc.exe

C:\Windows\SysWOW64\Nacmdf32.exe

C:\Windows\system32\Nacmdf32.exe

C:\Windows\SysWOW64\Neoieenp.exe

C:\Windows\system32\Neoieenp.exe

C:\Windows\SysWOW64\Nhmeapmd.exe

C:\Windows\system32\Nhmeapmd.exe

C:\Windows\SysWOW64\Nklbmllg.exe

C:\Windows\system32\Nklbmllg.exe

C:\Windows\SysWOW64\Nbcjnilj.exe

C:\Windows\system32\Nbcjnilj.exe

C:\Windows\SysWOW64\Neafjdkn.exe

C:\Windows\system32\Neafjdkn.exe

C:\Windows\SysWOW64\Nhpbfpka.exe

C:\Windows\system32\Nhpbfpka.exe

C:\Windows\SysWOW64\Nlkngo32.exe

C:\Windows\system32\Nlkngo32.exe

C:\Windows\SysWOW64\Nbefdijg.exe

C:\Windows\system32\Nbefdijg.exe

C:\Windows\SysWOW64\Nahgoe32.exe

C:\Windows\system32\Nahgoe32.exe

C:\Windows\SysWOW64\Niooqcad.exe

C:\Windows\system32\Niooqcad.exe

C:\Windows\SysWOW64\Nhbolp32.exe

C:\Windows\system32\Nhbolp32.exe

C:\Windows\SysWOW64\Nkqkhk32.exe

C:\Windows\system32\Nkqkhk32.exe

C:\Windows\SysWOW64\Nbgcih32.exe

C:\Windows\system32\Nbgcih32.exe

C:\Windows\SysWOW64\Najceeoo.exe

C:\Windows\system32\Najceeoo.exe

C:\Windows\SysWOW64\Niakfbpa.exe

C:\Windows\system32\Niakfbpa.exe

C:\Windows\SysWOW64\Nhdlao32.exe

C:\Windows\system32\Nhdlao32.exe

C:\Windows\SysWOW64\Okchnk32.exe

C:\Windows\system32\Okchnk32.exe

C:\Windows\SysWOW64\Objpoh32.exe

C:\Windows\system32\Objpoh32.exe

C:\Windows\SysWOW64\Oampjeml.exe

C:\Windows\system32\Oampjeml.exe

C:\Windows\SysWOW64\Ohghgodi.exe

C:\Windows\system32\Ohghgodi.exe

C:\Windows\SysWOW64\Okedcjcm.exe

C:\Windows\system32\Okedcjcm.exe

C:\Windows\SysWOW64\Oblmdhdo.exe

C:\Windows\system32\Oblmdhdo.exe

C:\Windows\SysWOW64\Oekiqccc.exe

C:\Windows\system32\Oekiqccc.exe

C:\Windows\SysWOW64\Oldamm32.exe

C:\Windows\system32\Oldamm32.exe

C:\Windows\SysWOW64\Oocmii32.exe

C:\Windows\system32\Oocmii32.exe

C:\Windows\SysWOW64\Oaajed32.exe

C:\Windows\system32\Oaajed32.exe

C:\Windows\SysWOW64\Ohkbbn32.exe

C:\Windows\system32\Ohkbbn32.exe

C:\Windows\SysWOW64\Olgncmim.exe

C:\Windows\system32\Olgncmim.exe

C:\Windows\SysWOW64\Ooejohhq.exe

C:\Windows\system32\Ooejohhq.exe

C:\Windows\SysWOW64\Oadfkdgd.exe

C:\Windows\system32\Oadfkdgd.exe

C:\Windows\SysWOW64\Oiknlagg.exe

C:\Windows\system32\Oiknlagg.exe

C:\Windows\SysWOW64\Oklkdi32.exe

C:\Windows\system32\Oklkdi32.exe

C:\Windows\SysWOW64\Obcceg32.exe

C:\Windows\system32\Obcceg32.exe

C:\Windows\SysWOW64\Oafcqcea.exe

C:\Windows\system32\Oafcqcea.exe

C:\Windows\SysWOW64\Oimkbaed.exe

C:\Windows\system32\Oimkbaed.exe

C:\Windows\SysWOW64\Pllgnl32.exe

C:\Windows\system32\Pllgnl32.exe

C:\Windows\SysWOW64\Pcepkfld.exe

C:\Windows\system32\Pcepkfld.exe

C:\Windows\SysWOW64\Pedlgbkh.exe

C:\Windows\system32\Pedlgbkh.exe

C:\Windows\SysWOW64\Phbhcmjl.exe

C:\Windows\system32\Phbhcmjl.exe

C:\Windows\SysWOW64\Plndcl32.exe

C:\Windows\system32\Plndcl32.exe

C:\Windows\SysWOW64\Polppg32.exe

C:\Windows\system32\Polppg32.exe

C:\Windows\SysWOW64\Pchlpfjb.exe

C:\Windows\system32\Pchlpfjb.exe

C:\Windows\SysWOW64\Pefhlaie.exe

C:\Windows\system32\Pefhlaie.exe

C:\Windows\SysWOW64\Phedhmhi.exe

C:\Windows\system32\Phedhmhi.exe

C:\Windows\SysWOW64\Pcjiff32.exe

C:\Windows\system32\Pcjiff32.exe

C:\Windows\SysWOW64\Pamiaboj.exe

C:\Windows\system32\Pamiaboj.exe

C:\Windows\SysWOW64\Pidabppl.exe

C:\Windows\system32\Pidabppl.exe

C:\Windows\SysWOW64\Phganm32.exe

C:\Windows\system32\Phganm32.exe

C:\Windows\SysWOW64\Pkenjh32.exe

C:\Windows\system32\Pkenjh32.exe

C:\Windows\SysWOW64\Pcmeke32.exe

C:\Windows\system32\Pcmeke32.exe

C:\Windows\SysWOW64\Pekbga32.exe

C:\Windows\system32\Pekbga32.exe

C:\Windows\SysWOW64\Pifnhpmi.exe

C:\Windows\system32\Pifnhpmi.exe

C:\Windows\SysWOW64\Plejdkmm.exe

C:\Windows\system32\Plejdkmm.exe

C:\Windows\SysWOW64\Pcobaedj.exe

C:\Windows\system32\Pcobaedj.exe

C:\Windows\SysWOW64\Pemomqcn.exe

C:\Windows\system32\Pemomqcn.exe

C:\Windows\SysWOW64\Qhlkilba.exe

C:\Windows\system32\Qhlkilba.exe

C:\Windows\SysWOW64\Qkjgegae.exe

C:\Windows\system32\Qkjgegae.exe

C:\Windows\SysWOW64\Qcaofebg.exe

C:\Windows\system32\Qcaofebg.exe

C:\Windows\SysWOW64\Qepkbpak.exe

C:\Windows\system32\Qepkbpak.exe

C:\Windows\SysWOW64\Qohpkf32.exe

C:\Windows\system32\Qohpkf32.exe

C:\Windows\SysWOW64\Qaflgago.exe

C:\Windows\system32\Qaflgago.exe

C:\Windows\SysWOW64\Qebhhp32.exe

C:\Windows\system32\Qebhhp32.exe

C:\Windows\SysWOW64\Akoqpg32.exe

C:\Windows\system32\Akoqpg32.exe

C:\Windows\SysWOW64\Acfhad32.exe

C:\Windows\system32\Acfhad32.exe

C:\Windows\SysWOW64\Aeddnp32.exe

C:\Windows\system32\Aeddnp32.exe

C:\Windows\SysWOW64\Alnmjjdb.exe

C:\Windows\system32\Alnmjjdb.exe

C:\Windows\SysWOW64\Aomifecf.exe

C:\Windows\system32\Aomifecf.exe

C:\Windows\SysWOW64\Aakebqbj.exe

C:\Windows\system32\Aakebqbj.exe

C:\Windows\SysWOW64\Ahenokjf.exe

C:\Windows\system32\Ahenokjf.exe

C:\Windows\SysWOW64\Alqjpi32.exe

C:\Windows\system32\Alqjpi32.exe

C:\Windows\SysWOW64\Aoofle32.exe

C:\Windows\system32\Aoofle32.exe

C:\Windows\SysWOW64\Aanbhp32.exe

C:\Windows\system32\Aanbhp32.exe

C:\Windows\SysWOW64\Ajdjin32.exe

C:\Windows\system32\Ajdjin32.exe

C:\Windows\SysWOW64\Alcfei32.exe

C:\Windows\system32\Alcfei32.exe

C:\Windows\SysWOW64\Acmobchj.exe

C:\Windows\system32\Acmobchj.exe

C:\Windows\SysWOW64\Ajggomog.exe

C:\Windows\system32\Ajggomog.exe

C:\Windows\SysWOW64\Akhcfe32.exe

C:\Windows\system32\Akhcfe32.exe

C:\Windows\SysWOW64\Acokhc32.exe

C:\Windows\system32\Acokhc32.exe

C:\Windows\SysWOW64\Bfngdn32.exe

C:\Windows\system32\Bfngdn32.exe

C:\Windows\SysWOW64\Bjicdmmd.exe

C:\Windows\system32\Bjicdmmd.exe

C:\Windows\SysWOW64\Blhpqhlh.exe

C:\Windows\system32\Blhpqhlh.exe

C:\Windows\SysWOW64\Boflmdkk.exe

C:\Windows\system32\Boflmdkk.exe

C:\Windows\SysWOW64\Bbdhiojo.exe

C:\Windows\system32\Bbdhiojo.exe

C:\Windows\SysWOW64\Bjlpjm32.exe

C:\Windows\system32\Bjlpjm32.exe

C:\Windows\SysWOW64\Bhoqeibl.exe

C:\Windows\system32\Bhoqeibl.exe

C:\Windows\SysWOW64\Bkmmaeap.exe

C:\Windows\system32\Bkmmaeap.exe

C:\Windows\SysWOW64\Bcddcbab.exe

C:\Windows\system32\Bcddcbab.exe

C:\Windows\SysWOW64\Bfbaonae.exe

C:\Windows\system32\Bfbaonae.exe

C:\Windows\SysWOW64\Bjnmpl32.exe

C:\Windows\system32\Bjnmpl32.exe

C:\Windows\SysWOW64\Bkoigdom.exe

C:\Windows\system32\Bkoigdom.exe

C:\Windows\SysWOW64\Bokehc32.exe

C:\Windows\system32\Bokehc32.exe

C:\Windows\SysWOW64\Bbiado32.exe

C:\Windows\system32\Bbiado32.exe

C:\Windows\SysWOW64\Bjpjel32.exe

C:\Windows\system32\Bjpjel32.exe

C:\Windows\SysWOW64\Bhcjqinf.exe

C:\Windows\system32\Bhcjqinf.exe

C:\Windows\SysWOW64\Bkafmd32.exe

C:\Windows\system32\Bkafmd32.exe

C:\Windows\SysWOW64\Bcinna32.exe

C:\Windows\system32\Bcinna32.exe

C:\Windows\SysWOW64\Bheffh32.exe

C:\Windows\system32\Bheffh32.exe

C:\Windows\SysWOW64\Bkdcbd32.exe

C:\Windows\system32\Bkdcbd32.exe

C:\Windows\SysWOW64\Bopocbcq.exe

C:\Windows\system32\Bopocbcq.exe

C:\Windows\SysWOW64\Bbnkonbd.exe

C:\Windows\system32\Bbnkonbd.exe

C:\Windows\SysWOW64\Cjecpkcg.exe

C:\Windows\system32\Cjecpkcg.exe

C:\Windows\SysWOW64\Ckfphc32.exe

C:\Windows\system32\Ckfphc32.exe

C:\Windows\SysWOW64\Ccmgiaig.exe

C:\Windows\system32\Ccmgiaig.exe

C:\Windows\SysWOW64\Cfldelik.exe

C:\Windows\system32\Cfldelik.exe

C:\Windows\SysWOW64\Cjgpfk32.exe

C:\Windows\system32\Cjgpfk32.exe

C:\Windows\SysWOW64\Cmflbf32.exe

C:\Windows\system32\Cmflbf32.exe

C:\Windows\SysWOW64\Ckilmcgb.exe

C:\Windows\system32\Ckilmcgb.exe

C:\Windows\SysWOW64\Cbbdjm32.exe

C:\Windows\system32\Cbbdjm32.exe

C:\Windows\SysWOW64\Cfnqklgh.exe

C:\Windows\system32\Cfnqklgh.exe

C:\Windows\SysWOW64\Cmhigf32.exe

C:\Windows\system32\Cmhigf32.exe

C:\Windows\SysWOW64\Cofecami.exe

C:\Windows\system32\Cofecami.exe

C:\Windows\SysWOW64\Cbeapmll.exe

C:\Windows\system32\Cbeapmll.exe

C:\Windows\SysWOW64\Cfqmpl32.exe

C:\Windows\system32\Cfqmpl32.exe

C:\Windows\SysWOW64\Cmjemflb.exe

C:\Windows\system32\Cmjemflb.exe

C:\Windows\SysWOW64\Coiaiakf.exe

C:\Windows\system32\Coiaiakf.exe

C:\Windows\SysWOW64\Cbgnemjj.exe

C:\Windows\system32\Cbgnemjj.exe

C:\Windows\SysWOW64\Cjnffjkl.exe

C:\Windows\system32\Cjnffjkl.exe

C:\Windows\SysWOW64\Cmmbbejp.exe

C:\Windows\system32\Cmmbbejp.exe

C:\Windows\SysWOW64\Coknoaic.exe

C:\Windows\system32\Coknoaic.exe

C:\Windows\SysWOW64\Dbjkkl32.exe

C:\Windows\system32\Dbjkkl32.exe

C:\Windows\SysWOW64\Djqblj32.exe

C:\Windows\system32\Djqblj32.exe

C:\Windows\SysWOW64\Diccgfpd.exe

C:\Windows\system32\Diccgfpd.exe

C:\Windows\SysWOW64\Dcigeooj.exe

C:\Windows\system32\Dcigeooj.exe

C:\Windows\SysWOW64\Dblgpl32.exe

C:\Windows\system32\Dblgpl32.exe

C:\Windows\SysWOW64\Djcoai32.exe

C:\Windows\system32\Djcoai32.exe

C:\Windows\SysWOW64\Dmalne32.exe

C:\Windows\system32\Dmalne32.exe

C:\Windows\SysWOW64\Dpphjp32.exe

C:\Windows\system32\Dpphjp32.exe

C:\Windows\SysWOW64\Dbndfl32.exe

C:\Windows\system32\Dbndfl32.exe

C:\Windows\SysWOW64\Djelgied.exe

C:\Windows\system32\Djelgied.exe

C:\Windows\SysWOW64\Dpbdopck.exe

C:\Windows\system32\Dpbdopck.exe

C:\Windows\SysWOW64\Dcnqpo32.exe

C:\Windows\system32\Dcnqpo32.exe

C:\Windows\SysWOW64\Dflmlj32.exe

C:\Windows\system32\Dflmlj32.exe

C:\Windows\SysWOW64\Dmfeidbe.exe

C:\Windows\system32\Dmfeidbe.exe

C:\Windows\SysWOW64\Dlieda32.exe

C:\Windows\system32\Dlieda32.exe

C:\Windows\SysWOW64\Dcpmen32.exe

C:\Windows\system32\Dcpmen32.exe

C:\Windows\SysWOW64\Dfoiaj32.exe

C:\Windows\system32\Dfoiaj32.exe

C:\Windows\SysWOW64\Dmhand32.exe

C:\Windows\system32\Dmhand32.exe

C:\Windows\SysWOW64\Ecbjkngo.exe

C:\Windows\system32\Ecbjkngo.exe

C:\Windows\SysWOW64\Elnoopdj.exe

C:\Windows\system32\Elnoopdj.exe

C:\Windows\SysWOW64\Ecefqnel.exe

C:\Windows\system32\Ecefqnel.exe

C:\Windows\SysWOW64\Elpkep32.exe

C:\Windows\system32\Elpkep32.exe

C:\Windows\SysWOW64\Ebjcajjd.exe

C:\Windows\system32\Ebjcajjd.exe

C:\Windows\SysWOW64\Emphocjj.exe

C:\Windows\system32\Emphocjj.exe

C:\Windows\SysWOW64\Eciplm32.exe

C:\Windows\system32\Eciplm32.exe

C:\Windows\SysWOW64\Ejchhgid.exe

C:\Windows\system32\Ejchhgid.exe

C:\Windows\SysWOW64\Efjimhnh.exe

C:\Windows\system32\Efjimhnh.exe

C:\Windows\SysWOW64\Fpbmfn32.exe

C:\Windows\system32\Fpbmfn32.exe

C:\Windows\SysWOW64\Fmfnpa32.exe

C:\Windows\system32\Fmfnpa32.exe

C:\Windows\SysWOW64\Fjjnifbl.exe

C:\Windows\system32\Fjjnifbl.exe

C:\Windows\SysWOW64\Fdccbl32.exe

C:\Windows\system32\Fdccbl32.exe

C:\Windows\SysWOW64\Fjmkoeqi.exe

C:\Windows\system32\Fjmkoeqi.exe

C:\Windows\SysWOW64\Flngfn32.exe

C:\Windows\system32\Flngfn32.exe

C:\Windows\SysWOW64\Fplpll32.exe

C:\Windows\system32\Fplpll32.exe

C:\Windows\SysWOW64\Fffhifdk.exe

C:\Windows\system32\Fffhifdk.exe

C:\Windows\SysWOW64\Fmpqfq32.exe

C:\Windows\system32\Fmpqfq32.exe

C:\Windows\SysWOW64\Gdjibj32.exe

C:\Windows\system32\Gdjibj32.exe

C:\Windows\SysWOW64\Glengm32.exe

C:\Windows\system32\Glengm32.exe

C:\Windows\SysWOW64\Gdlfhj32.exe

C:\Windows\system32\Gdlfhj32.exe

C:\Windows\SysWOW64\Gdobnj32.exe

C:\Windows\system32\Gdobnj32.exe

C:\Windows\SysWOW64\Gfmojenc.exe

C:\Windows\system32\Gfmojenc.exe

C:\Windows\SysWOW64\Gpecbk32.exe

C:\Windows\system32\Gpecbk32.exe

C:\Windows\SysWOW64\Gmiclo32.exe

C:\Windows\system32\Gmiclo32.exe

C:\Windows\SysWOW64\Glldgljg.exe

C:\Windows\system32\Glldgljg.exe

C:\Windows\SysWOW64\Gdcliikj.exe

C:\Windows\system32\Gdcliikj.exe

C:\Windows\SysWOW64\Gkmdecbg.exe

C:\Windows\system32\Gkmdecbg.exe

C:\Windows\SysWOW64\Hbhijepa.exe

C:\Windows\system32\Hbhijepa.exe

C:\Windows\SysWOW64\Hgdejd32.exe

C:\Windows\system32\Hgdejd32.exe

C:\Windows\SysWOW64\Hibafp32.exe

C:\Windows\system32\Hibafp32.exe

C:\Windows\SysWOW64\Hlambk32.exe

C:\Windows\system32\Hlambk32.exe

C:\Windows\SysWOW64\Hienlpel.exe

C:\Windows\system32\Hienlpel.exe

C:\Windows\SysWOW64\Hpofii32.exe

C:\Windows\system32\Hpofii32.exe

C:\Windows\SysWOW64\Hcmbee32.exe

C:\Windows\system32\Hcmbee32.exe

C:\Windows\SysWOW64\Hmbfbn32.exe

C:\Windows\system32\Hmbfbn32.exe

C:\Windows\SysWOW64\Hcpojd32.exe

C:\Windows\system32\Hcpojd32.exe

C:\Windows\SysWOW64\Hkfglb32.exe

C:\Windows\system32\Hkfglb32.exe

C:\Windows\SysWOW64\Hmechmip.exe

C:\Windows\system32\Hmechmip.exe

C:\Windows\SysWOW64\Hcblpdgg.exe

C:\Windows\system32\Hcblpdgg.exe

C:\Windows\SysWOW64\Hgmgqc32.exe

C:\Windows\system32\Hgmgqc32.exe

C:\Windows\SysWOW64\Ingpmmgm.exe

C:\Windows\system32\Ingpmmgm.exe

C:\Windows\SysWOW64\Injmcmej.exe

C:\Windows\system32\Injmcmej.exe

C:\Windows\SysWOW64\Ilmmni32.exe

C:\Windows\system32\Ilmmni32.exe

C:\Windows\SysWOW64\Iknmla32.exe

C:\Windows\system32\Iknmla32.exe

C:\Windows\SysWOW64\Iloidijb.exe

C:\Windows\system32\Iloidijb.exe

C:\Windows\SysWOW64\Ipjedh32.exe

C:\Windows\system32\Ipjedh32.exe

C:\Windows\SysWOW64\Ikpjbq32.exe

C:\Windows\system32\Ikpjbq32.exe

C:\Windows\SysWOW64\Icknfcol.exe

C:\Windows\system32\Icknfcol.exe

C:\Windows\SysWOW64\Iggjga32.exe

C:\Windows\system32\Iggjga32.exe

C:\Windows\SysWOW64\Idkkpf32.exe

C:\Windows\system32\Idkkpf32.exe

C:\Windows\SysWOW64\Jncoikmp.exe

C:\Windows\system32\Jncoikmp.exe

C:\Windows\SysWOW64\Jdmgfedl.exe

C:\Windows\system32\Jdmgfedl.exe

C:\Windows\SysWOW64\Jpdhkf32.exe

C:\Windows\system32\Jpdhkf32.exe

C:\Windows\SysWOW64\Jnhidk32.exe

C:\Windows\system32\Jnhidk32.exe

C:\Windows\SysWOW64\Jnjejjgh.exe

C:\Windows\system32\Jnjejjgh.exe

C:\Windows\SysWOW64\Jqhafffk.exe

C:\Windows\system32\Jqhafffk.exe

C:\Windows\SysWOW64\Jnlbojee.exe

C:\Windows\system32\Jnlbojee.exe

C:\Windows\SysWOW64\Jdfjld32.exe

C:\Windows\system32\Jdfjld32.exe

C:\Windows\SysWOW64\Kmaopfjm.exe

C:\Windows\system32\Kmaopfjm.exe

C:\Windows\SysWOW64\Kqmkae32.exe

C:\Windows\system32\Kqmkae32.exe

C:\Windows\SysWOW64\Knalji32.exe

C:\Windows\system32\Knalji32.exe

C:\Windows\SysWOW64\Kcndbp32.exe

C:\Windows\system32\Kcndbp32.exe

C:\Windows\SysWOW64\Kmfhkf32.exe

C:\Windows\system32\Kmfhkf32.exe

C:\Windows\SysWOW64\Knfeeimj.exe

C:\Windows\system32\Knfeeimj.exe

C:\Windows\SysWOW64\Kcbnnpka.exe

C:\Windows\system32\Kcbnnpka.exe

C:\Windows\SysWOW64\Kmkbfeab.exe

C:\Windows\system32\Kmkbfeab.exe

C:\Windows\SysWOW64\Kcejco32.exe

C:\Windows\system32\Kcejco32.exe

C:\Windows\SysWOW64\Lgqfdnah.exe

C:\Windows\system32\Lgqfdnah.exe

C:\Windows\SysWOW64\Ljobpiql.exe

C:\Windows\system32\Ljobpiql.exe

C:\Windows\SysWOW64\Lqkgbcff.exe

C:\Windows\system32\Lqkgbcff.exe

C:\Windows\SysWOW64\Lcjcnoej.exe

C:\Windows\system32\Lcjcnoej.exe

C:\Windows\SysWOW64\Lclpdncg.exe

C:\Windows\system32\Lclpdncg.exe

C:\Windows\SysWOW64\Lmdemd32.exe

C:\Windows\system32\Lmdemd32.exe

C:\Windows\SysWOW64\Lcnmin32.exe

C:\Windows\system32\Lcnmin32.exe

C:\Windows\SysWOW64\Lenicahg.exe

C:\Windows\system32\Lenicahg.exe

C:\Windows\SysWOW64\Mkhapk32.exe

C:\Windows\system32\Mkhapk32.exe

C:\Windows\SysWOW64\Mminhceb.exe

C:\Windows\system32\Mminhceb.exe

C:\Windows\SysWOW64\Mebcop32.exe

C:\Windows\system32\Mebcop32.exe

C:\Windows\SysWOW64\Mgaokl32.exe

C:\Windows\system32\Mgaokl32.exe

C:\Windows\SysWOW64\Mkohaj32.exe

C:\Windows\system32\Mkohaj32.exe

C:\Windows\SysWOW64\Mjahlgpf.exe

C:\Windows\system32\Mjahlgpf.exe

C:\Windows\SysWOW64\Mmpdhboj.exe

C:\Windows\system32\Mmpdhboj.exe

C:\Windows\SysWOW64\Malpia32.exe

C:\Windows\system32\Malpia32.exe

C:\Windows\SysWOW64\Mgehfkop.exe

C:\Windows\system32\Mgehfkop.exe

C:\Windows\SysWOW64\Mnpabe32.exe

C:\Windows\system32\Mnpabe32.exe

C:\Windows\SysWOW64\Manmoq32.exe

C:\Windows\system32\Manmoq32.exe

C:\Windows\SysWOW64\Meiioonj.exe

C:\Windows\system32\Meiioonj.exe

C:\Windows\SysWOW64\Nghekkmn.exe

C:\Windows\system32\Nghekkmn.exe

C:\Windows\SysWOW64\Nlcalieg.exe

C:\Windows\system32\Nlcalieg.exe

C:\Windows\SysWOW64\Nnbnhedj.exe

C:\Windows\system32\Nnbnhedj.exe

C:\Windows\SysWOW64\Nmenca32.exe

C:\Windows\system32\Nmenca32.exe

C:\Windows\SysWOW64\Nelfeo32.exe

C:\Windows\system32\Nelfeo32.exe

C:\Windows\SysWOW64\Ngjbaj32.exe

C:\Windows\system32\Ngjbaj32.exe

C:\Windows\SysWOW64\Nndjndbh.exe

C:\Windows\system32\Nndjndbh.exe

C:\Windows\SysWOW64\Nabfjpak.exe

C:\Windows\system32\Nabfjpak.exe

C:\Windows\SysWOW64\Nlhkgi32.exe

C:\Windows\system32\Nlhkgi32.exe

C:\Windows\SysWOW64\Nmigoagp.exe

C:\Windows\system32\Nmigoagp.exe

C:\Windows\SysWOW64\Neqopnhb.exe

C:\Windows\system32\Neqopnhb.exe

C:\Windows\SysWOW64\Nccokk32.exe

C:\Windows\system32\Nccokk32.exe

C:\Windows\SysWOW64\Nlkgmh32.exe

C:\Windows\system32\Nlkgmh32.exe

C:\Windows\SysWOW64\Nmlddqem.exe

C:\Windows\system32\Nmlddqem.exe

C:\Windows\SysWOW64\Nagpeo32.exe

C:\Windows\system32\Nagpeo32.exe

C:\Windows\SysWOW64\Ndflak32.exe

C:\Windows\system32\Ndflak32.exe

C:\Windows\SysWOW64\Nlmdbh32.exe

C:\Windows\system32\Nlmdbh32.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Najmjokc.exe

C:\Windows\system32\Najmjokc.exe

C:\Windows\SysWOW64\Odhifjkg.exe

C:\Windows\system32\Odhifjkg.exe

C:\Windows\SysWOW64\Oloahhki.exe

C:\Windows\system32\Oloahhki.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Ojdnid32.exe

C:\Windows\system32\Ojdnid32.exe

C:\Windows\SysWOW64\Oanfen32.exe

C:\Windows\system32\Oanfen32.exe

C:\Windows\SysWOW64\Oobfob32.exe

C:\Windows\system32\Oobfob32.exe

C:\Windows\SysWOW64\Omegjomb.exe

C:\Windows\system32\Omegjomb.exe

C:\Windows\SysWOW64\Oelolmnd.exe

C:\Windows\system32\Oelolmnd.exe

C:\Windows\SysWOW64\Oodcdb32.exe

C:\Windows\system32\Oodcdb32.exe

C:\Windows\SysWOW64\Oogpjbbb.exe

C:\Windows\system32\Oogpjbbb.exe

C:\Windows\SysWOW64\Paelfmaf.exe

C:\Windows\system32\Paelfmaf.exe

C:\Windows\SysWOW64\Pddhbipj.exe

C:\Windows\system32\Pddhbipj.exe

C:\Windows\SysWOW64\Poimpapp.exe

C:\Windows\system32\Poimpapp.exe

C:\Windows\SysWOW64\Pahilmoc.exe

C:\Windows\system32\Pahilmoc.exe

C:\Windows\SysWOW64\Phaahggp.exe

C:\Windows\system32\Phaahggp.exe

C:\Windows\SysWOW64\Poliea32.exe

C:\Windows\system32\Poliea32.exe

C:\Windows\SysWOW64\Pajeam32.exe

C:\Windows\system32\Pajeam32.exe

C:\Windows\SysWOW64\Phdnngdn.exe

C:\Windows\system32\Phdnngdn.exe

C:\Windows\SysWOW64\Pkbjjbda.exe

C:\Windows\system32\Pkbjjbda.exe

C:\Windows\SysWOW64\Palbgl32.exe

C:\Windows\system32\Palbgl32.exe

C:\Windows\SysWOW64\Pkegpb32.exe

C:\Windows\system32\Pkegpb32.exe

C:\Windows\SysWOW64\Paoollik.exe

C:\Windows\system32\Paoollik.exe

C:\Windows\SysWOW64\Pejkmk32.exe

C:\Windows\system32\Pejkmk32.exe

C:\Windows\SysWOW64\Pldcjeia.exe

C:\Windows\system32\Pldcjeia.exe

C:\Windows\SysWOW64\Qmepam32.exe

C:\Windows\system32\Qmepam32.exe

C:\Windows\SysWOW64\Qemhbj32.exe

C:\Windows\system32\Qemhbj32.exe

C:\Windows\SysWOW64\Qhkdof32.exe

C:\Windows\system32\Qhkdof32.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qeodhjmo.exe

C:\Windows\system32\Qeodhjmo.exe

C:\Windows\SysWOW64\Qlimed32.exe

C:\Windows\system32\Qlimed32.exe

C:\Windows\SysWOW64\Aafemk32.exe

C:\Windows\system32\Aafemk32.exe

C:\Windows\SysWOW64\Alkijdci.exe

C:\Windows\system32\Alkijdci.exe

C:\Windows\SysWOW64\Adfnofpd.exe

C:\Windows\system32\Adfnofpd.exe

C:\Windows\SysWOW64\Aolblopj.exe

C:\Windows\system32\Aolblopj.exe

C:\Windows\SysWOW64\Adikdfna.exe

C:\Windows\system32\Adikdfna.exe

C:\Windows\SysWOW64\Alpbecod.exe

C:\Windows\system32\Alpbecod.exe

C:\Windows\SysWOW64\Adkgje32.exe

C:\Windows\system32\Adkgje32.exe

C:\Windows\SysWOW64\Anclbkbp.exe

C:\Windows\system32\Anclbkbp.exe

C:\Windows\SysWOW64\Akglloai.exe

C:\Windows\system32\Akglloai.exe

C:\Windows\SysWOW64\Bemqih32.exe

C:\Windows\system32\Bemqih32.exe

C:\Windows\SysWOW64\Blgifbil.exe

C:\Windows\system32\Blgifbil.exe

C:\Windows\SysWOW64\Badanigc.exe

C:\Windows\system32\Badanigc.exe

C:\Windows\SysWOW64\Bdbnjdfg.exe

C:\Windows\system32\Bdbnjdfg.exe

C:\Windows\SysWOW64\Bklfgo32.exe

C:\Windows\system32\Bklfgo32.exe

C:\Windows\SysWOW64\Bnkbcj32.exe

C:\Windows\system32\Bnkbcj32.exe

C:\Windows\SysWOW64\Bebjdgmj.exe

C:\Windows\system32\Bebjdgmj.exe

C:\Windows\SysWOW64\Bojomm32.exe

C:\Windows\system32\Bojomm32.exe

C:\Windows\SysWOW64\Bedgjgkg.exe

C:\Windows\system32\Bedgjgkg.exe

C:\Windows\SysWOW64\Bkaobnio.exe

C:\Windows\system32\Bkaobnio.exe

C:\Windows\SysWOW64\Bdickcpo.exe

C:\Windows\system32\Bdickcpo.exe

C:\Windows\SysWOW64\Camddhoi.exe

C:\Windows\system32\Camddhoi.exe

C:\Windows\SysWOW64\Coadnlnb.exe

C:\Windows\system32\Coadnlnb.exe

C:\Windows\SysWOW64\Ckhecmcf.exe

C:\Windows\system32\Ckhecmcf.exe

C:\Windows\SysWOW64\Clgbmp32.exe

C:\Windows\system32\Clgbmp32.exe

C:\Windows\SysWOW64\Cfpffeaj.exe

C:\Windows\system32\Cfpffeaj.exe

C:\Windows\SysWOW64\Ckmonl32.exe

C:\Windows\system32\Ckmonl32.exe

C:\Windows\SysWOW64\Cnkkjh32.exe

C:\Windows\system32\Cnkkjh32.exe

C:\Windows\SysWOW64\Dmlkhofd.exe

C:\Windows\system32\Dmlkhofd.exe

C:\Windows\SysWOW64\Dhclmp32.exe

C:\Windows\system32\Dhclmp32.exe

C:\Windows\SysWOW64\Dbkqfe32.exe

C:\Windows\system32\Dbkqfe32.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Ddnfmqng.exe

C:\Windows\system32\Ddnfmqng.exe

C:\Windows\SysWOW64\Dmennnni.exe

C:\Windows\system32\Dmennnni.exe

C:\Windows\SysWOW64\Emhkdmlg.exe

C:\Windows\system32\Emhkdmlg.exe

C:\Windows\SysWOW64\Eecphp32.exe

C:\Windows\system32\Eecphp32.exe

C:\Windows\SysWOW64\Ebgpad32.exe

C:\Windows\system32\Ebgpad32.exe

C:\Windows\SysWOW64\Eokqkh32.exe

C:\Windows\system32\Eokqkh32.exe

C:\Windows\SysWOW64\Eehicoel.exe

C:\Windows\system32\Eehicoel.exe

C:\Windows\SysWOW64\Emoadlfo.exe

C:\Windows\system32\Emoadlfo.exe

C:\Windows\SysWOW64\Emanjldl.exe

C:\Windows\system32\Emanjldl.exe

C:\Windows\SysWOW64\Efjbcakl.exe

C:\Windows\system32\Efjbcakl.exe

C:\Windows\SysWOW64\Fpbflg32.exe

C:\Windows\system32\Fpbflg32.exe

C:\Windows\SysWOW64\Fmfgek32.exe

C:\Windows\system32\Fmfgek32.exe

C:\Windows\SysWOW64\Fealin32.exe

C:\Windows\system32\Fealin32.exe

C:\Windows\SysWOW64\Flkdfh32.exe

C:\Windows\system32\Flkdfh32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\system32\Fpgpgfmh.exe

C:\Windows\SysWOW64\Fmkqpkla.exe

C:\Windows\system32\Fmkqpkla.exe

C:\Windows\SysWOW64\Fmmmfj32.exe

C:\Windows\system32\Fmmmfj32.exe

C:\Windows\SysWOW64\Fpkibf32.exe

C:\Windows\system32\Fpkibf32.exe

C:\Windows\SysWOW64\Gmojkj32.exe

C:\Windows\system32\Gmojkj32.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gppcmeem.exe

C:\Windows\system32\Gppcmeem.exe

C:\Windows\SysWOW64\Gfjkjo32.exe

C:\Windows\system32\Gfjkjo32.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Gflhoo32.exe

C:\Windows\system32\Gflhoo32.exe

C:\Windows\SysWOW64\Goglcahb.exe

C:\Windows\system32\Goglcahb.exe

C:\Windows\SysWOW64\Geaepk32.exe

C:\Windows\system32\Geaepk32.exe

C:\Windows\SysWOW64\Glkmmefl.exe

C:\Windows\system32\Glkmmefl.exe

C:\Windows\SysWOW64\Hfaajnfb.exe

C:\Windows\system32\Hfaajnfb.exe

C:\Windows\SysWOW64\Hipmfjee.exe

C:\Windows\system32\Hipmfjee.exe

C:\Windows\SysWOW64\Hbhboolf.exe

C:\Windows\system32\Hbhboolf.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hffken32.exe

C:\Windows\system32\Hffken32.exe

C:\Windows\SysWOW64\Hmpcbhji.exe

C:\Windows\system32\Hmpcbhji.exe

C:\Windows\SysWOW64\Hfhgkmpj.exe

C:\Windows\system32\Hfhgkmpj.exe

C:\Windows\SysWOW64\Hifcgion.exe

C:\Windows\system32\Hifcgion.exe

C:\Windows\SysWOW64\Hlepcdoa.exe

C:\Windows\system32\Hlepcdoa.exe

C:\Windows\SysWOW64\Hemdlj32.exe

C:\Windows\system32\Hemdlj32.exe

C:\Windows\SysWOW64\Ifmqfm32.exe

C:\Windows\system32\Ifmqfm32.exe

C:\Windows\SysWOW64\Ipeeobbe.exe

C:\Windows\system32\Ipeeobbe.exe

C:\Windows\SysWOW64\Ifomll32.exe

C:\Windows\system32\Ifomll32.exe

C:\Windows\SysWOW64\Iojbpo32.exe

C:\Windows\system32\Iojbpo32.exe

C:\Windows\SysWOW64\Iefgbh32.exe

C:\Windows\system32\Iefgbh32.exe

C:\Windows\SysWOW64\Ioolkncg.exe

C:\Windows\system32\Ioolkncg.exe

C:\Windows\SysWOW64\Impliekg.exe

C:\Windows\system32\Impliekg.exe

C:\Windows\SysWOW64\Jekqmhia.exe

C:\Windows\system32\Jekqmhia.exe

C:\Windows\SysWOW64\Jpaekqhh.exe

C:\Windows\system32\Jpaekqhh.exe

C:\Windows\SysWOW64\Jiiicf32.exe

C:\Windows\system32\Jiiicf32.exe

C:\Windows\SysWOW64\Jgmjmjnb.exe

C:\Windows\system32\Jgmjmjnb.exe

C:\Windows\SysWOW64\Johnamkm.exe

C:\Windows\system32\Johnamkm.exe

C:\Windows\SysWOW64\Jinboekc.exe

C:\Windows\system32\Jinboekc.exe

C:\Windows\SysWOW64\Komhll32.exe

C:\Windows\system32\Komhll32.exe

C:\Windows\SysWOW64\Kpmdfonj.exe

C:\Windows\system32\Kpmdfonj.exe

C:\Windows\SysWOW64\Keimof32.exe

C:\Windows\system32\Keimof32.exe

C:\Windows\SysWOW64\Koaagkcb.exe

C:\Windows\system32\Koaagkcb.exe

C:\Windows\SysWOW64\Kgkfnh32.exe

C:\Windows\system32\Kgkfnh32.exe

C:\Windows\SysWOW64\Kfpcoefj.exe

C:\Windows\system32\Kfpcoefj.exe

C:\Windows\SysWOW64\Lcdciiec.exe

C:\Windows\system32\Lcdciiec.exe

C:\Windows\SysWOW64\Lnjgfb32.exe

C:\Windows\system32\Lnjgfb32.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Lcimdh32.exe

C:\Windows\system32\Lcimdh32.exe

C:\Windows\SysWOW64\Lopmii32.exe

C:\Windows\system32\Lopmii32.exe

C:\Windows\SysWOW64\Lcnfohmi.exe

C:\Windows\system32\Lcnfohmi.exe

C:\Windows\SysWOW64\Lflbkcll.exe

C:\Windows\system32\Lflbkcll.exe

C:\Windows\SysWOW64\Modgdicm.exe

C:\Windows\system32\Modgdicm.exe

C:\Windows\SysWOW64\Mcbpjg32.exe

C:\Windows\system32\Mcbpjg32.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mqimikfj.exe

C:\Windows\system32\Mqimikfj.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Nfjola32.exe

C:\Windows\system32\Nfjola32.exe

C:\Windows\SysWOW64\Nflkbanj.exe

C:\Windows\system32\Nflkbanj.exe

C:\Windows\SysWOW64\Ncqlkemc.exe

C:\Windows\system32\Ncqlkemc.exe

C:\Windows\SysWOW64\Njjdho32.exe

C:\Windows\system32\Njjdho32.exe

C:\Windows\SysWOW64\Ngndaccj.exe

C:\Windows\system32\Ngndaccj.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Ojomcopk.exe

C:\Windows\system32\Ojomcopk.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Ogjdmbil.exe

C:\Windows\system32\Ogjdmbil.exe

C:\Windows\SysWOW64\Ojhpimhp.exe

C:\Windows\system32\Ojhpimhp.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Paeelgnj.exe

C:\Windows\system32\Paeelgnj.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Pdenmbkk.exe

C:\Windows\system32\Pdenmbkk.exe

C:\Windows\SysWOW64\Pplobcpp.exe

C:\Windows\system32\Pplobcpp.exe

C:\Windows\SysWOW64\Pnmopk32.exe

C:\Windows\system32\Pnmopk32.exe

C:\Windows\SysWOW64\Ppolhcnm.exe

C:\Windows\system32\Ppolhcnm.exe

C:\Windows\SysWOW64\Panhbfep.exe

C:\Windows\system32\Panhbfep.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qodeajbg.exe

C:\Windows\system32\Qodeajbg.exe

C:\Windows\SysWOW64\Qacameaj.exe

C:\Windows\system32\Qacameaj.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Apjkcadp.exe

C:\Windows\system32\Apjkcadp.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Bpfkpp32.exe

C:\Windows\system32\Bpfkpp32.exe

C:\Windows\SysWOW64\Bhmbqm32.exe

C:\Windows\system32\Bhmbqm32.exe

C:\Windows\SysWOW64\Bmjkic32.exe

C:\Windows\system32\Bmjkic32.exe

C:\Windows\SysWOW64\Bddcenpi.exe

C:\Windows\system32\Bddcenpi.exe

C:\Windows\SysWOW64\Bknlbhhe.exe

C:\Windows\system32\Bknlbhhe.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Boldhf32.exe

C:\Windows\system32\Boldhf32.exe

C:\Windows\SysWOW64\Ckbemgcp.exe

C:\Windows\system32\Ckbemgcp.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Caojpaij.exe

C:\Windows\system32\Caojpaij.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Coegoe32.exe

C:\Windows\system32\Coegoe32.exe

C:\Windows\SysWOW64\Cklhcfle.exe

C:\Windows\system32\Cklhcfle.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dkndie32.exe

C:\Windows\system32\Dkndie32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 12704 -ip 12704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 12704 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4236-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ehfcfb32.exe

MD5 a0713bed5bb625a2a8cd3a4e10d4eb05
SHA1 925419bff36a7af3e2e21c8446cf4ce851070013
SHA256 917b740a181f1b2ca9d70d93b5aa1f5e6b86cfacd43f7796f94f3cf4ac147fe4
SHA512 30c140145212dfea5a07e70779f1bd470bd96b02740821bf86e072697abb40a0627d093f03f9aa38fbe4f647e577e82a8e5d2359bd7831ddf23df84e47cd1816

memory/1968-8-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3436-15-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Efkphnbd.exe

MD5 59dca083d42fc2bf4a5c054f4c251f64
SHA1 1d563ec03f9240fea01c4c0082095924fe11e27a
SHA256 91665d5725d67274bb2fa009c7db33b129fa7d2e4c40993963ba97ddd10c5f92
SHA512 1a0fd6a1e6212571740ca27b96a560d8c81cf7067dd4f807db4f8f4cbd637b63257da92c4b4d288be45f0a837e2e54f7d0af90ad56b5f575d28e3db237dade81

memory/1680-24-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Eiildjag.exe

MD5 b3c183c8297a0827455a9b6da8050a22
SHA1 cc41c70c74b768836c67c753f93416a1728a1a4e
SHA256 23f9a2a80519aef9ef62acac7fec0aa94c68cafac8ee898be8a6937594e02d77
SHA512 06f3c2eb8cb5bd29c0536fa7b70666b7d6cb630508ec58a79bd5135c4b08444e4cd11b3e03ba81cd56df2005c6a5cd140a36b16278965b9250e47620658a2ca3

C:\Windows\SysWOW64\Filiii32.exe

MD5 46072222854d831c1889cf523efbfbee
SHA1 422b87c97f1a221cce4dd08849213cea0e8fcfbc
SHA256 277294f7c853efe9121fe741f51f4e218f570b692e96b18bdcbea02cdbe99f76
SHA512 f44660bf5809538ed11988fca494ec84fa87d85e849c386519ddca7c59b6093037a6f4ca229f32237fc22acb3aff391043b2718f39f95b546aca38fe01c0d434

memory/184-32-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Kjcejfha.dll

MD5 849a6c59439a98e67da4b9521354d570
SHA1 9dfd541d05e3bcd910868ea9c3739555c74e36fe
SHA256 07691133684d1c959f78c40937da6f3d862262eaabb9903bc2c6a0d09271e825
SHA512 a9b247fec7c8233d964c4c35f67ba4b8bf143aa74772634e080f91aadd7be2c3633bc8f0ae82abd01fb416301e9c15fa37a3bdfc5b92b11563f2728ded82aa9d

memory/2004-39-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Fgbfhmll.exe

MD5 c486236c4b11e7609a880a388a897743
SHA1 4a880113ad95a249e9719f9d9d8170e7748a7496
SHA256 f046cbefd71089c8c184a0c793aa75ec71bc94a70f364d854ffb61e7835d1ef0
SHA512 8be2a4d82b7672bc27d0e6a5bf8c9aab499ea763c839c99c29a08dc22d52902c7dc91b3c197d0d137d49f432c4d68046822881f2902bd5f9a1f5f51f06788cd5

C:\Windows\SysWOW64\Fpjjac32.exe

MD5 2054382ed12ff23b291341139fa1925b
SHA1 ad4da162d737b53cc312edbd27b30e7901bd06c5
SHA256 e167041bffa24afb098b72a1e79e1f37462528ac9368191c09f1cbe90837bce5
SHA512 d004411bae6987ad5340a50035cdd60e98a01ab97d7e9760b26b81e9890828e77ee3e4628af2bd063738852c69c16744bb00d558b69c148dddfb5372203c555a

memory/4004-48-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Fggocmhf.exe

MD5 c2a4fb81846f46bd980940d4c1579bee
SHA1 71530886484acbb277bbfd6affb5428d68bfd088
SHA256 c38838d69ca9edf4516f0036483c0bdff6407911fd03f67f913e2cb1d2a018cc
SHA512 df7e22f8f56ff1d429799d20d7568febd5ca9c8dfe50b590e313c1ed3420ed86cb27b2ad6de9a7779f887c23d3583632936a14506a7d8eb3716c61053bf4b7c1

memory/2400-56-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Fpodlbng.exe

MD5 27869c2c56d5aa901504767c0e1a7e47
SHA1 f94e11034bb8373c89917bc6e4e86f9984061af5
SHA256 89805fccca34028e9f391730fce68c30764a1f04141f5a0eca27546b2c219d87
SHA512 26163389b8975d2e719fe4efb17370828fd40cc3fedb8cc97774f2f496cfbd84c83ad39aa1ce8d979c25df5dad1f1b634ef00dd282bba50eb35c11411dd184a5

memory/1888-64-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Gdmmbq32.exe

MD5 a38fca6db76d619de17357ec9af43213
SHA1 500baccc32e1b32f406fdf2ced718b80ac185ef0
SHA256 9916d5a67e770c9a43a35d56b068beef3896ba38d287c0795f5bef3e8ad51c58
SHA512 76ffa9600ad1e0eeb36b1794672987698056354d747ffb86b35bd97f0ea37bc754011ade39bf9414c3a888a94ebfc737851a7069d74d726e5c86d239e229a45d

memory/1480-71-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2736-80-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Gmeakf32.exe

MD5 04a100326d7b642335d1e628fa64d6ce
SHA1 b7f3942a9f47091b4787b9c8ac82fdedb2015c8b
SHA256 64f848067ce25b1d167597f189c0548d566d7a00c7529e4437c39d0c16951d7e
SHA512 3dd872d9f37b28fcf87bc27884cd5246c1816d767e79944f9e2dfd6b30455d463a9cec358fdc3f4e99f29da2fbf294f291f4ae971441ce2ff3b1d2b442dfd1f1

C:\Windows\SysWOW64\Ghkeio32.exe

MD5 3cee11cfd83bf2d96ea7a17bf5dab07e
SHA1 21163aa3b5dfa24b319f94bb144dd2e0275654b7
SHA256 22c3a0b5cc83b5470c5a2a7d1f50fffa11efba1c66c45c127572993f71a3d573
SHA512 27d0642d1b34583e751666d099de689ac75946c48a4644593d9301daa349f70f059d1c38b80f0d1741ccaa8ea0480dc13fca466aaef61fc12b6ba2971117e7c7

C:\Windows\SysWOW64\Gkiaej32.exe

MD5 5633cff1d8312cb022ba10fe36d3dfd1
SHA1 0cc899cabacbeb72a390010dd51d682ca2d569b7
SHA256 8d31f5257288e2cf627f5a2602325b7ba713bd1c585cc2448da5806821d72161
SHA512 660863e3efaee92d6e8b1a3000eb0b8fc419ca0750608f41625f3130575e046915539f4ea32b3a8fed3a22b182406acb3f43c0f3b66f4ee28e0696ad6e4e5354

memory/4544-103-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Gpfjma32.exe

MD5 b894913978685e58a6b76c31527c3678
SHA1 4126aaa129d476fe71a76292a847a2f89353bc6b
SHA256 3f98a11c97b802ba95cf298fdaaece71e419f13300fcafba3e8cdc635b81111d
SHA512 5593307e9658a9c2beec26eef45a38e74a2ed35eb813561598bb805b5f1a89def63b16ad2b5c4a0c649ed4646987c8e9ee938531fcf36c35db6bda8b41292720

memory/1948-116-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4552-140-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ggbook32.exe

MD5 1b9f93674a396b2e31cbb536bb4b9c1d
SHA1 9c1d8c105b109f7231cd941f4ee657bc6a5da4cc
SHA256 290ad53d2d95fabaa92d9fe3692a9ff50b6913645c20bc9b5a48dd68ee50bd6a
SHA512 c3fdcad01f10a970d33c47d893bbe021d7ae2d149355708c8b3c908e55a33c231dc470130fbfd7e3df3fab069e25f479f137fa79e8465ed95bf51baccaed198b

memory/2992-196-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2076-228-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Hnaqgd32.exe

MD5 721f8ecf08c9cb786db630efd398083b
SHA1 0fadc7b44d33f306a663eb7f68be110d5e12b490
SHA256 b55099bbc30f0c33538f78c4284ae8732c4cd6879d8b57545fb807b66e627640
SHA512 ca3ef4643b65c58af523a90d4781e4f2b634241b3c0a742c74562187fb0841895523ff1371b7783cad5695bbec8854388154bc5e4b20daf0f44e19460692c400

memory/3960-278-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4324-308-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1772-374-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5292-452-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3504-598-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2400-597-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4488-591-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4004-590-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4988-584-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-583-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6104-577-0x0000000000400000-0x0000000000434000-memory.dmp

memory/184-576-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6056-570-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1680-569-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6016-563-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3436-562-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5968-556-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1968-555-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5928-549-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4236-548-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5888-542-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5848-536-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5808-530-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5768-524-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5728-518-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5688-512-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5648-506-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5608-500-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5568-494-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5528-488-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5488-482-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5448-476-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5408-470-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5368-464-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5328-458-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5248-446-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5208-440-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5168-434-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5128-428-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5108-422-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4276-416-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1484-410-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5012-404-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3696-398-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2044-392-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1652-386-0x0000000000400000-0x0000000000434000-memory.dmp

memory/100-380-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4416-368-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1744-362-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1060-356-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4824-350-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2192-344-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2396-338-0x0000000000400000-0x0000000000434000-memory.dmp

memory/752-332-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4064-326-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4012-320-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2480-314-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3128-302-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4984-296-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3648-290-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2136-284-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4480-272-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4260-266-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3956-260-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1096-252-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Hkbdki32.exe

MD5 c72c7bf98895d1fce9ec7e6e3da4dae2
SHA1 67e8417c3d9ab60646ca72e168978f3ea1fb6309
SHA256 7aa26838a4c8c84cc0cc83d058b1e920a83456ed916e24d2c7681e4f0e2697fd
SHA512 a086d2bca55011282d75ec507734293d4886d80b80bacd5d48194c31b432af4f6a243f743cf06a076aa97d8f521cd3d5810eff5e60a01fff7c89af126a9f40af

memory/4412-244-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Hhdhon32.exe

MD5 5fb72fc8abf3f55975eac28a2ffce186
SHA1 8b1e8684b11e13401590984f0e70e63e6a64a04a
SHA256 e4037271b00bc4573013f16969a8d39a3f0a6b45df0c6677520dc8e7f7184c74
SHA512 703cdb38454bcbd4a304d7bcd03073c2a880fc85b28efbadf4a50ab018094b267a98a0d4ce30b7f74f37d5a59db3a4e2b42906237e0ce0bbb2cd7638161b7abe

memory/4020-236-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Hdilnojp.exe

MD5 68cd4b6edf2d75f49bebddb8afa5b120
SHA1 e28318bea39d2273b32d0dc8508b1e9d72e9ffaa
SHA256 87059cef27ffe4160768a4ae5720c06e6223d38575c79b310942c8efa3a6fb9e
SHA512 298add54ee04516ea3f6eab499e959dd8103bbbde2fe77d464c0d191d043c087ccad05815e5d27350e86262cd4a60558e8be5a8835b82af8555a4988114a47c4

C:\Windows\SysWOW64\Hajpbckl.exe

MD5 b85f1ce385768cee1102b8d06d251947
SHA1 039a45c5370f5f0488c034f4cf96301a1ac81092
SHA256 2d9223dc6c5827753a9affd467959abd5e1c686951cda59e5a6051e3ff5468fe
SHA512 067d6a1cb787c9aa23a9a5bbc300ffcaa5825cdfbc35bc737fb6ac85e062bbdbdad115cac72b74600b989af13dcc87e15f88b6c66b64180d2b2ad24e923b9f62

memory/432-220-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Hjchaf32.exe

MD5 0127e99f9135ff42bc139f64b76402d0
SHA1 e6d28ae348ddf9467fdcb4b42e1f9c547c09d09a
SHA256 8362a0930dcf324f9d55ce89384aa6099072fb5736a923c88c3daeb81dd6a2cf
SHA512 a3db4942292ae14eccb1c1b038630511e660c4ad3672b7d3235beb22022c3e93456e83bf037222a887573127f448834f5ffa7fae195331a2845c83e55a1a7209

memory/3084-212-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Hkpheidp.exe

MD5 8b5eeed6e1ea31e6ed0bbece015f0a44
SHA1 c2689060f9f5d080ce4323a2282a3a3a22d48e8d
SHA256 7a62a8c4aca54dd69da6bc31498d4d9ed166772b74eee8db03c2b22dfd1cda0a
SHA512 144d2a0b85b4fd014a779c53bd43a388004a7e1c6dbbde431ffd0bf4df66fcf570924eca64437e49da0b5afa8a37d67957ebe4307933d212e943eb73099f1fed

memory/1180-204-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Hgelek32.exe

MD5 a6857b41085bcdd298826d402d9d43ea
SHA1 dae57c765dd8e67f25da17886e5d3e6a3a98cae7
SHA256 963f2e340c34a2ad97dd4074ed3e90412dfa8102a648db8a1e8e6f19275b3f19
SHA512 bb4dea9bee1936dab8975b19f94bb2cd62c9ddfab51fc6103563cb543114f7b9663a466b2146a10d5e10078a98793b9d487bd5f11e653707103730d3c6acd342

C:\Windows\SysWOW64\Gdfoio32.exe

MD5 917eb8590ed54c9b50f50494014735ff
SHA1 35cfe0aef10acb140e2bbc1c5c873c1853b4b732
SHA256 66752ef669beba31598c4d4761b74e73aca6854a68b06da6179a2f2a42b23324
SHA512 7789cae6eeebca8bd2edd147356f80994ab26691003d51db6ea9ea36f9f24845d21c08a96f8b36d2a3df7d83bbd0b9b818a3de4637def05d0d22d75eaf72eab7

memory/1188-188-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Gahcmd32.exe

MD5 8443dc8bbc2932371b9ee833d700f595
SHA1 f07e201ec01dedbe7d35818cb4dd9056e77a1eb9
SHA256 a4f433dd19104941421b8805ac7648d0ee696254bfb19b10d2c112a1adb93909
SHA512 b34a9a3ea26ad504d724e86a1c2a312da5997cb89f76d2262e38ffcb63cdbaacbd43e49a3cffe560ad341fdd74f5e7fddabbf2a78caddd0551859b28b4ec6887

memory/3712-180-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Gnlgleef.exe

MD5 7834d54ea014db2ff5f77da1ccc8f574
SHA1 d4147d0518f4cb168ea3a5a0dde3bee7b03e2c42
SHA256 8117251e8fb386ecbc49b727ff1a5f5f4d1304d1e76784b6e9b9478355382746
SHA512 cfc1f94018a1fdbbe5cd91f1a6bbaef86376b79eb657adfabd615a623694aa4c0e3ac7881c6dabdaa99b3285c8e90cdda3ccdb95030233845464d54c8cdd7477

memory/2724-172-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Gknkpjfb.exe

MD5 40450586511c48d6a887c7775bff7c6e
SHA1 36afaa2f01c6a9dff66636cc8d50b58687f07176
SHA256 5b6cc709bad9cdbfe39efd043361fca58fcb198d5a9bd321253b9a574c5847a8
SHA512 7818eb03816bc86f0bf988837cf77b91184cdb43984362f1f3488f0bae8043ad41b809c04160584fadf20e0f8f82694e83835d0f75f38747333b7d0106b7565c

memory/756-164-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4440-156-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Gddbcp32.exe

MD5 353602f7932eb9ac2d1b82b7d846141e
SHA1 73042becbaf369816ef9dbc510191940898d8044
SHA256 34ad8b9b587d2d48d4e7a72bee64ef0cddbd413616451cf85aa4c12218a272a7
SHA512 33952b8941a5ac0a526e5e9fd96d475d9726b7df9cdf473e941e7f57bdb5b37dd37540dc3c281a844a0b8579bebb2f00ad5f554223ddfa26cfa40ad59d65b02b

memory/1852-148-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Gphgbafl.exe

MD5 8c7d92c2f1fc4096eabbd56bea7bd1ff
SHA1 076ac1aff46e4a3543e2626ac5208167e20a0a54
SHA256 7c4cc6e9e5c3c8757abf7cd071b885e9766a77b3aa4355267062df1db1d74d1e
SHA512 06e8567b939cb86201c39ae982b5632afec04e17b4d9ffb766a1bb75fdac370144d4e34a43c2618670cd89052a2c3d2af50161ddc2d3306200e70cfde30af22c

C:\Windows\SysWOW64\Gnjjfegi.exe

MD5 c43963ae27e67675a29a67d542d50066
SHA1 1d2c9b273f5a366af64a6071d7f46bcc72a4644d
SHA256 8e91fde843b5ad8f3d13d1f7def3b56b4f6430a7eb0bd3b481c9a28245506ee1
SHA512 01ed3c5436bcb2d078632af70d860395361f6534ffe919caaed3c064f72608b91d7c1a8c4dc21a18c9de48c522ead03d4429b9c82e40d64a31454a30f5ba274a

memory/1072-132-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ginnfgop.exe

MD5 88a012a8a2a412961c6d1c02aed5cef9
SHA1 c0733ce0dac07fc7d682ec04099da0c0ebe8bf0a
SHA256 e3913aad17822358fce8eb444455119b2963033de104ada7bcbca0b492ea7f46
SHA512 2c7d0f23309e42f1b7d9a0e6f7185095f7534882743ea3e89b783e1c8b67d3a61679ff5e27ff9f0c24e6c8811a60b2e6e80c451e8baa23f8aed1f8c3b6c55a8a

memory/3500-124-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Gklnjj32.exe

MD5 9aac100ffc6ed60ac445cd4937b3feee
SHA1 fcf7ab5c79f61936d080a40260e4ffed6ce98c75
SHA256 7fde426f61068c02406da2a974600e8d8d6c9c077709b7bde3639553a7e03ed1
SHA512 2436bd4a5c20b25625b01b7d0109b234c816d683f2069c436cac6d165696a651960a68d63890e98c3a7cd8fd12faf267a93b2f6c1c7fa01117064ac17028b79b

C:\Windows\SysWOW64\Ghmbno32.exe

MD5 50af2ad9acdabc567e46aea577973177
SHA1 f8109171833ad5ceb6c166654e1ce91e45a6b9ae
SHA256 5df5d1cd13c9c3ae2e2e8acc8309f0d205139610e72f7eb0cf62a223e45b7a21
SHA512 d76c26502a7e9621bf76d77b94825abae3a6bd3b1815220ea8b54da9398477d04737042a466d6830a9a32a5f5d534fc9b8dfb13971b98feb674ece3faa2dc18f

memory/1248-100-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2776-99-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mldhfpib.exe

MD5 ebd94e6c1f173727b85ff7b8ea66ed44
SHA1 f91457e608ef9bea496c35ac7b3111403eb06477
SHA256 f009e9a8b6d432ea828c8d1b047585df1819cd13f6df369be1d00f4ddbecee38
SHA512 673988e466c95a3f19e81e6761bf2779e522dd4a509b442f04a3ab8d74470213a008a7409de0c71c0a2148b38c3219ca5b77ea36c552f8dbe4ad523db3546516

C:\Windows\SysWOW64\Nemmoe32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Oaajed32.exe

MD5 2ca7d4989e61f21109c484df2af3ced7
SHA1 2c388ea572bc13499c34f407cbf96ff9405bbad9
SHA256 49a7b228d171959416e25b485382080ff8974067470b0be3427806f9a443d5c5
SHA512 0873cf5fbe5787f619306f9335d9c6aacbf6137d5254ffb85187919947000f6a9a59b9ba0984322f659b1197e05ad0a584653353ac42d6cd5589fec3a60175d4

C:\Windows\SysWOW64\Pllgnl32.exe

MD5 e084178348b0bc95b7ba0056808760d9
SHA1 d6660f054dbeaaff1de9570e8f51e00f8e95ce07
SHA256 95a7184f079e8294e30d8f5d1183f39ab3a4b84d421013d39c4a918f4f48ce67
SHA512 c11a6269915cd358e2c487e98a0520e9800cbc267f797213762bd22007f88316717df5464af0448986c8a9c476d87ac8bad8482ac1e60e3790db4421082dc43f

C:\Windows\SysWOW64\Phedhmhi.exe

MD5 492b1aff9dfeee3d4fb99e1eeb6a2bbe
SHA1 2d7d3d5e45df554edb2b46a3318e08f47c151402
SHA256 d276119955984d3569df76a9875b451d29e7953e1c36697c0d62953549573fe5
SHA512 af427875db74c356d7a46926b305eafabcda9a7a07684e2673e1a964ec6a7afa6e53e746fbb95422eaf19d100ac11d58d0acb080e1a844df3d9640753662d83f

C:\Windows\SysWOW64\Qepkbpak.exe

MD5 09cbb759a00cd14ee0f9211573d87cac
SHA1 5f094c98b90a3081148da0623fea403d1652b0fc
SHA256 5d9f8d725b8b5b987ff8dc2a1cea404d8af538c744f6a89a55f831038055bef7
SHA512 1d38b23ebfaf4141cef7a0cd4f696422c0d1948e7f3393a956c4333a1b577301da4dc10c21f470f29ac3a13810614bc28322f1f65d010b6036e499cad1cdbaed

C:\Windows\SysWOW64\Qebhhp32.exe

MD5 f75e6c1c6f441aa5f8abe6c130722d94
SHA1 cc22dfc3839cba849b7c2107dc78651c28cefe9a
SHA256 eec82026ad36ce0b651b59fff89d1903e4aecda803bfe922e322463f01d6ce81
SHA512 e99ecf019d364ec590a8b1e67f58985c814523cb9f7a45b8899d0e41c8b93649c5b92a5da9cf086c6e7810321a56f541157dbfa6d85490792db97887ba6469be

C:\Windows\SysWOW64\Bcinna32.exe

MD5 ec60097da4fec837e237ad456067ebdf
SHA1 c65ce3e654e223442c1a489eb29b7ab2022488d5
SHA256 5872ccba6a0ed17e109cea0f125034d085824c37d19fc483a46993b09d1f4c16
SHA512 5c73acd633373a6872db5c770da0f30d698fd1d9592b62fc19b099f5501ad88b7b7f963f36a097719e52dc92d9f06b3e7fe61ae87a62a8634981d9707a07d0fe

C:\Windows\SysWOW64\Cjecpkcg.exe

MD5 b79a073dcb74300951947b0afbabc58f
SHA1 b615f725ac37c1103f1bbe377db6ec09b9756cef
SHA256 36a86a7d8636960c35a0b57bc271fbda83c06e254db4c2746facc11bb4a8dd0c
SHA512 827a1a85c1f29f9fce271bf82b01e170ba68bee8b00c5d6338df2c92f9493a5a5f6a4a870573dd5e51277a792e5d85de8bbda60edcbf7f78b6dce135ebf4ca33

C:\Windows\SysWOW64\Diccgfpd.exe

MD5 d31dcf3f93614f2d0ceffd74cf9acee9
SHA1 3e3c4cb7f26c817a833fc85c87d45e29f558b149
SHA256 d74067c8f2915f637ee4d2219b6eced2033916fc3741d25676ed039e91b7d4ac
SHA512 8488306f59cf24236e5301565ee12c771aed02593e46773c2f2542d8aebc585a03f42a97a89902b8aece44f4f519afb21abe6ad381b400bbcf8521026c117720

C:\Windows\SysWOW64\Djelgied.exe

MD5 f30820f821d678cb9b68dca25fb77289
SHA1 aa758f4c4a1c45a8a40469c1d0dda0010aa295ae
SHA256 825c265a6e04558bf9f7dc1067ce11e198b2ce932680fb9b88abf7b3fbe97e82
SHA512 5e67065b22eb5cdf7495b32b46c95aef0f2bb1a7c53411a7f25a95b5480d3b1181b28ee6e6c45b828028f44b40cd1b961b1bd753e8b44f3df7193f8cd05e0652

C:\Windows\SysWOW64\Ecbjkngo.exe

MD5 20ae76955f76f9652cd546ec036adb01
SHA1 66c4708aad1166bb021119b5d7bcf8dc500dcfb7
SHA256 5c788cfa4a560ed1ec05fdc8f59cb357991d30227f29b44ca10c8b5de8a38be8
SHA512 0f671b93ecec2780496bdbde314aaa0771a3a27548c34a57d2007827a2c6bdcb24b98608df69fddfea99956e788c4d2642ab0745c50396c92f07afed850d77ed

C:\Windows\SysWOW64\Ecefqnel.exe

MD5 f588d313e2652ed6196275ce9b63f930
SHA1 ee6d4578bb29c14e89f7d47a53d04f135feb7973
SHA256 0be2a8aba37a3b6ac6473f669963362914f8fb85e35c8841337fcfff0efc8be8
SHA512 c8cb7043f01a3808f9637c9ee0a64a8cb1b699c76cb8809bad419c6710a3f0ab9a18f23254bad1e39e40e6dc5a19f013593564afbd1ac17ee9c49e3ed295a940

C:\Windows\SysWOW64\Efjimhnh.exe

MD5 41b411205ce0197bb785b2f8e9892a4e
SHA1 3aa62b20d75695045d43adf5b3a0c3247947a901
SHA256 a697fb33bd6aaf4bcd99af085ca040108a4edbf28e2b6bbd551755468e005b31
SHA512 29189af5787d5c7c973b1163aa21cc55cc18fa1f86d9a968212373a81c7f9bfd702aad8daf2c5cb4e0d95ab102cd6c186097b358d3edd4bc0ae9fb455d09c032

C:\Windows\SysWOW64\Fjjnifbl.exe

MD5 2a5b4cd9755bea3ec6fee042cfa294d5
SHA1 568b54aa57254e7e3b739b431f02b40b0e4b84e6
SHA256 2e00cba501e3efad16a283756fee4cebfd1e7d1f0a31e14ff10fb801ec564539
SHA512 1296ff440bca0ab7b008212130df25cb88aba3f9360363686a13bc5005ab9a9cb1c9ebf8105bdbf1714e53ecf7f06f62dd87064cf38ee5fc334edbcafbaadf74

C:\Windows\SysWOW64\Fffhifdk.exe

MD5 c1c0cd6ff8b346ca73a35652d0fb5851
SHA1 25340afdacaeb53731f4ef5f99bfdd801af277d3
SHA256 ab10ee5fbf47031167d064185b911447bb3a58d32776297350a758b6dd891f5d
SHA512 e9a6db5a7bd5d3637a4d286a533b577d2b7ac960157b49a20b63b546845af08c0d8a9124174f31e001c3a141453a6072180c23233455d13dd37fdbbf00612229

C:\Windows\SysWOW64\Gdjibj32.exe

MD5 eeaf54174524a9177fa760b280f78012
SHA1 e34baee6b1400d6a6b5ea5c657e54201f3717893
SHA256 6f4a0782fe976442ca5805596a730a103f075124f03b3398b028d202136fca5b
SHA512 dafc3ec714a8ffe6580214294128d451732656db9b199a3e5111ebab54898b00debb9f76f3132c3949776b673873d5506134b4e6e503e354762ed1a96b4fad57

C:\Windows\SysWOW64\Gdlfhj32.exe

MD5 857c7ed6fbd96c3dbc0be7e070b724ce
SHA1 7a36171aeafef4ff77f1f191f7073c1f90019b58
SHA256 2fbbf6374544667079fefb72a27fb21de5f2566a827a2ba90a0a3c45264d6882
SHA512 d7cd113d9d52db7f54a67700b53c110c8bd63f1c1496b58379b908e2388f7ddea2c07fbb0800aec58cd99f3d00d9d61d5d235777bba0afb6fa9d1adafac362bc

C:\Windows\SysWOW64\Gkmdecbg.exe

MD5 57cc08b76fad460cb41fb1430575b35f
SHA1 e59c11e74d6462b65fa4cc1491a72ca1c34b67d7
SHA256 ae4bd2d4266bef5e1abb425bec2405dbec2c5b4af916a0842ba65f168de87127
SHA512 ce942b81da0efbf34207c9304f36e2f7a7f4a421f5a1f95de9f0d02c2ae624b89acf2a12a9132f221b09cda57584a04a8893f5c64f796bb7256c830fecd99d33

C:\Windows\SysWOW64\Hmechmip.exe

MD5 bc5d7bea78900259dba92e085ee7de3c
SHA1 d9043d65732f9195cb44af829b1cce5caa91d27f
SHA256 b8a3f25c1b73d054dc7fbd770cb7ea3e456d265e5b6fca9637992cec02c5b605
SHA512 8a2e17ba3d7c0b6280b3a1c410ef12145aaaa88cc00c496e25b8bc3eeb9a563c54ff26b21e4c5c8c2a7b8cb1071a8086dbf4b3291ff5e4784935765c0e92dd9e

C:\Windows\SysWOW64\Ingpmmgm.exe

MD5 f69bd05c84683677ccba15aa44aac443
SHA1 3f8157b1b0ee1609fba27157e9450bef97fdedbc
SHA256 6ef0710a848d17d94528f6f4bac0a2d6800de95fcf401beb65fce5448c9dca4a
SHA512 bdb05e6e920d4e052b0af139721d251617f88e6753f85c07a25c11284b42259ad5bf3ff8669e18913fbf978dac04ec9f6ac54bb969696106771005c7836f73c5

C:\Windows\SysWOW64\Ilmmni32.exe

MD5 3e715d2232a816ab1acb7df57fdbc2c6
SHA1 610cee660bfdc8f39bc4f0a597c9971e74aa4c3b
SHA256 233f757e82ad2eb3be6523db6bdb73d713ded69623ffa1cf98e4d7321abb7cd2
SHA512 9f509dbfe75ec2b7e851bb2835a9ee18e7ce881fb83d744d11407f16ab526f6669e6a76dd45da4f5508928b3a688138512fb192012bc0779b40faeda7c475f53

C:\Windows\SysWOW64\Ikpjbq32.exe

MD5 27deb4d7ec7cfea14f730125c443c712
SHA1 ba84ae9365cab629408b208d21e2cdb554255210
SHA256 da7950751fd16d045d399c47e83408572babec0bda601c1bc3e46ac7ae7b19aa
SHA512 24303d05aa2f19e48682a7e4972509a71d01f875bc0d4bd00f88af24d6b76c2cc00c36c9e7a19cc0808582048855e1d5fc4badac38e1e2a746919e95e3fb414b

C:\Windows\SysWOW64\Iggjga32.exe

MD5 8cde0b767f1d69e33ac444b290a4d9d6
SHA1 1d5242efa05db0b9fc5b4f8c1cd8c201f58bd184
SHA256 52dfa45b7d74d144dbad53af78c3ae9883fff0941d7053f631c9a1d5640cd019
SHA512 a4dff30ce986d391ad3cccfa08b908fdc905ccdf5b43eec9556b62cab6fd510933936f25cc151469633023c76c200b72e4ed2f4263daf4de82dc15ee48619948

C:\Windows\SysWOW64\Jdmgfedl.exe

MD5 54ee4f9fb5891e0bb75d6ea12f58b757
SHA1 fb057d612c3240e442ecffffda002ebaa6ee5462
SHA256 fdfce4722a962b9e120ed5e0a6ec3c830f677f2365ef868bc9a962efe80a6d7a
SHA512 d334c86d8398f53af318a243841c73314026ca42f901108107fb66e633af34732351090528157b104357ea65a0dea2205b615000833a9d0021408084cb661aed

C:\Windows\SysWOW64\Jnhidk32.exe

MD5 4d857fd275ac1a73d317ed9905c3c211
SHA1 7b5d8fff19aad35911391502be3b1ea8155d7a15
SHA256 ecd7f91629ec29fe35c89c1953b30f49af1385795dd62a52a1a5de34512faadb
SHA512 fbc59aca8b530377fe00d41d94fedb2e1ff12742e4fa9681c01e59771635347c01a18b97acc8ed8158214d502b16eb34e1c1df5aa8b95a164880684766390d70

C:\Windows\SysWOW64\Jdfjld32.exe

MD5 f6be60d544d11002b733d430633d7783
SHA1 f971c6355913db9af0a40993d9acd310128204b8
SHA256 e4290f5a10496d33ad814a34086b4b2743ba7eaa798f444b62d21741e774d363
SHA512 3c6fee3e6707b6558276445b2a5253a790a1a68902a997408e89ad13051087dc21e474f3cb9bf0d564a4145c09fb243e54b9cb07c12f378f551c326f49c66a82

C:\Windows\SysWOW64\Knfeeimj.exe

MD5 afc4507d75912f3ad31d11fba132cab7
SHA1 e114fb22138ef786f38a2e8136a4bed3ce52a9a7
SHA256 d6149668bf2a60d2a6c2fc61306f4d919430f108796e6bc7cae20d84cfbbfd35
SHA512 4e5a5074650dce3482a5f982a3c1e10316cb2a21af95eec80bd4c1552d7470d51b744a7eafd57e9260dd40e27383667e2e05fde0027f7c7d953fd685683bfe19

C:\Windows\SysWOW64\Kmkbfeab.exe

MD5 b30211b80f303c993694c9f6f0091be9
SHA1 4f1ef77419f998152ba241ca8cc8edfd9043b11b
SHA256 cc8a33f181424d7dccefd700a37934c159f6a689bbe17be4eb770b5401495ef0
SHA512 3d1a2c0539239cdd0e4a368ff40245ca23f70f95521a61bb560bcc4a6cb0ba95066a053872a685953b723ff815b4b9ae9c1c3253aafb41da4a8436381c437b54

C:\Windows\SysWOW64\Lcjcnoej.exe

MD5 7f309d1c05eefbb5384539c73f1c4d63
SHA1 525866ea83b5b3d7dbc4be3732d9112f20407c3e
SHA256 c43afe61c55788d0e488a26dc0e13fee4c97c5ccc5c8a2b6d06e46991b5b3a8a
SHA512 ca51a35d2469b54003f7c76c6a51bfbad52612dd1144161989e55bc462210f55ce8f3c09ccff69b14e13ec5fbbe7deaa85b3c47652822d164522a17f23acce75

C:\Windows\SysWOW64\Mminhceb.exe

MD5 e12dc2399cef0a8651debdf5363110ef
SHA1 ef1243f6f31f7749c7ac17131d428c472942529b
SHA256 c1678effb75d932f070d70a75eb1ea27ba032d2f2daa04dd6bba4a5230f9b624
SHA512 2733163628b0bfd974d9e3c5a73ab637d99ad08a7ab771128446c9cf689635864433eb68d424cf6e1b5278ac383944c434da456a65a2e733140d0f2bb1edcbbd

C:\Windows\SysWOW64\Mgaokl32.exe

MD5 a6433998383d08ec53b8bcab962e2eed
SHA1 f181ae1680c022235b3ee79493c1df4a0e63d656
SHA256 e0a07a97fe01af92e588c58295b02b2986524b15fc5f52b6b4d788342e8dd2ac
SHA512 749469537004f14d1a89eb4122d3db2395ca21be211a69587adf5d21f57a01b7df56655c836be33fb870ba1bb9e538780394e397696909bc8ff0957a04364bb8

C:\Windows\SysWOW64\Malpia32.exe

MD5 f93e7afcd170a84d165802ba49e8175c
SHA1 809612316bfba43b065ad992966d2c3a1ea1c667
SHA256 b05fd4a799894bd22b4ed8ce636501b3f21380669a24803c030d4f0274579215
SHA512 51bf1b5b85401ef5f78577c7325cb01baab04b605925775acc4a9e105ab78fdf95855f1515c9acc632ed486efad4ce8f57eca573c4af2e1a98908e109831f735

C:\Windows\SysWOW64\Nabfjpak.exe

MD5 b57afaa94462b1c42f3a1c425eb521f4
SHA1 fd80b15343f963f412ee0571b010b1770bce3653
SHA256 cf3de9e3510549159a3478e159482911ef044461312d4f739bdee058a555dd52
SHA512 e7d05b414d41dfa4fd0440e38cb7a75aa6a1d4b565b0dd87407c1c400377a87c0ee50599593693f4bfbdcabb98f120de978a227323f765e03ade9afd3e338647

C:\Windows\SysWOW64\Oloahhki.exe

MD5 14242edd6521fce44637bcdd379e3f68
SHA1 05e6e44d1b1b1b45a3a70d74a30ef8336ce8636f
SHA256 89d8259a872a680720fdb2af92af18cfaa24b140d99403799da5b2e0b2396941
SHA512 289ad0ae902ebcf329d02d4f96e20fcceb7d5852142d510042fef9d23ae92681254a7800dba8d734fee5cf022b1a024894161bc7c6c1ebf890cfdc829d8727db

C:\Windows\SysWOW64\Pddhbipj.exe

MD5 a1fc0c638f0473de0413fff41b43ed54
SHA1 7847d1d76362d1db0fe949355e6d11898347c09b
SHA256 555d6946200426f3da7c53b6e0c9731aec23753958bb9668a412c968890a6478
SHA512 fb1efde5e863dfa5dac9ed60201227b9bd4c16edf503f6698a6ab87172b07322269f7d4044986ae01b2237aa5368f9a06b03097dae5a496c768467f0e861517a

C:\Windows\SysWOW64\Pahilmoc.exe

MD5 effb55c1fa9fa4cd6d54df85d756ec19
SHA1 8c32339279dde305e241f3d622de4138b63e29a1
SHA256 e4d0169f083ccc460c6d937e8c509f766a7f9328a59ec3fa5637c826ae3f3d86
SHA512 2751bced4659ece8db20bd5e9afa2a5f092b5ea7f7cdee4dce5fa3bbf6c208fda3e9f15c6ae5361030161db745262371ba342b3e724b4b413a87b9c5d2c11807

C:\Windows\SysWOW64\Palbgl32.exe

MD5 c241b21d7cba668872a3a12559443e57
SHA1 4d7ab332528ab6d8e24b7ac96a93235265f7b31e
SHA256 7112b99b7100a4cdb40b8cc87ee97b554c83eaa8a97bf3311a3536a4cf1dd5b2
SHA512 c0e16fba4df99c79dc47acdaebe31691e391bc3e650e37d4915dc7d6cbf80b3d19e0183b12241d6e546e9147d6679d7062db338799d7b27b808ff2d6eda90353

C:\Windows\SysWOW64\Qoelkp32.exe

MD5 93948f560659dde3e4d46dc36587ce5e
SHA1 5d3963aed3c5cd23a6cfbdedfac912b3e9762508
SHA256 43b5e06567e5a9ff7380bb3d416406fc01d8b91d185a9ff8d5c363c52d7b945d
SHA512 c389a7b7bc49904d659af9573379725581d8a8f93988c5dc667a950a654ff99787e43d60efae88ea77dd921b5f6d203a268201e012cdc8e7821bf210578ac0cf

C:\Windows\SysWOW64\Aafemk32.exe

MD5 9c70b7cee2a69cb153dd173c3756c212
SHA1 315880abc6861007e469545349c629a30a0932fc
SHA256 ef7f2addbac746173b5b3f4cbccdf5c5a7feebef7a16e9e4730b50e7c3ea35ba
SHA512 f1e63532fec8a07066181effc8233724f3252b26ac3863a71eca8b5aa48b921299ee642dece6139bee95bcc7e80d60cfb4be754b808876cee52f01ca467607ac

C:\Windows\SysWOW64\Adkgje32.exe

MD5 c565075e4103138b4443f9af6ae4f46a
SHA1 4c930c672b341ad12520a7bdced91a7f0508087c
SHA256 1297bd1d348aa2d31192ef77e55ffac3ad09fa8d0acfd241bb6b819ea61e4538
SHA512 3dc560af987b74fcf26c0bf61cb8b996b9ba280ddc45e13e9ceac6662e523208b56d4dcecfe59d75983ebc09bcf36b0a4c30a7b06b258f6d4b5485caba8432c2

C:\Windows\SysWOW64\Bebjdgmj.exe

MD5 f798a5af20e2a56d9a1ebe807b020fc6
SHA1 489bb1913e2d57048814d7b07056848c80143eb7
SHA256 5072a007c1b16f3bc183ed8e8bef01251ec1aa7a80b60df32d908ebd9a0e34af
SHA512 4f88004db2eba2f549797b4565781e1587694b8895bb51a4f9cf36ad673d1e25f3bfa8183f9091a8e1c1f214ddea84467587185867990eefe99bc5fcf3147a44

C:\Windows\SysWOW64\Bedgjgkg.exe

MD5 ec9023dd96f4a7ef6a7764cea93797a1
SHA1 37f3241b9569d5d55c7e6f962293c6e572086440
SHA256 3d9a8ce6465b7104f11334daca7fe112c6b58fdc22da8a54d399b7a23805fa43
SHA512 a81716b255edb0e1f64f38c571829ea40d44f8f7988576bab782fede198ff025b371bc2121644571b1b436c17004e9bd642e2a3f4c3921074551cbdbfa533150

C:\Windows\SysWOW64\Coadnlnb.exe

MD5 94871bfa20672c15ffce3e7358051361
SHA1 a29d40486dc5a2309012c76e933071030703bc09
SHA256 8303640d763d3f303e365429bdba413b01f777f5fefb084a48a34b9c21279b82
SHA512 0d353261e2846b45155d4ddde1f0a951cd008c6dbaa5054af62e16905748217d8c9db6294a9e410eb7a09e3060d973150c2b035eed6fb260bf0ee4380c636fb2

C:\Windows\SysWOW64\Dmlkhofd.exe

MD5 15095d112319b3b85c02ab7f2f9c2c77
SHA1 4c9a59a394d3c01499fcd9a176fc4ea5e263a8c9
SHA256 54fff97d31bb125b4db362e148afde96e24a3053a3788d37555f0b2fbbcafcc7
SHA512 b45f55387f4c77fa110aef857b5733e0f1c264b7c3a6b1d0ca637f4172a14249dc61a2e7c334ec2eea77c4e30aa0d11c5460138cb942b0ad861f562f94ddf1a6

C:\Windows\SysWOW64\Dmennnni.exe

MD5 d4839ff77d88993f6f440267c5ce7602
SHA1 2f464eb05afe86d5b188e81565c92938545b1e39
SHA256 354ca400d401417b4d8252aed773c70c8a9b1cf696b684f8fe9d6ea8664730b0
SHA512 cfd1ca097986b319f043295fb76dd112c70666b7050df9c05dae17dc23affbb8125fd632ebd9e005a4ecb6ab1408c15f2cea5f856ba6e2baf0247550e6efeaea

C:\Windows\SysWOW64\Eecphp32.exe

MD5 c06c790f47effe6b5533d6ce0ddf55b4
SHA1 c8a9edcd35f92ab176147bf69d396ab978353b66
SHA256 50e190fae7f286d4976b0791edef29a2097f2dddcd3ed4a155baf70e0a0dbe20
SHA512 8451ac625dbfa7d61a1cefed2fece28ffda65efd2f2278dc9adba13ecd86e6f21120b8aadfa6c2fd15d8de7dcf426f1f9efd17d0d25928a2f24fe283b06d74c1

C:\Windows\SysWOW64\Emoadlfo.exe

MD5 7c6c4828302f0dba81919f860b5e3a00
SHA1 bdd57ae6369773bdfc2e4a69e7797633e2db6ca4
SHA256 e34eca3c1e0b98c4e693fa00fe63a23a2de1437ca8065862315b5bc73e5ed3a4
SHA512 01a936486664361578822187d01fdd48ebb5bfbe3bb8e997e10feece4d8520e59a830588e350e9953d76fc92ef8eb6666a813442e7b78a5d6a404ee95ff4a999

C:\Windows\SysWOW64\Fmfgek32.exe

MD5 3de765c6e72a3a0042e34a044233030b
SHA1 9f9ef2bf9b28534026b2b033faa88d2831eda467
SHA256 29002db38a40d20c871073cc6f91f215a481a97a07eb0c30efd15a5a1bb364fe
SHA512 1751165ceb508770015cdce27ace4e6a416076feab7f7fb5742919f50340fa6b959715cfbd13ee86462e2a4fce4b35aea5abc2d68a876f70b02f67ebbb16b54a

C:\Windows\SysWOW64\Fmkqpkla.exe

MD5 3847e0c87ce8a0abc82064bd99664fc1
SHA1 cf2865ebcc22841f65fde86117d463e03573edd4
SHA256 7878c07494a79c4482178cb915eb473ed3e4590a013890d5085fc240438762c9
SHA512 e21fcaca89de252022910a88f731c867fdd1aadccd785fab387edd680b8eaa65fa670026a11f3064a1e9a2a8a416213fd11bea4cd04a6cd0622f13fcbd8fcc2b

C:\Windows\SysWOW64\Glkmmefl.exe

MD5 a8bf317ddc36cee04f470e70d2b100af
SHA1 97f9112bbb2c644e478e449157313ba72d348655
SHA256 6384d6418d5089f649f89780f85e9a1d1f316dbd245c1f8b16ad9ea025869775
SHA512 724ed16cd2acf76c69bf49bd72cbcb24eba475917f9a11fade0f8039b35491a6820f8759ecba414c8db0aefaedf025ca67b1e9c771f93af676bd7a0459a44a01

C:\Windows\SysWOW64\Hipmfjee.exe

MD5 bda60884ba132c671a0bf14286f345ce
SHA1 0f3cbfd7204a0bcd6d75e032b34058e22c7ef420
SHA256 6aead11d57bd695aa71b11a545073b63a9e4cdc4241b768029e414cf6d9d9e53
SHA512 e95e510f27c2bf7956f835a6f01cce77a7ef6be6026ab76806101dd354cbb39cbb6e7cb7bceccecac9268858aebc033bc9894a481241bdad8f65239fe3a278b5

C:\Windows\SysWOW64\Hibjli32.exe

MD5 d855aa15d5581745e78ff9a71915e2f9
SHA1 74b2eecde1e418c41fa6566607bb20d164517def
SHA256 57a65e8af2799a571803871500aa82e800fa932c79320fd52501c2c77e0cfc5e
SHA512 fb79067cfb8b138284758e731ee4dbf6c7069e95ee412bcc9bc0c12c7cd8e05236c7dc5c35f8de6d855817c41de8035c4bb53b28acaf2d55b0cb8dc11cb4c458

C:\Windows\SysWOW64\Hmpcbhji.exe

MD5 77f99dc5bcc3ee1cff0b39bdea0f2fb1
SHA1 4b30d0c53469ea462baddfc9a81d612de8feb542
SHA256 1d2a7797e1b06ba4519836eea34f348b93d1b0a57771bbddc54eb95e35534fca
SHA512 e6d544ec31db6dfba88ec35ea301ba5d0508460fdbd440252af5392bd32bd28493232eb48af6fca94a3ea5ce77c8e4ac8f78f71a398b3835e6647a97fdbb41cb

C:\Windows\SysWOW64\Hlepcdoa.exe

MD5 47e05528fcbadba48cd44322070a8f96
SHA1 7358c39aa45a62861c828fbdb8534f49029f572d
SHA256 0d68931f46eec839ebf6e2e3f49c2433341a5a0f7f85a28862b920410fff9083
SHA512 a4f4e15180d24c41bc50b191978a3429a11435d3bd87fe47ff3c53dc1a5b328681f87441f95f71d07ce0797b33f2ea4ebaecac0a257b3fef9b3612a77beef0c9

C:\Windows\SysWOW64\Ifomll32.exe

MD5 abc481c5e2f984be87cc29a81230a139
SHA1 eac8357ac434293c91beba7cc9ad4b4b6d9288c2
SHA256 6bee7a1273fbf3d998859b2d177bc1cbc417eb2e7795587e3fb131b20c0ff676
SHA512 1dde68ae92e111536a17a9ae6c6aa9e5a94ff578b955ff9babd52bd8d56af3f8dc8497cf98cc79cc0d1614d3daab511a496eecb7304d6eb91912b102f62adfda

C:\Windows\SysWOW64\Jekqmhia.exe

MD5 59d39fc4f38c06d67f3964fcb9b0ae7d
SHA1 9c34f4e9ee8c8ebea8f2a70dae2e5a700903793b
SHA256 fb502d8b9f270c009d296f96086bb4c4fc42869ab46fbf7bccdac23b72a422e5
SHA512 4b96500e2a14674896077baa68c9971e8bde62ed61b90730cd620b88ca34125553d649675c30f479cd19f36c3dda88565b0b661e8679778de3d6245573378249

C:\Windows\SysWOW64\Jiiicf32.exe

MD5 1cbbf431dfb418bc26d52a7b35a678eb
SHA1 24e860d74e8abac44bca8219b7714fd789f89818
SHA256 fea7369676670c96cca953913f6002d1560ede905984c2adb16a5e9a9f564cdd
SHA512 b59aa8012e1fed64fd4911d7a32fd6de322198af54881839cef28e2921090ed6cb3fba14200d67666054d8e6d7ab46c0bfbfdd8e438025c272514e9634cc7f5d

C:\Windows\SysWOW64\Jinboekc.exe

MD5 a37f17b997d23612a8c89637daf41ec6
SHA1 d3c621ae3dee813c1dd5b2d3dd22c09253a45ae0
SHA256 60a2616afce1029efba3b96b9d0dc65f46332d6ebf6296569dc11312918f8287
SHA512 35fb24c162f86dd09cb8c596ae6d446b503d7dfeb35cc46e255d78227d6d9daa3f42bc980a99ce9c7bd784ecde14b2e5bc4f9becaf5de6d4983a685b5c69e490

C:\Windows\SysWOW64\Keimof32.exe

MD5 f903ece3afbdd7a311785de4bef46586
SHA1 ba1db203190b8dc32bab0dd1da7e07ece08fa5be
SHA256 789740a84a512089ddfed0698a2caaa90b31c02bf7e297c16bc34f2fae3e7f6d
SHA512 a03955e1b30cd3d35bbc5933a68aefc41b9155e2b17046371cd07fa681b6a20cca9357c4892b63c41b9ae729522c78f84396db23b7883ec256a2236d27bcee68

C:\Windows\SysWOW64\Kgkfnh32.exe

MD5 eb25551d6bd8e23a77b6546cc6686d83
SHA1 4c40e8c3b5c5bb8270393d74d7defc9d65f6cebe
SHA256 1674c26fecc2bf9715eb2bb650b6ca677c863fa45d8728e5601f09d8af123f8a
SHA512 81b4d5707a505da910cb4c976ee68ed8c9eaa4d760223c5a264a442cc3170ffd4c9bf7342487a660211f13931b64554dbea60318594f1806c7320d20624f7b7a

C:\Windows\SysWOW64\Lnjgfb32.exe

MD5 fbcde7bce6ca0a30ca7e4df123440c01
SHA1 a32dafb1ca5d0711b2bc796b31ec549d76d40828
SHA256 c12536e57538f770bd7257b07ccba1987e6c18cc5b25ec9ae6da72ccb81fb3c7
SHA512 adde8f563398589c45dfb21a8b1b07d389b240120fed2ac0c71c4fc77d20488486e68ff71bfaedf7a67f52fb0d4116981858547be51abe3e1541445d8a7e2882

C:\Windows\SysWOW64\Modgdicm.exe

MD5 6533797f3841ec451597a46a1697155f
SHA1 eea888a1ac97244880aef078dfdb78c3768fdd15
SHA256 51104eaf9bd355d09d8b3d2815f3338f2286ee7d407268b6bfe2dbd155b9a4c7
SHA512 ddd9ae4621b3383299b6c1a79aea03de86bb3f0e323dcc4ad80e5f6fa2ed4475da765c8f0ec58bdd875b0fe6e2c5dfdacde33c9b626079c4ce1ad2fcacfc5906

C:\Windows\SysWOW64\Nnhmnn32.exe

MD5 43f5eaadd733515336b54bdf506de879
SHA1 2d819a89f5d3cce948d38c2e8089fdbfb92e4661
SHA256 0228812ae7fbe3e247dc8b109019c8a1eb630475304e9dbb95d22933d323e7aa
SHA512 6b87f57113052e894ae1b10d29c0bedd64dbff517f22e47348cca7d3ded4d464d5e70d825897d39a24c1a54a2dd2f75bddfb0892cfb57df9acf4a6e6ffd69634

C:\Windows\SysWOW64\Ojhpimhp.exe

MD5 bd22a4cc14d5ed11a232599808498b43
SHA1 1b8b945578251bf890ac2ea0a6332430c2f85a37
SHA256 a2163f9ccbe01540f4a2aa305b925781bb6df90bb0eeb0d5b18c20bf4c4233cb
SHA512 c569eafdc7d441277c4dba7257addb9aa30d51a565568c0c3b6c5e804860deaad569db5ee3e430e00617677805692e620e58b97a5acc02ca091bbdb909821f28

C:\Windows\SysWOW64\Paeelgnj.exe

MD5 c0e295724e54f56fa6f475c1558ddf94
SHA1 fb0211a3fab8cbca9a25456ddf42cba73998e9f4
SHA256 801e1b521d7373af0e904846aced1ea2973df7ebfb46a551afa5920a10484e34
SHA512 0623c3dba9bc9ece1c375e4f95d4c8c21d2596a33e982848eebaf350435b434917c3b2058f78684c1c3f78bfeb31aeced48ba04144c10ed4c4410f0d1d9193d8

C:\Windows\SysWOW64\Ppolhcnm.exe

MD5 0da233766bb43fa9dae3d6291c8827c0
SHA1 b89bd96ec2f75576ae68f3099dc87f97f328ff03
SHA256 880625b2cfad29320c21f62ae4d8915617cd58feb5ccda10030671ed1d543e72
SHA512 a192f80a45d3f0f41eedfd1133582f33ad75e42aa97018b180adf774431be1f89413b14219b4c0778741193d1d2f2cff671dafa5f2d3e6a818fef9373d187af3

C:\Windows\SysWOW64\Qobhkjdi.exe

MD5 41c9dbec5c318809e5744713da13cd50
SHA1 4ec0bda8a2d3d155c07e0e56ebccfe904f2be9d9
SHA256 affc0c143bee8ddd9e75a4622d18739e623047750dd588ae1e9468c101fea7c8
SHA512 0a359a532dea0e8b1fd3b88e628014bdd622fe33b84794f7deb35a1cc15d62b35d7636894845ac30783ecc49a39182ff0e90eeb80dc266a645601f3c147c7b24

C:\Windows\SysWOW64\Qodeajbg.exe

MD5 1dac32e6b3931761a57de8034a704ca1
SHA1 c2a1a39e42050d880ce5103604dd909e3cfa231f
SHA256 47f4955aad9cfc9968d6399cb1f647410bb30cee01e7e22b3202b83693f44fcd
SHA512 38bf9e7e0649fd8505603475654bd6ae9977a3ae61c0464ee5949603008b2f367598cde384c51291b46d61aa155514af82b00f808fbcc487479edb280c9512c4

C:\Windows\SysWOW64\Aogbfi32.exe

MD5 508fe9f8a65dbbcd9fa73050541f999d
SHA1 915a32f3d480a29057cd7780ead54becc24cce9a
SHA256 fde5623226730d55d94397e3860f63bfb029826378956feffc52514794ab90da
SHA512 06af5ea28447f94f7cdff5999e2bf47a891e1b9d73c16741ddafda60115d123bf04efc7cd6cac71e4952b48f259b10648a36348dd102796e92e28249a1ba06a2

C:\Windows\SysWOW64\Bhhiemoj.exe

MD5 1edb51cf0f623dc9b066754ffeed65ee
SHA1 ccf3aa4b5fbd4ea0b9fe9c5b32b0b690367bba58
SHA256 376d4256e286b6ea111ce2d015a057f052b2d6e33db60bbc7b839994f733a865
SHA512 ff890fcb6703829893e88e0fd46dd9684802f72fc5d67d3564d8f10a38d8944152236f320a1c6c7cd087fdf444d2e7ce2041192119c73b4698aa0c1628103301

C:\Windows\SysWOW64\Bgnffj32.exe

MD5 e972a1acb0cb3810965e9113b2d2ea7b
SHA1 4e52587e20413d08ab6ca344b72c93381f7d5712
SHA256 9bd87301e0331673051ea95c47640a3d7f0bc4a5a5259e5a82f4f4379b27c47e
SHA512 745844d61b121d2cc0ab7c0b866139107d47976b675627c3d1f2b1f6678b3d220a7cd38c3d1c174038a48d121ff3f8195a900b501af437463f362b867c38f076

C:\Windows\SysWOW64\Bmjkic32.exe

MD5 51ce921a78af89b91ff0938cd88441bc
SHA1 16c83ffc6cdf6bd186e20054b5f7abca00532f63
SHA256 137709d060fa09b65967583680e734ffec02d325f4c9986ab91eeb8a5124d852
SHA512 a26c3427c5ea6d6059a2ae2a208768222017d120aceac7eafdfdba57a89008b28524a54cf90091426824d3573927a40c5d4f1ccfca0e45f4e5813aa6e1c34e8e

C:\Windows\SysWOW64\Bnlhncgi.exe

MD5 f120fca620d4804c4f06289814d3f0e5
SHA1 31c530ac3d9295ea6d48580b9b6637cd8744487a
SHA256 712d465eaf464dc118d68b924d1c0f04926188d16f7f2b8f76bb810bb62b717d
SHA512 dbe0382e742e6a2ddc0e6bd62c153134c80b62807d08b626d5c5a6f4035d07248248591d262c5a6ccdda10fe6786ea4bc585ef056b206f16bbd8f7e1f33fbe7c

C:\Windows\SysWOW64\Caojpaij.exe

MD5 65c709563dc356f180ff6151cffbd4f6
SHA1 5e34b9f2d773a4edcd8dae8c73c57cb9cf414d46
SHA256 6bd567b37b7dbdb42b66c8b2b94a7b529ee48610ec6773f6948757257bbbe402
SHA512 0b247e429df7614b62f39e9743572b6379184d5eb9f6812fb681da39241aa53112470219a6f373995a281bd251ff05a3202e3f83da80f5b694b5a50c4802a089

C:\Windows\SysWOW64\Coegoe32.exe

MD5 6d4c6041b4e782d01f15c1b0920cec56
SHA1 98c07164d83ae3516ab289b12c85b25e460a3e00
SHA256 d695c7eff046ee026aa4dcaa6aed770397dd58f600e34814ecf39c4d68c5b8b7
SHA512 560ffd3af188552d87a0a173b9882c7fe5123eaf5c4cd507f672eeb75613d325f822951ceac257b0e883297d68db3522f05a88b8bdd4cf79c23d83027a4799f7