Analysis Overview
SHA256
56c94ba077d500b34815440ce21bb43cd22c32099d1bd95fd2ad5dbcb046d5a6
Threat Level: Known bad
The file a3f8bb01466184393106d692b3db7d15.exe was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:37
Reported
2024-01-07 19:40
Platform
win7-20231215-en
Max time kernel
7s
Max time network
131s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Lmmfnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbgpkpnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gfgegnbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gejebk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghkndf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gdboig32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdogedmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hhbdee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fodebh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfkpqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fpffje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gligjd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Delmmigh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gehhmkko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hicqmmfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nodgel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ghiaof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gbqbaofc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gligjd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ohendqhd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdanpb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fgkbeb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gnpmfqap.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cdanpb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bobhal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Glpdde32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjndlqal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fmjgcipg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nodgel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ookmfk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gcglec32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bhdgjb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhbdee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fbgpkpnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cphndc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cielhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ghacfmic.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cinfhigl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dodafoni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fqajihle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gaafhloq.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\Fekagf32.dll | C:\Windows\SysWOW64\Icifjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbappj32.dll | C:\Windows\SysWOW64\Gjdldd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oklghebe.dll | C:\Windows\SysWOW64\Hjndlqal.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnflbh32.dll | C:\Windows\SysWOW64\Hhbdee32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpmhpbkc.exe | C:\Windows\SysWOW64\Cicpch32.exe | N/A |
| File created | C:\Windows\SysWOW64\Geqakadc.dll | C:\Windows\SysWOW64\Fnqqgm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Giahhj32.exe | C:\Windows\SysWOW64\Fbgpkpnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Gehhmkko.exe | C:\Windows\SysWOW64\Gcglec32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhfcpb32.exe | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnnffg32.dll | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfpfldpo.dll | C:\Windows\SysWOW64\Cicpch32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kblbkm32.dll | C:\Windows\SysWOW64\Fgiepced.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmjgcipg.exe | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nodgel32.exe | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmpgcm32.dll | C:\Windows\SysWOW64\Oagmmgdm.exe | N/A |
| File created | C:\Windows\SysWOW64\Bejdiffp.exe | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dglbkjbg.dll | C:\Windows\SysWOW64\Fncmmmma.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Giahhj32.exe | C:\Windows\SysWOW64\Fbgpkpnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Hicqmmfc.exe | C:\Windows\SysWOW64\Hfedqagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apoooa32.exe | C:\Windows\SysWOW64\Ghacfmic.exe | N/A |
| File created | C:\Windows\SysWOW64\Conkepdq.exe | C:\Windows\SysWOW64\Cgbfamff.exe | N/A |
| File created | C:\Windows\SysWOW64\Fgiepced.exe | C:\Windows\SysWOW64\Fdjidgfa.exe | N/A |
| File created | C:\Windows\SysWOW64\Fncmmmma.exe | C:\Windows\SysWOW64\Fgiepced.exe | N/A |
| File created | C:\Windows\SysWOW64\Binlfn32.dll | C:\Windows\SysWOW64\Gejebk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohendqhd.exe | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgpeal32.exe | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qhiphb32.dll | C:\Windows\SysWOW64\Qijdocfj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjdplm32.exe | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| File created | C:\Windows\SysWOW64\Maanfn32.dll | C:\Windows\SysWOW64\Hafock32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hfedqagp.exe | C:\Windows\SysWOW64\Hhbdee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fgnokb32.exe | C:\Windows\SysWOW64\Fpffje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbqbaofc.exe | C:\Windows\SysWOW64\Gjijqa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ookmfk32.exe | C:\Windows\SysWOW64\Oagmmgdm.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qqeicede.exe | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bphbeplm.exe | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fdjidgfa.exe | C:\Windows\SysWOW64\Fnqqgm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qlgihhjl.dll | C:\Windows\SysWOW64\Gligjd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nodgel32.exe | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| File created | C:\Windows\SysWOW64\Hqlhpf32.dll | C:\Windows\SysWOW64\Bhdgjb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lopdpdmj.dll | C:\Windows\SysWOW64\Cinfhigl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgbfamff.exe | C:\Windows\SysWOW64\Cphndc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fnqqgm32.exe | C:\Windows\SysWOW64\Mdogedmh.exe | N/A |
| File created | C:\Windows\SysWOW64\Idlgcclp.dll | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mlcpdacl.dll | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| File created | C:\Windows\SysWOW64\Eoigpa32.exe | C:\Windows\SysWOW64\Dodafoni.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gnpmfqap.exe | C:\Windows\SysWOW64\Glbqje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbchfi32.dll | C:\Windows\SysWOW64\Glbqje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Apalea32.exe | C:\Windows\SysWOW64\Gjdldd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Apdhjq32.exe | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| File created | C:\Windows\SysWOW64\Fgkbeb32.exe | C:\Windows\SysWOW64\Fqajihle.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaoaahnn.dll | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlpdbghp.dll | C:\Windows\SysWOW64\Pqhijbog.exe | N/A |
| File created | C:\Windows\SysWOW64\Achojp32.exe | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gfgegnbb.exe | C:\Windows\SysWOW64\Gnpmfqap.exe | N/A |
| File created | C:\Windows\SysWOW64\Gejebk32.exe | C:\Windows\SysWOW64\Gfgegnbb.exe | N/A |
| File created | C:\Windows\SysWOW64\Onoflapg.dll | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fohodj32.dll | C:\Windows\SysWOW64\Gfgegnbb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gngcgp32.exe | C:\Windows\SysWOW64\Gligjd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njelgo32.dll | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmdgdp32.dll | C:\Windows\SysWOW64\Bbdallnd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cphndc32.exe | C:\Windows\SysWOW64\Cinfhigl.exe | N/A |
| File created | C:\Windows\SysWOW64\Oqjbqh32.dll | C:\Windows\SysWOW64\Cgbfamff.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblbkm32.dll" | C:\Windows\SysWOW64\Fgiepced.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fncmmmma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmiiak32.dll" | C:\Windows\SysWOW64\Gdboig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll" | C:\Windows\SysWOW64\Ohendqhd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" | C:\Windows\SysWOW64\Pqhijbog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanfn32.dll" | C:\Windows\SysWOW64\Hafock32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hahlhkhi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhbdee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oagmmgdm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cielhh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ghkndf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gjijqa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll" | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fqajihle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ghiaof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" | C:\Windows\SysWOW64\Nodgel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Icifjk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfkfemo.dll" | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fmjgcipg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfn32.dll" | C:\Windows\SysWOW64\Gejebk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hfedqagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll" | C:\Windows\SysWOW64\Achojp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fqajihle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" | C:\Windows\SysWOW64\Bbdallnd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gaafhloq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohodj32.dll" | C:\Windows\SysWOW64\Gfgegnbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gbqbaofc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdanpb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cphndc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fgiepced.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gligjd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hfedqagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pqhijbog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pdlkiepd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjfjb32.dll" | C:\Windows\SysWOW64\Ookmfk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll" | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfhkk32.dll" | C:\Windows\SysWOW64\Gaafhloq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ohendqhd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dhkiid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbhagfe.dll" | C:\Windows\SysWOW64\Hfedqagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fgkbeb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gfgegnbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneedo32.dll" | C:\Windows\SysWOW64\Hddlof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nodgel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Oagmmgdm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe
"C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe"
C:\Windows\SysWOW64\Onbgmg32.exe
C:\Windows\system32\Onbgmg32.exe
C:\Windows\SysWOW64\Pbkbgjcc.exe
C:\Windows\system32\Pbkbgjcc.exe
C:\Windows\SysWOW64\Apdhjq32.exe
C:\Windows\system32\Apdhjq32.exe
C:\Windows\SysWOW64\Afnagk32.exe
C:\Windows\system32\Afnagk32.exe
C:\Windows\SysWOW64\Bpfeppop.exe
C:\Windows\system32\Bpfeppop.exe
C:\Windows\SysWOW64\Bbdallnd.exe
C:\Windows\system32\Bbdallnd.exe
C:\Windows\SysWOW64\Biojif32.exe
C:\Windows\system32\Biojif32.exe
C:\Windows\SysWOW64\Bphbeplm.exe
C:\Windows\system32\Bphbeplm.exe
C:\Windows\SysWOW64\Beejng32.exe
C:\Windows\system32\Beejng32.exe
C:\Windows\SysWOW64\Bjbcfn32.exe
C:\Windows\system32\Bjbcfn32.exe
C:\Windows\SysWOW64\Cgbfamff.exe
C:\Windows\system32\Cgbfamff.exe
C:\Windows\SysWOW64\Conkepdq.exe
C:\Windows\system32\Conkepdq.exe
C:\Windows\SysWOW64\Cpmhpbkc.exe
C:\Windows\system32\Cpmhpbkc.exe
C:\Windows\SysWOW64\Dhkiid32.exe
C:\Windows\system32\Dhkiid32.exe
C:\Windows\SysWOW64\Delmmigh.exe
C:\Windows\system32\Delmmigh.exe
C:\Windows\SysWOW64\Dobdqo32.exe
C:\Windows\system32\Dobdqo32.exe
C:\Windows\SysWOW64\Cielhh32.exe
C:\Windows\system32\Cielhh32.exe
C:\Windows\SysWOW64\Cicpch32.exe
C:\Windows\system32\Cicpch32.exe
C:\Windows\SysWOW64\Cgdcgm32.exe
C:\Windows\system32\Cgdcgm32.exe
C:\Windows\SysWOW64\Cphndc32.exe
C:\Windows\system32\Cphndc32.exe
C:\Windows\SysWOW64\Cinfhigl.exe
C:\Windows\system32\Cinfhigl.exe
C:\Windows\SysWOW64\Cdanpb32.exe
C:\Windows\system32\Cdanpb32.exe
C:\Windows\SysWOW64\Cmgechbh.exe
C:\Windows\system32\Cmgechbh.exe
C:\Windows\SysWOW64\Chkmkacq.exe
C:\Windows\system32\Chkmkacq.exe
C:\Windows\SysWOW64\Bobhal32.exe
C:\Windows\system32\Bobhal32.exe
C:\Windows\SysWOW64\Bfkpqn32.exe
C:\Windows\system32\Bfkpqn32.exe
C:\Windows\SysWOW64\Bejdiffp.exe
C:\Windows\system32\Bejdiffp.exe
C:\Windows\SysWOW64\Bjdplm32.exe
C:\Windows\system32\Bjdplm32.exe
C:\Windows\SysWOW64\Bhfcpb32.exe
C:\Windows\system32\Bhfcpb32.exe
C:\Windows\SysWOW64\Balkchpi.exe
C:\Windows\system32\Balkchpi.exe
C:\Windows\SysWOW64\Dodafoni.exe
C:\Windows\system32\Dodafoni.exe
C:\Windows\SysWOW64\Bhdgjb32.exe
C:\Windows\system32\Bhdgjb32.exe
C:\Windows\SysWOW64\Eoigpa32.exe
C:\Windows\system32\Eoigpa32.exe
C:\Windows\SysWOW64\Fncmmmma.exe
C:\Windows\system32\Fncmmmma.exe
C:\Windows\SysWOW64\Fgkbeb32.exe
C:\Windows\system32\Fgkbeb32.exe
C:\Windows\SysWOW64\Fjlkgn32.exe
C:\Windows\system32\Fjlkgn32.exe
C:\Windows\SysWOW64\Glpdde32.exe
C:\Windows\system32\Glpdde32.exe
C:\Windows\SysWOW64\Glbqje32.exe
C:\Windows\system32\Glbqje32.exe
C:\Windows\SysWOW64\Gligjd32.exe
C:\Windows\system32\Gligjd32.exe
C:\Windows\SysWOW64\Hjndlqal.exe
C:\Windows\system32\Hjndlqal.exe
C:\Windows\SysWOW64\Hahlhkhi.exe
C:\Windows\system32\Hahlhkhi.exe
C:\Windows\SysWOW64\Hhbdee32.exe
C:\Windows\system32\Hhbdee32.exe
C:\Windows\SysWOW64\Hajinjff.exe
C:\Windows\system32\Hajinjff.exe
C:\Windows\SysWOW64\Hpbbdfik.exe
C:\Windows\system32\Hpbbdfik.exe
C:\Windows\SysWOW64\Hbqoqbho.exe
C:\Windows\system32\Hbqoqbho.exe
C:\Windows\SysWOW64\Ipdojfgh.exe
C:\Windows\system32\Ipdojfgh.exe
C:\Windows\SysWOW64\Ioilkblq.exe
C:\Windows\system32\Ioilkblq.exe
C:\Windows\SysWOW64\Ikpmpc32.exe
C:\Windows\system32\Ikpmpc32.exe
C:\Windows\SysWOW64\Ihdmihpn.exe
C:\Windows\system32\Ihdmihpn.exe
C:\Windows\SysWOW64\Iggned32.exe
C:\Windows\system32\Iggned32.exe
C:\Windows\SysWOW64\Idknoi32.exe
C:\Windows\system32\Idknoi32.exe
C:\Windows\SysWOW64\Jpdkii32.exe
C:\Windows\system32\Jpdkii32.exe
C:\Windows\SysWOW64\Jgncfcaa.exe
C:\Windows\system32\Jgncfcaa.exe
C:\Windows\SysWOW64\Jgqpkc32.exe
C:\Windows\system32\Jgqpkc32.exe
C:\Windows\SysWOW64\Jpfhoi32.exe
C:\Windows\system32\Jpfhoi32.exe
C:\Windows\SysWOW64\Jlmicj32.exe
C:\Windows\system32\Jlmicj32.exe
C:\Windows\SysWOW64\Jfemlpdf.exe
C:\Windows\system32\Jfemlpdf.exe
C:\Windows\SysWOW64\Kbokgpgg.exe
C:\Windows\system32\Kbokgpgg.exe
C:\Windows\SysWOW64\Kopokehd.exe
C:\Windows\system32\Kopokehd.exe
C:\Windows\SysWOW64\Kobkpdfa.exe
C:\Windows\system32\Kobkpdfa.exe
C:\Windows\SysWOW64\Kkileele.exe
C:\Windows\system32\Kkileele.exe
C:\Windows\SysWOW64\Kbcdbp32.exe
C:\Windows\system32\Kbcdbp32.exe
C:\Windows\SysWOW64\Kgpmjf32.exe
C:\Windows\system32\Kgpmjf32.exe
C:\Windows\SysWOW64\Kddmdk32.exe
C:\Windows\system32\Kddmdk32.exe
C:\Windows\SysWOW64\Konndhmb.exe
C:\Windows\system32\Konndhmb.exe
C:\Windows\SysWOW64\Lfjcfb32.exe
C:\Windows\system32\Lfjcfb32.exe
C:\Windows\SysWOW64\Lbackc32.exe
C:\Windows\system32\Lbackc32.exe
C:\Windows\SysWOW64\Liklhmom.exe
C:\Windows\system32\Liklhmom.exe
C:\Windows\SysWOW64\Lfolaang.exe
C:\Windows\system32\Lfolaang.exe
C:\Windows\SysWOW64\Leammn32.exe
C:\Windows\system32\Leammn32.exe
C:\Windows\SysWOW64\Makjho32.exe
C:\Windows\system32\Makjho32.exe
C:\Windows\SysWOW64\Mmakmp32.exe
C:\Windows\system32\Mmakmp32.exe
C:\Windows\SysWOW64\Mclcijfd.exe
C:\Windows\system32\Mclcijfd.exe
C:\Windows\SysWOW64\Mhilph32.exe
C:\Windows\system32\Mhilph32.exe
C:\Windows\SysWOW64\Mbcmpfhi.exe
C:\Windows\system32\Mbcmpfhi.exe
C:\Windows\SysWOW64\Mpgmijgc.exe
C:\Windows\system32\Mpgmijgc.exe
C:\Windows\SysWOW64\Mioabp32.exe
C:\Windows\system32\Mioabp32.exe
C:\Windows\SysWOW64\Nefbga32.exe
C:\Windows\system32\Nefbga32.exe
C:\Windows\SysWOW64\Npijoj32.exe
C:\Windows\system32\Npijoj32.exe
C:\Windows\SysWOW64\Mfaefd32.exe
C:\Windows\system32\Mfaefd32.exe
C:\Windows\SysWOW64\Mlkail32.exe
C:\Windows\system32\Mlkail32.exe
C:\Windows\SysWOW64\Mjjdacik.exe
C:\Windows\system32\Mjjdacik.exe
C:\Windows\SysWOW64\Mabphn32.exe
C:\Windows\system32\Mabphn32.exe
C:\Windows\SysWOW64\Mjhhld32.exe
C:\Windows\system32\Mjhhld32.exe
C:\Windows\SysWOW64\Mapccndn.exe
C:\Windows\system32\Mapccndn.exe
C:\Windows\SysWOW64\Mjekfd32.exe
C:\Windows\system32\Mjekfd32.exe
C:\Windows\SysWOW64\Mamgmofp.exe
C:\Windows\system32\Mamgmofp.exe
C:\Windows\SysWOW64\Mlpneh32.exe
C:\Windows\system32\Mlpneh32.exe
C:\Windows\SysWOW64\Mbhjlbbh.exe
C:\Windows\system32\Mbhjlbbh.exe
C:\Windows\SysWOW64\Llnaoh32.exe
C:\Windows\system32\Llnaoh32.exe
C:\Windows\SysWOW64\Lipecm32.exe
C:\Windows\system32\Lipecm32.exe
C:\Windows\SysWOW64\Ledibnco.exe
C:\Windows\system32\Ledibnco.exe
C:\Windows\SysWOW64\Lbemfbdk.exe
C:\Windows\system32\Lbemfbdk.exe
C:\Windows\SysWOW64\Lklejh32.exe
C:\Windows\system32\Lklejh32.exe
C:\Windows\SysWOW64\Lnhdqdnd.exe
C:\Windows\system32\Lnhdqdnd.exe
C:\Windows\SysWOW64\Lkgkoiqc.exe
C:\Windows\system32\Lkgkoiqc.exe
C:\Windows\SysWOW64\Ljfogake.exe
C:\Windows\system32\Ljfogake.exe
C:\Windows\SysWOW64\Lopkjhko.exe
C:\Windows\system32\Lopkjhko.exe
C:\Windows\SysWOW64\Lmbonmll.exe
C:\Windows\system32\Lmbonmll.exe
C:\Windows\SysWOW64\Knmamp32.exe
C:\Windows\system32\Knmamp32.exe
C:\Windows\SysWOW64\Kfeikcfa.exe
C:\Windows\system32\Kfeikcfa.exe
C:\Windows\SysWOW64\Kmmebm32.exe
C:\Windows\system32\Kmmebm32.exe
C:\Windows\SysWOW64\Knjegqif.exe
C:\Windows\system32\Knjegqif.exe
C:\Windows\SysWOW64\Kdbpnk32.exe
C:\Windows\system32\Kdbpnk32.exe
C:\Windows\SysWOW64\Knhhaaki.exe
C:\Windows\system32\Knhhaaki.exe
C:\Windows\SysWOW64\Khkpijma.exe
C:\Windows\system32\Khkpijma.exe
C:\Windows\SysWOW64\Kqdhhm32.exe
C:\Windows\system32\Kqdhhm32.exe
C:\Windows\SysWOW64\Kglcogeo.exe
C:\Windows\system32\Kglcogeo.exe
C:\Windows\SysWOW64\Kdmgclfk.exe
C:\Windows\system32\Kdmgclfk.exe
C:\Windows\SysWOW64\Jlbboiip.exe
C:\Windows\system32\Jlbboiip.exe
C:\Windows\SysWOW64\Jfhjbobc.exe
C:\Windows\system32\Jfhjbobc.exe
C:\Windows\SysWOW64\Jonbee32.exe
C:\Windows\system32\Jonbee32.exe
C:\Windows\SysWOW64\Jhdihkcj.exe
C:\Windows\system32\Jhdihkcj.exe
C:\Windows\SysWOW64\Jcgapdeb.exe
C:\Windows\system32\Jcgapdeb.exe
C:\Windows\SysWOW64\Jjmpbopd.exe
C:\Windows\system32\Jjmpbopd.exe
C:\Windows\SysWOW64\Jglgpdcc.exe
C:\Windows\system32\Jglgpdcc.exe
C:\Windows\SysWOW64\Jcpkpe32.exe
C:\Windows\system32\Jcpkpe32.exe
C:\Windows\SysWOW64\Ipbocjlg.exe
C:\Windows\system32\Ipbocjlg.exe
C:\Windows\SysWOW64\Incbgnmc.exe
C:\Windows\system32\Incbgnmc.exe
C:\Windows\SysWOW64\Ikefkcmo.exe
C:\Windows\system32\Ikefkcmo.exe
C:\Windows\SysWOW64\Iamabm32.exe
C:\Windows\system32\Iamabm32.exe
C:\Windows\SysWOW64\Imoilo32.exe
C:\Windows\system32\Imoilo32.exe
C:\Windows\SysWOW64\Ihbqdh32.exe
C:\Windows\system32\Ihbqdh32.exe
C:\Windows\SysWOW64\Ihpdoh32.exe
C:\Windows\system32\Ihpdoh32.exe
C:\Windows\SysWOW64\Iaelanmg.exe
C:\Windows\system32\Iaelanmg.exe
C:\Windows\SysWOW64\Ihmgiiff.exe
C:\Windows\system32\Ihmgiiff.exe
C:\Windows\SysWOW64\Heokmmgb.exe
C:\Windows\system32\Heokmmgb.exe
C:\Windows\SysWOW64\Hmcfhkjg.exe
C:\Windows\system32\Hmcfhkjg.exe
C:\Windows\SysWOW64\Helngnie.exe
C:\Windows\system32\Helngnie.exe
C:\Windows\SysWOW64\Hbnbkbja.exe
C:\Windows\system32\Hbnbkbja.exe
C:\Windows\SysWOW64\Hldjnhce.exe
C:\Windows\system32\Hldjnhce.exe
C:\Windows\SysWOW64\Hifmbmda.exe
C:\Windows\system32\Hifmbmda.exe
C:\Windows\SysWOW64\Hfgafadm.exe
C:\Windows\system32\Hfgafadm.exe
C:\Windows\SysWOW64\Hbleeb32.exe
C:\Windows\system32\Hbleeb32.exe
C:\Windows\SysWOW64\Hicqmmfc.exe
C:\Windows\system32\Hicqmmfc.exe
C:\Windows\SysWOW64\Hfedqagp.exe
C:\Windows\system32\Hfedqagp.exe
C:\Windows\SysWOW64\Hddlof32.exe
C:\Windows\system32\Hddlof32.exe
C:\Windows\SysWOW64\Hafock32.exe
C:\Windows\system32\Hafock32.exe
C:\Windows\SysWOW64\Gngcgp32.exe
C:\Windows\system32\Gngcgp32.exe
C:\Windows\SysWOW64\Gdboig32.exe
C:\Windows\system32\Gdboig32.exe
C:\Windows\SysWOW64\Gbqbaofc.exe
C:\Windows\system32\Gbqbaofc.exe
C:\Windows\SysWOW64\Gjijqa32.exe
C:\Windows\system32\Gjijqa32.exe
C:\Windows\SysWOW64\Ghkndf32.exe
C:\Windows\system32\Ghkndf32.exe
C:\Windows\SysWOW64\Gaafhloq.exe
C:\Windows\system32\Gaafhloq.exe
C:\Windows\SysWOW64\Gppipc32.exe
C:\Windows\system32\Gppipc32.exe
C:\Windows\SysWOW64\Ghiaof32.exe
C:\Windows\system32\Ghiaof32.exe
C:\Windows\SysWOW64\Gejebk32.exe
C:\Windows\system32\Gejebk32.exe
C:\Windows\SysWOW64\Gfgegnbb.exe
C:\Windows\system32\Gfgegnbb.exe
C:\Windows\SysWOW64\Gnpmfqap.exe
C:\Windows\system32\Gnpmfqap.exe
C:\Windows\SysWOW64\Gehhmkko.exe
C:\Windows\system32\Gehhmkko.exe
C:\Windows\SysWOW64\Gcglec32.exe
C:\Windows\system32\Gcglec32.exe
C:\Windows\SysWOW64\Giahhj32.exe
C:\Windows\system32\Giahhj32.exe
C:\Windows\SysWOW64\Fbgpkpnn.exe
C:\Windows\system32\Fbgpkpnn.exe
C:\Windows\SysWOW64\Fmjgcipg.exe
C:\Windows\system32\Fmjgcipg.exe
C:\Windows\SysWOW64\Fgnokb32.exe
C:\Windows\system32\Fgnokb32.exe
C:\Windows\SysWOW64\Fpffje32.exe
C:\Windows\system32\Fpffje32.exe
C:\Windows\SysWOW64\Fqajihle.exe
C:\Windows\system32\Fqajihle.exe
C:\Windows\SysWOW64\Fgiepced.exe
C:\Windows\system32\Fgiepced.exe
C:\Windows\SysWOW64\Fdjidgfa.exe
C:\Windows\system32\Fdjidgfa.exe
C:\Windows\SysWOW64\Fnqqgm32.exe
C:\Windows\system32\Fnqqgm32.exe
C:\Windows\SysWOW64\Aijpnfif.exe
C:\Windows\system32\Aijpnfif.exe
C:\Windows\SysWOW64\Afkdakjb.exe
C:\Windows\system32\Afkdakjb.exe
C:\Windows\SysWOW64\Apalea32.exe
C:\Windows\system32\Apalea32.exe
C:\Windows\SysWOW64\Ajecmj32.exe
C:\Windows\system32\Ajecmj32.exe
C:\Windows\SysWOW64\Agfgqo32.exe
C:\Windows\system32\Agfgqo32.exe
C:\Windows\SysWOW64\Apoooa32.exe
C:\Windows\system32\Apoooa32.exe
C:\Windows\SysWOW64\Ajbggjfq.exe
C:\Windows\system32\Ajbggjfq.exe
C:\Windows\SysWOW64\Achojp32.exe
C:\Windows\system32\Achojp32.exe
C:\Windows\SysWOW64\Anlfbi32.exe
C:\Windows\system32\Anlfbi32.exe
C:\Windows\SysWOW64\Acfaeq32.exe
C:\Windows\system32\Acfaeq32.exe
C:\Windows\SysWOW64\Aaheie32.exe
C:\Windows\system32\Aaheie32.exe
C:\Windows\SysWOW64\Qjnmlk32.exe
C:\Windows\system32\Qjnmlk32.exe
C:\Windows\SysWOW64\Qqeicede.exe
C:\Windows\system32\Qqeicede.exe
C:\Windows\SysWOW64\Qkhpkoen.exe
C:\Windows\system32\Qkhpkoen.exe
C:\Windows\SysWOW64\Qijdocfj.exe
C:\Windows\system32\Qijdocfj.exe
C:\Windows\SysWOW64\Poapfn32.exe
C:\Windows\system32\Poapfn32.exe
C:\Windows\SysWOW64\Pdlkiepd.exe
C:\Windows\system32\Pdlkiepd.exe
C:\Windows\SysWOW64\Pkdgpo32.exe
C:\Windows\system32\Pkdgpo32.exe
C:\Windows\SysWOW64\Pgbafl32.exe
C:\Windows\system32\Pgbafl32.exe
C:\Windows\SysWOW64\Pqhijbog.exe
C:\Windows\system32\Pqhijbog.exe
C:\Windows\SysWOW64\Pgpeal32.exe
C:\Windows\system32\Pgpeal32.exe
C:\Windows\SysWOW64\Pkidlk32.exe
C:\Windows\system32\Pkidlk32.exe
C:\Windows\SysWOW64\Oappcfmb.exe
C:\Windows\system32\Oappcfmb.exe
C:\Windows\SysWOW64\Ohendqhd.exe
C:\Windows\system32\Ohendqhd.exe
C:\Windows\SysWOW64\Oalfhf32.exe
C:\Windows\system32\Oalfhf32.exe
C:\Windows\SysWOW64\Ookmfk32.exe
C:\Windows\system32\Ookmfk32.exe
C:\Windows\SysWOW64\Oagmmgdm.exe
C:\Windows\system32\Oagmmgdm.exe
C:\Windows\SysWOW64\Nkmdpm32.exe
C:\Windows\system32\Nkmdpm32.exe
C:\Windows\SysWOW64\Niikceid.exe
C:\Windows\system32\Niikceid.exe
C:\Windows\SysWOW64\Nodgel32.exe
C:\Windows\system32\Nodgel32.exe
C:\Windows\SysWOW64\Nhdocl32.exe
C:\Windows\system32\Nhdocl32.exe
C:\Windows\SysWOW64\Gceailog.exe
C:\Windows\system32\Gceailog.exe
C:\Windows\SysWOW64\Bgaebe32.exe
C:\Windows\system32\Bgaebe32.exe
C:\Windows\SysWOW64\Edaalk32.exe
C:\Windows\system32\Edaalk32.exe
C:\Windows\SysWOW64\Ekmfne32.exe
C:\Windows\system32\Ekmfne32.exe
C:\Windows\SysWOW64\Fgdgcfmb.exe
C:\Windows\system32\Fgdgcfmb.exe
C:\Windows\SysWOW64\Figmjq32.exe
C:\Windows\system32\Figmjq32.exe
C:\Windows\SysWOW64\Fodebh32.exe
C:\Windows\system32\Fodebh32.exe
C:\Windows\SysWOW64\Fdqnkoep.exe
C:\Windows\system32\Fdqnkoep.exe
C:\Windows\SysWOW64\Ghacfmic.exe
C:\Windows\system32\Ghacfmic.exe
C:\Windows\SysWOW64\Lgngbmjp.exe
C:\Windows\system32\Lgngbmjp.exe
C:\Windows\SysWOW64\Kpfplo32.exe
C:\Windows\system32\Kpfplo32.exe
C:\Windows\SysWOW64\Kalipcmb.exe
C:\Windows\system32\Kalipcmb.exe
C:\Windows\SysWOW64\Jlhkgm32.exe
C:\Windows\system32\Jlhkgm32.exe
C:\Windows\SysWOW64\Gconbj32.exe
C:\Windows\system32\Gconbj32.exe
C:\Windows\SysWOW64\Gdjqamme.exe
C:\Windows\system32\Gdjqamme.exe
C:\Windows\SysWOW64\Gjdldd32.exe
C:\Windows\system32\Gjdldd32.exe
C:\Windows\SysWOW64\Gpjkeoha.exe
C:\Windows\system32\Gpjkeoha.exe
C:\Windows\SysWOW64\Gdcjpncm.exe
C:\Windows\system32\Gdcjpncm.exe
C:\Windows\SysWOW64\Fepjea32.exe
C:\Windows\system32\Fepjea32.exe
C:\Windows\SysWOW64\Fleifl32.exe
C:\Windows\system32\Fleifl32.exe
C:\Windows\SysWOW64\Fapeic32.exe
C:\Windows\system32\Fapeic32.exe
C:\Windows\SysWOW64\Fpohakbp.exe
C:\Windows\system32\Fpohakbp.exe
C:\Windows\SysWOW64\Fiepea32.exe
C:\Windows\system32\Fiepea32.exe
C:\Windows\SysWOW64\Foolgh32.exe
C:\Windows\system32\Foolgh32.exe
C:\Windows\SysWOW64\Fibcoalf.exe
C:\Windows\system32\Fibcoalf.exe
C:\Windows\SysWOW64\Fchkbg32.exe
C:\Windows\system32\Fchkbg32.exe
C:\Windows\SysWOW64\Fpjofl32.exe
C:\Windows\system32\Fpjofl32.exe
C:\Windows\SysWOW64\Fmlbjq32.exe
C:\Windows\system32\Fmlbjq32.exe
C:\Windows\SysWOW64\Ecfnmh32.exe
C:\Windows\system32\Ecfnmh32.exe
C:\Windows\SysWOW64\Ephbal32.exe
C:\Windows\system32\Ephbal32.exe
C:\Windows\SysWOW64\Emifeqid.exe
C:\Windows\system32\Emifeqid.exe
C:\Windows\SysWOW64\Ekkjheja.exe
C:\Windows\system32\Ekkjheja.exe
C:\Windows\SysWOW64\Emgioakg.exe
C:\Windows\system32\Emgioakg.exe
C:\Windows\SysWOW64\Elcpbigl.exe
C:\Windows\system32\Elcpbigl.exe
C:\Windows\SysWOW64\Kpkpadnl.exe
C:\Windows\system32\Kpkpadnl.exe
C:\Windows\SysWOW64\Mdogedmh.exe
C:\Windows\system32\Mdogedmh.exe
C:\Windows\SysWOW64\Icifjk32.exe
C:\Windows\system32\Icifjk32.exe
C:\Windows\SysWOW64\Jpepkk32.exe
C:\Windows\system32\Jpepkk32.exe
C:\Windows\SysWOW64\Jllqplnp.exe
C:\Windows\system32\Jllqplnp.exe
C:\Windows\SysWOW64\Jcciqi32.exe
C:\Windows\system32\Jcciqi32.exe
C:\Windows\SysWOW64\Jipaip32.exe
C:\Windows\system32\Jipaip32.exe
C:\Windows\SysWOW64\Jefbnacn.exe
C:\Windows\system32\Jefbnacn.exe
C:\Windows\SysWOW64\Jlnmel32.exe
C:\Windows\system32\Jlnmel32.exe
C:\Windows\SysWOW64\Jfaeme32.exe
C:\Windows\system32\Jfaeme32.exe
C:\Windows\SysWOW64\Khnapkjg.exe
C:\Windows\system32\Khnapkjg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 140
C:\Windows\SysWOW64\Lbjofi32.exe
C:\Windows\system32\Lbjofi32.exe
C:\Windows\SysWOW64\Lmmfnb32.exe
C:\Windows\system32\Lmmfnb32.exe
C:\Windows\SysWOW64\Kbhbai32.exe
C:\Windows\system32\Kbhbai32.exe
C:\Windows\SysWOW64\Kageia32.exe
C:\Windows\system32\Kageia32.exe
C:\Windows\SysWOW64\Kipmhc32.exe
C:\Windows\system32\Kipmhc32.exe
C:\Windows\SysWOW64\Jlqjkk32.exe
C:\Windows\system32\Jlqjkk32.exe
C:\Windows\SysWOW64\Jjjdhc32.exe
C:\Windows\system32\Jjjdhc32.exe
C:\Windows\SysWOW64\Jjhgbd32.exe
C:\Windows\system32\Jjhgbd32.exe
Network
Files
memory/1296-280-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2112-279-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1296-274-0x0000000000220000-0x0000000000253000-memory.dmp
memory/1296-269-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1664-268-0x0000000000300000-0x0000000000333000-memory.dmp
memory/1664-260-0x0000000000300000-0x0000000000333000-memory.dmp
memory/108-258-0x0000000000220000-0x0000000000253000-memory.dmp
memory/1664-257-0x0000000000400000-0x0000000000433000-memory.dmp
memory/108-247-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Qkhpkoen.exe
| MD5 | c34decaab27e7113bdc60a92a30ab7d0 |
| SHA1 | 0dc2fe8f34d4700268629a8bb4b9c59858834a5e |
| SHA256 | 408919ed20fcc9b1a05955c1fb505311c3667130cc9aacff625d3dbfcd6b806a |
| SHA512 | c622cc051aaa80213f10bd3bf1cb8f681f957cab15012111acee855f879d4c5d3b4eb07080198d4f31d442225dcde1006298109016507e894b6108c5468ecc87 |
memory/2276-246-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2276-236-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2248-232-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2372-227-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2248-226-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pdlkiepd.exe
| MD5 | 5cfce880f9c0d8bf161f5244fa4989cb |
| SHA1 | ec6b2b182a20fc0d69255369100203ab2a63d976 |
| SHA256 | b030399b090ec367206e06d7f21ac014260e0f0d8bd7588705a4a0778cd22870 |
| SHA512 | cd9c504834bbfd92c36e25e1bd4d74241c2bdb525ff02a85bbf6f11623a034be041deac63a10d6ec47c2e590b18138696ab3ec6cc7235cd52d457f78a4dac23b |
memory/2372-219-0x0000000000220000-0x0000000000253000-memory.dmp
memory/1252-207-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Pkdgpo32.exe
| MD5 | 9d6dd6a65ddb9565fe97d5d7ad51d38a |
| SHA1 | 90eda647dbef561f135cbe493febe86f5a9ad6d8 |
| SHA256 | 3d01257eca8fddc5f04ea08247f26639e333dce9950033f107a0e511d1e22741 |
| SHA512 | ab61ddb98974122b74ec3263bd6e11dfd82c4f88d81f8e14f8f400405204378cf74a35e0e1d44ab07134b4380f2d2c382e9b9f70dca70f69bcdbdf838d19acb1 |
memory/1252-205-0x0000000000220000-0x0000000000253000-memory.dmp
memory/1252-198-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pbkbgjcc.exe
| MD5 | f39d54b6dfea37491105ec2ff4e56d14 |
| SHA1 | 11df023d341b0f4c9daa03e9d779b95dfce445c4 |
| SHA256 | a83ed54a0996c329f8d2f295f255604a1a1aeb01373d2e57c875cca31b904efc |
| SHA512 | 013bec72a03e6838691d0df2e0cf9ab77644301d56885bfff7ddee4e52e37e305a37dc043cc7e20d6002612e4527fa5c28be611cc68195f34391d64ebf2436a6 |
memory/2988-191-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Pgbafl32.exe
| MD5 | 3dfbcf9d1f7cae62643de9a504df34ce |
| SHA1 | 194f74177940d3af3c1f8e65d0727235afced32d |
| SHA256 | be633a2b9d6424dd6376ced30bfe4d8b3d8da5fec96acbad44d0d9dd98c782d7 |
| SHA512 | 07d1179b96f7d4513adde29d3b4e054a3c4676cfff817768723e09927d2a4ec43b40b94c9d9dcd8c836a57216ac59c28e712f01433541859e19382a8bbecf9b9 |
memory/2908-174-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Pqhijbog.exe
| MD5 | 6c1b6b5296d43b3515009f6ce833cd0f |
| SHA1 | aef82a7a4e0c1705891d22ff9a637eed40fe66a9 |
| SHA256 | 130baf1dcb6c4baf18e542d68855401c0fc841425f171a94ded7bcb9f057cfb1 |
| SHA512 | 908b3232c896c141f2c8e86048a2ad438ec21fd17b39e0f62426edb2c80dea55c38b178a95e436cdf41ea96fd0051678616218fe10ad13c0220441848e5e98de |
memory/768-153-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pgpeal32.exe
| MD5 | 52dc45866505e387fb78f55266134287 |
| SHA1 | f6572416d94446c3d59a2e9130c1cd48865abf63 |
| SHA256 | 8cbe426f5545d9d24b6ebad46cdb0053aa31f8e654c8ace295df66f6b10a38ec |
| SHA512 | 765a8b81e733bbc7b2781932ffd9d52486b23de53b43360baef1bc2501a99b786cce5430ab0a43eb687e66f7319be36c022795fc1113be952d5ce31fc4e1f1fe |
memory/1828-145-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pkidlk32.exe
| MD5 | 9b1129f2513c6fc5b5011aba8a6df496 |
| SHA1 | a6dddcaf4cf7f98cedb94f093ebbf5fe0bea302b |
| SHA256 | 9dc918708206d16ccdaab8496458041581f0d772a31ac53ce3ca358d492068f9 |
| SHA512 | c429b9ededf4d317ba1bf207c72452dfd27c0c31a349dc058e58fa2cb228c6b725001f58cdb26a890792617127dc8b3a9f1943297b2f562e613d7429dbd2cb79 |
memory/2556-134-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Oappcfmb.exe
| MD5 | f4860aa07ad978b15689fbf3e73c49ed |
| SHA1 | df790e4ad479f23874ed5bc24cfa03533df538c9 |
| SHA256 | 900b7b3942556e98fef82c2291aff2b865278846cdb4853139b4b188894be6dd |
| SHA512 | 974dc6e89acee2cdee8f5ccf7a2fe25a821dce09bcc21d9f82fd67dce46f3d9105e4aeb085e7f22a33f30c837cd0323c552484c9d5f7a4e7d25384819a17b744 |
memory/2952-125-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Onbgmg32.exe
| MD5 | 52acf27ada24f3249ab72c356128c36c |
| SHA1 | b08be611beb02ffc07474b58282aa6aa89556904 |
| SHA256 | 8898ce645b68d63d186819c27eec91dc0f6f0548196bc020ee1e3779a006da2c |
| SHA512 | dbcb5e6fa3b9558ab2f0e3428a1a53abc6edf5c768403e36e673dd33ff19f578793671cf669b42ffd6ca8cc5eb17300409ad756e31ff5b8d7ea5936273d100fa |
memory/2952-112-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2024-106-0x00000000002E0000-0x0000000000313000-memory.dmp
memory/2024-103-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ohendqhd.exe
| MD5 | b6065a3ee9d2542a4ba75e261e9d3089 |
| SHA1 | 5892fa8f8c4fcb6d16c6f415092c994c7ac0a0c5 |
| SHA256 | 848f6b4a261d850c828fd890459942ac94420ed5417ac7dad82e0488f404991b |
| SHA512 | b20ebbf78064a0d83cb651ee07c7fa0df02c37921746046cc9fd0d0e08d699c6869be007cfb5f829573bf5b6bad454badb83efad497e58fda80e6df6e271e19f |
memory/368-92-0x00000000004A0000-0x00000000004D3000-memory.dmp
memory/368-89-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Oalfhf32.exe
| MD5 | 8aa153cc9e5476ad575b18e9c440e1d5 |
| SHA1 | 379dfcb99b8dc8698edbef75ea4bf64199fd7a76 |
| SHA256 | 183114de12d872541ad9d69574dfe1566703749f9f258c326cb70fa255c0d050 |
| SHA512 | 6dbb8e0b11ac56e80ac78540a7522d1a82990c3fa5c3e2f1081363d34ed5941448b3f02b2ca07d349e640ece5b2157ad8fa100d3c35999af672e5c5b464f8b0d |
memory/2756-82-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Ookmfk32.exe
| MD5 | abce44bb1f2f9d60d7ceab5689b70716 |
| SHA1 | 83d5100a395a66db6ca5d7f5801820954bce7f3e |
| SHA256 | 362f51b7c2c57571e5003da843fc94f7b9c62a3732b7cf3305ba4fc647573641 |
| SHA512 | 00bd86e5b3e70c1aef9aaa67f564f2535227010914df7b170e0c7385e7a0d856e512866f751b3be74be3514dfcf10417b73eeef62c21c40ad53365e7c530e47f |
memory/2724-65-0x00000000001B0000-0x00000000001E3000-memory.dmp
memory/2724-62-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2852-61-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Oagmmgdm.exe
| MD5 | 5cc0b48515509a6e6c58303c854fef38 |
| SHA1 | 4f348fdcb3b61d83ae0ffac740b183f76d48aa52 |
| SHA256 | 5d4ded0186ae50aaf68849814ff07e9ee3bca704f72b5a87eed92a6d1ae40197 |
| SHA512 | cca537fb3dce07a1ab022abf87fc5a3d55860a898c6abf93dd1fbc25bdfd5ce3831d265422672f6f48392c35772e6cc93e3423f3df4bff827a78feffb1ceba95 |
memory/2852-55-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2936-41-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Nkmdpm32.exe
| MD5 | 6d7b373d77467c403745372b8284433b |
| SHA1 | d573cc7e57e2adaa72859ed5d3cfff7e8fbe4b1b |
| SHA256 | dcfc982da44451813a8a464bcbfe654cb2ca180fe2d3ee59de7e1b9d1a736078 |
| SHA512 | ef8d0fff5e9aa9ab3c46cd208e006d2e6f16273e203a917e886777c2e42adc1595b4d608a363cdc592b72aa03ca5307571ea1bd05c4ec7baa7e8c7512b4d6814 |
memory/2936-33-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Niikceid.exe
| MD5 | 52add455ee46b3e974cc8d5f4e59dcd2 |
| SHA1 | 85805450d38b90afbd4b394eebc130fd7bc36cc9 |
| SHA256 | 11709b0bc43c134663ed83d86fa2de938a358d3214cc7d63e09e82b721bda985 |
| SHA512 | 810f4572944e5f7993ec0da554252eb658fc7f43f6fd5936ebffd25a0ec3ae053e0e63b76728dd90b0035121d99f03dee144e177a4cff362793e8bc52b73f53f |
C:\Windows\SysWOW64\Nodgel32.exe
| MD5 | c71acfca15752bfd10a8f34bd72b999f |
| SHA1 | ed85aee3974790413965ccc85c66135e77969027 |
| SHA256 | 409ee2dc95dd258e0f78b7de4a95dfb0d6805aaaf92b89e8cb9064d4af4da48b |
| SHA512 | b477d17ff1b5526a604e8a191795177cfc2c329d4422409ba4af3381a00ac8aa990e646b156a8f7854de54be31ff7eef3491553c9db0e7da703eaadbda892ab2 |
C:\Windows\SysWOW64\Nhdocl32.exe
| MD5 | 26e8c21740d022c14057357fec71865b |
| SHA1 | ad9bc078bb630a688ca786795e90cc382c62bc73 |
| SHA256 | 3abe84081c430954f6888f4f684b7d96b6e484ac839d171b4d0e85621c18059a |
| SHA512 | 1658d4866d561e398d8ea1888728fb58303cfe070504aef48549cc93ad3518875a7d20ef68c481bafa7eaab12d16568e07002b3b881842a404c018d18e37b64f |
C:\Windows\SysWOW64\Gceailog.exe
| MD5 | 476645a116d36129f6a7df6524c60e41 |
| SHA1 | 7d7fa8331241e480fc2f40250f947837bb6e87a2 |
| SHA256 | ecdf4b4c7a7043a6a293492479b26f6ea48ca84672508784b742f9bc360be434 |
| SHA512 | ed0184e8919269f68eb7f4fcbf11a803c9360819972e9c369a27f2f6d19fb9b466754d3bf93782aca5437af6fe25152cf91c3b54bd76e44869da73777a5f6d17 |
memory/2276-1830-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2600-1848-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1480-1853-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2108-1854-0x0000000000400000-0x0000000000433000-memory.dmp
memory/672-1865-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1800-1866-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1648-1869-0x0000000000400000-0x0000000000433000-memory.dmp
memory/800-1870-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bgaebe32.exe
| MD5 | f635526f35df77a1dcee304fd796d687 |
| SHA1 | d8e684fa1dc5d0c2b90cdb0154622d71b02c353d |
| SHA256 | 6d4217b8d76b1a4d8fac9bc2db7d10d9a50e56815725b2c417d9355fbec3c02d |
| SHA512 | c34bdd20b4bb924013d3dcdaeef556b110a8a79d5f69f2ba4e86f234d91cf4dce3ffc2bd75d516adc2ca37d2ac360fd94b8550a7d369dee5b6a62cc43a33ee38 |
memory/2528-1874-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Elcpbigl.exe
| MD5 | a905e16dcadbe8e6a79ec1467b573ff9 |
| SHA1 | 18bd967700fbe013cb810e6abf034b038d29ca0b |
| SHA256 | 37fd93579a6a5a6c7c5e9f588fb4a465a28ee66e5a73958c31169d11d83ad536 |
| SHA512 | 1acd9e525e640c9d9e1ef3cd7f7611b4b86c792334417e428ba6b7e5278b32e30cb342605ccc8c6070a3e3ef12c1b63622bf58d0bc9bea8054f277706a63a496 |
C:\Windows\SysWOW64\Emgioakg.exe
| MD5 | d4f028564039ba2c2a415e901388b47f |
| SHA1 | a80d4af7179b011fa1f313f6b47d1a95e7fd5395 |
| SHA256 | ebd30b32d1e4eb2a5b94e80178822fe1f009c9c52b723f61f87c13dc6779aa26 |
| SHA512 | 56b39643887734ee14e27336202d9a14543bf231d1e1f2f833f21caadd8fbf6242e185a20eb3ba00972e9437b2149ca3202a18e500ac642de850d2e00f03cee5 |
C:\Windows\SysWOW64\Ekkjheja.exe
| MD5 | 3810ebd4ee24fa317a37e6ac51a02430 |
| SHA1 | c2386e241ff4ed619d5c588812036fd5ac7a6a99 |
| SHA256 | f807706de8172b982687948137bd22ce7c838ea0a24694e75795cf7d4e248e95 |
| SHA512 | 01b77a66443b6ffcb7cd3256ae6d00df45e8fa21cb18aa365d2acad77f057757426b2d2266c2052aa3b1d085ca261ddb6a2ea72d127be5d12c307c5818a020b8 |
C:\Windows\SysWOW64\Fmlbjq32.exe
| MD5 | cd8e31ec758d803744d2891bc50c2421 |
| SHA1 | 991b43361c4e35ce2d9b024d45f1c8a898daac3e |
| SHA256 | 113d7247c6506c2e458c4f08909be647b08695782290b931b415ce8c82671fb4 |
| SHA512 | e58fef822ab6415bc92472c2ae72fe2a38c380fdae897c4dfd1b79f566039e6e97679fbc8aab0da092e935eb6402a589e4aae13b5bd29cb3ac67603d43a619f6 |
C:\Windows\SysWOW64\Fgdgcfmb.exe
| MD5 | 1a96cfac97116222fa4044a64aef0b5c |
| SHA1 | 5605b21d1ce04e9d90ca244fe97f9b6ac0240b3f |
| SHA256 | ee06fb3bf738be2fa15eec3216186e54ec2663b0a473f291f39df53a27fdad22 |
| SHA512 | af4eb9a1b042dabeee611e6f907b72c697eb979ab1cc1599cd55200c2b002f9950c54a02d59a6fd57c74298604797b2438723470d359008bb5b4577cdc6c4495 |
memory/900-2056-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Kalipcmb.exe
| MD5 | fa6dffe485596280b8db54a157f910e5 |
| SHA1 | 42ce4f9c922a911545a0c3f210558a95cfc25a17 |
| SHA256 | f145906c25f24bf642bd85f3802cf5bd71471ef0b769e7040c0c6bcfd3e48f8c |
| SHA512 | 1effd554bd194c42244a759e722c1076f38754076de8ace6e4057facc18c225f27a1527b79f3763628da8bb2d1f41ee4a5d74640657324066fb925ca6823e11d |
C:\Windows\SysWOW64\Lgngbmjp.exe
| MD5 | 23494d25bdc2be365d7f0e1288d8be18 |
| SHA1 | eb21e23c0a4491c35b2614f3c99f26c459b36dd8 |
| SHA256 | 6dee176eae8b839997c928be63790bc51394318dbec7a3dc764ce55cc27c7548 |
| SHA512 | 751f965f1942f6cce951b906392f1c48000b4dc51477865a82d0a583563d7809187ef2c4997f4b38352de6b171299f2a59165ea94a32f528132dcdb0a8bf238c |
C:\Windows\SysWOW64\Kpfplo32.exe
| MD5 | 3efb660c24ff8af2d6db0709bc4f0763 |
| SHA1 | 2a927d983a9ee4f5684522dfa120a9a4760c1e39 |
| SHA256 | 59474f31bd79eb0aa2b1029d013ef3c87460906b8cbbbab07ad6310f98f4ddf2 |
| SHA512 | 5f19d3c5092b73a8922051ee39befbfe29e853a7c3a69569384bbec1b48fd3982f79c95ea5cd28dba419f16fa9049a63de815a07279c5cc2c4ce6bb965389daf |
C:\Windows\SysWOW64\Jlhkgm32.exe
| MD5 | 600da7b461272ca130a12f53807b9783 |
| SHA1 | 43308e1ae30dd386c56a1b5a270864ade22c739e |
| SHA256 | f561eaee991e34a333705bef4d329444750e3540acc4f1294cd371ead4052084 |
| SHA512 | 2065c9c5d2fa9a42b7bc3d76f9ecbe9e7da8772bdf9acd792e26cdaa31202267d8162e4e1ea7d10bbb4d17852edd4de3e4dd825399dec377fa9b053b4c2b2076 |
C:\Windows\SysWOW64\Gconbj32.exe
| MD5 | 81ded9f9886764f1a5596c1d6a31bd3e |
| SHA1 | 04275467b9f9748d3715b443410db7a42251295d |
| SHA256 | 70c922a2c6c4af9bfa7aecdff79d74c3979fe1a3e3f43324fabc0ac86e9ca0f8 |
| SHA512 | 9eabc5a55af5b3868d213db7bccc04190a4b74335385ad4bd8246e5f5d793ff941731bf658f215c779171ff7ae52de68d9ca99cbc947617a635079f85a65e627 |
C:\Windows\SysWOW64\Gdjqamme.exe
| MD5 | fe7e8a5e28f8ccb952bbfe1269c48cd6 |
| SHA1 | 127a17d04f7c0102edac82bc8bc2bf7c6ff5e24c |
| SHA256 | ed849423a62fe078e5b635f984191011127fdbed5f3357149a430597b26b12df |
| SHA512 | 212eed82940558c660e83053f6b203fed49616c03a6f55faa193dbde04e3138e497e117336e8cbc7865fadc3b3a08bc33f5b2f12b747c84e7a8caf3f0dcaabcf |
C:\Windows\SysWOW64\Gjdldd32.exe
| MD5 | 36d55ec0def062ff4353970e1ce89c92 |
| SHA1 | 362ccf408c9a7b610d01c5e279f5253cd207538f |
| SHA256 | 25b70a0f3bf9dac0df5c4fd048e7dc5219f0b38ba1cccc389e77232ee30a3aed |
| SHA512 | a23d7fed0489a5e29f0a7eaaa095934aed824f4cff025a63fff177be99e6e13ae9d0e348bf085c616c08d66e2957eb260cbb5afb9a947091e7e0f534a810eac4 |
C:\Windows\SysWOW64\Gpjkeoha.exe
| MD5 | 41a746834e2c70a9e328e36f93cb8bc6 |
| SHA1 | 6a928329490d2f0a1756b01ce8245834fd136293 |
| SHA256 | 88cc642b6412d5ac475dc5584619e4486d0fb9474b715402f46002eed35ee348 |
| SHA512 | f87807fd064b5d06dd8e4a921a51d2ba811ff859c27a6c9f88a3af9d446187bae653d1e7190743bab96992e82598749ee41fa5e337eef067e337bf063acb43ec |
C:\Windows\SysWOW64\Gdcjpncm.exe
| MD5 | add63d515a84f744fbd9064a540d0527 |
| SHA1 | 22294e0e9f44c97810b9447622f09ad5d1fde4f2 |
| SHA256 | 567383c7d57f0bf14790420eb0e98dbd5abedb7333da73e8c6b1b07b483007e5 |
| SHA512 | 4fefa93741ab989591da32186fcad5d9d821b6f3fc46fdda52c88103c778b841521e31fdec9473dfe1262a58ee7070f4ac66c9850bb91ce4312047a9f29ae5d5 |
C:\Windows\SysWOW64\Fepjea32.exe
| MD5 | 647a32a97432c625d37003d254c874a5 |
| SHA1 | 6f11f902974a0d5ae21b07037b07897d85bcf354 |
| SHA256 | afc7855be2377619264b098efbe92ae18ca31173f930ec4d582957d8931e16e8 |
| SHA512 | c580e76b875ecb043b4a8d4840ff8a348f270e37bbb16e1594a71a3bfae247a48b949c55b1a30ad9eaf9813b841eafbf55ef473414e62ebf29a25e1d16f79eae |
C:\Windows\SysWOW64\Fdqnkoep.exe
| MD5 | fb5c41ad2ceee34cf850238c2c875fa9 |
| SHA1 | 517829ea0961564bce6480dbce531f84025ac5b7 |
| SHA256 | 8a24b7a3c4ad1948e8771432e8f345384f1171e5953307a9edccb0488fac89a1 |
| SHA512 | 4b75980283da74bd6e116c941d632916c7420e3fddf8bfa0b3fa96d46d80461d829a29e0cf7d4f8b0cb3f9ab8b47552e9572cfecda645952fe45bcbd77dc259f |
C:\Windows\SysWOW64\Fodebh32.exe
| MD5 | c3e106a357772c7f1994d2d17c3eb871 |
| SHA1 | 49baf74795b18f79211ef20bb2dcc8c4d9dcbbb1 |
| SHA256 | 5cfe04ef8600d58ea7739b033120a82782743bc5ac4b2f82505d7df40a9bec07 |
| SHA512 | c9e7a3763098c19ab6c0ea42db145d149014a7c286d67ff3e466260b0933897d43bbfb4167b3fc7413f6c32ecef20274792363c0a7b0f485ca558240ed202d84 |
C:\Windows\SysWOW64\Fleifl32.exe
| MD5 | df7b91569d4605abbbc0effe0dbb0717 |
| SHA1 | 820b9af9ce7da8d8b8daf524f43f6e6dff8554ac |
| SHA256 | e2496f2033581bdd86ac9f60e0b9ca6be474af3f301e0b0c1ca9337158db73a0 |
| SHA512 | 1aab5e16e46c9bde8c54d6c0a88234026f585fde1e32732081a4b4bc35c822664c84643a72410a194e985c98707275bbaa257478adb23de2efb78fad0914b3e3 |
C:\Windows\SysWOW64\Fapeic32.exe
| MD5 | 1a252b3447f3bbb49fb89fd78aa7d877 |
| SHA1 | 57f93e4998926c5ebf33d1f9275f7014e4d50dcb |
| SHA256 | b00fe0310753c509ab082cc3e9cf2a7ec0d2958da21047a3576293fdf2a01e46 |
| SHA512 | ba4d5aa2480d033caa796ad2de8194caa720860d2edeb015dc939502080a7983ba23027f0d8047a01d8a2ba795b05b1f85ee1b8b9fd6ca8dff81c33b8d10f368 |
C:\Windows\SysWOW64\Figmjq32.exe
| MD5 | f25127ef5d2151c69a2349c66aa0df8b |
| SHA1 | c4cc37a9eb47cb7a02287019aeb25f3d91942a68 |
| SHA256 | 5ae218c5ece308d35f6152f3e67d48d207142cb5478d10ee832d95b5ebd593f0 |
| SHA512 | 12916624ffdaa9b7d1f2a559e6610d3fb372f1ae583730ef47bf3364bc4c8912ccbf66253c3a87c99bd4d7153df9b5f6cd4fd57f7a98c9bce5937675645867f9 |
C:\Windows\SysWOW64\Fpohakbp.exe
| MD5 | 19958c92923d591ece5f1bcb22079727 |
| SHA1 | e4e97005dd6738fc26cab2acf0931f045479b958 |
| SHA256 | dffde87df1f078e8e42b836f6bbc86bbe5524f375b72fca70d417cd2d16ad343 |
| SHA512 | 7aa8b92d93869c7b6ec04836d23d52e49730ed35e89352d0e06ddfc350bce76f42b23ae62a85fcf5bbc64aea73ef497cc14db482fda3dfd7068899db047debbf |
memory/636-2015-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fchkbg32.exe
| MD5 | f98f78db7374c89e85a6c5da2ba6ade4 |
| SHA1 | 419cbf9d404504e45fc81c4bcfbb5d71319d95e0 |
| SHA256 | ab65fcff98691ebca22dbb54e9da2c3a27e3dfd052e53fb8af4335cab5981df3 |
| SHA512 | 67351587ce67f8fa9392061e0eac276f9022555437734982fff9b1cc94c0ceaf5194058a72b0f0a284a895516a89067978ac4b9f7c4ca325d27a5809aaf2a31b |
C:\Windows\SysWOW64\Fpjofl32.exe
| MD5 | df2310ed4873dc584aa11e9de794a804 |
| SHA1 | bcf765ec8b1da045ba6b8377ea56b5caeb618670 |
| SHA256 | 9c4116248d927ba90c681a2ae64fab0f722d8bd910c24e10748f1c79a7f50730 |
| SHA512 | c36499cbb517f0eaa32b3139467b1640a0aabc4277c1498c021fdb2d7743941c4e57587245a84e8286d9d4f7b856ac8200c514a57a68fab3684fab4a023f586e |
C:\Windows\SysWOW64\Ekmfne32.exe
| MD5 | f2d45aed2bc376f0b8cfdfa837515681 |
| SHA1 | da2f03ece2a29bf6231c98d3bd19b2246d7c3b2e |
| SHA256 | 9c7be384fd003f7804b1c89a85b3b34ee326f7d9da3dcb3655ed6f2d5a2832d9 |
| SHA512 | 24f35aeefc9d1c4dc434d91ee0f86dc1a44b4ad273a2b341d7060933a8e9c30cfcae49d2e577b00bf40adbad35ab89c9e56421120feb78f6eb2f3c147b393644 |
C:\Windows\SysWOW64\Ecfnmh32.exe
| MD5 | ac84a13fa3eb2b83ab184681cfa2a934 |
| SHA1 | 8c2f1ed72018e9e94bb2cb7471954ee89f59f9b4 |
| SHA256 | 61ff7213062cded40eafaf892bf84b7bb668cda5829357d8bad050e470e58b83 |
| SHA512 | 01a3a14191c02e519644a3456f979d051d3fc64c4f0e8ab7d1dddee9178aef04fad40613df473dab36b9a55d4027a62afe8b2a2a0fd629918ba5e218c00a1b8e |
C:\Windows\SysWOW64\Ephbal32.exe
| MD5 | 526fcc9836a7fdc5ee1a533a78e7840c |
| SHA1 | 5375ebb8e55bae4fd82cbd1d4fb46c8c2abaa1c0 |
| SHA256 | 34356fd248b7cedcd6c39e374ddfe8c6c4a3961ff67ac2a08d93df423c6cc3d0 |
| SHA512 | d23478cf59b58770be5ec33a0c7f9c2b32f580b534e4e8df07f579b816518b348978e45d9328c1ce5f0349037bc8a2c8eaa4f74fb3c21d78944ef354b1966810 |
C:\Windows\SysWOW64\Emifeqid.exe
| MD5 | 22df984d4284d0c2bf52af9f5ed4aff8 |
| SHA1 | 2275d4b3396ce2c6e23c02d58c87c5ae7f911138 |
| SHA256 | 29b7e4e1448ddbe8e1781056af8f6ba2a1c9086b049e3a80acc1f1e119058d5c |
| SHA512 | aaefb1ef4bfdf165d07a882707fa9fe92bfaefb3daac3476333711f0cb624604c757730183287a63cf3d5d82c63effe6e249387a96f5064c02cc62356a93b052 |
C:\Windows\SysWOW64\Edaalk32.exe
| MD5 | 91343164fc1fc01f508fb9e43e06fd6f |
| SHA1 | ffffd469bc7a4d6455ea1cb468ecdc53be602d14 |
| SHA256 | 5ece978ae684e9800436bc19dcec816ee3216a4084cb4c1eeee1a578813b3bb2 |
| SHA512 | 4464a741809ddb52f487c3f3590f8292dd84b55c2442c2e2dc905c18b21d130e56018149af822a5c195601b3642bfb4a687cfa111628a05ad4313018b189b408 |
memory/2892-1851-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1740-1847-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Kpkpadnl.exe
| MD5 | f01f54a5a2254eeef5d1ed5832202d6a |
| SHA1 | 66b09c6cd0bde6d33a1a8e5b926e76cd7a078ac6 |
| SHA256 | 369302c577169696419b680d7b26373a63f79d44b115d9723ecc6bbcc0f5b8f5 |
| SHA512 | cacc9ba19129c1cea55d2d26134c8e2640108a27f9489e63bdcff5a9734b5fe07c7f8b30a5cd57ed68d3a452d87f16be1b423eb3cc30a64ab53d8776937881ff |
C:\Windows\SysWOW64\Mdogedmh.exe
| MD5 | 6ae2fb474ef2f61864c8aec8c580b70f |
| SHA1 | fce50b3badfd552d0e90473f241aedc98d86d85a |
| SHA256 | e891346fca8ec9733db9d4ff9b2ae1dff4abea9efb330eabdc1e5554faaa32c4 |
| SHA512 | e5024ddfb29ec184b7454a866dd3e96418e567c403d1ea43e726a5323fce1cfa3d8914f5cb1d2d1ffb8aa216df593f1b8f8c7cd0b14e4fc03088bd0e84b28879 |
C:\Windows\SysWOW64\Icifjk32.exe
| MD5 | 84962616ed8d4098daa9bc556917880a |
| SHA1 | 4c0b502205f9e05f7350735d3b20ca150c89329a |
| SHA256 | 977fa778ed6708cbbbb7d35f5570fbdfa858deb318a343c30b7dcf093726fb6d |
| SHA512 | 7e6a4b4d38cc434a2ed97ce19b13499de2b40c62271d15cfc42fc86ca7e83f5c2c4a92e585699800949cc0da49060ab5d381575fdd3a1083937f28c078137df2 |
C:\Windows\SysWOW64\Jpepkk32.exe
| MD5 | 2c211a10c6955ad5160096c08f2f2c03 |
| SHA1 | 0f3630e2cfbd72ff97873831fd1f2b5ae7cc9de4 |
| SHA256 | f8f281cbde3bbf17c0282e234115d1e52c56fadce4608c9afb8ffb54d38b74fc |
| SHA512 | 00773bd95957afee2542d16bd42080cf1698eabaabfcefebc82dc7eb74143e39d738213cf11ef243fa04ed05fc7ab290c624c8828e3dcca8a2fe95503adf8036 |
C:\Windows\SysWOW64\Jjhgbd32.exe
| MD5 | 5d809aed2048f76f7b0d6b903c478ce3 |
| SHA1 | 8f28f1ab59239a08f1b8bde75a74f08d4493a956 |
| SHA256 | 2c2a5462d0a88ebf95e660fd81de084ab4b9a1c7524399e15e8b595dcc85a416 |
| SHA512 | bc08a8e16077ad3db62c860d07828f052b6604c6dbba66ce58923a6eb715cc5bf4d49f4ec467de9307e5e1d7c73be48f8c35aa3b7abdde65fec9b8b0afe4d66e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:37
Reported
2024-01-07 19:40
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
118s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jmnaakne.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jmnaakne.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Jmnaakne.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jdmcidam.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Jaljgidl.exe | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdhine32.exe | C:\Windows\SysWOW64\Jmnaakne.exe | N/A |
| File created | C:\Windows\SysWOW64\Honcnp32.dll | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Jigollag.exe | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jangmibi.exe | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jdmcidam.exe | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| File created | C:\Windows\SysWOW64\Olmeac32.dll | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfhbppbc.exe | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jigollag.exe | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jangmibi.exe | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdmcidam.exe | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| File created | C:\Windows\SysWOW64\Qekdppan.dll | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ehifigof.dll | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| File created | C:\Windows\SysWOW64\Lppaheqp.dll | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| File created | C:\Windows\SysWOW64\Ecppdbpl.dll | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jdhine32.exe | C:\Windows\SysWOW64\Jmnaakne.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jidbflcj.exe | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfffjqdf.exe | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdjfcecp.exe | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmnaakne.exe | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jaljgidl.exe | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfffjqdf.exe | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jidbflcj.exe | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ggpfjejo.dll | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jmnaakne.exe | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| File created | C:\Windows\SysWOW64\Omfnojog.dll | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfhbppbc.exe | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| File created | C:\Windows\SysWOW64\Dbcjkf32.dll | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghmfdf32.dll | C:\Windows\SysWOW64\Jmnaakne.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jdjfcecp.exe | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll" | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll" | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll" | C:\Windows\SysWOW64\Jmnaakne.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jmnaakne.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll" | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll" | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll" | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll" | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll" | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll" | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jmnaakne.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll" | C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe | "C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe" |
| C:\Windows\SysWOW64\Jfhbppbc.exe | C:\Windows\system32\Jfhbppbc.exe |
| C:\Windows\SysWOW64\Kgmlkp32.exe | C:\Windows\system32\Kgmlkp32.exe |
| C:\Windows\SysWOW64\Kmnjhioc.exe | C:\Windows\system32\Kmnjhioc.exe |
| C:\Windows\SysWOW64\Lmqgnhmp.exe | C:\Windows\system32\Lmqgnhmp.exe |
| C:\Windows\SysWOW64\Liggbi32.exe | C:\Windows\system32\Liggbi32.exe |
| C:\Windows\SysWOW64\Laopdgcg.exe | C:\Windows\system32\Laopdgcg.exe |
| C:\Windows\SysWOW64\Lijdhiaa.exe | C:\Windows\system32\Lijdhiaa.exe |
| C:\Windows\SysWOW64\Lgneampk.exe | C:\Windows\system32\Lgneampk.exe |
| C:\Windows\SysWOW64\Lpfijcfl.exe | C:\Windows\system32\Lpfijcfl.exe |
| C:\Windows\SysWOW64\Lnjjdgee.exe | C:\Windows\system32\Lnjjdgee.exe |
| C:\Windows\SysWOW64\Lknjmkdo.exe | C:\Windows\system32\Lknjmkdo.exe |
| C:\Windows\SysWOW64\Mpkbebbf.exe | C:\Windows\system32\Mpkbebbf.exe |
| C:\Windows\SysWOW64\Mkpgck32.exe | C:\Windows\system32\Mkpgck32.exe |
| C:\Windows\SysWOW64\Mdiklqhm.exe | C:\Windows\system32\Mdiklqhm.exe |
| C:\Windows\SysWOW64\Mamleegg.exe | C:\Windows\system32\Mamleegg.exe |
| C:\Windows\SysWOW64\Mdmegp32.exe | C:\Windows\system32\Mdmegp32.exe |
| C:\Windows\SysWOW64\Mkgmcjld.exe | C:\Windows\system32\Mkgmcjld.exe |
| C:\Windows\SysWOW64\Mnfipekh.exe | C:\Windows\system32\Mnfipekh.exe |
| C:\Windows\SysWOW64\Mdpalp32.exe | C:\Windows\system32\Mdpalp32.exe |
| C:\Windows\SysWOW64\Nkjjij32.exe | C:\Windows\system32\Nkjjij32.exe |
| C:\Windows\SysWOW64\Nacbfdao.exe | C:\Windows\system32\Nacbfdao.exe |
| C:\Windows\SysWOW64\Nceonl32.exe | C:\Windows\system32\Nceonl32.exe |
| C:\Windows\SysWOW64\Njogjfoj.exe | C:\Windows\system32\Njogjfoj.exe |
| C:\Windows\SysWOW64\Nqiogp32.exe | C:\Windows\system32\Nqiogp32.exe |
| C:\Windows\SysWOW64\Ngcgcjnc.exe | C:\Windows\system32\Ngcgcjnc.exe |
| C:\Windows\SysWOW64\Njacpf32.exe | C:\Windows\system32\Njacpf32.exe |
| C:\Windows\SysWOW64\Ndghmo32.exe | C:\Windows\system32\Ndghmo32.exe |
| C:\Windows\SysWOW64\Ngedij32.exe | C:\Windows\system32\Ngedij32.exe |
| C:\Windows\SysWOW64\Nbkhfc32.exe | C:\Windows\system32\Nbkhfc32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5484 -ip 5484 |
| C:\Windows\SysWOW64\Nkcmohbg.exe | C:\Windows\system32\Nkcmohbg.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 424 |
| C:\Windows\SysWOW64\Ncldnkae.exe | C:\Windows\system32\Ncldnkae.exe |
| C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\system32\Ndidbn32.exe |
| C:\Windows\SysWOW64\Nqmhbpba.exe | C:\Windows\system32\Nqmhbpba.exe |
| C:\Windows\SysWOW64\Njcpee32.exe | C:\Windows\system32\Njcpee32.exe |
| C:\Windows\SysWOW64\Ncihikcg.exe | C:\Windows\system32\Ncihikcg.exe |
| C:\Windows\SysWOW64\Nqklmpdd.exe | C:\Windows\system32\Nqklmpdd.exe |
| C:\Windows\SysWOW64\Nbhkac32.exe | C:\Windows\system32\Nbhkac32.exe |
| C:\Windows\SysWOW64\Nkncdifl.exe | C:\Windows\system32\Nkncdifl.exe |
| C:\Windows\SysWOW64\Nddkgonp.exe | C:\Windows\system32\Nddkgonp.exe |
| C:\Windows\SysWOW64\Nafokcol.exe | C:\Windows\system32\Nafokcol.exe |
| C:\Windows\SysWOW64\Nklfoi32.exe | C:\Windows\system32\Nklfoi32.exe |
| C:\Windows\SysWOW64\Nqfbaq32.exe | C:\Windows\system32\Nqfbaq32.exe |
| C:\Windows\SysWOW64\Nnhfee32.exe | C:\Windows\system32\Nnhfee32.exe |
| C:\Windows\SysWOW64\Mgnnhk32.exe | C:\Windows\system32\Mgnnhk32.exe |
| C:\Windows\SysWOW64\Mcbahlip.exe | C:\Windows\system32\Mcbahlip.exe |
| C:\Windows\SysWOW64\Mpdelajl.exe | C:\Windows\system32\Mpdelajl.exe |
| C:\Windows\SysWOW64\Mjjmog32.exe | C:\Windows\system32\Mjjmog32.exe |
| C:\Windows\SysWOW64\Mglack32.exe | C:\Windows\system32\Mglack32.exe |
| C:\Windows\SysWOW64\Mcpebmkb.exe | C:\Windows\system32\Mcpebmkb.exe |
| C:\Windows\SysWOW64\Maohkd32.exe | C:\Windows\system32\Maohkd32.exe |
| C:\Windows\SysWOW64\Mncmjfmk.exe | C:\Windows\system32\Mncmjfmk.exe |
| C:\Windows\SysWOW64\Mgidml32.exe | C:\Windows\system32\Mgidml32.exe |
| C:\Windows\SysWOW64\Mdkhapfj.exe | C:\Windows\system32\Mdkhapfj.exe |
| C:\Windows\SysWOW64\Mjeddggd.exe | C:\Windows\system32\Mjeddggd.exe |
| C:\Windows\SysWOW64\Mkbchk32.exe | C:\Windows\system32\Mkbchk32.exe |
| C:\Windows\SysWOW64\Mcklgm32.exe | C:\Windows\system32\Mcklgm32.exe |
| C:\Windows\SysWOW64\Majopeii.exe | C:\Windows\system32\Majopeii.exe |
| C:\Windows\SysWOW64\Mnocof32.exe | C:\Windows\system32\Mnocof32.exe |
| C:\Windows\SysWOW64\Mciobn32.exe | C:\Windows\system32\Mciobn32.exe |
| C:\Windows\SysWOW64\Mnlfigcc.exe | C:\Windows\system32\Mnlfigcc.exe |
| C:\Windows\SysWOW64\Lgbnmm32.exe | C:\Windows\system32\Lgbnmm32.exe |
| C:\Windows\SysWOW64\Lddbqa32.exe | C:\Windows\system32\Lddbqa32.exe |
| C:\Windows\SysWOW64\Laefdf32.exe | C:\Windows\system32\Laefdf32.exe |
| C:\Windows\SysWOW64\Lklnhlfb.exe | C:\Windows\system32\Lklnhlfb.exe |
| C:\Windows\SysWOW64\Lcdegnep.exe | C:\Windows\system32\Lcdegnep.exe |
| C:\Windows\SysWOW64\Laciofpa.exe | C:\Windows\system32\Laciofpa.exe |
| C:\Windows\SysWOW64\Lilanioo.exe | C:\Windows\system32\Lilanioo.exe |
| C:\Windows\SysWOW64\Ldohebqh.exe | C:\Windows\system32\Ldohebqh.exe |
| C:\Windows\SysWOW64\Laalifad.exe | C:\Windows\system32\Laalifad.exe |
| C:\Windows\SysWOW64\Lcpllo32.exe | C:\Windows\system32\Lcpllo32.exe |
| C:\Windows\SysWOW64\Lpappc32.exe | C:\Windows\system32\Lpappc32.exe |
| C:\Windows\SysWOW64\Lcmofolg.exe | C:\Windows\system32\Lcmofolg.exe |
| C:\Windows\SysWOW64\Lpocjdld.exe | C:\Windows\system32\Lpocjdld.exe |
| C:\Windows\SysWOW64\Kkbkamnl.exe | C:\Windows\system32\Kkbkamnl.exe |
| C:\Windows\SysWOW64\Kckbqpnj.exe | C:\Windows\system32\Kckbqpnj.exe |
| C:\Windows\SysWOW64\Kajfig32.exe | C:\Windows\system32\Kajfig32.exe |
| C:\Windows\SysWOW64\Kgdbkohf.exe | C:\Windows\system32\Kgdbkohf.exe |
| C:\Windows\SysWOW64\Kcifkp32.exe | C:\Windows\system32\Kcifkp32.exe |
| C:\Windows\SysWOW64\Kpjjod32.exe | C:\Windows\system32\Kpjjod32.exe |
| C:\Windows\SysWOW64\Kipabjil.exe | C:\Windows\system32\Kipabjil.exe |
| C:\Windows\SysWOW64\Kgbefoji.exe | C:\Windows\system32\Kgbefoji.exe |
| C:\Windows\SysWOW64\Kbfiep32.exe | C:\Windows\system32\Kbfiep32.exe |
| C:\Windows\SysWOW64\Kphmie32.exe | C:\Windows\system32\Kphmie32.exe |
| C:\Windows\SysWOW64\Kgphpo32.exe | C:\Windows\system32\Kgphpo32.exe |
| C:\Windows\SysWOW64\Kdaldd32.exe | C:\Windows\system32\Kdaldd32.exe |
| C:\Windows\SysWOW64\Kacphh32.exe | C:\Windows\system32\Kacphh32.exe |
| C:\Windows\SysWOW64\Kilhgk32.exe | C:\Windows\system32\Kilhgk32.exe |
| C:\Windows\SysWOW64\Kpccnefa.exe | C:\Windows\system32\Kpccnefa.exe |
| C:\Windows\SysWOW64\Kmegbjgn.exe | C:\Windows\system32\Kmegbjgn.exe |
| C:\Windows\SysWOW64\Jkfkfohj.exe | C:\Windows\system32\Jkfkfohj.exe |
| C:\Windows\SysWOW64\Jdmcidam.exe | C:\Windows\system32\Jdmcidam.exe |
| C:\Windows\SysWOW64\Jangmibi.exe | C:\Windows\system32\Jangmibi.exe |
| C:\Windows\SysWOW64\Jigollag.exe | C:\Windows\system32\Jigollag.exe |
| C:\Windows\SysWOW64\Jdjfcecp.exe | C:\Windows\system32\Jdjfcecp.exe |
| C:\Windows\SysWOW64\Jaljgidl.exe | C:\Windows\system32\Jaljgidl.exe |
| C:\Windows\SysWOW64\Jidbflcj.exe | C:\Windows\system32\Jidbflcj.exe |
| C:\Windows\SysWOW64\Jfffjqdf.exe | C:\Windows\system32\Jfffjqdf.exe |
| C:\Windows\SysWOW64\Jdhine32.exe | C:\Windows\system32\Jdhine32.exe |
| C:\Windows\SysWOW64\Jmnaakne.exe | C:\Windows\system32\Jmnaakne.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| IE | 40.127.169.103:443 | | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\SysWOW64\Ngedij32.exe
| Hash | Value |
| MD5 | dcfefb26c87cc41ae92ceb25d682b920 |
| SHA1 | a9c802687fcf4190ee712c4434ab69c89a70db6c |
| SHA256 | 9a6e43739d85fdf2e4aba884c37cac7e644b85a71fb2afc7c04b5f7bb258c578 |
| SHA512 | e4ed08ee64a9eb05aa3ec1f6e1f6e8b1ba0dce170bcb1ddf491dc12af9243392e3dba6f3034188b73c433db023200387a11d1956b5d0b5e808a01c7b27060721 |
C:\Windows\SysWOW64\Njacpf32.exe
| Hash | Value |
| MD5 | 59e6755e0fa91ada084c27b8008ab9d1 |
| SHA1 | ef1168163e42d2578ea89632cc85e114bafe8805 |
| SHA256 | b891b821f3b33bcf164ecad0be96591eb4c129c33f60467a7e9b7948a6b26f72 |
| SHA512 | 9cda00e16be283f02161dd19e1d3ca1774bdcae26b3de8a2455a1002319c65d735e09689e1ea4129d797e04528bdec29a5efb20df675e780cf5f6a2a2411cad8 |
C:\Windows\SysWOW64\Njogjfoj.exe
| Hash | Value |
| MD5 | 5632f5059ad8318f306ba29c25735049 |
| SHA1 | 9295be0326604adf632f636d54f3e9a095300df2 |
| SHA256 | bb4d53efe3668234f92909db4d95187cb4e37712ee1621033bb71a7dec6c29fe |
| SHA512 | b36b6b05e0db9ccb79398c9f0e9e5f53e07d3336cac52f2472aae3ab8b028d8c8cf2f6daf8a931c9c99d739f763d1178f7bd965171b5767d772205efbea85d03 |
C:\Windows\SysWOW64\Nqfbaq32.exe
| Hash | Value |
| MD5 | b68a6af5a5a7db51a13b85f2153bce5a |
| SHA1 | 6b77e11069d9746b783e4919f94abdda4b36aa41 |
| SHA256 | 837923ba755381cda060bcdfe7cd3f8cc18fec64b99be1fdd4efb1600782c1c2 |
| SHA512 | bbcd25ce3c2656cf940db6031a52da963676bd9f230b28a2b24e990e04e541eca69e3c8e4c31cc43e6e22387f1b53869928098a39e30b7ad96f6686e66be5366 |