Malware Analysis Report

2025-01-22 18:58

Sample ID 240315-zb17tsag61
Target 6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c
SHA256 6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c
Tags
gozi banker isfb persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c

Threat Level: Known bad

The file 6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb persistence trojan

Gozi

Adds autorun key to be loaded by Explorer.exe on startup

Detects executables built or packed with MPress PE compressor

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 20:33

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 20:33

Reported

2024-03-15 20:36

Platform

win7-20240221-en

Max time kernel

143s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blaopqpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Okfgfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Blaopqpo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkdgpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qqeicede.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ackkppma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgpeal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfikmh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkfceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkfceo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okfgfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgpeal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaheie32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afkdakjb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdoajb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfikmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkdgpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ackkppma.exe N/A

Gozi

banker trojan gozi

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
17 matches (one per executable in the drop chain); no description, indicator, process or target recorded for any of them

UPX dump on OEP (original entry point)

Description Indicator Process Target
17 matches (one per executable in the drop chain); no description, indicator, process or target recorded for any of them

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
N/A N/A C:\Windows\SysWOW64\Okfgfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okfgfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgpeal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgpeal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnimnfpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnimnfpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqjfoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqjfoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkdgpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkdgpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfikmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfikmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkfceo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkfceo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqeicede.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqeicede.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaheie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaheie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajbggjfq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajbggjfq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ackkppma.exe N/A
N/A N/A C:\Windows\SysWOW64\Ackkppma.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkdakjb.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkdakjb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfpnmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfpnmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbcfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbcfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blaopqpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Blaopqpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdoajb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdoajb32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pgpeal32.exe N/A
File created C:\Windows\SysWOW64\Cdoajb32.exe C:\Windows\SysWOW64\Blaopqpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgpeal32.exe C:\Windows\SysWOW64\Okfgfl32.exe N/A
File created C:\Windows\SysWOW64\Dnabbkhk.dll C:\Windows\SysWOW64\Blaopqpo.exe N/A
File created C:\Windows\SysWOW64\Fdlpjk32.dll C:\Windows\SysWOW64\Cdoajb32.exe N/A
File created C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Pkfceo32.exe N/A
File created C:\Windows\SysWOW64\Ldeamlkj.dll C:\Windows\SysWOW64\Pqjfoa32.exe N/A
File created C:\Windows\SysWOW64\Ilfila32.dll C:\Windows\SysWOW64\Pkdgpo32.exe N/A
File created C:\Windows\SysWOW64\Imjcfnhk.dll C:\Windows\SysWOW64\Pkfceo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Qqeicede.exe N/A
File created C:\Windows\SysWOW64\Bfpnmj32.exe C:\Windows\SysWOW64\Afkdakjb.exe N/A
File created C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Bfpnmj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkdgpo32.exe C:\Windows\SysWOW64\Pqjfoa32.exe N/A
File created C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cdoajb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pnimnfpc.exe N/A
File opened for modification C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Pkfceo32.exe N/A
File created C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pgpeal32.exe N/A
File created C:\Windows\SysWOW64\Aipheffp.dll C:\Windows\SysWOW64\Pfikmh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cdoajb32.exe N/A
File created C:\Windows\SysWOW64\Ipgljgoi.dll C:\Windows\SysWOW64\Okfgfl32.exe N/A
File created C:\Windows\SysWOW64\Pmmani32.dll C:\Windows\SysWOW64\Ajbggjfq.exe N/A
File created C:\Windows\SysWOW64\Lmmlmd32.dll C:\Windows\SysWOW64\Ackkppma.exe N/A
File created C:\Windows\SysWOW64\Jhgkeald.dll C:\Windows\SysWOW64\Afkdakjb.exe N/A
File created C:\Windows\SysWOW64\Pfikmh32.exe C:\Windows\SysWOW64\Pkdgpo32.exe N/A
File created C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pnimnfpc.exe N/A
File opened for modification C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Ackkppma.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Bfpnmj32.exe N/A
File created C:\Windows\SysWOW64\Cfgheegc.dll C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File created C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File created C:\Windows\SysWOW64\Ackkppma.exe C:\Windows\SysWOW64\Ajbggjfq.exe N/A
File created C:\Windows\SysWOW64\Pgpeal32.exe C:\Windows\SysWOW64\Okfgfl32.exe N/A
File created C:\Windows\SysWOW64\Gneolbel.dll C:\Windows\SysWOW64\Pnimnfpc.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkfceo32.exe C:\Windows\SysWOW64\Pfikmh32.exe N/A
File created C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Qqeicede.exe N/A
File opened for modification C:\Windows\SysWOW64\Okfgfl32.exe C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfikmh32.exe C:\Windows\SysWOW64\Pkdgpo32.exe N/A
File created C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Ackkppma.exe N/A
File created C:\Windows\SysWOW64\Okfgfl32.exe C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
File created C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Aaheie32.exe N/A
File created C:\Windows\SysWOW64\Cenaioaq.dll C:\Windows\SysWOW64\Aaheie32.exe N/A
File created C:\Windows\SysWOW64\Idlgcclp.dll C:\Windows\SysWOW64\Qqeicede.exe N/A
File created C:\Windows\SysWOW64\Pkdgpo32.exe C:\Windows\SysWOW64\Pqjfoa32.exe N/A
File created C:\Windows\SysWOW64\Nmqalo32.dll C:\Windows\SysWOW64\Pgpeal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Aaheie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfpnmj32.exe C:\Windows\SysWOW64\Afkdakjb.exe N/A
File created C:\Windows\SysWOW64\Hqlhpf32.dll C:\Windows\SysWOW64\Bfpnmj32.exe N/A
File created C:\Windows\SysWOW64\Aohjlnjk.dll C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
File opened for modification C:\Windows\SysWOW64\Ackkppma.exe C:\Windows\SysWOW64\Ajbggjfq.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdoajb32.exe C:\Windows\SysWOW64\Blaopqpo.exe N/A
File created C:\Windows\SysWOW64\Pkfceo32.exe C:\Windows\SysWOW64\Pfikmh32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Cacacg32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll" C:\Windows\SysWOW64\Pkdgpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pfikmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll" C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Blaopqpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll" C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgljgoi.dll" C:\Windows\SysWOW64\Okfgfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pkfceo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll" C:\Windows\SysWOW64\Ackkppma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll" C:\Windows\SysWOW64\Pfikmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" C:\Windows\SysWOW64\Qqeicede.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ackkppma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll" C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfikmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkfceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ackkppma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" C:\Windows\SysWOW64\Blaopqpo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Okfgfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pgpeal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll" C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgpeal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkdgpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afkdakjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Okfgfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll" C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll" C:\Windows\SysWOW64\Pkfceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll" C:\Windows\SysWOW64\Aaheie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll" C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll" C:\Windows\SysWOW64\Pgpeal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pkdgpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaheie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Blaopqpo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdoajb32.exe N/A
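The two registry tables above (the ShellServiceObjectDelayLoad value under "Adds autorun key" and the CLSID/InProcServer32 keys under "Modifies registry class") together describe the persistence: a value named "Web Event Logger" in ShellServiceObjectDelayLoad points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, whose InProcServer32 is re-pointed by each stage of the drop chain at a freshly dropped DLL in SysWOW64, so Explorer.exe loads the DLL at every logon. Note that the sample is 32-bit: its command lines name C:\Windows\system32\, but WOW64 file-system and registry redirection put the files in SysWOW64 and the keys under Wow6432Node, which is why both views have to be checked. The following PowerShell host check is an added example written for this page, not output of the sandbox or code from the sample; it enumerates SSODL entries from both registry views, resolves each CLSID to its InProcServer32 DLL, and flags the known-bad CLSID from this report, unresolvable CLSIDs, missing DLLs and DLLs without a valid Authenticode signature. The function name Get-SsodlPersistence and the flag labels are this example's own choices.

```powershell
# Added example (not from the sandbox report): audit ShellServiceObjectDelayLoad (SSODL)
# persistence. Explorer.exe loads every CLSID listed here at logon; the report above shows
# the sample registering "Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738} and
# pointing that CLSID's InProcServer32 at dropped DLLs in C:\Windows\SysWow64\.
function Get-SsodlPersistence {
    # Both the native and the WOW64 (Wow6432Node) views must be checked: the 32-bit sample's
    # writes were redirected into the Wow6432Node keys.
    $ssodlKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    )
    $clsidRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    )
    # IOC taken from the report above.
    $knownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'

    # Resolve a CLSID to the DLL path in its InProcServer32 default value, trying both views.
    function Resolve-InProcServer([string]$Clsid) {
        foreach ($root in $clsidRoots) {
            $key = Join-Path $root "$Clsid\InProcServer32"
            if (Test-Path $key) {
                $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
                if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
            }
        }
        return $null
    }

    foreach ($key in $ssodlKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the provider adds to the object.
            if ($p.Name -like 'PS*') { continue }
            $clsid = [string]$p.Value
            $dll   = Resolve-InProcServer $clsid
            $flags = @()
            if ($clsid -ieq $knownBadClsid) { $flags += 'KNOWN-BAD-CLSID' }
            if (-not $dll) {
                $flags += 'CLSID-UNRESOLVED'
            } elseif (-not (Test-Path $dll)) {
                $flags += 'DLL-MISSING'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') { $flags += "SIGNATURE-$($sig.Status)" }
            }
            [pscustomobject]@{
                View  = if ($key -like '*Wow6432Node*') { 'WOW64' } else { 'Native' }
                Name  = $p.Name
                CLSID = $clsid
                DLL   = $dll
                Flags = ($flags -join ',')
            }
        }
    }
}

# Usage: run elevated so HKLM and the DLLs are readable, then review anything with Flags set.
Get-SsodlPersistence | Format-Table -AutoSize
```

Any entry flagged KNOWN-BAD-CLSID or SIGNATURE-NotSigned with a DLL under SysWOW64 that is not a Windows component warrants a full look at the host: on the sample's Windows 7 detonation the InProcServer32 path was rewritten by every one of the 17 dropped stages, so removing only the SSODL value leaves the CLSID key, the DLL it names and the chain of dropped executables in place. On older hosts, catalog-signed Windows DLLs can also report NotSigned from Get-AuthenticodeSignature, so treat the signature flag as a triage hint rather than a verdict.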

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1524 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe C:\Windows\SysWOW64\Okfgfl32.exe
PID 1524 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe C:\Windows\SysWOW64\Okfgfl32.exe
PID 1524 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe C:\Windows\SysWOW64\Okfgfl32.exe
PID 1524 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe C:\Windows\SysWOW64\Okfgfl32.exe
PID 2496 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Okfgfl32.exe C:\Windows\SysWOW64\Pgpeal32.exe
PID 2496 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Okfgfl32.exe C:\Windows\SysWOW64\Pgpeal32.exe
PID 2496 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Okfgfl32.exe C:\Windows\SysWOW64\Pgpeal32.exe
PID 2496 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Okfgfl32.exe C:\Windows\SysWOW64\Pgpeal32.exe
PID 2612 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Pgpeal32.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2612 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Pgpeal32.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2612 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Pgpeal32.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2612 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Pgpeal32.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2628 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 2628 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 2628 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 2628 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 2620 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pkdgpo32.exe
PID 2620 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pkdgpo32.exe
PID 2620 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pkdgpo32.exe
PID 2620 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pkdgpo32.exe
PID 2452 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Pkdgpo32.exe C:\Windows\SysWOW64\Pfikmh32.exe
PID 2452 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Pkdgpo32.exe C:\Windows\SysWOW64\Pfikmh32.exe
PID 2452 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Pkdgpo32.exe C:\Windows\SysWOW64\Pfikmh32.exe
PID 2452 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Pkdgpo32.exe C:\Windows\SysWOW64\Pfikmh32.exe
PID 2888 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Pfikmh32.exe C:\Windows\SysWOW64\Pkfceo32.exe
PID 2888 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Pfikmh32.exe C:\Windows\SysWOW64\Pkfceo32.exe
PID 2888 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Pfikmh32.exe C:\Windows\SysWOW64\Pkfceo32.exe
PID 2888 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Pfikmh32.exe C:\Windows\SysWOW64\Pkfceo32.exe
PID 1652 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Pkfceo32.exe C:\Windows\SysWOW64\Qqeicede.exe
PID 1652 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Pkfceo32.exe C:\Windows\SysWOW64\Qqeicede.exe
PID 1652 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Pkfceo32.exe C:\Windows\SysWOW64\Qqeicede.exe
PID 1652 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Pkfceo32.exe C:\Windows\SysWOW64\Qqeicede.exe
PID 1020 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Aaheie32.exe
PID 1020 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Aaheie32.exe
PID 1020 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Aaheie32.exe
PID 1020 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Aaheie32.exe
PID 2824 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Ajbggjfq.exe
PID 2824 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Ajbggjfq.exe
PID 2824 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Ajbggjfq.exe
PID 2824 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Ajbggjfq.exe
PID 2500 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Ackkppma.exe
PID 2500 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Ackkppma.exe
PID 2500 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Ackkppma.exe
PID 2500 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Ackkppma.exe
PID 1960 wrote to memory of 1120 N/A C:\Windows\SysWOW64\Ackkppma.exe C:\Windows\SysWOW64\Afkdakjb.exe
PID 1960 wrote to memory of 1120 N/A C:\Windows\SysWOW64\Ackkppma.exe C:\Windows\SysWOW64\Afkdakjb.exe
PID 1960 wrote to memory of 1120 N/A C:\Windows\SysWOW64\Ackkppma.exe C:\Windows\SysWOW64\Afkdakjb.exe
PID 1960 wrote to memory of 1120 N/A C:\Windows\SysWOW64\Ackkppma.exe C:\Windows\SysWOW64\Afkdakjb.exe
PID 1120 wrote to memory of 1380 N/A C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Bfpnmj32.exe
PID 1120 wrote to memory of 1380 N/A C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Bfpnmj32.exe
PID 1120 wrote to memory of 1380 N/A C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Bfpnmj32.exe
PID 1120 wrote to memory of 1380 N/A C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Bfpnmj32.exe
PID 1380 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Bfpnmj32.exe C:\Windows\SysWOW64\Bjbcfn32.exe
PID 1380 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Bfpnmj32.exe C:\Windows\SysWOW64\Bjbcfn32.exe
PID 1380 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Bfpnmj32.exe C:\Windows\SysWOW64\Bjbcfn32.exe
PID 1380 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Bfpnmj32.exe C:\Windows\SysWOW64\Bjbcfn32.exe
PID 1268 wrote to memory of 320 N/A C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Blaopqpo.exe
PID 1268 wrote to memory of 320 N/A C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Blaopqpo.exe
PID 1268 wrote to memory of 320 N/A C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Blaopqpo.exe
PID 1268 wrote to memory of 320 N/A C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Blaopqpo.exe
PID 320 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Cdoajb32.exe
PID 320 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Cdoajb32.exe
PID 320 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Cdoajb32.exe
PID 320 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\SysWOW64\Cdoajb32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe

"C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe"

C:\Windows\SysWOW64\Okfgfl32.exe

C:\Windows\system32\Okfgfl32.exe

C:\Windows\SysWOW64\Pgpeal32.exe

C:\Windows\system32\Pgpeal32.exe

C:\Windows\SysWOW64\Pnimnfpc.exe

C:\Windows\system32\Pnimnfpc.exe

C:\Windows\SysWOW64\Pqjfoa32.exe

C:\Windows\system32\Pqjfoa32.exe

C:\Windows\SysWOW64\Pkdgpo32.exe

C:\Windows\system32\Pkdgpo32.exe

C:\Windows\SysWOW64\Pfikmh32.exe

C:\Windows\system32\Pfikmh32.exe

C:\Windows\SysWOW64\Pkfceo32.exe

C:\Windows\system32\Pkfceo32.exe

C:\Windows\SysWOW64\Qqeicede.exe

C:\Windows\system32\Qqeicede.exe

C:\Windows\SysWOW64\Aaheie32.exe

C:\Windows\system32\Aaheie32.exe

C:\Windows\SysWOW64\Ajbggjfq.exe

C:\Windows\system32\Ajbggjfq.exe

C:\Windows\SysWOW64\Ackkppma.exe

C:\Windows\system32\Ackkppma.exe

C:\Windows\SysWOW64\Afkdakjb.exe

C:\Windows\system32\Afkdakjb.exe

C:\Windows\SysWOW64\Bfpnmj32.exe

C:\Windows\system32\Bfpnmj32.exe

C:\Windows\SysWOW64\Bjbcfn32.exe

C:\Windows\system32\Bjbcfn32.exe

C:\Windows\SysWOW64\Blaopqpo.exe

C:\Windows\system32\Blaopqpo.exe

C:\Windows\SysWOW64\Cdoajb32.exe

C:\Windows\system32\Cdoajb32.exe

C:\Windows\SysWOW64\Cacacg32.exe

C:\Windows\system32\Cacacg32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 140

Network

N/A

Files

memory/1524-0-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Okfgfl32.exe

MD5 076943d7feef0803dc2c7956c93e6df1
SHA1 d9c9780558fbe4ff2fc5cb25e286589f296f5fce
SHA256 cfe22fee8b86c49f43332268ef536e663879abdf9c8226b8e31f675a28a54c44
SHA512 482e23d6067092c0764924e815210b1368cec78ab879d3282b3423c7561da0ac1609bcb1d2e909827289b02adfa9d85bfde6c4b8dc9ca5756cca5a9361a6579d

memory/1524-6-0x00000000003A0000-0x00000000003F3000-memory.dmp

\Windows\SysWOW64\Pgpeal32.exe

MD5 1bd90164dcb0da56b68657f5f8f4906c
SHA1 989f24475fa7dc126cf483490d00c36c9241d2ae
SHA256 151d0ddfac0e874d11c46c6b0fb239c5e3dbd8bacefd9b545fe312a4896d29ed
SHA512 09cd9fc1ff30ea02d371e818401f5406d1f8e40062f415f6a793b1e48bd653d2c543129f34692b9084e8755bd39093fb2c8ae16f6922a75e8fb9b44ccde2650b

\Windows\SysWOW64\Pqjfoa32.exe

MD5 701dfb1d6ddaeff3d28388cb2616ee3d
SHA1 b725180a09798f2fdb85a3e6153ed4fb1a9257e2
SHA256 f3ebb227c99b926b53a7651978cd52362ed3dfed8ccdbf924b2ac859eda40f97
SHA512 77fd2d9e34485d63cdad2be939ee156385e9ae213ec5c6d49b2625a529b7bc101bc0b910b5b87a136e9d8511d1b4434666f3302079f77bef8015a64072d6b7c5

C:\Windows\SysWOW64\Pnimnfpc.exe

MD5 ba47c238c36c3f385d8b9598a1fc5ff5
SHA1 6396c9fc797d2d9e72570767c4717f6f00a46d75
SHA256 8417a6defbd1d43a33c690005c483befb5de0b7b3cd575c684101f18b03b8516
SHA512 081ed4ec57af699dba5c0a0d284f43d40faa9ba913d1a59b2827ad23ba9428a30ed7164b91838b15e58486571a1bf3da26da4262e054e8a796ef16fc3159568f

\Windows\SysWOW64\Pfikmh32.exe

MD5 ba633d794f78b73e1fdfeeb3e3957ab4
SHA1 758c3c8664c8f54101ccd99e2e7ef868295c4df3
SHA256 67f2dabe02ada3b8b520cf0cd3567163db7e4448b1ca70c6e41e0d3fe9e29be2
SHA512 35f4464d439d63e507214b0136f5cd9b98900aa42bbdb9418e8252eddb1e59894469da51f9631c6cf0a4f7e09f5a9435f35af1705e252a2fbce204d9f6079cb5

memory/2888-88-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Pkfceo32.exe

MD5 581b80ef8c0cd7b6ad13345b23eb5abb
SHA1 5215385e863c8b987c0fe436e93ad373c95615ef
SHA256 d4969e3dfee984161b8880038d02e81496fe1f798a9942b30606464124e778c2
SHA512 45391930c6c616d3fc11f1e9ced17f12d9b261497ece52270254471224133fb1d941417ed405e4896935512255212101c7dc81c5297ebb45739bd82dbc070f19

C:\Windows\SysWOW64\Qqeicede.exe

MD5 b42c2e8dcfd27cd2f02b69f043976635
SHA1 9c7908ca69d39fd19c1c99fb0518e8c4a7e26460
SHA256 1cb957cc6bdd9cfe5e4c1edfdd1ca5fd2c223940270e962994d28051cedd3adb
SHA512 6d323bf0526e81a29f9baf4f362249b2af2dbb304dd97f9b42962d743572de11002f9916b613de888b73ea6711859e5f7555fad0d04a56be1a9a18f9b4bd8c6e

memory/1020-110-0x00000000002C0000-0x0000000000313000-memory.dmp

\Windows\SysWOW64\Aaheie32.exe

MD5 b54f95ef4ccd2d71189110ad5fd9e915
SHA1 d218db32509023d41c871425f3e57308e06eb7fa
SHA256 60e00bc41d3f377f4f3a41c4b60dd31298f351e593fd8dca9b35bc267c4271f5
SHA512 6421fb89eb6325b7bff32a8d88b3db847f3735aec338759ff5e94ab208f99ea8e5d39d9cd6e62953618e1afdf0e2f9d6e2955aa9727a65c9a6e93fd79aa3e21f

C:\Windows\SysWOW64\Ajbggjfq.exe

MD5 42ecef8a8e6f6847e08d010ed27132a1
SHA1 d9b7294e1377250c8770ae164a22d9efce83f8cc
SHA256 01f89498ad4649e424519f05be685f84ebffe740c498ab30e7553a348b81d738
SHA512 4735ebf050886f06332a8bbc319180c8e48c4b7553c1e3af4d45bb3beb69aaf8d5f799a5a258201c09b97ad9490e5ea4ef7bc42daed79d63d18f6a9e7ec8428f

C:\Windows\SysWOW64\Ackkppma.exe

MD5 32cae2fa4ed23e54385789679d30d73b
SHA1 7b32e88c6b99c7f0fa5fd6f73d8e4b243792bbd8
SHA256 192690c6d2bd9ab254562fef2fc868b7ae101a48488bd570ff96e0112e3630a9
SHA512 d9bdbfb58aa8a28d85488cd698e8c292956c9af625e6ac9e8958e7e1a3eef19d401562050379d48f1e9ecaa61675d4cb02226380a9cd64ffa4ffbfc30ca423a5

memory/2500-130-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1960-142-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2824-116-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1020-102-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Pkdgpo32.exe

MD5 e1c0c3c1cfe0b1ef6d105c8de10fe0d4
SHA1 628cb1966e664260c75f87a1d7122ca79f4b7cab
SHA256 856259de8c05637b5f12c66a0c4c1c8db5852505a8d7e454216598f31be5366a
SHA512 ec27a6e35169428133a33e9ae63b2138f8b764c5e8820d825eb752f249766172708a4384f27387960fadf584a4a8a5585585f1d9ab4e3b24daeed6064179e0fc

memory/2452-77-0x0000000000220000-0x0000000000273000-memory.dmp

memory/2612-56-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2496-37-0x0000000000220000-0x0000000000273000-memory.dmp

memory/2496-13-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Afkdakjb.exe

MD5 5ee43189f7c352e157c6d3caefec150a
SHA1 f75d78363f43b78299d13775b81552ceb029c212
SHA256 42a10dc1314b1c559c5eeef9dded5a7bda2c2420ca77b1001c0c213af59a0419
SHA512 c93132a5b8f520ba8e798e4f3d7a2a8ca654766a023a7007fc9b7adbff6515d1ad9ef2c1e4a6fd595c6993e2fb672e0535b78d441a799aee2caa52690b8790a0

memory/1960-149-0x00000000002E0000-0x0000000000333000-memory.dmp

memory/1120-157-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Bfpnmj32.exe

MD5 6510979eb449e7a07bf6bdb39a5ac755
SHA1 f922ffcb5830a0c5984f7977bf1f73e1ad40ab82
SHA256 a83d8260157d6e5dd32eb5059b140cd4f3ba76017c11706f708ef1a3ec74781a
SHA512 bfa1d8ebfb62b72c10074283fa78e90a127b71ff037d83f8ef6234067952c9931cb55df4561add0d0d7f4de3509c4ea8e2e096584ff249883fba31c71e8e7682

memory/1120-167-0x0000000001BA0000-0x0000000001BF3000-memory.dmp

\Windows\SysWOW64\Bjbcfn32.exe

MD5 1f8322e9013a935b0052337bbdd2ea63
SHA1 350aedc81e249f616a83194b2c33521c0a1cadd1
SHA256 4a7a92a7de9e666114a0af7fb4f38b5d31ea8f6f453969c6cd4818ab6cfa6762
SHA512 f3f9bbef908c6ca009f85ff871ef4a4ae5c3fd8bff9921a09eb4caecf6e0d80e37f30d099aac2a6607aa24addf566a944f32263563f3c78f6ae8287b0675a072

memory/1380-177-0x0000000000220000-0x0000000000273000-memory.dmp

memory/1268-188-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Blaopqpo.exe

MD5 65c03bb25f247a3440d9938383357745
SHA1 86dbb4bb63c9fce9e58904b4923f8feccfee47fe
SHA256 637450a4ac06be74b562cf6bce3407bad6ea207894de3302089f7e4c1261673b
SHA512 a475c8458c2d108ca282bcd360a6593ea551c25852eb5cf72893e13fcff62b88908df329ccd050129d98b3b107a4779f3be176efe26442c8c155f8b375e5abd1

\Windows\SysWOW64\Cdoajb32.exe

MD5 14ca80a5c6d3a47e6a5cc7f75c8d8125
SHA1 e55af2d8b9c05e9c0fd9173b7c332af425bcd92a
SHA256 729b3d8332fd6422689ddcb2a492584db13cc0c77ff5f1104234ff1d02cd2067
SHA512 f3bdd2ac291f871be8a734f647e3bae5e6a6d09443fbf76decf33d1f074dde635c99356ee3a6243b3bb8490d2909058db3a22e1662b4240ec86e1a9753935304

memory/320-203-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1268-196-0x0000000000220000-0x0000000000273000-memory.dmp

memory/1268-191-0x0000000000220000-0x0000000000273000-memory.dmp

memory/320-212-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/320-214-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/2784-213-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2124-223-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cacacg32.exe

MD5 07f31bd55c92bc492747c27f8dffa108
SHA1 79eb651b73c608aa62453a97521e3d2d83ef43a9
SHA256 ada476bbbb0cab66a0912bca7967a414cb587d86e3c6b99e2cf77aa461dc84fe
SHA512 efec4df909f75dde50f58d17b6defc435e4bd2da59b1b90ed77a3cee1f04fc335da22f04742647f3cf2233daf46fbb1c1d2cfb04c51831fd0ca5592722c6cbc7

memory/1524-261-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2496-263-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2612-265-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2628-272-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2620-274-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2452-276-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2888-278-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1652-280-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1020-282-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2824-284-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2500-286-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1960-288-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1120-290-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1380-292-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1268-294-0x0000000000400000-0x0000000000453000-memory.dmp

memory/320-296-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2784-298-0x0000000000400000-0x0000000000453000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 20:33

Reported

2024-03-15 20:36

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odedipge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mhmmieil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djipbbne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qoelkp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aonoao32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogekbb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbckcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlobmd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgnbdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjfogbjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aajohjon.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnfkgp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pnifekmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egaejeej.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndnnianm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kjbdbjbi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bllbaa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kakmna32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekqckmfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hepgkohh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gipbck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhhcne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cejjdlap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlpfhe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahfmpnql.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hepgkohh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnnnfalp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aajohjon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ihmfco32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phmnfp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkaeih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kcpjnjii.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbfoclai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecanojgl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpcdof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phodcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbnknpqj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lndagg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlepcdoa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Famhmfkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbfoclai.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ienlbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdokmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iialhaad.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Johggfha.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qppaclio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmdoel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfkamk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhbcfbjk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apmhiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnokjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbbkbbkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doojec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojnfihmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbhhieao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nconfh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdqcenmg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mphamg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dalkek32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bochmn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hemdlj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpdnjple.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chfegk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpogkhnl.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Hmlpaoaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Idfaefkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilafiihp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikbfgppo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkgpbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjlmclqa.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjoiil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jqknkedi.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjhloj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmieae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqfngd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjcnoej.exe N/A
N/A N/A C:\Windows\SysWOW64\Lggldm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lndagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mepfiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgclpkac.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmenca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmgjia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnicid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njpdnedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjeljhd.exe N/A
N/A N/A C:\Windows\SysWOW64\Omgcpokp.exe N/A
N/A N/A C:\Windows\SysWOW64\Phodcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phaahggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmaffnce.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmepam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qoelkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qklmpalf.exe N/A
N/A N/A C:\Windows\SysWOW64\Aednci32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aajohjon.exe N/A
N/A N/A C:\Windows\SysWOW64\Aonoao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahgcjddh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bochmn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boeebnhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnkbcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bllbaa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhbcfbjk.exe N/A
N/A N/A C:\Windows\SysWOW64\Coohhlpe.exe N/A
N/A N/A C:\Windows\SysWOW64\Clchbqoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnfaohbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckjbhmad.exe N/A
N/A N/A C:\Windows\SysWOW64\Chnbbqpn.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdecgbfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhclmp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dndnpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbffdlq.exe N/A
N/A N/A C:\Windows\SysWOW64\Eofgpikj.exe N/A
N/A N/A C:\Windows\SysWOW64\Eicedn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efjbcakl.exe N/A
N/A N/A C:\Windows\SysWOW64\Flfkkhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbbpmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpgpgfmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmdcfidg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmfplibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hedafk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlpfhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlepcdoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Hemdlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibaeen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iplkpa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpenfp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgpfbjlo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jphkkpbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnlkedai.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Dbmdml32.dll C:\Windows\SysWOW64\Pdmdnadc.exe N/A
File created C:\Windows\SysWOW64\Hpceplkl.dll C:\Windows\SysWOW64\Hifmmb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipkdek32.exe C:\Windows\SysWOW64\Iialhaad.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfhmjf32.exe C:\Windows\SysWOW64\Pakdbp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nconfh32.exe C:\Windows\SysWOW64\Ndnnianm.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecanojgl.exe C:\Windows\SysWOW64\Elhfbp32.exe N/A
File created C:\Windows\SysWOW64\Kbmimp32.dll C:\Windows\SysWOW64\Ljceqb32.exe N/A
File created C:\Windows\SysWOW64\Flbfjl32.dll C:\Windows\SysWOW64\Oakbehfe.exe N/A
File created C:\Windows\SysWOW64\Qlqidj32.dll C:\Windows\SysWOW64\Bgfhnpde.exe N/A
File created C:\Windows\SysWOW64\Mjiloqjb.exe C:\Windows\SysWOW64\Mmdlflki.exe N/A
File opened for modification C:\Windows\SysWOW64\Niihlkdm.exe C:\Windows\SysWOW64\Ndhgie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gngeik32.exe C:\Windows\SysWOW64\Ggmmlamj.exe N/A
File created C:\Windows\SysWOW64\Ipdbmgdb.dll C:\Windows\SysWOW64\Llqjbhdc.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfmolc32.exe C:\Windows\SysWOW64\Bpcgpihi.exe N/A
File created C:\Windows\SysWOW64\Hjnmfk32.dll C:\Windows\SysWOW64\Mdghhb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kqdodo32.exe C:\Windows\SysWOW64\Jckeokan.exe N/A
File created C:\Windows\SysWOW64\Mmbopm32.exe C:\Windows\SysWOW64\Mfhgcbfo.exe N/A
File opened for modification C:\Windows\SysWOW64\Idfaefkd.exe C:\Windows\SysWOW64\Hmlpaoaj.exe N/A
File created C:\Windows\SysWOW64\Qmepam32.exe C:\Windows\SysWOW64\Pmaffnce.exe N/A
File created C:\Windows\SysWOW64\Qjffpe32.exe C:\Windows\SysWOW64\Qppaclio.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpogkhnl.exe C:\Windows\SysWOW64\Bbhildae.exe N/A
File created C:\Windows\SysWOW64\Pinffi32.dll C:\Windows\SysWOW64\Ilhkigcd.exe N/A
File opened for modification C:\Windows\SysWOW64\Doojec32.exe C:\Windows\SysWOW64\Ddifgk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Obqanjdb.exe C:\Windows\SysWOW64\Omdieb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbbmmo32.exe C:\Windows\SysWOW64\Jnnnfalp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecoaijio.exe C:\Windows\SysWOW64\Dekapfke.exe N/A
File created C:\Windows\SysWOW64\Gmeadk32.dll C:\Windows\SysWOW64\Eljchpnl.exe N/A
File created C:\Windows\SysWOW64\Eciqfjec.dll C:\Windows\SysWOW64\Ibqnkh32.exe N/A
File created C:\Windows\SysWOW64\Ipkdek32.exe C:\Windows\SysWOW64\Iialhaad.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkefmjcj.exe C:\Windows\SysWOW64\Gdknpp32.exe N/A
File created C:\Windows\SysWOW64\Mhjmpfcl.dll C:\Windows\SysWOW64\Dndnpf32.exe N/A
File created C:\Windows\SysWOW64\Hemdlj32.exe C:\Windows\SysWOW64\Hlepcdoa.exe N/A
File opened for modification C:\Windows\SysWOW64\Oikjkc32.exe C:\Windows\SysWOW64\Obqanjdb.exe N/A
File created C:\Windows\SysWOW64\Dekapfke.exe C:\Windows\SysWOW64\Dlqpaafg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlpfhe32.exe C:\Windows\SysWOW64\Hedafk32.exe N/A
File created C:\Windows\SysWOW64\Ofkhal32.dll C:\Windows\SysWOW64\Bpdnjple.exe N/A
File created C:\Windows\SysWOW64\Eemgkpef.exe C:\Windows\SysWOW64\Dbckcf32.exe N/A
File created C:\Windows\SysWOW64\Gakbde32.dll C:\Windows\SysWOW64\Geanfelc.exe N/A
File created C:\Windows\SysWOW64\Pbddobla.exe C:\Windows\SysWOW64\Pkklbh32.exe N/A
File created C:\Windows\SysWOW64\Mqkiok32.exe C:\Windows\SysWOW64\Mfqlfb32.exe N/A
File created C:\Windows\SysWOW64\Pjbcplpe.exe C:\Windows\SysWOW64\Pnkbkk32.exe N/A
File created C:\Windows\SysWOW64\Bddcenpi.exe C:\Windows\SysWOW64\Bhmbqm32.exe N/A
File created C:\Windows\SysWOW64\Hclkag32.dll C:\Windows\SysWOW64\Gnblnlhl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojnfihmo.exe C:\Windows\SysWOW64\Ocdnln32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fifomlap.exe C:\Windows\SysWOW64\Ehnpmkbg.exe N/A
File opened for modification C:\Windows\SysWOW64\Nmenca32.exe C:\Windows\SysWOW64\Mgclpkac.exe N/A
File created C:\Windows\SysWOW64\Iplkpa32.exe C:\Windows\SysWOW64\Ibaeen32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eebgqe32.exe C:\Windows\SysWOW64\Eljchpnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Agckiqgg.exe C:\Windows\SysWOW64\Abgcqjhp.exe N/A
File opened for modification C:\Windows\SysWOW64\Kcpjnjii.exe C:\Windows\SysWOW64\Klcekpdo.exe N/A
File created C:\Windows\SysWOW64\Kebkgjkg.dll C:\Windows\SysWOW64\Nbbeml32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpcgpihi.exe C:\Windows\SysWOW64\Bjfogbjb.exe N/A
File created C:\Windows\SysWOW64\Hgebnc32.exe C:\Windows\SysWOW64\Hjabdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lacbpccn.exe C:\Windows\SysWOW64\Lndfchdj.exe N/A
File created C:\Windows\SysWOW64\Bkdqdokk.exe C:\Windows\SysWOW64\Bfghlhmd.exe N/A
File created C:\Windows\SysWOW64\Ehmfqgao.dll C:\Windows\SysWOW64\Kifjip32.exe N/A
File created C:\Windows\SysWOW64\Lciibdmj.dll C:\Windows\SysWOW64\Hemdlj32.exe N/A
File created C:\Windows\SysWOW64\Iojkeh32.exe C:\Windows\SysWOW64\Ibcjqgnm.exe N/A
File created C:\Windows\SysWOW64\Cpclaedf.dll C:\Windows\SysWOW64\Hkmlnimb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlblcn32.exe C:\Windows\SysWOW64\Geanfelc.exe N/A
File opened for modification C:\Windows\SysWOW64\Iojkeh32.exe C:\Windows\SysWOW64\Ibcjqgnm.exe N/A
File opened for modification C:\Windows\SysWOW64\Ekimjn32.exe C:\Windows\SysWOW64\Eaaiahei.exe N/A
File created C:\Windows\SysWOW64\Gjcfcakn.exe C:\Windows\SysWOW64\Gloejmld.exe N/A
File created C:\Windows\SysWOW64\Mffjnc32.exe C:\Windows\SysWOW64\Ldgnbg32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Eldlhckj.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ifleji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadhip32.dll" C:\Windows\SysWOW64\Clchbqoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll" C:\Windows\SysWOW64\Lggejg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jidinqpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbneceac.dll" C:\Windows\SysWOW64\Hqghqpnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fneoma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lndfchdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgblkajh.dll" C:\Windows\SysWOW64\Agobna32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bpkdjofm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghehjh32.dll" C:\Windows\SysWOW64\Eiekog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll" C:\Windows\SysWOW64\Ojnfihmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pakdbp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkefmjcj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hnjaonij.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnicid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofmfi32.dll" C:\Windows\SysWOW64\Onkidm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Edeeci32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oqhoeb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjabdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndkjik32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckjbhmad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oqmhqapg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdbamc32.dll" C:\Windows\SysWOW64\Ecanojgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gjcfcakn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkonk32.dll" C:\Windows\SysWOW64\Anhcpeon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njpdnedf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Egaejeej.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmdmpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggaoeo32.dll" C:\Windows\SysWOW64\Mmpbkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acphqk32.dll" C:\Windows\SysWOW64\Djipbbne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjofoqdn.dll" C:\Windows\SysWOW64\Hlepcdoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcoljagj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll" C:\Windows\SysWOW64\Ppdbgncl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjfogbjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hclccd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llbndn32.dll" C:\Windows\SysWOW64\Cejjdlap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chfegk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eiekog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mhldbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aimogakj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmhhpkcj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ppdbgncl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kaopoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahgcjddh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbobjbh.dll" C:\Windows\SysWOW64\Hbfdjc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll" C:\Windows\SysWOW64\Jbbmmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jepbodhg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ljdkll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ilhkigcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgilmo32.dll" C:\Windows\SysWOW64\Aeopfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll" C:\Windows\SysWOW64\Ojajin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Omdieb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpqlfa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hnokjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqkcc32.dll" C:\Windows\SysWOW64\Pbdmdlie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlqidj32.dll" C:\Windows\SysWOW64\Bgfhnpde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofmdio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Objkmkjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qcncodki.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lmjcdd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfall32.dll" C:\Windows\SysWOW64\Jmamba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhcgogn.dll" C:\Windows\SysWOW64\Mhhcne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ikbfgppo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4748 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe C:\Windows\SysWOW64\Hmlpaoaj.exe
PID 4748 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe C:\Windows\SysWOW64\Hmlpaoaj.exe
PID 4748 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe C:\Windows\SysWOW64\Hmlpaoaj.exe
PID 1796 wrote to memory of 1952 N/A C:\Windows\SysWOW64\Hmlpaoaj.exe C:\Windows\SysWOW64\Idfaefkd.exe
PID 1796 wrote to memory of 1952 N/A C:\Windows\SysWOW64\Hmlpaoaj.exe C:\Windows\SysWOW64\Idfaefkd.exe
PID 1796 wrote to memory of 1952 N/A C:\Windows\SysWOW64\Hmlpaoaj.exe C:\Windows\SysWOW64\Idfaefkd.exe
PID 1952 wrote to memory of 2044 N/A C:\Windows\SysWOW64\Idfaefkd.exe C:\Windows\SysWOW64\Ilafiihp.exe
PID 1952 wrote to memory of 2044 N/A C:\Windows\SysWOW64\Idfaefkd.exe C:\Windows\SysWOW64\Ilafiihp.exe
PID 1952 wrote to memory of 2044 N/A C:\Windows\SysWOW64\Idfaefkd.exe C:\Windows\SysWOW64\Ilafiihp.exe
PID 2044 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Ilafiihp.exe C:\Windows\SysWOW64\Ikbfgppo.exe
PID 2044 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Ilafiihp.exe C:\Windows\SysWOW64\Ikbfgppo.exe
PID 2044 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Ilafiihp.exe C:\Windows\SysWOW64\Ikbfgppo.exe
PID 3328 wrote to memory of 452 N/A C:\Windows\SysWOW64\Ikbfgppo.exe C:\Windows\SysWOW64\Jkgpbp32.exe
PID 3328 wrote to memory of 452 N/A C:\Windows\SysWOW64\Ikbfgppo.exe C:\Windows\SysWOW64\Jkgpbp32.exe
PID 3328 wrote to memory of 452 N/A C:\Windows\SysWOW64\Ikbfgppo.exe C:\Windows\SysWOW64\Jkgpbp32.exe
PID 452 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Jkgpbp32.exe C:\Windows\SysWOW64\Jjlmclqa.exe
PID 452 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Jkgpbp32.exe C:\Windows\SysWOW64\Jjlmclqa.exe
PID 452 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Jkgpbp32.exe C:\Windows\SysWOW64\Jjlmclqa.exe
PID 2924 wrote to memory of 4520 N/A C:\Windows\SysWOW64\Jjlmclqa.exe C:\Windows\SysWOW64\Jjoiil32.exe
PID 2924 wrote to memory of 4520 N/A C:\Windows\SysWOW64\Jjlmclqa.exe C:\Windows\SysWOW64\Jjoiil32.exe
PID 2924 wrote to memory of 4520 N/A C:\Windows\SysWOW64\Jjlmclqa.exe C:\Windows\SysWOW64\Jjoiil32.exe
PID 4520 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Jjoiil32.exe C:\Windows\SysWOW64\Jqknkedi.exe
PID 4520 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Jjoiil32.exe C:\Windows\SysWOW64\Jqknkedi.exe
PID 4520 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Jjoiil32.exe C:\Windows\SysWOW64\Jqknkedi.exe
PID 1612 wrote to memory of 5108 N/A C:\Windows\SysWOW64\Jqknkedi.exe C:\Windows\SysWOW64\Kjhloj32.exe
PID 1612 wrote to memory of 5108 N/A C:\Windows\SysWOW64\Jqknkedi.exe C:\Windows\SysWOW64\Kjhloj32.exe
PID 1612 wrote to memory of 5108 N/A C:\Windows\SysWOW64\Jqknkedi.exe C:\Windows\SysWOW64\Kjhloj32.exe
PID 5108 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Kjhloj32.exe C:\Windows\SysWOW64\Kmieae32.exe
PID 5108 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Kjhloj32.exe C:\Windows\SysWOW64\Kmieae32.exe
PID 5108 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Kjhloj32.exe C:\Windows\SysWOW64\Kmieae32.exe
PID 4884 wrote to memory of 3848 N/A C:\Windows\SysWOW64\Kmieae32.exe C:\Windows\SysWOW64\Kqfngd32.exe
PID 4884 wrote to memory of 3848 N/A C:\Windows\SysWOW64\Kmieae32.exe C:\Windows\SysWOW64\Kqfngd32.exe
PID 4884 wrote to memory of 3848 N/A C:\Windows\SysWOW64\Kmieae32.exe C:\Windows\SysWOW64\Kqfngd32.exe
PID 3848 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Kqfngd32.exe C:\Windows\SysWOW64\Lcjcnoej.exe
PID 3848 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Kqfngd32.exe C:\Windows\SysWOW64\Lcjcnoej.exe
PID 3848 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Kqfngd32.exe C:\Windows\SysWOW64\Lcjcnoej.exe
PID 5032 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Lcjcnoej.exe C:\Windows\SysWOW64\Lggldm32.exe
PID 5032 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Lcjcnoej.exe C:\Windows\SysWOW64\Lggldm32.exe
PID 5032 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Lcjcnoej.exe C:\Windows\SysWOW64\Lggldm32.exe
PID 1564 wrote to memory of 4332 N/A C:\Windows\SysWOW64\Lggldm32.exe C:\Windows\SysWOW64\Lndagg32.exe
PID 1564 wrote to memory of 4332 N/A C:\Windows\SysWOW64\Lggldm32.exe C:\Windows\SysWOW64\Lndagg32.exe
PID 1564 wrote to memory of 4332 N/A C:\Windows\SysWOW64\Lggldm32.exe C:\Windows\SysWOW64\Lndagg32.exe
PID 4332 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Lndagg32.exe C:\Windows\SysWOW64\Mepfiq32.exe
PID 4332 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Lndagg32.exe C:\Windows\SysWOW64\Mepfiq32.exe
PID 4332 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Lndagg32.exe C:\Windows\SysWOW64\Mepfiq32.exe
PID 5000 wrote to memory of 3308 N/A C:\Windows\SysWOW64\Mepfiq32.exe C:\Windows\SysWOW64\Mgclpkac.exe
PID 5000 wrote to memory of 3308 N/A C:\Windows\SysWOW64\Mepfiq32.exe C:\Windows\SysWOW64\Mgclpkac.exe
PID 5000 wrote to memory of 3308 N/A C:\Windows\SysWOW64\Mepfiq32.exe C:\Windows\SysWOW64\Mgclpkac.exe
PID 3308 wrote to memory of 3952 N/A C:\Windows\SysWOW64\Mgclpkac.exe C:\Windows\SysWOW64\Nmenca32.exe
PID 3308 wrote to memory of 3952 N/A C:\Windows\SysWOW64\Mgclpkac.exe C:\Windows\SysWOW64\Nmenca32.exe
PID 3308 wrote to memory of 3952 N/A C:\Windows\SysWOW64\Mgclpkac.exe C:\Windows\SysWOW64\Nmenca32.exe
PID 3952 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Nmenca32.exe C:\Windows\SysWOW64\Nmgjia32.exe
PID 3952 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Nmenca32.exe C:\Windows\SysWOW64\Nmgjia32.exe
PID 3952 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Nmenca32.exe C:\Windows\SysWOW64\Nmgjia32.exe
PID 1636 wrote to memory of 3280 N/A C:\Windows\SysWOW64\Nmgjia32.exe C:\Windows\SysWOW64\Nnicid32.exe
PID 1636 wrote to memory of 3280 N/A C:\Windows\SysWOW64\Nmgjia32.exe C:\Windows\SysWOW64\Nnicid32.exe
PID 1636 wrote to memory of 3280 N/A C:\Windows\SysWOW64\Nmgjia32.exe C:\Windows\SysWOW64\Nnicid32.exe
PID 3280 wrote to memory of 3856 N/A C:\Windows\SysWOW64\Nnicid32.exe C:\Windows\SysWOW64\Njpdnedf.exe
PID 3280 wrote to memory of 3856 N/A C:\Windows\SysWOW64\Nnicid32.exe C:\Windows\SysWOW64\Njpdnedf.exe
PID 3280 wrote to memory of 3856 N/A C:\Windows\SysWOW64\Nnicid32.exe C:\Windows\SysWOW64\Njpdnedf.exe
PID 3856 wrote to memory of 4036 N/A C:\Windows\SysWOW64\Njpdnedf.exe C:\Windows\SysWOW64\Odjeljhd.exe
PID 3856 wrote to memory of 4036 N/A C:\Windows\SysWOW64\Njpdnedf.exe C:\Windows\SysWOW64\Odjeljhd.exe
PID 3856 wrote to memory of 4036 N/A C:\Windows\SysWOW64\Njpdnedf.exe C:\Windows\SysWOW64\Odjeljhd.exe
PID 4036 wrote to memory of 3556 N/A C:\Windows\SysWOW64\Odjeljhd.exe C:\Windows\SysWOW64\Omgcpokp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe

"C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe"

C:\Windows\SysWOW64\Hmlpaoaj.exe

C:\Windows\system32\Hmlpaoaj.exe

C:\Windows\SysWOW64\Idfaefkd.exe

C:\Windows\system32\Idfaefkd.exe

C:\Windows\SysWOW64\Ilafiihp.exe

C:\Windows\system32\Ilafiihp.exe

C:\Windows\SysWOW64\Ikbfgppo.exe

C:\Windows\system32\Ikbfgppo.exe

C:\Windows\SysWOW64\Jkgpbp32.exe

C:\Windows\system32\Jkgpbp32.exe

C:\Windows\SysWOW64\Jjlmclqa.exe

C:\Windows\system32\Jjlmclqa.exe

C:\Windows\SysWOW64\Jjoiil32.exe

C:\Windows\system32\Jjoiil32.exe

C:\Windows\SysWOW64\Jqknkedi.exe

C:\Windows\system32\Jqknkedi.exe

C:\Windows\SysWOW64\Kjhloj32.exe

C:\Windows\system32\Kjhloj32.exe

C:\Windows\SysWOW64\Kmieae32.exe

C:\Windows\system32\Kmieae32.exe

C:\Windows\SysWOW64\Kqfngd32.exe

C:\Windows\system32\Kqfngd32.exe

C:\Windows\SysWOW64\Lcjcnoej.exe

C:\Windows\system32\Lcjcnoej.exe

C:\Windows\SysWOW64\Lggldm32.exe

C:\Windows\system32\Lggldm32.exe

C:\Windows\SysWOW64\Lndagg32.exe

C:\Windows\system32\Lndagg32.exe

C:\Windows\SysWOW64\Mepfiq32.exe

C:\Windows\system32\Mepfiq32.exe

C:\Windows\SysWOW64\Mgclpkac.exe

C:\Windows\system32\Mgclpkac.exe

C:\Windows\SysWOW64\Nmenca32.exe

C:\Windows\system32\Nmenca32.exe

C:\Windows\SysWOW64\Nmgjia32.exe

C:\Windows\system32\Nmgjia32.exe

C:\Windows\SysWOW64\Nnicid32.exe

C:\Windows\system32\Nnicid32.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Odjeljhd.exe

C:\Windows\system32\Odjeljhd.exe

C:\Windows\SysWOW64\Omgcpokp.exe

C:\Windows\system32\Omgcpokp.exe

C:\Windows\SysWOW64\Phodcg32.exe

C:\Windows\system32\Phodcg32.exe

C:\Windows\SysWOW64\Phaahggp.exe

C:\Windows\system32\Phaahggp.exe

C:\Windows\SysWOW64\Pmaffnce.exe

C:\Windows\system32\Pmaffnce.exe

C:\Windows\SysWOW64\Qmepam32.exe

C:\Windows\system32\Qmepam32.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qklmpalf.exe

C:\Windows\system32\Qklmpalf.exe

C:\Windows\SysWOW64\Aednci32.exe

C:\Windows\system32\Aednci32.exe

C:\Windows\SysWOW64\Aajohjon.exe

C:\Windows\system32\Aajohjon.exe

C:\Windows\SysWOW64\Aonoao32.exe

C:\Windows\system32\Aonoao32.exe

C:\Windows\SysWOW64\Ahgcjddh.exe

C:\Windows\system32\Ahgcjddh.exe

C:\Windows\SysWOW64\Bochmn32.exe

C:\Windows\system32\Bochmn32.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Bnkbcj32.exe

C:\Windows\system32\Bnkbcj32.exe

C:\Windows\SysWOW64\Bllbaa32.exe

C:\Windows\system32\Bllbaa32.exe

C:\Windows\SysWOW64\Bhbcfbjk.exe

C:\Windows\system32\Bhbcfbjk.exe

C:\Windows\SysWOW64\Coohhlpe.exe

C:\Windows\system32\Coohhlpe.exe

C:\Windows\SysWOW64\Clchbqoo.exe

C:\Windows\system32\Clchbqoo.exe

C:\Windows\SysWOW64\Cnfaohbj.exe

C:\Windows\system32\Cnfaohbj.exe

C:\Windows\SysWOW64\Ckjbhmad.exe

C:\Windows\system32\Ckjbhmad.exe

C:\Windows\SysWOW64\Chnbbqpn.exe

C:\Windows\system32\Chnbbqpn.exe

C:\Windows\SysWOW64\Cdecgbfa.exe

C:\Windows\system32\Cdecgbfa.exe

C:\Windows\SysWOW64\Dhclmp32.exe

C:\Windows\system32\Dhclmp32.exe

C:\Windows\SysWOW64\Dndnpf32.exe

C:\Windows\system32\Dndnpf32.exe

C:\Windows\SysWOW64\Dbbffdlq.exe

C:\Windows\system32\Dbbffdlq.exe

C:\Windows\SysWOW64\Eofgpikj.exe

C:\Windows\system32\Eofgpikj.exe

C:\Windows\SysWOW64\Eicedn32.exe

C:\Windows\system32\Eicedn32.exe

C:\Windows\SysWOW64\Efjbcakl.exe

C:\Windows\system32\Efjbcakl.exe

C:\Windows\SysWOW64\Flfkkhid.exe

C:\Windows\system32\Flfkkhid.exe

C:\Windows\SysWOW64\Fbbpmb32.exe

C:\Windows\system32\Fbbpmb32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\system32\Fpgpgfmh.exe

C:\Windows\SysWOW64\Gmdcfidg.exe

C:\Windows\system32\Gmdcfidg.exe

C:\Windows\SysWOW64\Gmfplibd.exe

C:\Windows\system32\Gmfplibd.exe

C:\Windows\SysWOW64\Hedafk32.exe

C:\Windows\system32\Hedafk32.exe

C:\Windows\SysWOW64\Hlpfhe32.exe

C:\Windows\system32\Hlpfhe32.exe

C:\Windows\SysWOW64\Hlepcdoa.exe

C:\Windows\system32\Hlepcdoa.exe

C:\Windows\SysWOW64\Hemdlj32.exe

C:\Windows\system32\Hemdlj32.exe

C:\Windows\SysWOW64\Ibaeen32.exe

C:\Windows\system32\Ibaeen32.exe

C:\Windows\SysWOW64\Iplkpa32.exe

C:\Windows\system32\Iplkpa32.exe

C:\Windows\SysWOW64\Jpenfp32.exe

C:\Windows\system32\Jpenfp32.exe

C:\Windows\SysWOW64\Jgpfbjlo.exe

C:\Windows\system32\Jgpfbjlo.exe

C:\Windows\SysWOW64\Jphkkpbp.exe

C:\Windows\system32\Jphkkpbp.exe

C:\Windows\SysWOW64\Jnlkedai.exe

C:\Windows\system32\Jnlkedai.exe

C:\Windows\SysWOW64\Komhll32.exe

C:\Windows\system32\Komhll32.exe

C:\Windows\SysWOW64\Klcekpdo.exe

C:\Windows\system32\Klcekpdo.exe

C:\Windows\SysWOW64\Kcpjnjii.exe

C:\Windows\system32\Kcpjnjii.exe

C:\Windows\SysWOW64\Kgnbdh32.exe

C:\Windows\system32\Kgnbdh32.exe

C:\Windows\SysWOW64\Lcdciiec.exe

C:\Windows\system32\Lcdciiec.exe

C:\Windows\SysWOW64\Ljnlecmp.exe

C:\Windows\system32\Ljnlecmp.exe

C:\Windows\SysWOW64\Lfeljd32.exe

C:\Windows\system32\Lfeljd32.exe

C:\Windows\SysWOW64\Lqkqhm32.exe

C:\Windows\system32\Lqkqhm32.exe

C:\Windows\SysWOW64\Ljceqb32.exe

C:\Windows\system32\Ljceqb32.exe

C:\Windows\SysWOW64\Lggejg32.exe

C:\Windows\system32\Lggejg32.exe

C:\Windows\SysWOW64\Mfqlfb32.exe

C:\Windows\system32\Mfqlfb32.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Nagiji32.exe

C:\Windows\system32\Nagiji32.exe

C:\Windows\SysWOW64\Ngqagcag.exe

C:\Windows\system32\Ngqagcag.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Ojajin32.exe

C:\Windows\system32\Ojajin32.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Ombcji32.exe

C:\Windows\system32\Ombcji32.exe

C:\Windows\SysWOW64\Opclldhj.exe

C:\Windows\system32\Opclldhj.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Ohlqcagj.exe

C:\Windows\system32\Ohlqcagj.exe

C:\Windows\SysWOW64\Pmiikh32.exe

C:\Windows\system32\Pmiikh32.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Pjbcplpe.exe

C:\Windows\system32\Pjbcplpe.exe

C:\Windows\SysWOW64\Pdmdnadc.exe

C:\Windows\system32\Pdmdnadc.exe

C:\Windows\SysWOW64\Qodeajbg.exe

C:\Windows\system32\Qodeajbg.exe

C:\Windows\SysWOW64\Afpjel32.exe

C:\Windows\system32\Afpjel32.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Amlogfel.exe

C:\Windows\system32\Amlogfel.exe

C:\Windows\SysWOW64\Ahaceo32.exe

C:\Windows\system32\Ahaceo32.exe

C:\Windows\SysWOW64\Apmhiq32.exe

C:\Windows\system32\Apmhiq32.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Ahfmpnql.exe

C:\Windows\system32\Ahfmpnql.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Bobabg32.exe

C:\Windows\system32\Bobabg32.exe

C:\Windows\SysWOW64\Bpdnjple.exe

C:\Windows\system32\Bpdnjple.exe

C:\Windows\SysWOW64\Bkibgh32.exe

C:\Windows\system32\Bkibgh32.exe

C:\Windows\SysWOW64\Bhmbqm32.exe

C:\Windows\system32\Bhmbqm32.exe

C:\Windows\SysWOW64\Bddcenpi.exe

C:\Windows\system32\Bddcenpi.exe

C:\Windows\SysWOW64\Bpkdjofm.exe

C:\Windows\system32\Bpkdjofm.exe

C:\Windows\SysWOW64\Bkphhgfc.exe

C:\Windows\system32\Bkphhgfc.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Ddgibkpc.exe

C:\Windows\system32\Ddgibkpc.exe

C:\Windows\SysWOW64\Dnonkq32.exe

C:\Windows\system32\Dnonkq32.exe

C:\Windows\SysWOW64\Ddifgk32.exe

C:\Windows\system32\Ddifgk32.exe

C:\Windows\SysWOW64\Doojec32.exe

C:\Windows\system32\Doojec32.exe

C:\Windows\SysWOW64\Dbocfo32.exe

C:\Windows\system32\Dbocfo32.exe

C:\Windows\SysWOW64\Dkhgod32.exe

C:\Windows\system32\Dkhgod32.exe

C:\Windows\SysWOW64\Egaejeej.exe

C:\Windows\system32\Egaejeej.exe

C:\Windows\SysWOW64\Enkmfolf.exe

C:\Windows\system32\Enkmfolf.exe

C:\Windows\SysWOW64\Edeeci32.exe

C:\Windows\system32\Edeeci32.exe

C:\Windows\SysWOW64\Eojiqb32.exe

C:\Windows\system32\Eojiqb32.exe

C:\Windows\SysWOW64\Ehbnigjj.exe

C:\Windows\system32\Ehbnigjj.exe

C:\Windows\SysWOW64\Eiekog32.exe

C:\Windows\system32\Eiekog32.exe

C:\Windows\SysWOW64\Fnbcgn32.exe

C:\Windows\system32\Fnbcgn32.exe

C:\Windows\SysWOW64\Fgjhpcmo.exe

C:\Windows\system32\Fgjhpcmo.exe

C:\Windows\SysWOW64\Filapfbo.exe

C:\Windows\system32\Filapfbo.exe

C:\Windows\SysWOW64\Finnef32.exe

C:\Windows\system32\Finnef32.exe

C:\Windows\SysWOW64\Fnkfmm32.exe

C:\Windows\system32\Fnkfmm32.exe

C:\Windows\SysWOW64\Gnnccl32.exe

C:\Windows\system32\Gnnccl32.exe

C:\Windows\SysWOW64\Gicgpelg.exe

C:\Windows\system32\Gicgpelg.exe

C:\Windows\SysWOW64\Ganldgib.exe

C:\Windows\system32\Ganldgib.exe

C:\Windows\SysWOW64\Gnblnlhl.exe

C:\Windows\system32\Gnblnlhl.exe

C:\Windows\SysWOW64\Gihpkd32.exe

C:\Windows\system32\Gihpkd32.exe

C:\Windows\SysWOW64\Gpaihooo.exe

C:\Windows\system32\Gpaihooo.exe

C:\Windows\SysWOW64\Ggmmlamj.exe

C:\Windows\system32\Ggmmlamj.exe

C:\Windows\SysWOW64\Gngeik32.exe

C:\Windows\system32\Gngeik32.exe

C:\Windows\SysWOW64\Geanfelc.exe

C:\Windows\system32\Geanfelc.exe

C:\Windows\SysWOW64\Hlblcn32.exe

C:\Windows\system32\Hlblcn32.exe

C:\Windows\SysWOW64\Hifmmb32.exe

C:\Windows\system32\Hifmmb32.exe

C:\Windows\SysWOW64\Hihibbjo.exe

C:\Windows\system32\Hihibbjo.exe

C:\Windows\SysWOW64\Ibqnkh32.exe

C:\Windows\system32\Ibqnkh32.exe

C:\Windows\SysWOW64\Ihmfco32.exe

C:\Windows\system32\Ihmfco32.exe

C:\Windows\SysWOW64\Ibcjqgnm.exe

C:\Windows\system32\Ibcjqgnm.exe

C:\Windows\SysWOW64\Iojkeh32.exe

C:\Windows\system32\Iojkeh32.exe

C:\Windows\SysWOW64\Ibgdlg32.exe


Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 13.107.21.200:443 g.bing.com tcp
US 8.8.8.8:53 200.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 34.179.17.96.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 15.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.16.234:443 chromewebstore.googleapis.com tcp
GB 172.217.16.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
GB 172.217.16.234:443 chromewebstore.googleapis.com tcp
GB 172.217.16.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 13.107.21.200:443 tse1.mm.bing.net tcp

Files


memory/1388-259-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2520-265-0x0000000000400000-0x0000000000453000-memory.dmp

memory/780-271-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bnkbcj32.exe

MD5 a16cb4c87aa1f1e18c0a029c3f461f4a
SHA1 23e3f2753cb44ae2d8880ffedd36990f7e59df54
SHA256 1481a283722744052017d84ce375eceab3f2d95753639815d218a57b85279f93
SHA512 60b6cfa3fa95958303789c76ac26a4de648d4c235091b753089368d2ff5652f8d3b04488d9bb350e8c4354dd795bd64c2e099f475394d842bb46e7e03122ff39

memory/4484-277-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2436-283-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4112-289-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4416-295-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5092-301-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2312-307-0x0000000000400000-0x0000000000453000-memory.dmp

memory/932-313-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2064-319-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1172-329-0x0000000000400000-0x0000000000453000-memory.dmp

memory/64-331-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3972-344-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3608-348-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Eicedn32.exe

MD5 e9ee5854628af12380f6dfa0a0479ece
SHA1 6cc100b361c6582c36fa333e878756ae875ff551
SHA256 1dd2d61f43da956a69c4f461dbb4a367a7b4c2adb3ea3118fd75f4592afae144
SHA512 0fbfd73f0e93aedcf8c2ee4766f08923b6e4a42351305b99cc94eeb5286859a084de3f805178b23dfe48fb4ffb99ee4d5419829e94f8bbe51d95f48d02c19cda

memory/5136-354-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5176-360-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Flfkkhid.exe

MD5 f7cdb4c705321be83e872072abe9541a
SHA1 28b257b76f99fe61183b7bec54e878ab9b627ebb
SHA256 6a25066481bb7c69335373986f26856e5cfaba95e2cc019f052bb4bf2b7ea4c0
SHA512 95a4ecb2e5311269d3435f14a2060820a8054cb9e2645707d7011db1c033e8dbed8b173c57af3745a08841652a6541f7086647c4a4ecedf31616ccdda2f0aa64

memory/5216-366-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5256-372-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5312-378-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5352-384-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Gmfplibd.exe

MD5 c9d890af1e0c931f4698b57b8bdb3da1
SHA1 ebedec888c954745032e99478ec1c9d11b0955c7
SHA256 4dc0b564f62d1938f0202b8ba127c407e0388e88a74203bedf7f9daee22266ac
SHA512 b96251f2a40bb44ef8f6147e4eae9fc3653d472026fe27c4952e03ee0f80daa69013c6621cb5aee7a9fd0265ec2dd5978a4376e20a94583c0137d7f3d27c0660

memory/5392-390-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5448-396-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5488-402-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5528-408-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5572-414-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5612-427-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5672-437-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5716-443-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5752-444-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Klcekpdo.exe

MD5 bf62b55cb47ff007c78ca4d22845b578
SHA1 4060c2903a5d4fbfc314c7122d8d7b7783d250ca
SHA256 1205a80c1020e912a6c5b0983780771b85b8a43567236f6d6908cdd84a89763a
SHA512 ee7ad5240bd330beeca632c01b767e007ea65459b1f14952aee62751cb2dfcc6d2f59cdd4d46846f878ea1fd467d366e57a34f9c235839c94fd4491706217512

C:\Windows\SysWOW64\Pdmdnadc.exe

MD5 8e0bf8fab3396ab55277f64b16e5ada1
SHA1 058c74cf43e8f64b7240775844a04b14b986a368
SHA256 9ae3900f1285954aa5f455128603725d3b12edeb9727141ed0daffaeb2809ae4
SHA512 ace9b838a24d89bdb60df3c1a86e1051f0448333114ebb1858547b5be4f784ec5efe979e16d41f1b10e4602491b86fe3b3280cba23bab1891468d25d27efbb20

C:\Windows\SysWOW64\Bkphhgfc.exe

MD5 de2b8f44dbb87cc41c3ce8a366510a33
SHA1 33f820b6a769e7b74199d735756276f408222d5a
SHA256 37175cb0d06fb171a97a37ea46c5bb4341b0a268a97927a3724c02d347c267e9
SHA512 278c768427a4281047c1f954eacd0ec22f95ccce342564df7e075b7be0258c1a9d149f5a6ed67432ecf8b72fa75cd45f7ff6e7c546e782a967423215ec6b9226

C:\Windows\SysWOW64\Dbocfo32.exe

MD5 6841ae36edbc425b807cce0e4257f46f
SHA1 f42c5c2af093cc0fc5445a79ed5d3254afe3cf38
SHA256 dc520fb0b2a1fc75335ec190babec47667cb2e55c23e140f37799569f9efa205
SHA512 0eea9321a6ec4901764c88c89aeab3fc5324f0388b24071bb3a57a0a0b9e80d6eba3df5ca345f1104fa8c1012c158a6a0ba8621e2c4d119c21312a67e27edea8

C:\Windows\SysWOW64\Filapfbo.exe

MD5 7d3c68a487ab56d6e346fc9c243ea24c
SHA1 2cb0e999b63dbfb206c3a3348c8b03307718cd40
SHA256 2ac673ea1ea5d7fc31b9c4cd9ba7a9a60ac98bb888e0db14da65f3e199f63292
SHA512 a44b78a9e890083cfce355927803c696407895e6d77aa79a011c66f83a0621532651b825386b4c03e45104946c7f80c1d5bbf3af485356b60878040aeca31770

C:\Windows\SysWOW64\Klpakj32.exe

MD5 b22c451e6b96084a1a952deae670bdb3
SHA1 1a2b9792420bd33e85bc73d70a85131f84e3f588
SHA256 f08481668903edca82de21f2239c36458bd3e6479ed85d975232e1e59c1755ed
SHA512 aeb526ffea050936dec31ca93ae393cbabe715441f97f008ae070cdd00b60cd66f0b99ea5bb19156617514927968a8d6a7d3029ac751c96eb93ee7a9c6b91d23

C:\Windows\SysWOW64\Ncbafoge.exe

MD5 649087a7dd572e89501f66a97e9d076e
SHA1 1accbb3445b87ff813d98e28f301f0a1ce716345
SHA256 fabffafd44b7d18ff61ec3e59af968bf7c2f9367a96cb6e1edcc107615eb6484
SHA512 eb7a4beb02b87cdd97072babc7df8a49b1d6ef8af9b2b3862f1f4ca0143b0c86ed3702f29be9b143a798568765a65dc204cb612cf7ded3edc64f28b49cad8adc

C:\Windows\SysWOW64\Cpogkhnl.exe

MD5 1e4d231b466e7e6f95c198608dcf9b4d
SHA1 e7ba279a230ef92030693c8c622e4ebd29193b85
SHA256 bb82b8e839c3a9315282bf6babaa58291b5089df52422ca98b5d6fbcd4836e77
SHA512 e37acbce6e93f05db8afbfeb0bfed46f34a2639c9ba3d110b67e73f732dad80df79714c24246f5c499b3c7d62f1c429a9b9f5e0680e4c17d85c9ca83ac14c7cd

C:\Windows\SysWOW64\Cdolgfbp.exe

MD5 8cb4c92a6c2b92f18b6d8e5b79120887
SHA1 beefd0670ffe5357336964320e0ea734e967869c
SHA256 9d9e214611b0c8a514bb73d21020233ea2261526112d016b6a23d333f5534cf0
SHA512 0df9159c593767b4a5a2b75c0d60b87d67af0aed936f5b5c5eb648f5ffeee0f1d96b38ce8ff7710fdf68550190dca8396b1b0e6e6441e4e3928af7a7b4456cec

C:\Windows\SysWOW64\Hkaeih32.exe

MD5 ab39181c81cc92932e5868473cf12762
SHA1 c7c97bd48738debff9a91e8f610c4120eaad272b
SHA256 a0ac518c4376c8772ea0831310746d2541e0ea7216749bc486006b04829f232d
SHA512 2e0e282d4e5d98a57707cc9d287e5c47615048cf0b3fac6d2c4e55b78390d1be149019176298f20837ee865f83aeeae70c8bb4dfcd745d1cb7377708acb5fddf