Malware Analysis Report

2025-03-14 23:12

Sample ID 240407-ac5tzaff66
Target e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118
SHA256 dce340e1e7c0f1782c5bc80acd3c8fae7efcf60ac1feb7bf4b0cff70ea9e55b6
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dce340e1e7c0f1782c5bc80acd3c8fae7efcf60ac1feb7bf4b0cff70ea9e55b6

Threat Level: Known bad

The file e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 00:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 00:05

Reported

2024-04-07 00:07

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnffgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Legmbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clmbddgp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Legmbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmebnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Naimccpo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blkioa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mholen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Balkchpi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmldme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhajdblk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmefooki.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbbngf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oghopm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdkgocpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkglameg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljkomfjl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpjqiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olonpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oomjlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aganeoip.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipllekdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Keednado.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhdgjb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpjqiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgoapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiknhbcg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqcpob32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpceidcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgcdki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdacop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maedhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nekbmgcn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apalea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Balkchpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmldme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jhljdm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nekbmgcn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmplcp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbdklf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lmebnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Laegiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mieeibkn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onbgmg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oalfhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qflhbhgg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cinfhigl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mbmjah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeqabgoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Blkioa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhajdblk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aijpnfif.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iheddndj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmplcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkaiqk32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Hiknhbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipgbjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iompkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iheddndj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipllekdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iamimc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioaifhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnffgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhljdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhngjmlo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbgkcb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgcdki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmplcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnpinc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcmafj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmefooki.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbbngf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kilfcpqm.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbdklf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfhbeek.exe N/A
N/A N/A C:\Windows\SysWOW64\Keednado.exe N/A
N/A N/A C:\Windows\SysWOW64\Kicmdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkaiqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knpemf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lclnemgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmebnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljibgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljkomfjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Laegiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liplnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Legmbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbkmlh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mieeibkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbmjah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkhofjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbpgggol.exe N/A
N/A N/A C:\Windows\SysWOW64\Mencccop.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdacop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkklljmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Maedhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Meppiblm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mholen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkmhaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmldme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpjqiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngdifkpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Naimccpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndhipoob.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkbalifo.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcnda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngibaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nekbmgcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlekia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npccpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oohqqlei.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoafmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaiibg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olonpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oomjlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oalfhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohendqhd.exe N/A
N/A N/A C:\Windows\SysWOW64\Oghopm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onbgmg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odlojanh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiknhbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiknhbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipgbjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipgbjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iompkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iompkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iheddndj.exe N/A
N/A N/A C:\Windows\SysWOW64\Iheddndj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipllekdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipllekdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iamimc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iamimc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioaifhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioaifhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnffgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnffgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhljdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhljdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhngjmlo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhngjmlo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbgkcb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbgkcb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgcdki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgcdki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmplcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmplcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnpinc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnpinc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcmafj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcmafj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmefooki.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmefooki.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbbngf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbbngf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kilfcpqm.exe N/A
N/A N/A C:\Windows\SysWOW64\Kilfcpqm.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbdklf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbdklf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfhbeek.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfhbeek.exe N/A
N/A N/A C:\Windows\SysWOW64\Keednado.exe N/A
N/A N/A C:\Windows\SysWOW64\Keednado.exe N/A
N/A N/A C:\Windows\SysWOW64\Kicmdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kicmdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkaiqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkaiqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knpemf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knpemf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lclnemgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Lclnemgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmebnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmebnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljibgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljibgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljkomfjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljkomfjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Laegiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laegiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liplnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liplnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Legmbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Legmbd32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cpdcnhnl.dll C:\Windows\SysWOW64\Jgcdki32.exe N/A
File created C:\Windows\SysWOW64\Hendhe32.dll C:\Windows\SysWOW64\Mbpgggol.exe N/A
File opened for modification C:\Windows\SysWOW64\Meppiblm.exe C:\Windows\SysWOW64\Maedhd32.exe N/A
File created C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Qeaedd32.exe N/A
File created C:\Windows\SysWOW64\Pqfjpj32.dll C:\Windows\SysWOW64\Acpdko32.exe N/A
File created C:\Windows\SysWOW64\Cpceidcn.exe C:\Windows\SysWOW64\Bobhal32.exe N/A
File created C:\Windows\SysWOW64\Hgpmbc32.dll C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File created C:\Windows\SysWOW64\Nelkpj32.dll C:\Windows\SysWOW64\Jbgkcb32.exe N/A
File created C:\Windows\SysWOW64\Jhngjmlo.exe C:\Windows\SysWOW64\Jhljdm32.exe N/A
File created C:\Windows\SysWOW64\Ngdifkpi.exe C:\Windows\SysWOW64\Mpjqiq32.exe N/A
File created C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\SysWOW64\Qflhbhgg.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Qeaedd32.exe N/A
File created C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Qjnmlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iheddndj.exe C:\Windows\SysWOW64\Iompkh32.exe N/A
File created C:\Windows\SysWOW64\Kbdklf32.exe C:\Windows\SysWOW64\Kilfcpqm.exe N/A
File created C:\Windows\SysWOW64\Lnlmhpjh.dll C:\Windows\SysWOW64\Mbmjah32.exe N/A
File created C:\Windows\SysWOW64\Maedhd32.exe C:\Windows\SysWOW64\Mkklljmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Oomjlk32.exe C:\Windows\SysWOW64\Olonpp32.exe N/A
File created C:\Windows\SysWOW64\Aaapnkij.dll C:\Windows\SysWOW64\Oalfhf32.exe N/A
File created C:\Windows\SysWOW64\Fnahcn32.dll C:\Windows\SysWOW64\Ohendqhd.exe N/A
File created C:\Windows\SysWOW64\Faflglmh.dll C:\Windows\SysWOW64\Oqcpob32.exe N/A
File created C:\Windows\SysWOW64\Jnpinc32.exe C:\Windows\SysWOW64\Jmplcp32.exe N/A
File created C:\Windows\SysWOW64\Fcohbnpe.dll C:\Windows\SysWOW64\Balkchpi.exe N/A
File created C:\Windows\SysWOW64\Kganqf32.dll C:\Windows\SysWOW64\Qgoapp32.exe N/A
File created C:\Windows\SysWOW64\Eppddhlj.dll C:\Windows\SysWOW64\Ngdifkpi.exe N/A
File opened for modification C:\Windows\SysWOW64\Npccpo32.exe C:\Windows\SysWOW64\Nlekia32.exe N/A
File created C:\Windows\SysWOW64\Mhdqqjhl.dll C:\Windows\SysWOW64\Okoafmkm.exe N/A
File opened for modification C:\Windows\SysWOW64\Oghopm32.exe C:\Windows\SysWOW64\Ohendqhd.exe N/A
File opened for modification C:\Windows\SysWOW64\Okfgfl32.exe C:\Windows\SysWOW64\Odlojanh.exe N/A
File created C:\Windows\SysWOW64\Ljkomfjl.exe C:\Windows\SysWOW64\Ljibgg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmefooki.exe C:\Windows\SysWOW64\Jcmafj32.exe N/A
File created C:\Windows\SysWOW64\Qaqkcf32.dll C:\Windows\SysWOW64\Mholen32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngdifkpi.exe C:\Windows\SysWOW64\Mpjqiq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngibaj32.exe C:\Windows\SysWOW64\Nlcnda32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aganeoip.exe C:\Windows\SysWOW64\Acfaeq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Bhdgjb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhljdm32.exe C:\Windows\SysWOW64\Jnffgd32.exe N/A
File created C:\Windows\SysWOW64\Oaajloig.dll C:\Windows\SysWOW64\Mdacop32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Onbgmg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Qjnmlk32.exe N/A
File created C:\Windows\SysWOW64\Kicmdo32.exe C:\Windows\SysWOW64\Keednado.exe N/A
File opened for modification C:\Windows\SysWOW64\Becnhgmg.exe C:\Windows\SysWOW64\Bfpnmj32.exe N/A
File created C:\Windows\SysWOW64\Bjdplm32.exe C:\Windows\SysWOW64\Blaopqpo.exe N/A
File created C:\Windows\SysWOW64\Kilfcpqm.exe C:\Windows\SysWOW64\Kbbngf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Keednado.exe C:\Windows\SysWOW64\Kbfhbeek.exe N/A
File created C:\Windows\SysWOW64\Ajdlmi32.dll C:\Windows\SysWOW64\Mbkmlh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ohendqhd.exe C:\Windows\SysWOW64\Oalfhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Amnfnfgg.exe C:\Windows\SysWOW64\Aganeoip.exe N/A
File created C:\Windows\SysWOW64\Bbgnak32.exe C:\Windows\SysWOW64\Blmfea32.exe N/A
File created C:\Windows\SysWOW64\Keednado.exe C:\Windows\SysWOW64\Kbfhbeek.exe N/A
File opened for modification C:\Windows\SysWOW64\Oaiibg32.exe C:\Windows\SysWOW64\Okoafmkm.exe N/A
File created C:\Windows\SysWOW64\Lmebnb32.exe C:\Windows\SysWOW64\Lclnemgd.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmagdbci.exe C:\Windows\SysWOW64\Pkidlk32.exe N/A
File created C:\Windows\SysWOW64\Pdiadenf.dll C:\Windows\SysWOW64\Bfpnmj32.exe N/A
File created C:\Windows\SysWOW64\Cfgheegc.dll C:\Windows\SysWOW64\Bdkgocpm.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cbgjqo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmplcp32.exe C:\Windows\SysWOW64\Jgcdki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mbmjah32.exe C:\Windows\SysWOW64\Mieeibkn.exe N/A
File created C:\Windows\SysWOW64\Hjojco32.dll C:\Windows\SysWOW64\Qeaedd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Balkchpi.exe C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File created C:\Windows\SysWOW64\Bdkgocpm.exe C:\Windows\SysWOW64\Balkchpi.exe N/A
File opened for modification C:\Windows\SysWOW64\Iompkh32.exe C:\Windows\SysWOW64\Ipgbjl32.exe N/A
File created C:\Windows\SysWOW64\Laegiq32.exe C:\Windows\SysWOW64\Ljkomfjl.exe N/A
File created C:\Windows\SysWOW64\Mencccop.exe C:\Windows\SysWOW64\Mbpgggol.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ceegmj32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdlmj32.dll" C:\Windows\SysWOW64\Iamimc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Keednado.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" C:\Windows\SysWOW64\Nkbalifo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oomjlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll" C:\Windows\SysWOW64\Bkglameg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ipgbjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdfge32.dll" C:\Windows\SysWOW64\Ipllekdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mkklljmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mholen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acpdko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll" C:\Windows\SysWOW64\Bhajdblk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicieohp.dll" C:\Windows\SysWOW64\Ioaifhid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mencccop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amcpie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iamimc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daekko32.dll" C:\Windows\SysWOW64\Onbgmg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Laegiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll" C:\Windows\SysWOW64\Qflhbhgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qodlkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Agfgqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bejdiffp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpceidcn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiknhbcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnpinc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cilibi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdacop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Onbgmg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lclnemgd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Liplnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndhipoob.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdmddc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll" C:\Windows\SysWOW64\Mieeibkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkhofjoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lmebnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngdifkpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nekbmgcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbgnak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iheddndj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kilfcpqm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nlekia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Okoafmkm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qgoapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aijpnfif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiknhbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Naimccpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abphal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jcmafj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghhkllb.dll" C:\Windows\SysWOW64\Knpemf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beejng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbbngf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mbkmlh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkbalifo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apalea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acpdko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cinfhigl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kbdklf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mholen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngibaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pledghce.dll" C:\Windows\SysWOW64\Jnffgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnbi32.dll" C:\Windows\SysWOW64\Kmefooki.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe C:\Windows\SysWOW64\Hiknhbcg.exe
PID 1460 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe C:\Windows\SysWOW64\Hiknhbcg.exe
PID 1460 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe C:\Windows\SysWOW64\Hiknhbcg.exe
PID 1460 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe C:\Windows\SysWOW64\Hiknhbcg.exe
PID 2204 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Hiknhbcg.exe C:\Windows\SysWOW64\Ipgbjl32.exe
PID 2204 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Hiknhbcg.exe C:\Windows\SysWOW64\Ipgbjl32.exe
PID 2204 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Hiknhbcg.exe C:\Windows\SysWOW64\Ipgbjl32.exe
PID 2204 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Hiknhbcg.exe C:\Windows\SysWOW64\Ipgbjl32.exe
PID 2552 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Ipgbjl32.exe C:\Windows\SysWOW64\Iompkh32.exe
PID 2552 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Ipgbjl32.exe C:\Windows\SysWOW64\Iompkh32.exe
PID 2552 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Ipgbjl32.exe C:\Windows\SysWOW64\Iompkh32.exe
PID 2552 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Ipgbjl32.exe C:\Windows\SysWOW64\Iompkh32.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Iompkh32.exe C:\Windows\SysWOW64\Iheddndj.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Iompkh32.exe C:\Windows\SysWOW64\Iheddndj.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Iompkh32.exe C:\Windows\SysWOW64\Iheddndj.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Iompkh32.exe C:\Windows\SysWOW64\Iheddndj.exe
PID 2568 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Iheddndj.exe C:\Windows\SysWOW64\Ipllekdl.exe
PID 2568 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Iheddndj.exe C:\Windows\SysWOW64\Ipllekdl.exe
PID 2568 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Iheddndj.exe C:\Windows\SysWOW64\Ipllekdl.exe
PID 2568 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Iheddndj.exe C:\Windows\SysWOW64\Ipllekdl.exe
PID 2452 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Ipllekdl.exe C:\Windows\SysWOW64\Iamimc32.exe
PID 2452 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Ipllekdl.exe C:\Windows\SysWOW64\Iamimc32.exe
PID 2452 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Ipllekdl.exe C:\Windows\SysWOW64\Iamimc32.exe
PID 2452 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Ipllekdl.exe C:\Windows\SysWOW64\Iamimc32.exe
PID 2484 wrote to memory of 2384 N/A C:\Windows\SysWOW64\Iamimc32.exe C:\Windows\SysWOW64\Ioaifhid.exe
PID 2484 wrote to memory of 2384 N/A C:\Windows\SysWOW64\Iamimc32.exe C:\Windows\SysWOW64\Ioaifhid.exe
PID 2484 wrote to memory of 2384 N/A C:\Windows\SysWOW64\Iamimc32.exe C:\Windows\SysWOW64\Ioaifhid.exe
PID 2484 wrote to memory of 2384 N/A C:\Windows\SysWOW64\Iamimc32.exe C:\Windows\SysWOW64\Ioaifhid.exe
PID 2384 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Ioaifhid.exe C:\Windows\SysWOW64\Jnffgd32.exe
PID 2384 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Ioaifhid.exe C:\Windows\SysWOW64\Jnffgd32.exe
PID 2384 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Ioaifhid.exe C:\Windows\SysWOW64\Jnffgd32.exe
PID 2384 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Ioaifhid.exe C:\Windows\SysWOW64\Jnffgd32.exe
PID 1624 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Jnffgd32.exe C:\Windows\SysWOW64\Jhljdm32.exe
PID 1624 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Jnffgd32.exe C:\Windows\SysWOW64\Jhljdm32.exe
PID 1624 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Jnffgd32.exe C:\Windows\SysWOW64\Jhljdm32.exe
PID 1624 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Jnffgd32.exe C:\Windows\SysWOW64\Jhljdm32.exe
PID 2584 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Jhljdm32.exe C:\Windows\SysWOW64\Jhngjmlo.exe
PID 2584 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Jhljdm32.exe C:\Windows\SysWOW64\Jhngjmlo.exe
PID 2584 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Jhljdm32.exe C:\Windows\SysWOW64\Jhngjmlo.exe
PID 2584 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Jhljdm32.exe C:\Windows\SysWOW64\Jhngjmlo.exe
PID 2764 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Jhngjmlo.exe C:\Windows\SysWOW64\Jbgkcb32.exe
PID 2764 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Jhngjmlo.exe C:\Windows\SysWOW64\Jbgkcb32.exe
PID 2764 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Jhngjmlo.exe C:\Windows\SysWOW64\Jbgkcb32.exe
PID 2764 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Jhngjmlo.exe C:\Windows\SysWOW64\Jbgkcb32.exe
PID 1976 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Jbgkcb32.exe C:\Windows\SysWOW64\Jgcdki32.exe
PID 1976 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Jbgkcb32.exe C:\Windows\SysWOW64\Jgcdki32.exe
PID 1976 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Jbgkcb32.exe C:\Windows\SysWOW64\Jgcdki32.exe
PID 1976 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Jbgkcb32.exe C:\Windows\SysWOW64\Jgcdki32.exe
PID 1680 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Jgcdki32.exe C:\Windows\SysWOW64\Jmplcp32.exe
PID 1680 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Jgcdki32.exe C:\Windows\SysWOW64\Jmplcp32.exe
PID 1680 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Jgcdki32.exe C:\Windows\SysWOW64\Jmplcp32.exe
PID 1680 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Jgcdki32.exe C:\Windows\SysWOW64\Jmplcp32.exe
PID 1224 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Jmplcp32.exe C:\Windows\SysWOW64\Jnpinc32.exe
PID 1224 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Jmplcp32.exe C:\Windows\SysWOW64\Jnpinc32.exe
PID 1224 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Jmplcp32.exe C:\Windows\SysWOW64\Jnpinc32.exe
PID 1224 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Jmplcp32.exe C:\Windows\SysWOW64\Jnpinc32.exe
PID 3060 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Jnpinc32.exe C:\Windows\SysWOW64\Jcmafj32.exe
PID 3060 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Jnpinc32.exe C:\Windows\SysWOW64\Jcmafj32.exe
PID 3060 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Jnpinc32.exe C:\Windows\SysWOW64\Jcmafj32.exe
PID 3060 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Jnpinc32.exe C:\Windows\SysWOW64\Jcmafj32.exe
PID 2812 wrote to memory of 2252 N/A C:\Windows\SysWOW64\Jcmafj32.exe C:\Windows\SysWOW64\Kmefooki.exe
PID 2812 wrote to memory of 2252 N/A C:\Windows\SysWOW64\Jcmafj32.exe C:\Windows\SysWOW64\Kmefooki.exe
PID 2812 wrote to memory of 2252 N/A C:\Windows\SysWOW64\Jcmafj32.exe C:\Windows\SysWOW64\Kmefooki.exe
PID 2812 wrote to memory of 2252 N/A C:\Windows\SysWOW64\Jcmafj32.exe C:\Windows\SysWOW64\Kmefooki.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe"

C:\Windows\SysWOW64\Hiknhbcg.exe

C:\Windows\system32\Hiknhbcg.exe

C:\Windows\SysWOW64\Ipgbjl32.exe

C:\Windows\system32\Ipgbjl32.exe

C:\Windows\SysWOW64\Iompkh32.exe

C:\Windows\system32\Iompkh32.exe

C:\Windows\SysWOW64\Iheddndj.exe

C:\Windows\system32\Iheddndj.exe

C:\Windows\SysWOW64\Ipllekdl.exe

C:\Windows\system32\Ipllekdl.exe

C:\Windows\SysWOW64\Iamimc32.exe

C:\Windows\system32\Iamimc32.exe

C:\Windows\SysWOW64\Ioaifhid.exe

C:\Windows\system32\Ioaifhid.exe

C:\Windows\SysWOW64\Jnffgd32.exe

C:\Windows\system32\Jnffgd32.exe

C:\Windows\SysWOW64\Jhljdm32.exe

C:\Windows\system32\Jhljdm32.exe

C:\Windows\SysWOW64\Jhngjmlo.exe

C:\Windows\system32\Jhngjmlo.exe

C:\Windows\SysWOW64\Jbgkcb32.exe

C:\Windows\system32\Jbgkcb32.exe

C:\Windows\SysWOW64\Jgcdki32.exe

C:\Windows\system32\Jgcdki32.exe

C:\Windows\SysWOW64\Jmplcp32.exe

C:\Windows\system32\Jmplcp32.exe

C:\Windows\SysWOW64\Jnpinc32.exe

C:\Windows\system32\Jnpinc32.exe

C:\Windows\SysWOW64\Jcmafj32.exe

C:\Windows\system32\Jcmafj32.exe

C:\Windows\SysWOW64\Kmefooki.exe

C:\Windows\system32\Kmefooki.exe

C:\Windows\SysWOW64\Kbbngf32.exe

C:\Windows\system32\Kbbngf32.exe

C:\Windows\SysWOW64\Kilfcpqm.exe

C:\Windows\system32\Kilfcpqm.exe

C:\Windows\SysWOW64\Kbdklf32.exe

C:\Windows\system32\Kbdklf32.exe

C:\Windows\SysWOW64\Kbfhbeek.exe

C:\Windows\system32\Kbfhbeek.exe

C:\Windows\SysWOW64\Keednado.exe

C:\Windows\system32\Keednado.exe

C:\Windows\SysWOW64\Kicmdo32.exe

C:\Windows\system32\Kicmdo32.exe

C:\Windows\SysWOW64\Kkaiqk32.exe

C:\Windows\system32\Kkaiqk32.exe

C:\Windows\SysWOW64\Knpemf32.exe

C:\Windows\system32\Knpemf32.exe

C:\Windows\SysWOW64\Lclnemgd.exe

C:\Windows\system32\Lclnemgd.exe

C:\Windows\SysWOW64\Lmebnb32.exe

C:\Windows\system32\Lmebnb32.exe

C:\Windows\SysWOW64\Ljibgg32.exe

C:\Windows\system32\Ljibgg32.exe

C:\Windows\SysWOW64\Ljkomfjl.exe

C:\Windows\system32\Ljkomfjl.exe

C:\Windows\SysWOW64\Laegiq32.exe

C:\Windows\system32\Laegiq32.exe

C:\Windows\SysWOW64\Liplnc32.exe

C:\Windows\system32\Liplnc32.exe

C:\Windows\SysWOW64\Legmbd32.exe

C:\Windows\system32\Legmbd32.exe

C:\Windows\SysWOW64\Mbkmlh32.exe

C:\Windows\system32\Mbkmlh32.exe

C:\Windows\SysWOW64\Mieeibkn.exe

C:\Windows\system32\Mieeibkn.exe

C:\Windows\SysWOW64\Mbmjah32.exe

C:\Windows\system32\Mbmjah32.exe

C:\Windows\SysWOW64\Mkhofjoj.exe

C:\Windows\system32\Mkhofjoj.exe

C:\Windows\SysWOW64\Mbpgggol.exe

C:\Windows\system32\Mbpgggol.exe

C:\Windows\SysWOW64\Mencccop.exe

C:\Windows\system32\Mencccop.exe

C:\Windows\SysWOW64\Mdacop32.exe

C:\Windows\system32\Mdacop32.exe

C:\Windows\SysWOW64\Mkklljmg.exe

C:\Windows\system32\Mkklljmg.exe

C:\Windows\SysWOW64\Maedhd32.exe

C:\Windows\system32\Maedhd32.exe

C:\Windows\SysWOW64\Meppiblm.exe

C:\Windows\system32\Meppiblm.exe

C:\Windows\SysWOW64\Mholen32.exe

C:\Windows\system32\Mholen32.exe

C:\Windows\SysWOW64\Mkmhaj32.exe

C:\Windows\system32\Mkmhaj32.exe

C:\Windows\SysWOW64\Mmldme32.exe

C:\Windows\system32\Mmldme32.exe

C:\Windows\SysWOW64\Mpjqiq32.exe

C:\Windows\system32\Mpjqiq32.exe

C:\Windows\SysWOW64\Ngdifkpi.exe

C:\Windows\system32\Ngdifkpi.exe

C:\Windows\SysWOW64\Naimccpo.exe

C:\Windows\system32\Naimccpo.exe

C:\Windows\SysWOW64\Ndhipoob.exe

C:\Windows\system32\Ndhipoob.exe

C:\Windows\SysWOW64\Nkbalifo.exe

C:\Windows\system32\Nkbalifo.exe

C:\Windows\SysWOW64\Nlcnda32.exe

C:\Windows\system32\Nlcnda32.exe

C:\Windows\SysWOW64\Ngibaj32.exe

C:\Windows\system32\Ngibaj32.exe

C:\Windows\SysWOW64\Nekbmgcn.exe

C:\Windows\system32\Nekbmgcn.exe

C:\Windows\SysWOW64\Nlekia32.exe

C:\Windows\system32\Nlekia32.exe

C:\Windows\SysWOW64\Npccpo32.exe

C:\Windows\system32\Npccpo32.exe

C:\Windows\SysWOW64\Oohqqlei.exe

C:\Windows\system32\Oohqqlei.exe

C:\Windows\SysWOW64\Okoafmkm.exe

C:\Windows\system32\Okoafmkm.exe

C:\Windows\SysWOW64\Oaiibg32.exe

C:\Windows\system32\Oaiibg32.exe

C:\Windows\SysWOW64\Olonpp32.exe

C:\Windows\system32\Olonpp32.exe

C:\Windows\SysWOW64\Oomjlk32.exe

C:\Windows\system32\Oomjlk32.exe

C:\Windows\SysWOW64\Oalfhf32.exe

C:\Windows\system32\Oalfhf32.exe

C:\Windows\SysWOW64\Ohendqhd.exe

C:\Windows\system32\Ohendqhd.exe

C:\Windows\SysWOW64\Oghopm32.exe

C:\Windows\system32\Oghopm32.exe

C:\Windows\SysWOW64\Onbgmg32.exe

C:\Windows\system32\Onbgmg32.exe

C:\Windows\SysWOW64\Odlojanh.exe

C:\Windows\system32\Odlojanh.exe

C:\Windows\SysWOW64\Okfgfl32.exe

C:\Windows\system32\Okfgfl32.exe

C:\Windows\SysWOW64\Oappcfmb.exe

C:\Windows\system32\Oappcfmb.exe

C:\Windows\SysWOW64\Oqcpob32.exe

C:\Windows\system32\Oqcpob32.exe

C:\Windows\SysWOW64\Pkidlk32.exe

C:\Windows\system32\Pkidlk32.exe

C:\Windows\SysWOW64\Pmagdbci.exe

C:\Windows\system32\Pmagdbci.exe

C:\Windows\SysWOW64\Qflhbhgg.exe

C:\Windows\system32\Qflhbhgg.exe

C:\Windows\SysWOW64\Qodlkm32.exe

C:\Windows\system32\Qodlkm32.exe

C:\Windows\SysWOW64\Qeaedd32.exe

C:\Windows\system32\Qeaedd32.exe

C:\Windows\SysWOW64\Qgoapp32.exe

C:\Windows\system32\Qgoapp32.exe

C:\Windows\SysWOW64\Qjnmlk32.exe

C:\Windows\system32\Qjnmlk32.exe

C:\Windows\SysWOW64\Acfaeq32.exe

C:\Windows\system32\Acfaeq32.exe

C:\Windows\SysWOW64\Aganeoip.exe

C:\Windows\system32\Aganeoip.exe

C:\Windows\SysWOW64\Amnfnfgg.exe

C:\Windows\system32\Amnfnfgg.exe

C:\Windows\SysWOW64\Agfgqo32.exe

C:\Windows\system32\Agfgqo32.exe

C:\Windows\SysWOW64\Amcpie32.exe

C:\Windows\system32\Amcpie32.exe

C:\Windows\SysWOW64\Apalea32.exe

C:\Windows\system32\Apalea32.exe

C:\Windows\SysWOW64\Abphal32.exe

C:\Windows\system32\Abphal32.exe

C:\Windows\SysWOW64\Aijpnfif.exe

C:\Windows\system32\Aijpnfif.exe

C:\Windows\SysWOW64\Acpdko32.exe

C:\Windows\system32\Acpdko32.exe

C:\Windows\SysWOW64\Aeqabgoj.exe

C:\Windows\system32\Aeqabgoj.exe

C:\Windows\SysWOW64\Blkioa32.exe

C:\Windows\system32\Blkioa32.exe

C:\Windows\SysWOW64\Bfpnmj32.exe

C:\Windows\system32\Bfpnmj32.exe

C:\Windows\SysWOW64\Becnhgmg.exe

C:\Windows\system32\Becnhgmg.exe

C:\Windows\SysWOW64\Bhajdblk.exe

C:\Windows\system32\Bhajdblk.exe

C:\Windows\SysWOW64\Blmfea32.exe

C:\Windows\system32\Blmfea32.exe

C:\Windows\SysWOW64\Bbgnak32.exe

C:\Windows\system32\Bbgnak32.exe

C:\Windows\SysWOW64\Beejng32.exe

C:\Windows\system32\Beejng32.exe

C:\Windows\SysWOW64\Bhdgjb32.exe

C:\Windows\system32\Bhdgjb32.exe

C:\Windows\SysWOW64\Bjbcfn32.exe

C:\Windows\system32\Bjbcfn32.exe

C:\Windows\SysWOW64\Balkchpi.exe

C:\Windows\system32\Balkchpi.exe

C:\Windows\SysWOW64\Bdkgocpm.exe

C:\Windows\system32\Bdkgocpm.exe

C:\Windows\SysWOW64\Blaopqpo.exe

C:\Windows\system32\Blaopqpo.exe

C:\Windows\SysWOW64\Bjdplm32.exe

C:\Windows\system32\Bjdplm32.exe

C:\Windows\SysWOW64\Bejdiffp.exe

C:\Windows\system32\Bejdiffp.exe

C:\Windows\SysWOW64\Bdmddc32.exe

C:\Windows\system32\Bdmddc32.exe

C:\Windows\SysWOW64\Bkglameg.exe

C:\Windows\system32\Bkglameg.exe

C:\Windows\SysWOW64\Bobhal32.exe

C:\Windows\system32\Bobhal32.exe

C:\Windows\SysWOW64\Cpceidcn.exe

C:\Windows\system32\Cpceidcn.exe

C:\Windows\SysWOW64\Chkmkacq.exe

C:\Windows\system32\Chkmkacq.exe

C:\Windows\SysWOW64\Cfnmfn32.exe

C:\Windows\system32\Cfnmfn32.exe

C:\Windows\SysWOW64\Cilibi32.exe

C:\Windows\system32\Cilibi32.exe

C:\Windows\SysWOW64\Cpfaocal.exe

C:\Windows\system32\Cpfaocal.exe

C:\Windows\SysWOW64\Cgpjlnhh.exe

C:\Windows\system32\Cgpjlnhh.exe

C:\Windows\SysWOW64\Cinfhigl.exe

C:\Windows\system32\Cinfhigl.exe

C:\Windows\SysWOW64\Clmbddgp.exe

C:\Windows\system32\Clmbddgp.exe

C:\Windows\SysWOW64\Cbgjqo32.exe

C:\Windows\system32\Cbgjqo32.exe

C:\Windows\SysWOW64\Ceegmj32.exe

C:\Windows\system32\Ceegmj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 140

Network

N/A

Files

memory/1460-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Hiknhbcg.exe

MD5 74f243ec285175046156bd52d14a4337
SHA1 6dbbad1eb108a39377454826cad38ef206430398
SHA256 19ec82b9ebb72849f211d868a1bd8f5eae0c6a1a48cf4dc0d16c509f80d8f3e8
SHA512 371ac96b3e75a18c6ef06d6fd8f15e7432577a488f7fb5ec6361dcfe340b64739eaf5381e9ff7c5d0c0894fcc4fee1b1a58f0bff488ea9796b028228c50778a5

memory/1460-6-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1460-13-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2204-21-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2204-24-0x00000000002B0000-0x00000000002E3000-memory.dmp

\Windows\SysWOW64\Ipgbjl32.exe

MD5 35aa9cf2e207118f556707f6c2956e26
SHA1 ea57509ab6a3e888eb3cd19612725c1f6fc30931
SHA256 1eb008bacab69b2796e7885570f2f276573370df87c434287a8b4e0d48dc70e9
SHA512 33fcdfc17c446a76ddf7d81049b4bcf0b072e0a25b3982bc032cf0266315f858bb8206932836f38b132897f91e5d885eb8569f3e7c00398d6460fcff913f73dc

memory/2552-35-0x0000000000220000-0x0000000000253000-memory.dmp

\Windows\SysWOW64\Iompkh32.exe

MD5 8d5d86091f44e19b66d3bc3e7a1a54aa
SHA1 1c8a494e84d30a18ab946e9a49ed4f7b9db6e2b4
SHA256 9a67bd6aa17e48bbecace252638be6bd093194aa77725a816a114f5f09d93119
SHA512 04014036cd8560099cd65b6d8680c77dbb234201324ef4cceeb7212154d07f8b2e41e372974d880f21d66e12a1e8b905d048d3e0b7173ea983f7359821cfe081

memory/2452-72-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ipllekdl.exe

MD5 e49dff97dc84efeebda077c877dc2966
SHA1 a25a617cfcd07a7ade055f898a52b73685e83120
SHA256 4ff4d55e83c64c424f6f1ccc9282c4f82947bfc90fb417d640b92f25b437a702
SHA512 2fad5b6e984136824077efb52fe304aa4eb4c80ea4c5ad026aeb3c559f467509a773a5a4c804018894bd6db329ca8f9da44de95612a2006735cb77218ccf980c

C:\Windows\SysWOW64\Iamimc32.exe

MD5 2fa6c64c06ad0258d6b239da13899b0a
SHA1 b958bcc8e4ee37f26c24ff41a29218df1581bc32
SHA256 cdb70f112c5dfd9e0c583c29ae26eda675731a1f8cea0cd9faf4f0feba0538de
SHA512 b3c4c9f61db4d72fc05b51d9469fbe8e799044cdc608fe4e67177daca3b453291a6578c68b6c624e17e4c37d2e99dce904b04b509901cd40609f9fb06364a680

memory/2568-59-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Iheddndj.exe

MD5 0f5ded8859e514c0def7b3dfc0893baa
SHA1 7e5338876e53210f179743b34e74ddbca3df067d
SHA256 32e39538da219c9910c30d4fe9e81a183c1ca3c90a9e7967c4336790fff1b05e
SHA512 a0ba69b0970cdb33fd287b05876803cfcbae1abdd13b0f136200cc36f6125be5503b3ecf05e298e112d612f458e468933159b38362df3d7e562a5490a99b2499

memory/2556-53-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2484-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2452-80-0x0000000000220000-0x0000000000253000-memory.dmp

\Windows\SysWOW64\Ioaifhid.exe

MD5 2c73dec6b20dbe07edcbd46383dde9d6
SHA1 0d0f8b6846174aee1e60cc0f2254bdd68e6d0ff9
SHA256 60026bb78e9c08374b0eeb41c0b427dcf97d27b09fa83c95b73a2862d1f708a0
SHA512 44f1aeff81a19290358ef70197dd20e8f599a8bda0cf752480c434661ee3404dee797244b48897628f843dbfe3cf154ab2054117fa70627383d249b9cc284d80

memory/2484-89-0x00000000002D0000-0x0000000000303000-memory.dmp

\Windows\SysWOW64\Jnffgd32.exe

MD5 33a40f04ad0a6ff060be54fb130ab2b0
SHA1 84afd180be5d458cd913f2254021e8dc293ea921
SHA256 c34bab7013d5c1d891db3cdb42d25863921f1f97c6553c534c4b81f9c228551e
SHA512 6b20d5a4adbffe0513ea4098c8946efcdb68114f0d8825bb033405f59f3aa0b9ffcf0002496e362129e221b5a82a2c51e8982e0d06cb97259627c1438e2af04b

memory/1624-107-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Jhljdm32.exe

MD5 6444a96eb2f643eaa55420f372f00d89
SHA1 541122c38e1bb9af14a3eef79b4b7797206c2661
SHA256 51ac0876d7a4a04665b6c2d0af19c82365fba2eb4b2b990a0e3a713bc02e25a1
SHA512 1024c0d8dd989aac38a6e3159a80502faa04381625e69d6c9501b3d5caa57106c135bc9701adb211b3998671cf4ece472cf200a710ec7fa9614a05d455bb1fae

memory/1624-115-0x00000000002C0000-0x00000000002F3000-memory.dmp

\Windows\SysWOW64\Jhngjmlo.exe

MD5 ebad456b76906d5ddaedaf7934c92454
SHA1 e07d5e2cd5023069df96e4e312e88a3a798e0c84
SHA256 89a672e65d793b2f07387ea5e2f2fae4694d6deb26d793a1379690a50ee0e939
SHA512 00035d3df07ab69a2613a78bb26b3f4597310f8b7cb4cb16f6d541df1f13d4442cb2fb7988acc51ad1c619266e23e2d0402b1f3485dd329d66ea9a7b82296c98

\Windows\SysWOW64\Jbgkcb32.exe

MD5 860b0cd0809d6e4f043c1f7327bdbd0f
SHA1 5d300bff08e757c05df4fe51aef26423cb7305b7
SHA256 2016642b1fad8034620dee88c4d6c7efdecff253b5672a2195f92f38c4ef5c81
SHA512 6c5645f6d76b2d02db00312920a56b1343e70e97d08186a5e29f0cb64c8d7219ce4f54442b8ea5bd449f6a02ab829a20a92b299c6752d62e4c3bba4bb6e92963

memory/2764-138-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2764-140-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1976-147-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Jgcdki32.exe

MD5 c21cddc0d872e6a58d3ac9f5956b8c27
SHA1 72d3d3cd7f48ab03e7571953be47125880e94f61
SHA256 84e25c1207a5e539eeccdec9747ed85b08ba1f3aae27de9760220ebb49b8e6d2
SHA512 cd62b71749c04cfb0fc9058785ef5a10e33051b645da87ee3e1d93803157fe067ee95d3afac65ef42e2a60711d7975048390e64e787c313c35ddcb3d5178f786

memory/1976-159-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/1680-165-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1680-169-0x0000000001B60000-0x0000000001B93000-memory.dmp

\Windows\SysWOW64\Jmplcp32.exe

MD5 860d8a714af0e4c1430456b13129f8c5
SHA1 d4eeeac7c990a7874b035af92601d17cf3e69b99
SHA256 c2fe6a78409d0a1374106870d44b4c7791bf27adeb31fac97596a4ba53ead014
SHA512 c7331b1270ffaa57130ddd3f0c1e3ecf5d2c657d3c7425df46c52f852d82b2b251a447098d48de8871a4471bc99b23cf10de4d6f8fe86ae7304640989d7748bd

memory/1224-175-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Jnpinc32.exe

MD5 1d804bb09b2c13a91ba8eee193ced90c
SHA1 e132bee92cc9c8e0d6bbce01ca12de4be4f722b3
SHA256 acac5d130e32ca627fc235e18c2e61fce609209502658d432c3e8bf07bdbaa7e
SHA512 ec466172b0a579515c5b59beb6767af11d35c485e4a8d5c3b3bcf11dc8f50586fc2f21faccce4c532d64d31413b06c8b5866a412dd0874e235c6a2407c03281c

memory/3060-192-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Jcmafj32.exe

MD5 bbf7c05e88362f22578c44836e93ff79
SHA1 0f206abc49c9b30de8cb6295f95eb94b6ddb2b1c
SHA256 a652a62e07a70846da2c7a140dc934cc087554b9bbe5de5e8ea0f89da843df71
SHA512 ac2d2b590189ba65396fd58fc1e6b5be6236e9e9d3ae5ad8a26c43530942b41b965d00c3e940028d4e717bf8083af7570d801c65f01b91cce3170c6712711289

memory/2812-201-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kmefooki.exe

MD5 b0d2c5d96be4963649bc7aaebcac0afb
SHA1 156678de01398ee796c75dd4e5bad6e1c1faceb6
SHA256 736ab4cca1ad13d3bd887931a97669c9d9446e304a9cf0de087078b7762eec46
SHA512 695d69890f247292b4344aa2d702cd366c6d1ce2fb69ff7db04484d568585b48e08723a37afadb5d167cf19e128651c2b94c3ab73d6930f7207a92fb46138336

memory/2252-220-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1840-229-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kbbngf32.exe

MD5 745f06e56de3ee72cb9d0f5122fe2bde
SHA1 2c11477402a1f8c93b389e3544df36d0c77daf18
SHA256 395c208bfdf58868d81e0fc93e3b9e93b38d180bb0536de95c3b6bda7bfe446c
SHA512 5ffd8253ad563ff36a132dfc4b7aebd548a91bf279c317eacea7adb5d8db327961a8910123649277c0ff78e2e3f87148ad4e678ac825c5c20717c3c44e273681

memory/1840-234-0x00000000002A0000-0x00000000002D3000-memory.dmp

memory/2036-239-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kilfcpqm.exe

MD5 15da1db5c8ff5e8d9defe70de28358c2
SHA1 5b69c5747e3451ae2c61f59c3cb9589543ec1715
SHA256 f5673cb80a9bb767e09e9cdc425a4431c77a4488f44b6c5097fc889768a90dc1
SHA512 47dfae7ae11eb1dbf1d945d00c984ae87588dd51fcfec3be1a4296213c1cd1a6bd70d3fa1f95b26d82ccf41ef6a800bf6fd768ff1eb73a92636ce4f4cd921f4b

memory/2812-209-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2036-241-0x00000000002B0000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Kbdklf32.exe

MD5 8889cbf4e5146c6c46ac15cff92a08c4
SHA1 e93e190b74dd4ebd35359ee0df091fd146fc7bc7
SHA256 92e6640fbdaeccd53c1ff5fb2110f77b5a8f0af9e52b158b85a57bfc4b66fdd2
SHA512 6c592db46b2aba13d46feb78d1a8194c0f413476a1e89168355ffc3b46bb8df391619c74fb4585c3fa443bb1e4dc52e8c906f4e16e3eff382e9a7c6ffc5066e7

memory/2108-245-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kbfhbeek.exe

MD5 6e0ee3f725464494d4e1c735d7727e44
SHA1 e0c519b401c307b04fdc72275ea687d86983f2f5
SHA256 fa12669953f64ad3043b39dc03b85efc532f1f19a9b53497b77490c1373ccce9
SHA512 69395d5c9730f19c4dd29353b4cf137809df503e3e33000d14866032b98adfb312e464d9dd66dc33e05cebf73e2b56c3b761ced8aaf3b2f2f61e5ecf25ed6975

memory/1716-254-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1716-260-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Keednado.exe

MD5 ff7a0df16a3849534e29d9196da46528
SHA1 804e18367be60079810073a3069bb453015dc389
SHA256 c0183777b0dda7e0dd50eff8a7bc7113b9de74ec1b7c15185d753134a207dce7
SHA512 1c691907cae76c61b40dce055fc14538dcd0ea72a828158f52bdf95d00727c9d13b9a3d8395447c2425e57c680c51ded40ab8d3de7afbbc0bb89b15796a03c5c

C:\Windows\SysWOW64\Kicmdo32.exe

MD5 7133b75aa3a5eb7218e4a46490ca9d32
SHA1 e07d327e5c6c560327aa188781621c9a1e3a5f8a
SHA256 24c16f885b172ba263a6536d71f1083cdc8de3305b9ed09e80481ec28de653e9
SHA512 f42cb2985ab1dd37e36e83c26052102721d245ce840670d6c4fba6af2ec98266bc60899bd9db52b582cbfaaf154ab8f90a6f09acc20b8f671f76e14922de6033

C:\Windows\SysWOW64\Kkaiqk32.exe

MD5 526948ae77c48c05e8fa60f7a24bf8cb
SHA1 e3b104563de15d76d6556354a85d0d6d7d7a8bfd
SHA256 09cd26182f939d736ca0cd4626ebc4ca71f75fc3f9925614d451ae727ac86446
SHA512 1059478e075bac6a7040b34ba99812e0ba4badead37aed1b7d0c132a0db7e89f4ee7150bbde4328dc23143fb632907850a01c4d74625e502050d26a99b10a18f

memory/3004-285-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1900-277-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1572-269-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1900-296-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1572-291-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Knpemf32.exe

MD5 959f84a55b8acbf0bf0789cc3d55836c
SHA1 f014199a85ba0f0ee39f82f350fac805a5be6de2
SHA256 63a27cb768f47f9c81c6a1f98786bc7a833780260dc28c065ff1ea3662b441f8
SHA512 d5fe15a735d2a19d51e60590251a955c034f2bb4b52bc1d1e52f54e30b9ea19de2e7f0d9bb8de06a3f3bb041368e2e5a2b0783dec991892b6773ec2f759bb4e3

memory/3004-301-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Lclnemgd.exe

MD5 236a4f51d94232c1181d7690efc08e73
SHA1 885e0d64b1060bbabb0cef11fae5077995d19386
SHA256 6b5f4209b88910b9e16b0566d4136b9b8bbbb5933e9aa43d51f2d8b1b509eb1b
SHA512 b72958adf88e531660c45c8dff33894a4b8d4cff1ae854f1f23fb6dc06fb81301c5e87c8d81bff8c6db107ff4a6159a07cc9e98abdad2095c8f0a421a509260d

memory/2296-306-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Lmebnb32.exe

MD5 7e29c356e81271019d212162e2a5ec0d
SHA1 fe44c0f05c89c6156c2d26933c7e8e6abbd6e470
SHA256 4f7f4720e99f9649d4abce33b54215203b8fc23a56753a92c41661b914088872
SHA512 827d19906990dba4c54c1d3512682437ad3434e064dd9bfa99d3fa65702441c0e99836fbfe9a29a244d54127f597e66506b143ebe238d809673a5c68c6bb3b09

memory/2296-316-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2296-317-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2040-319-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/2040-320-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/2760-321-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1928-326-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ljibgg32.exe

MD5 c350774470829053daf9bec523ad29f0
SHA1 abd54eb5c2bd26f84a87cfb7dfb15feb40e7c894
SHA256 b1ed74c6443ff5cd0e7dcf282a2381a31b2c110c30bcb89b7b9a6a54ebd8a48e
SHA512 77fe8a1ee390b76a9ae93f7ee4f0b1a2d0ace7e7c323388b320ce4d6fdeeee8239c6618286a7a4183f67da9d39d5f54db4dcdf720130e0f30ca15b7eebb3b079

memory/2040-318-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3004-311-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2760-332-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2760-336-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1928-337-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Ljkomfjl.exe

MD5 39342439caa90e52f9e201acc024b3a4
SHA1 4e41cf81110a2c6ad5115009efe33857c8f5d7d6
SHA256 0f85ee52dd72ceb8bea5950dcd631ddf050cd1bea00bf7b0a190d6a699087c1e
SHA512 e5db2422965be7a527100db54b0550c03cceff26772394330bdc7b09440964f968f90c348ab8c65ee7eae3be2f65d860aad25e254f6d0d49ff0633be884a9137

memory/1552-346-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1928-347-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Laegiq32.exe

MD5 6d01e8d9f6aca52b04e2d5aa437ce5c2
SHA1 b69eca523f9f72397d45fdc47e9d810469b96e62
SHA256 990b5aeef3ba8b73c1f8160a5d3abee0cf2300f12c548da52994a6c20ecea858
SHA512 9b36b6f951bb4b7f0ed398d1d790adc5d7cf7ac8115b77adb9d61a294f5697388bb83fcd432842ce64cc9eec2a3c5c3d3da8dbd2d7602269926056b63333c472

memory/1552-348-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1552-353-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Liplnc32.exe

MD5 a77b92a89f24302a86f3e6cef65e1a87
SHA1 732888e1cc96fa0aa123a0d6782dff40f3c6ae12
SHA256 229ce19d773de81b57f0cd281e4f5e769f9024e73dfca4f64c48000e316e71a6
SHA512 90df0b4945afc8f16f1a8f511236ab1ee0f2f53a3f32051ee0b5b0b5a079b6d804779b0c1bcca85532407fcd0e5a0d620e0fb6434a8fe9012f4178e55ca3fed1

memory/2628-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2936-364-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/2936-363-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2936-358-0x00000000002F0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Legmbd32.exe

MD5 96f16e3116830a52b27f872aa65dbf74
SHA1 dde62ae62788292d24c67d2c40d003fe42d68e52
SHA256 f533f46fda80bb05966be28823ad561a0c394a1412905c01f3d52a8ca3eba2be
SHA512 8780bf89c422095f289179adaae81272a62c5a5f0d3b7facc2510e71017ab381ed1cc0cd56c1218ebd41dc4f3a4c507d709d45b7ab28b00f2dffc96e95724a7b

memory/2628-370-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2636-384-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mbkmlh32.exe

MD5 b6dceeaac6be7ef5030f29a4f81c06be
SHA1 bed847a75dcdc6ca056a88b0e2bcdb3f70ee42a5
SHA256 1c9f26e47f7f37cf04350187fa42045d48f9c0a78dfe2433f9e3203eee4d489a
SHA512 0de9e354e112d4d4a29c41823100462aeefefe65d68e6f70f5f4f45c9379115a1486f5dd25cc3fb0fb99dfeb428e81b863f9d18d1bb9a8fdae73b76e349def74

memory/2636-389-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Mieeibkn.exe

MD5 e31ce8f2c00b1ef4a559e193815b73f5
SHA1 08559f878614fd0affc5abe50fa50501d5a51cf3
SHA256 6d996f5c53620919a5cb345208141bd560efff2a4573ea306f1ce57f7e47819c
SHA512 87c9843972630724d9574b644ac796d575dddcef4a0c881a82ec04d98fff21b45d6692072e3df4feb0f13b9b18b44463866ea968e636f778f806897313a73c92

memory/2628-379-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2576-390-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mbmjah32.exe

MD5 68105c5d837978c285f4b8f1cfe3af6f
SHA1 a0074ef008f4275c9b75ad3f15d3de23c957b387
SHA256 5404bd7ab073517a1d02b6f7b42d27378e2ff7578735d3e66a5bc360579f5fbc
SHA512 7fd0415d8de04e31c2a09ba43863aa33d6abaef515c2a90b86bf8682f0449bfc9f7e39f6d8ae6735b94e5ac6e14caadf65313d8bfec8b38a05a1792d9f6f4817

memory/2576-396-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Mkhofjoj.exe

MD5 1db7389a6c600d20534d588b1de5e242
SHA1 b34b6731d9026d357c7f02b10e46d4253ea22e02
SHA256 fc6cd98e7c3234fad68fcf9b31cc1ff3a387cb694ac67f63425d629b78c14c9b
SHA512 27cfe39cb6c6d0f76ed53679bffc4bd032f64df78b04ea2172ee7d2bf675933e2521bfcd83bcf92688a72294d0035e4320c3d530e40c7773d8bd4ca1a6706ad8

C:\Windows\SysWOW64\Mbpgggol.exe

MD5 0d5bfda70d378afd30d42f8eb76aba0a
SHA1 4698b5fc57aec3cf087630d0f29c249b99d05c57
SHA256 ac65447ec1c52f14c4afbcef94413815aea238ce8b89ca3c3cd9baddd4d9d2dc
SHA512 d9fee0d297865cbf9b6497bf5d5d8d8860580c81bfe294b29e05a90b5509ec9b42bd0a22bdf527880a9ae6dce5f45c14b7cab33d295b21fa956e22be1a1379dc

C:\Windows\SysWOW64\Mencccop.exe

MD5 4fc009b3c8f3133380edd78cee9e38ff
SHA1 ba66cd47a4b005924a326371dd683111b6befad4
SHA256 3e3c4f56d3050a6308eacbfce054fb882fb7be768c3ba48a07f9ba42ac49b1d2
SHA512 3167b5476692958aa7e3a00ae814d0da1044564ed2d60fc3bd4950139f4c0985e1e96b67f250ebc5e9f654874cbbd58f533be5c4cc8c4047818943df842ef932

C:\Windows\SysWOW64\Mdacop32.exe

MD5 c78c59a82131bc8cffd4c30c77051409
SHA1 6591de78d87292163d3c7dde8802af87c95d8a21
SHA256 bb40a146ff571a742e5fb5644a3679966f2fe13db82a7c822d92593dd9c89e6c
SHA512 a035831aa873749bcf305247dca155d1d91e8eb124ed4b28ee24a375023896ddd4e23092ea4db90860b948a0aef1b51f2e209e4a680cc5a6957fb7428f053ff9

C:\Windows\SysWOW64\Mkklljmg.exe

MD5 0343d534e37ffd3ab73ed033e9347637
SHA1 ba22d876349751c1c91d008abf71f33acc8ad4d4
SHA256 5a48b2d7e05805855296af89e6e3171c62a07338bf4b7ca3ca7fd85465c9f2a2
SHA512 a15ff4eb7a382cf80b4c9b6cb1bbe615ea4585c86b5cccdf62a7c63ee6c5d8666966068eabdfe89f3ad6f7026bb67c68cf0855ddaad90bbbda0d4cdc1937305a

C:\Windows\SysWOW64\Maedhd32.exe

MD5 9265241c2dff7c3cc9dae357fd31f390
SHA1 9c56735505f4b93bfcf3bff173de891a51318e6d
SHA256 2998556b196cf63aa0f8245350c8bbb102b01c507900f0eb4674dbd08a505344
SHA512 ee6b3339f795216ad2231120fe84ebb5c332de8462309377286873e529c53b334f17e00d6d194f5881ccef9cb16baa7e0f5d30c01b1b3fb3830de3d212df4a51

C:\Windows\SysWOW64\Meppiblm.exe

MD5 d1955582dc17a1c19b48c1d7e21dbd5f
SHA1 0b7cf40c237786b5ce5c7dc1a7684e8685df9ece
SHA256 be346961063da31cc1d983cdc3b4be4cae373f528193dfd231e9288904cfd4ad
SHA512 d1c18e537214106e384a7d255056df603bf547d9c5d7a6bd783b859f7e4e48fdeaddf548b456bc23cec3b568d3da398b85107ba1ed5f597485f88b0041a15db9

C:\Windows\SysWOW64\Mholen32.exe

MD5 16b32d151c407ae117681a4964bea343
SHA1 b86b59bc5277bc71028153d89a1807c39ef2014a
SHA256 8a1f4bd572729fe3e2be0954af209454c0f70855084eef7f6a23b09747dfab3c
SHA512 ebc9bf9e82b5950535aee65010f52aa6f00c972e64dbfc409fb913f2a0f78b2c0e5a2e2e6ebd5728397a39e7139d88ab5a2f886224dc64928e0d62268650922b

C:\Windows\SysWOW64\Mkmhaj32.exe

MD5 62d563cb6e470a7460ecdca542be989f
SHA1 0bc69a8c31ad82e158a5340615de18b13660d4e2
SHA256 3db3b90df4ccce9990b8338eb15b025cbcc1122833739a1cfc9e8a03ec3d4c58
SHA512 8602c1fe030e67326bdbfddc99316148ae77fc9160293b891760b6cd59d2472f4737a3eb905248b62911ef002691b1c9386ae7b6dd0c664bd6d722cc29e874ea

C:\Windows\SysWOW64\Mmldme32.exe

MD5 599b9a115ca4d81c2e2ce242903fb586
SHA1 685e461bcde6c9355e7cdffcf8b8751a7e369d81
SHA256 2b9dc9c1052b8270f03bec09cdb4ecf92330f46d7a1fb05ec313a02c609422a0
SHA512 8d2cf68b888e1caf7c3f54e556af77f04baf19a5784e926792b5a33bc7b512ae80330bdac972ec69cf07afabbcbef42b13922bbaffda553d63ba7881fc14ebaa

C:\Windows\SysWOW64\Mpjqiq32.exe

MD5 fa5f3e9c0def88d1cc0a98609f9cdf67
SHA1 f4680abc1a29fc29df7889a4f3db2a23c2fccebe
SHA256 ed399ffd814a9a6a3d8a0ec83e3dc432411d359d1261a97173a02c8604697002
SHA512 be2d5195f0239992425ab0b4dce58ff6e6ee21fe9ebd23d79adf0b73ea8109ee44ce48e9e9ab941d8156450f1297c43a91fd1ebe85c627f6f2b2f7a7e427fc50

C:\Windows\SysWOW64\Ngdifkpi.exe

MD5 98f4a86d32df6704ae8a4124576aa1e8
SHA1 e5712fdd9603813733f94f1a0290453c79cdb231
SHA256 0c2f0b0ad886811c90b41e8c287ec466526889d7e0a98ebd2138b904ed7e6511
SHA512 20c6865dc86e51bcc27c0f8acebc3c9c0d8b7ea9b0ef6bdb34ed035f9a269e6d7ac033f1a9791ebe293e3f67b0e47be03721a188e0679f6c05d8cd17904420a2

C:\Windows\SysWOW64\Naimccpo.exe

MD5 6872a6cc0d15034640de697fd3db13bf
SHA1 8b71449b00a7db9c532d0972b955aa05a382208f
SHA256 afad345a8032ce43cc8af4796e78fe3d83c2a3db6d620f2d594e42e855075a70
SHA512 31ec01a8778ea3e635acc5d27c6fc46836d1accc2c7cc6631392b9374c41c9d143fb857925cf6fa738b20826370e88e1add443dcbec375f7015cf67bab45d04d

C:\Windows\SysWOW64\Ndhipoob.exe

MD5 69256728b411a9e3a9359fb3b4742d24
SHA1 93ade66a7b40dc611a54e4164e0ed3a46b0af781
SHA256 1d25f7e8d606f3854a3871fec3424e8bafdcfa243a72715f964ad95f221f74e5
SHA512 3d43425710fd680e603d7086be1eb4028d39a6b3af4d74026352ebbcb891f2ac08c3c9cca11de5784b3a054a9d9d5a02ba40c22ca9b80124df9380785031208c

C:\Windows\SysWOW64\Nkbalifo.exe

MD5 e85e7dddc84beb330f4f7620871374ef
SHA1 2f3f21d2edeeda8254f1c66f079f202c841c6105
SHA256 370d242e8f6c230cecfd1d97e86a13ca993749fb728b36c0daa5fa49a28bfd23
SHA512 7cf0d2d62e1a2953c6087c6bb890258a59902d936eaffb93a6cade4ef8b8c2085c4e4b6923b179243182979e1fa1e7eaf7f382ff907115c294a27eb0a27f1bdb

C:\Windows\SysWOW64\Nlcnda32.exe

MD5 90fb78ec528761a4a1cdab2ff74baab2
SHA1 85638f981f31c47887c805d464cdd5c7d24e2c3e
SHA256 d8ebce03c3ad9eab401af2e9b51b51638fb798a7d57c0e757377f700602df8e9
SHA512 5cffa9c4bce462a048c4ce464fb6ac784ef1c9a6c19d42e4798a75015cb7ad3dc9bb9a74d08e18bce7cebda071b3f1fc5f8d923caa5ccf4c25d1191b2daef02a

C:\Windows\SysWOW64\Ngibaj32.exe

MD5 04f4313c2c18b0e64d6f7ec27d11d92a
SHA1 7619243e0192816b1d61ecc7e529dfc1eba8a9db
SHA256 11f89c2ece21e003e6f233b0cae9325bd4125c34421e78894715f7bb0d529944
SHA512 4360d4bb9aa95ea9bf99eebcee486f8a118ae1061366944e44405b89ba8238a0d19671b2abe081a711802005cf2099b33914a8b075af439da9a7cf6e940931a7

C:\Windows\SysWOW64\Nekbmgcn.exe

MD5 34472cda237bda5b8fd19578e66ba5a8
SHA1 93adb9820c1bc9aa5df0b8484caac528c0bcdf38
SHA256 be8ba1afe2fd3ddf5320365bc6e20baf3b5a1cb43096445a8c2027407ad3bdd4
SHA512 9e63357a48301384988ae4c8be125745c55d53f294c2168da80170b5a2f4483ce04e27a1a66126a60ad7226638ce82e46509b97782679acc16a7d028412e955f

C:\Windows\SysWOW64\Nlekia32.exe

MD5 42cca3d32a73d716247e7dc51701222c
SHA1 1ad63a7d8936343fe524ba9a0af8c95228f410cb
SHA256 c4c87e00bfa6b673d8d84f9ee059d080157bd56bfc821e5bbeaaf971e014a560
SHA512 f5935f285c6bd2d70884d0ebcb366402ca886b1f326a4365d7e96c1251a1279ad2aa86f100b407fe6db4de62ec802f15920d65e4ccd6801b25ece0516dc3745f

C:\Windows\SysWOW64\Npccpo32.exe

MD5 52156dc60e6d5369e5e2dc6bb8b5f48f
SHA1 8843e9bb6101843603eb0f5872e72d21a2e17dcf
SHA256 9d41afa5bf275018bde5c30aa6dbe73cf9fd8a18fdf055521b8d75267572e361
SHA512 c5ba09d7512c2a2e7d42f943b491596c57463568ae0cb98c874192fd435cdddc8a3d6bd58d0db235f9f5898c68f4e479d5b7e8f50c2b19ce679aec87aea85cd4

C:\Windows\SysWOW64\Oohqqlei.exe

MD5 6a03706eaa3f65c2a3047363cd317891
SHA1 ffff4cdf187a06cad72ac19dbf823166c67cb67f
SHA256 e2d31252d7e50b5baebcda82027068559922603c860b339e4b06705e60510e2d
SHA512 94b518052e9ff75d10c5c2ca1590be9ddff81c5cd599cde25389f57ab1050c0a7cc72f992ab28a3edfa72eec04a991be3c439141cf1b6b48b48b59446f33fcd8

C:\Windows\SysWOW64\Okoafmkm.exe

MD5 cb314f128414a9c73a016fca1b04a9e6
SHA1 ce7f2e5752ef5194c06a48a79de42a30e10f6781
SHA256 2e59f1a3892596783d7349f23ea857d7b40bfdc234d4b86b05dd49e28035144e
SHA512 d0dca50114db5edf7d26135f13adcbd0822a2ac4c9adc41f2822973c4a3e02d55e26298835b0dab77d394ce34069d42b7e69fc5b98b2ffe9731998159a16e631

C:\Windows\SysWOW64\Oaiibg32.exe

MD5 40344c8a5357f40162e246f84e095417
SHA1 9a0bf5d96a249f2f788e1c4dd8f61ce191a4c953
SHA256 f98efb18f43db937b264de98b5a188c42dfcfce8c7827f15ab87ed80ef716be0
SHA512 1f2a6a5e3a0eaf1d988111507a46b28be969ca2646ae111caec5083f24814fb67d52b4397b0442de7e8e12cdd76a716fc228d1a61126b523bfacdbd9c048e3c0

C:\Windows\SysWOW64\Olonpp32.exe

MD5 69e4d7c8800c3fda21a0ac4ab4a1b3f0
SHA1 67e49b4ca36c6adc58848a8fbb119467c83155ff
SHA256 57c250c585c7237f2d043319a93b89272e4e1144e966b864c4e7d19baf254321
SHA512 346c2acc22118c741a5d73cc3503ded07bba9eea6612c28627caa39a03a4038d268a04bc755d37d7b332eda5f1eae4a2b217994147ea808e89ddf699d62f11df

C:\Windows\SysWOW64\Oomjlk32.exe

MD5 ee1adc9c6375ff8e69eb29c9853c79fa
SHA1 0e562450058536c84acbe46f33d7b79019ea70dd
SHA256 3dcdb5ce1c4344cf0627f1d7685840564daa6088f72075c3aa451e923d5cf626
SHA512 ac6519621ce9c1e011a66759ef67743462be7af34702cffe03c9a35b7ee4326c4d7b3541a765d61ad38fd2513b6588313a7419572c8985e126f0e3f11521bd29

C:\Windows\SysWOW64\Oalfhf32.exe

MD5 c0817b979d923de83539f601fdb94b55
SHA1 b04c495526850a8f3596ee7844d7c90c158f8bac
SHA256 45390c02226ba5c0442f1f4edf87d666c39c1f242222c61ee31c226f75ef87c5
SHA512 5dc536348e7990518b99a2f97df36eb02e64000c2cd266e55bce57ce688f466c6340e856e938cf4346fbb2344f44c97c06c9808abfe1fbd3fc4f4808e955e02d

C:\Windows\SysWOW64\Ohendqhd.exe

MD5 80969d413b2d1ce8ec6f6e24a6b371ba
SHA1 1a02afaa9e68bb3723c78896f43ca601b314866e
SHA256 13520c859c777ab7586597776cb836535420b22d4f21ef311896b4c572b4ff91
SHA512 013c209360312c34bc898496f0dbaaa63fcfe97cb7c944ff5066f287b3b903020c2af5cb5378846064e07b5b85ac2c3109a5811138336b62ab2a501ebf370514

C:\Windows\SysWOW64\Oghopm32.exe

MD5 3138f2288c901f66ca0a7c7d3889afba
SHA1 7049943620a582c8c4fa15386c6a8a11e86b3635
SHA256 588d7746c6d7eaef47965b271a4ae614a9320193384edc7ea696da5396146aa4
SHA512 fa2a0dd6828282c08c58be7ad258b3702860a86bc97deff52bdb776d12b910276cb62cf43b982434a9a1912944f4f548169b5f85fd5a7f16f85f8464edad1e3e

C:\Windows\SysWOW64\Onbgmg32.exe

MD5 52de9ea0879d2651c09b5ef52c1c301a
SHA1 f6bd00d895cc73c95c0c89d5dbf2a5e93c563469
SHA256 756c3899b051bd6e02784f6f267ed9788500aaad44a5013af1ba34c2db97dd11
SHA512 1515c97409f6491486978e39204c84c14a6711157c8b359c6c023e6a2324c396153ac6377bb3ca287f865399b5a5f123d2cc3b348a6bad9d372f1a1f9c7d12d9

C:\Windows\SysWOW64\Odlojanh.exe

MD5 232da680130dce3c06080c59d3173845
SHA1 467f689802db8b81e761c836b1709804407ca798
SHA256 bddab7b0bcda7e7ea3a43af91f5893f86a952466b296bf438391b8f26427a264
SHA512 b00f3e79c59edf03a1f74123ba03a3721f58cefcb3a6e2a489dc82ccbcd588c6da97a7bafca720678b7de46807b4e949f9c6d48aa64c602c6e4822710a200e09

C:\Windows\SysWOW64\Okfgfl32.exe

MD5 b191d9a129bc7c334ecade1071130f24
SHA1 c7a0c0c8c721bab42c22b5c598878f6a422828eb
SHA256 5418130508fb7e294228a090ef062e1a5ca4392addb7bc9cb6fae9528eb4a278
SHA512 bb6da0327218ba7d5b4e1a8dad4f2636350679771f077a53e9c5e0c4067cf70fe2094da691a2e56cc74ab56e07a3982be0dd5172a61fb45c53a35cf429737c2f

C:\Windows\SysWOW64\Oappcfmb.exe

MD5 3617f5eed8253f195aee5b6d18096c2d
SHA1 bfa728bc4eeea4185a2fb9d73b5c1acd6683fa8f
SHA256 7cb5e82f634fb6d4b73cfde5fc8023990821d68c6ca4b529c7dd1e311add2881
SHA512 3c0530b07af57e437ec72963d5fbdc828ce89d419093b4b9d6aec02446ab19f6dd942625596a13c4ed7460cda1b3ee697fb81a57e5bb1b0143400b6ba8279aa6

C:\Windows\SysWOW64\Oqcpob32.exe

MD5 0b0d45e300aa7de8303e33d03c3a9f75
SHA1 364196775e9e6a78018f579aa9414f2bb113b833
SHA256 a74f3bd75c6a9aabfc254ea9ac576b9518bc54a2958477b9bbb5c33f8757c208
SHA512 d98598e2ebfa65919ad33fbea7947a11b54552d2d87dbf26006fba3500a9425e359ec3950945ff56043cf31fcaf819f28cf6a233d6cf19e54d122859474e336a

C:\Windows\SysWOW64\Pkidlk32.exe

MD5 d30fd3af38378f44430ec97c023a9557
SHA1 a10f8493278b926891e85cb4fe3b1c04d19b4984
SHA256 286962ba071200ebeb8f16043995d7b39f3f15b52f0edeff27eeb68b334a9ffc
SHA512 63a4f660b433d235e34ea1a8f1cfb11d690e717175320707573d7340ada874adc3a30601045d53c390db1c7bdaa6a1490802b0ccd9f7bc718433aa39193d3c0d

C:\Windows\SysWOW64\Pmagdbci.exe

MD5 0f4f40258bc6686becd3bb00901009a4
SHA1 fe3335983cb5ce76ebc7e96b9542c3f3d9bc0904
SHA256 3805d0a581bd35a0efb612e6f41ee2555e7ef797f9a875a5b6b2e94585682e39
SHA512 755b046cdb104bc1fb6b44a90ddc8ff11f08133af70d3f4412e28b3aca68254d142aa560386bcf657487c6e7a5cbd16c02d590aac16711ff4c7e9d663d61f2e7

C:\Windows\SysWOW64\Qflhbhgg.exe

MD5 20d04bd65cbc1d72df5dd96a4f0ed4bd
SHA1 ca367e382648f5c588ad68c3e283559eec9fc501
SHA256 5bb578c7b0b74dea1a9e534f386fbf4991c8110dfdb5f38d35d4fa9e67e7969c
SHA512 7affe7d1a1eff21af86ab71c0180be987db63be13b2b1a1024464924f90d5c62590fe82ac6493fca6612af139b386a189e8fec51eb5ffda80488701305054c4a

C:\Windows\SysWOW64\Qodlkm32.exe

MD5 2f73cc8b7ecd35baae6a4d74307a6440
SHA1 e5250dccd39a6a811a3973f1454fab37cf2dbc49
SHA256 0773b6f695f73b0722df03f43f39fceae1e5bb661b52d17b03f40753745da81b
SHA512 f6f92df181af6f914f6eb3a279a82c65ae4fcfe94ab70e69231fc592c4ed306049abd34682fc22aa1ccbeffe55b491711065379fbce773be2dbb2454dc4301f5

C:\Windows\SysWOW64\Qeaedd32.exe

MD5 f8df8e9ea468da6bd4d6cf4dc8f0560d
SHA1 cf1734fad935dfaca4e4ccc5b40e937607a0f0ee
SHA256 80404b2ea14d4c9d0692007bc09f6d84ca5f05e57ede0a39a6607336c5f37477
SHA512 90f319dd057b0cc62c463510bf56f5fe4d7e69010142b5a2e2bc2d990416553250e4704c5218794d43f39c383d9dcab5f343bf7a16ad5b1e18183d089918000a

C:\Windows\SysWOW64\Qgoapp32.exe

MD5 78c54d684578fa09dc3655bb1fd4d5a3
SHA1 12473f50869150c128c2fa8d01f4bcf661c01c4c
SHA256 f5704f9e4108b259dd120cb33054fcf932c66aebd01f67a76747cdf993b3dd2a
SHA512 8524b288cdb75edf32e10e42c50324f9b61b70637a7973849ca91861a42a07b4b133388522d8828257fee0600bdfecd5f2414fa36b608b92e5e22e59348a84ff

C:\Windows\SysWOW64\Qjnmlk32.exe

MD5 06911101711ace3bd2b6e1d14281640f
SHA1 5ddc602086d27636658412c92b75e2f2026f848b
SHA256 6994686087311eaa2936e686f9630145a141a819fff6993a40fc271c2c4c0414
SHA512 0fcb4e15d6cf69f99e56da5e9378408f2e367c3598fed3aaccefdd1826f7c47b7a29c0bd6cfffdc96f412de7d55ffc6e0c63dc82b36d2754e3533e943e781bf3

C:\Windows\SysWOW64\Acfaeq32.exe

MD5 a6c4446017ad5b64a848765ebe7a6f71
SHA1 f04f38d6a8657b901b47e465aadacb25e5587132
SHA256 a026e811e5c12e043afff16019d14bb81f9023dded5d25384d0cd3e5cd21f738
SHA512 2bc92445cc161f0a77ef00ca92a993e24ac4ea3439791e64e1eb6ac3a2cad78ba809797fac53b2f0a9b25c51c4766b00744ce260f7402662a4d4ce296aa4fbbc

C:\Windows\SysWOW64\Aganeoip.exe

MD5 dd9a5282c849e06c3fb363b1685ffe89
SHA1 4616098a99813cc5fcec21811686ce2aa34e839c
SHA256 c25c78917746785f3fed8b3690b645d82fd6b84e3ce7612e3e3fdda4565ae448
SHA512 f54230cc9415cbdf65df5cec8ea8fc3f5f69782d0ae8ffdc16a57bf37aea499232f1388717539e0575017e8a8f433a7abf309a52b42ff3cda865a5e1d59161dc

C:\Windows\SysWOW64\Amnfnfgg.exe

MD5 2fc1040fd91937766419d0fcdae0c255
SHA1 96e07a1b91b8b306d7f4e0af264dbbb8a0c6534d
SHA256 6687324008701968455b8f83a2eda24d2d67b2ee9b7df5a268ab50700e6c3135
SHA512 359f2ca90215a80587c300a31f2d37f13d4529bf374bc306cf567b21ce3cb38d7a1a1000c6aca7056bdd8def395829989fc661c9f46a5863ca6588fe6bdbf141

C:\Windows\SysWOW64\Agfgqo32.exe

MD5 40618113a14cd9683897af7fd3302ec5
SHA1 fb9bacb6d30fbaa423afd2dd23fa080d8b795c2e
SHA256 57fc551ffff5cf1a138e75e41c7fc0a169b43e1efc12db2a73034e6a916f054d
SHA512 b7c00e1675528aacdbfce5370aa705188d2fca9625cf0dcceb224eda5c91c9935a2cbba51c358bb7bf78403a6fd9c33337d5dbd96dfb27cf9d89044d99d248b4

C:\Windows\SysWOW64\Amcpie32.exe

MD5 c904209b6676d85da77cdcf16c9d26f0
SHA1 49f3a1bfb46deba5c664bb41781a39f872f4dbf0
SHA256 1d8a1f0e108d74b6ceee966c0342c42dcc3de43152cab028a4beb062222985a5
SHA512 f070528018a2fcfe7713685cf67037cab8388c2be1bd7c171734c900978e267aaa0c4f39020ebeaf334eac51ba60f697239748dac97e1282e84797d1c79b8812

C:\Windows\SysWOW64\Apalea32.exe

MD5 fc3a8e3dc4765d5e5cb2c0a1f74715a0
SHA1 f6dd2235551a91fe411cbea5175321a5b6a0d4db
SHA256 5e1090ad985b87f853e65f835b957e50e3b62e7a2ffa278da935259e73742786
SHA512 c10218040e77ebe2f6ed3f7b67d9cd3b0d1f7127cf6e75e37de3ec5498cb0ea12e99615cd4d1bad07e9f6bbea2178769fed9eb953475bc2befbe24423baef260

C:\Windows\SysWOW64\Abphal32.exe

MD5 2d6c08cf191a6c1704e53ad5bf59bab1
SHA1 9fbe19bce90c66ea6afaaf40cc51e123ca22b333
SHA256 3305d1cd511218189b5566d187a6bd385692ba34f3a88b38a033573d7253d52f
SHA512 a9f8442b200dd18e1087d2fa05ffe1b6cebb8d636272a231ff954a0550a9164d252dd16c81f27f4c5398b0dcfef585fb9dac4702266026b8e59ee0f8a8f9ead5

C:\Windows\SysWOW64\Aijpnfif.exe

MD5 ae81336b0e5c2a600dba8f9e9c3d2597
SHA1 a9502073442ad87e6c9ffa9383147e8962aab895
SHA256 9b0abd56b366bf8ac27506f5911fdd03cac342e6641443d5cd2b87f9a9116319
SHA512 07b18483cb27640c6fb09bb7f83b519c9412f8cf5cee01f494be17f4c8f9999d52421aff8cb673f9a4490d8d6041eda487c6e42c16bc0e03506270674c33d2f3

C:\Windows\SysWOW64\Acpdko32.exe

MD5 e299165a1618e6514be2ea13b58cd97d
SHA1 2eff4a16379c43dafad6bad731ee8d341c7ffc56
SHA256 c756fb4499d89ef97027fe7cc7ffd0190d7f33760d89601cf68a3d9bcdca113c
SHA512 e631467825daa3ba6d474e0e5859b0eac0f11470825afe9bfb3b152145b5c2737878caafe4e93941c48442fba5e2195b4c42600655d6be31beeeca3f742b2fa9

C:\Windows\SysWOW64\Aeqabgoj.exe

MD5 86e78dfc6c60943ea0a766e92bcb8f28
SHA1 0de2458abc21dd59d2c00da65efcd5a70d8a3884
SHA256 e608bf4c26d02b7e7a47a416b3276c436cee076f11b6c4a327e30f31075ee9cf
SHA512 8997bc759dbc0f07d659e3b8ccb80c86749e033bde9559e96d2a981d3f80a23863a5296afa5d2fc2cbd8b0b95942590f3b2157a4effe055198fd4ed4982ae1cf

C:\Windows\SysWOW64\Blkioa32.exe

MD5 03ba0d8e26b5525155c521f2b97c466c
SHA1 546b8a4231dc883bd6d17842084b01c4a925b625
SHA256 8839e2c89985861e95e8fd9a7b8fd1eaa6ec7c725aaae1b5812b67a566f4faec
SHA512 f7d1501fc5519e276e99c6c30a78035b33935f586ae6e978dabd06194c0444f5c4fd2cbd1747b643a9c685e57037f8fb66bb7950f541815859bfb551f4fe473d

C:\Windows\SysWOW64\Bfpnmj32.exe

MD5 8122192f307162bd38db3a792f57f85f
SHA1 59e94cce7db0f4aee49ae649f22211a9a89941b1
SHA256 7df737066aa62c3f48cf83b96fb34812c08badbfa533d65308dd0758f6abde7d
SHA512 80544532f8ee537f0ff3a1ef962ee5873ad9508d2fcbb436abe7dab0d2ad634599f056f0305d02bcb1b21dd71231449bc9f7e52bcc9984d8b14ebf53c7a7b367

C:\Windows\SysWOW64\Becnhgmg.exe

MD5 f80edeb8e6ca27ce66a5474372439fc9
SHA1 d7833a5586dc85852b79fc17589787f543a870e8
SHA256 90eebcc2bf5a8f33831fa6768e302323b28bea749476e58e1e04686abb44cb4b
SHA512 b799da6065df0f3972963cc33f35d67fb2bc087a7680d555f288d3aaa75139b6a1ba102e17bc4d452b13590a79b0e4190dd57e53802b3fc2f3ecf9d7210e8082

C:\Windows\SysWOW64\Bhajdblk.exe

MD5 e4abd3431069fa465ba086ee87ae9d10
SHA1 b19bc4b0d294382e8d4ddc3a6c8f6b58c35a93f5
SHA256 09b59377019ad1ee68db7001889cd982583ee2afc3287f34f821b364112118ee
SHA512 46615836e58a2161ed4f3ab62141ea6d64dfa86ddaad1c641e8a8c427b65908314716637eba6fb435c1aa9d622426e1b098834e8790dc6454449aa1b2074a105

C:\Windows\SysWOW64\Blmfea32.exe

MD5 a7e63190fc987f886982a8f21a83e201
SHA1 e689b52783a6e0d0a8379e785e70eef63e14d7c0
SHA256 be7da4a773330942fb16b05cb871da8b750a4bfddd405392669ba1e703dc743f
SHA512 958c3925ebc51a902e09fd7b08cb681192011ade76676a1706861939b34791b00061892d6f92fc4dc1aa3d71cbc00802e9ef6f9401b21a5bbdf9c56dec0fef81

C:\Windows\SysWOW64\Bbgnak32.exe

MD5 be98f1a44ce9aff6082a896276f45647
SHA1 ef3e3543455f146d8b05c0f3a5bcc2ccac1ec0dd
SHA256 68d863bdc55628c8fb86a67080091f4e2feb97b49ed358ad32328526fd1334e2
SHA512 31a328b2e23fd42b4bb61491ae585ac787a8d7a491e6b2f044fa9091d992f340c1c9129bb67e71fefc05ac1a0ec32e6e4c1ab64d6bd92f83369b000d221f4115

C:\Windows\SysWOW64\Beejng32.exe

MD5 cf5f38c4c665269d5eb854aaed99ec99
SHA1 0b2222a9d36e341721629d261b33dc031b99333e
SHA256 0098795fd2e5d75d1c44ce74ab2ac4438daebcd3ac41a20ab832f351d6961c81
SHA512 fe22545610bb009c87593f5c458e5a230507eefd8f5aeba7a9c2dd60372bc282ad9157e7ad904c1be14744e1c8ece576d980c55bf2544d935048f9cd738e8ad3

C:\Windows\SysWOW64\Bhdgjb32.exe

MD5 5c8eb3b302e40f7868f75fe5288d2f8c
SHA1 c1e6bf1c0b0fb49b1db53c929c0a17c07d97056f
SHA256 a3da9a09cf80091d17dd9b6492381d2ccf6cd7bf816397101820f9dcd39c53a4
SHA512 965dfceb895190bb0ac384067a9a1dfd337594e62594c1ecd042edce448337b941c4635f296465c04ea7afb2b93c7c9a3099349dc07ccf7dd580e7349567c26f

C:\Windows\SysWOW64\Bjbcfn32.exe

MD5 b172cee4a7b05a13e842c930900fdec6
SHA1 ed869bd2a95fb118ec90fde8af5748ea86fb55c1
SHA256 d421a6cae9cfafb20ee793367344ddfa22e75685e698a68d945f8fde878bfe46
SHA512 1ab212c564a03ddbbefe4a1de155951727d17e436680cec039d8302cedec4bc5791902912f5f66ffdae58e018bb3fc8e30f89246d451c2390077a696286384ff

C:\Windows\SysWOW64\Bdkgocpm.exe

MD5 1be59359e6c0723c262f22d940f2c675
SHA1 c5eff611e160745f47f9a5de3444e1ce96d51a49
SHA256 3174eb360fb34c2e1600e3f79fe074e770a131ce4f4666dd23ed70daf1fe91b8
SHA512 d9b20c1987c277dbaa21751dc29f6adef66ef8faf9e1db112c995fb418ed4a035b11b9bda9199d6cc3e3a70f787c4493563b19eed7e1ed6a291de5910737f76a

C:\Windows\SysWOW64\Balkchpi.exe

MD5 15e1b3c98492049591b5c51259f800ca
SHA1 b30776b994ad7a785d572413c5b000092cf03d84
SHA256 4e8745f685ecd24199c8bafc74a1b5af64f7ea57d58be9c5139a871b32221bf8
SHA512 8c09d11f2dfc83947d051f495097dd64c1d83d58215e9971d32c320538b953a23e860e82e16dd49259ef2609ce120aaee8355d120eff1c57a1dfad07d98f2130

C:\Windows\SysWOW64\Blaopqpo.exe

MD5 f36797142578a6d25f87aa373c09b292
SHA1 3c0e2cbded37fe5fe838fe41bd453ad3f3f367bc
SHA256 29657df78238511d45d6290393ecd69143bec94f075ef0d94dd5b365ac117ab0
SHA512 77b74b75cd17ec0031b5ad6b91f90ca940ca86472d5898577762f876cb7e5b4d72e40381cd97bbbe510689377f634515f4b68b1ed6cf05443cbfcf8da681ce39

C:\Windows\SysWOW64\Bjdplm32.exe

MD5 e20cd71fbd54d05bb9bb4bd9052146c2
SHA1 a3a2b2a12ba0503c747944b5dd18a4834f9f4500
SHA256 2660c99ce86c12138d10306f9f5efe8337c2462021e504670f5384fd69704299
SHA512 45f2fe619d77cb09e042d35da99ce9d924240833915e466a1d5a3ae254bc1ec3a6ab954a56ac8286b715055d6a06cdd7d6585f5ed87c6b3972d44bc934e94eb2

C:\Windows\SysWOW64\Bejdiffp.exe

MD5 9864131cda7b0cafc9e29d7c760e27d3
SHA1 ac65c3d61b332c712ed78b1d338dba884e933336
SHA256 89e2dd03041d0ae788061bef900205b058465d75c7a6ca09e67625076a63bd42
SHA512 dc3402b105b779823cf200b53a092698e6cfa71bdef3f5e6352e20d898cf66cdfe231374a7725fc6a473cf81fc53903db1fb0e7ba8b5905417d98e6c21340302

C:\Windows\SysWOW64\Bdmddc32.exe

MD5 006d231371230b273aa8a6e6f35dd9f2
SHA1 8ff4d48dd987c9d7d3f821bb2dea7eae3379d343
SHA256 dbc607fae95d9908c7fe76a56c617fd1f6ec7406195a27599caea05d8406e4ea
SHA512 d4a9f64b4944255fc43972459ffdf35df18f1091f3873ea788b29cc78a44fee8854f0fd301074e0def5e5582923c264e949aa0ed39f894675c4cff67cd8a1a58

C:\Windows\SysWOW64\Bkglameg.exe

MD5 5960181a93aa4d344680b7ec734cfbe2
SHA1 5a1be6b5d62e3afe5173eca6b97876eafa4bf127
SHA256 ebdb00eb344e360c22c97e2e3ab9893d79a30510004d3594e3dd692e475a10cb
SHA512 496d7bc67f743d541e7c7e5b4db7f8d910bd61c0f241ce0ee4fdc8eef78c2a067aebace089d84c8d427a7f6cccde7e49721e2c1da953faca4115436274b3ac7d

C:\Windows\SysWOW64\Bobhal32.exe

MD5 dca43da5a1fa00244a0ebebe7dd51283
SHA1 f0bb392f8d8e28517f8a7a28d26a228e8d8c282a
SHA256 b25b9f55f9a620257af749e413e3ce1a1afeb3f8d13235159a7ec101287e6537
SHA512 a29856b3c52b75e2451c70af38c4fcdcdd7c0162d4a80dfa3d0c182133d16dc45a1ce27df9fd4b7bb4a8e93c266578dbf24e166611dc1ed8f01adb4ace048c4d

C:\Windows\SysWOW64\Cpceidcn.exe

MD5 49fce98a293e1807b93e1f02b95b0993
SHA1 fb7583b9ca06a27ae01620ccd8441f2be208f2b0
SHA256 108c1e5ae514e2abd2fc4c54b12515ef845cc82227dfafdab1e915ac4f2eac76
SHA512 0832012335fd2bf9e18a4c069c448a853537e38146b905222cf91cd660e95fa54390cd88731cbeafb42c0ddcd78b9c9ec26a8fdf0a26faf583f8f87b6ccf4d39

C:\Windows\SysWOW64\Chkmkacq.exe

MD5 3181a7206375fc1e4ef499ab9e20c8b9
SHA1 e1b3c64322e61de890e2ec3b59a49fa9f3ae5e56
SHA256 afb94719d767585d22b4d42bcc31e220420e99217eab72fd66ef5e686e932d30
SHA512 8cd91b086ff6c1722ce4bc0b6d6e59bc9669c157dc37d695802c8159965a985a6ed40a620778c19162ea0ed8cf4a3022d59d784a0bc8402d79a1469bd0b57827

C:\Windows\SysWOW64\Cfnmfn32.exe

MD5 ffa4b0f828d10c816a84ba9eac6ef58d
SHA1 35355eaab3161f0b89cbb27ee904ca71cc885151
SHA256 bb5d8d10bb1518717f6f98738370a2d756a128f475210008264f05005159c88c
SHA512 32030ca4c3350e4bf929143e21896b13e97c4098e37cc2f6e9aacc738c4c9b4d5f4723dad85f8a7378732442f42166fbd33e22e722663d0e00b8de13712379a2

C:\Windows\SysWOW64\Cilibi32.exe

MD5 aabc189b818315c2b887bb68f66ed99b
SHA1 4f87f45d58223d33d0b207869eab3e32420e2fae
SHA256 972edc09fce6ad115c3947addcc3f2514d5eabc1cdcd19a59531e40cb42420b5
SHA512 87659d2c0b66848e16620cba310ca5fc00ce18c9fa457e6669ac52c616cd70724bd984d75e7c84415190f34d0a5cc2fc347fc4ee41dd25ee0c36a6548a34e609

C:\Windows\SysWOW64\Cpfaocal.exe

MD5 acf1b233c2666c1392993f0510056a1b
SHA1 25a28d704eac41242e4700d6dbdeea7c8374d992
SHA256 202b6273db027bdde0f1a43b43d309c5b85b622742b6047c265c0fffd26c9875
SHA512 b9d1c4dee6577c2471fba76ad317811c3a1be5744db57e8d7c7f6a167d5ab968deeb24e94b9e90e3f7c7597c0bf764604c68b9e82ceeb8858efa89ff7e22bb2c

C:\Windows\SysWOW64\Cgpjlnhh.exe

MD5 cbf92288e5bdf10d29579a22fa6c7520
SHA1 8405d8019601223c609b56e45d5e26be6ea4a96e
SHA256 95371d245ebf9d2cfaa5595f9be45081d1189d2e7ea19ff69a92e363e34d12ec
SHA512 4f5c9b19b1f2e667b216f83830b731d6f9d6ab9c53a9ee8fc3cf26e1c3b5f533bbaed91d0912295e02b8cebc1667a079e8286b52ea3a74a52b95157012443ea5

C:\Windows\SysWOW64\Cinfhigl.exe

MD5 d1d66d96f40acc38d01ade5eef2dc2f6
SHA1 a2f1285bd5952b9bd00c314d0137550e3ef689ea
SHA256 a89dc04aaca749bb637d06b3c488bda0e21154f7292c3c52dc1ce3c885a94a16
SHA512 82d3e879d52f8eff5245c23c521a501164b02ead8ff339d86b20cabf42ecf12c61de0993f978eb81b151bf5de6a810d93be016733ccae4edc2144a14399ddc24

C:\Windows\SysWOW64\Cbgjqo32.exe

MD5 d718042b7e1ebca5aaa0c214e48ec3e2
SHA1 7396878e78de658b407f2d3288c1f68037345dfe
SHA256 1a7065832d4eea0b3a8a5d80e6dbf11211db503900ea0cdd5b2ed4d58a1e9168
SHA512 9ca0efcb46b7957d62bf0020c875ac5e8c4d17117e3926f0c35805d0bc268317d9a87f1e003b28d6023fc2c0e0748432d16fa5afafa359e76bec0946ad230f58

C:\Windows\SysWOW64\Ceegmj32.exe

MD5 d2eaa2c5039c3e121422f3449a4e5ce1
SHA1 bb0a17b94ea6d182d4f533813df34a1857a384c7
SHA256 3f91cd4a7645b93f25fff0b1208fe90d297e37a3ac0ecfec0e20755dfeaac98a
SHA512 bd7bd49b13d97f5162e7c4744e4a9393c567c9b8a1d0e5588d8541715a75ec3da31518fb691b6f662042a432fda5e82ac3d0cefdf99ed7163e2583c30c121f54

memory/1460-1012-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2552-1014-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2556-1015-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2484-1018-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2384-1019-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1624-1020-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2584-1021-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1976-1023-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1224-1025-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1680-1024-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3060-1026-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2812-1027-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2108-1031-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1716-1032-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3004-1035-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1928-1039-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2628-1042-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2160-1046-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1028-1049-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2756-1052-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2984-1059-0x0000000000400000-0x0000000000433000-memory.dmp

memory/552-1061-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2944-1060-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2104-1063-0x0000000000400000-0x0000000000433000-memory.dmp

memory/892-1064-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2064-1067-0x0000000000400000-0x0000000000433000-memory.dmp

memory/564-1069-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2072-1066-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1032-1065-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1752-1062-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1872-1058-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1416-1057-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1020-1056-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1712-1068-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2808-1055-0x0000000000400000-0x0000000000433000-memory.dmp

memory/332-1051-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1544-1054-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1660-1053-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1524-1070-0x0000000000400000-0x0000000000433000-memory.dmp

memory/876-1071-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2500-1073-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2912-1075-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2420-1074-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2648-1072-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2152-1050-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2644-1048-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2216-1047-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 00:05

Reported

2024-04-07 00:07

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jehokgge.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceaehfjj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elgfgl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghopckpi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iehfdi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kpeiioac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Leihbeib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llcpoo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baaplhef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmdkch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqhacgdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hofdacke.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hecmijim.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kebbafoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lebkhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgcknmop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Beglgani.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkikkeeo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Deagdn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eleiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Flnlhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fhgjblfq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcgbco32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmdqgd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdkcde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Behbag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Deanodkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dllfkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flqimk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Immapg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bffkij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adcmmeog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eekaebcm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmnldp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Docmgjhp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glebhjlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdeqhl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iikhfg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngdmod32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmdkch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbgipldd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aejfpjne.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Edpnfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hbeqmoji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hecmijim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njefqo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgallfcq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Edkdkplj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qnnanphk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ognpebpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjmehkqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbfbkj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkhbdg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbjcolha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmnldp32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Peqcjkfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnihcq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qecppkdm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgallfcq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnkdhpjn.exe N/A
N/A N/A C:\Windows\SysWOW64\Qajadlja.exe N/A
N/A N/A C:\Windows\SysWOW64\Qloebdig.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnnanphk.exe N/A
N/A N/A C:\Windows\SysWOW64\Qalnjkgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Acjjfggb.exe N/A
N/A N/A C:\Windows\SysWOW64\Alabgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anpncp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aejfpjne.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajfoiqll.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahkobekf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahmlgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Angddopp.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaepqjpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Adcmmeog.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahoimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajneip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abemjmgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bahmfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdfibe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhaebcen.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbgipldd.exe N/A
N/A N/A C:\Windows\SysWOW64\Blpnib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Behbag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blbknaib.exe N/A
N/A N/A C:\Windows\SysWOW64\Bblckl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjghpn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baaplhef.exe N/A
N/A N/A C:\Windows\SysWOW64\Blfdia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbqlfkmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Cliaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cogmkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceaehfjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Clkndpag.exe N/A
N/A N/A C:\Windows\SysWOW64\Cojjqlpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cahfmgoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Chbnia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Colffknh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cajcbgml.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdiooblp.exe N/A
N/A N/A C:\Windows\SysWOW64\Conclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cehkhecb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdkldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clbceo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Doqpak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbllbibl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dldpkoil.exe N/A
N/A N/A C:\Windows\SysWOW64\Docmgjhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Daaicfgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhkapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkjmlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbaemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Deoaid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlijfneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dohfbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dafbne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Deanodkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dllfkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dojcgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dahode32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Inpocg32.dll C:\Windows\SysWOW64\Kipkhdeq.exe N/A
File opened for modification C:\Windows\SysWOW64\Cliaoq32.exe C:\Windows\SysWOW64\Cbqlfkmi.exe N/A
File opened for modification C:\Windows\SysWOW64\Glebhjlg.exe C:\Windows\SysWOW64\Fdnjgmle.exe N/A
File created C:\Windows\SysWOW64\Pnfeqknj.dll C:\Windows\SysWOW64\Gmlhii32.exe N/A
File created C:\Windows\SysWOW64\Eeijge32.dll C:\Windows\SysWOW64\Angddopp.exe N/A
File created C:\Windows\SysWOW64\Ibnccmbo.exe C:\Windows\SysWOW64\Ickchq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfhlejnh.exe C:\Windows\SysWOW64\Jcioiood.exe N/A
File created C:\Windows\SysWOW64\Nbgngp32.dll C:\Windows\SysWOW64\Ddmaok32.exe N/A
File created C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Deokon32.exe N/A
File created C:\Windows\SysWOW64\Jbjcolha.exe C:\Windows\SysWOW64\Jcgbco32.exe N/A
File opened for modification C:\Windows\SysWOW64\Npjebj32.exe C:\Windows\SysWOW64\Nloiakho.exe N/A
File opened for modification C:\Windows\SysWOW64\Oponmilc.exe C:\Windows\SysWOW64\Nnqbanmo.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmdkch32.exe C:\Windows\SysWOW64\Pjeoglgc.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdpmpdbd.exe C:\Windows\SysWOW64\Pjjhbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File created C:\Windows\SysWOW64\Fdmlkkap.dll C:\Windows\SysWOW64\Pnihcq32.exe N/A
File created C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Qloebdig.exe N/A
File opened for modification C:\Windows\SysWOW64\Iicbehnq.exe C:\Windows\SysWOW64\Iehfdi32.exe N/A
File created C:\Windows\SysWOW64\Kgoilo32.dll C:\Windows\SysWOW64\Abemjmgg.exe N/A
File created C:\Windows\SysWOW64\Eofbch32.exe C:\Windows\SysWOW64\Elgfgl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkmefd32.exe C:\Windows\SysWOW64\Hioiji32.exe N/A
File created C:\Windows\SysWOW64\Lbabgh32.exe C:\Windows\SysWOW64\Lpcfkm32.exe N/A
File created C:\Windows\SysWOW64\Dchfiejc.dll C:\Windows\SysWOW64\Chcddk32.exe N/A
File created C:\Windows\SysWOW64\Jiglalpk.dll C:\Windows\SysWOW64\Aaepqjpd.exe N/A
File created C:\Windows\SysWOW64\Eleiam32.exe C:\Windows\SysWOW64\Ehimanbq.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmhale32.exe C:\Windows\SysWOW64\Jfoiokfb.exe N/A
File created C:\Windows\SysWOW64\Eicplccq.dll C:\Windows\SysWOW64\Baaplhef.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmnldp32.exe C:\Windows\SysWOW64\Megdccmb.exe N/A
File created C:\Windows\SysWOW64\Qciaajej.dll C:\Windows\SysWOW64\Qdbiedpa.exe N/A
File created C:\Windows\SysWOW64\Ogbipa32.exe C:\Windows\SysWOW64\Oqhacgdh.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajckij32.exe C:\Windows\SysWOW64\Ageolo32.exe N/A
File created C:\Windows\SysWOW64\Daaicfgd.exe C:\Windows\SysWOW64\Docmgjhp.exe N/A
File created C:\Windows\SysWOW64\Kipkhdeq.exe C:\Windows\SysWOW64\Kedoge32.exe N/A
File created C:\Windows\SysWOW64\Cihmlb32.dll C:\Windows\SysWOW64\Ndcdmikd.exe N/A
File created C:\Windows\SysWOW64\Mkgldj32.dll C:\Windows\SysWOW64\Behbag32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbqlfkmi.exe C:\Windows\SysWOW64\Blfdia32.exe N/A
File created C:\Windows\SysWOW64\Goaojagc.dll C:\Windows\SysWOW64\Nlmllkja.exe N/A
File opened for modification C:\Windows\SysWOW64\Lebkhc32.exe C:\Windows\SysWOW64\Lbdolh32.exe N/A
File created C:\Windows\SysWOW64\Fmijnn32.dll C:\Windows\SysWOW64\Melnob32.exe N/A
File created C:\Windows\SysWOW64\Gcdmai32.dll C:\Windows\SysWOW64\Ogpmjb32.exe N/A
File created C:\Windows\SysWOW64\Qdbiedpa.exe C:\Windows\SysWOW64\Pjmehkqk.exe N/A
File opened for modification C:\Windows\SysWOW64\Bcoenmao.exe C:\Windows\SysWOW64\Bapiabak.exe N/A
File created C:\Windows\SysWOW64\Lnaendmh.dll C:\Windows\SysWOW64\Bjghpn32.exe N/A
File created C:\Windows\SysWOW64\Njohbh32.dll C:\Windows\SysWOW64\Ibjjhn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iikhfg32.exe C:\Windows\SysWOW64\Ifllil32.exe N/A
File created C:\Windows\SysWOW64\Ckijjqka.dll C:\Windows\SysWOW64\Mdckfk32.exe N/A
File created C:\Windows\SysWOW64\Jjjald32.dll C:\Windows\SysWOW64\Dejacond.exe N/A
File opened for modification C:\Windows\SysWOW64\Anpncp32.exe C:\Windows\SysWOW64\Alabgd32.exe N/A
File created C:\Windows\SysWOW64\Edkdkplj.exe C:\Windows\SysWOW64\Eamhodmf.exe N/A
File opened for modification C:\Windows\SysWOW64\Fomhdg32.exe C:\Windows\SysWOW64\Fkalchij.exe N/A
File created C:\Windows\SysWOW64\Jijjfldq.dll C:\Windows\SysWOW64\Bjagjhnc.exe N/A
File created C:\Windows\SysWOW64\Dhcbhjlp.dll C:\Windows\SysWOW64\Dldpkoil.exe N/A
File created C:\Windows\SysWOW64\Acbmpm32.dll C:\Windows\SysWOW64\Eekaebcm.exe N/A
File created C:\Windows\SysWOW64\Lommhphi.dll C:\Windows\SysWOW64\Bfabnjjp.exe N/A
File created C:\Windows\SysWOW64\Oekgfqeg.dll C:\Windows\SysWOW64\Hkikkeeo.exe N/A
File created C:\Windows\SysWOW64\Jifhaenk.exe C:\Windows\SysWOW64\Jfhlejnh.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjmehkqk.exe C:\Windows\SysWOW64\Pfaigm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cenahpha.exe N/A
File opened for modification C:\Windows\SysWOW64\Behbag32.exe C:\Windows\SysWOW64\Blpnib32.exe N/A
File created C:\Windows\SysWOW64\Baaplhef.exe C:\Windows\SysWOW64\Bjghpn32.exe N/A
File created C:\Windows\SysWOW64\Dgifdn32.dll C:\Windows\SysWOW64\Cdkldb32.exe N/A
File created C:\Windows\SysWOW64\Aoqimi32.dll C:\Windows\SysWOW64\Qcgffqei.exe N/A
File opened for modification C:\Windows\SysWOW64\Deokon32.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Bahmfj32.exe C:\Windows\SysWOW64\Abemjmgg.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Flnlhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipknlb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmkghpm.dll" C:\Windows\SysWOW64\Qecppkdm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhkapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbllbibl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll" C:\Windows\SysWOW64\Mmnldp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmnldp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll" C:\Windows\SysWOW64\Qffbbldm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeiofcji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cojjqlpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lbdolh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bcoenmao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekgfqeg.dll" C:\Windows\SysWOW64\Hkikkeeo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfpcgpae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll" C:\Windows\SysWOW64\Kmdqgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll" C:\Windows\SysWOW64\Kmncnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Olfobjbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajckij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fcfhof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Olkhmi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Anmjcieo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gicinj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihoofe32.dll" C:\Windows\SysWOW64\Iihkpg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Onjegled.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qnkdhpjn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fljcmlfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Icifbang.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll" C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qqijje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anpncp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfeqknj.dll" C:\Windows\SysWOW64\Gmlhii32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjinkg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fljcmlfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfmfg32.dll" C:\Windows\SysWOW64\Eabbjc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmijbcpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll" C:\Windows\SysWOW64\Likjcbkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eekaebcm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jfcbjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Blbknaib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibnccmbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gohhpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll" C:\Windows\SysWOW64\Nlmllkja.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddmaok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qalnjkgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelcja32.dll" C:\Windows\SysWOW64\Edkdkplj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhi32.dll" C:\Windows\SysWOW64\Dojcgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oncofm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ageolo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll" C:\Windows\SysWOW64\Mgkjhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll" C:\Windows\SysWOW64\Ipnjab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll" C:\Windows\SysWOW64\Kedoge32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdjagjco.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bagflcje.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3996 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe C:\Windows\SysWOW64\Peqcjkfp.exe
PID 3996 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe C:\Windows\SysWOW64\Peqcjkfp.exe
PID 3996 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe C:\Windows\SysWOW64\Peqcjkfp.exe
PID 4004 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Peqcjkfp.exe C:\Windows\SysWOW64\Pnihcq32.exe
PID 4004 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Peqcjkfp.exe C:\Windows\SysWOW64\Pnihcq32.exe
PID 4004 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Peqcjkfp.exe C:\Windows\SysWOW64\Pnihcq32.exe
PID 1084 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Pnihcq32.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 1084 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Pnihcq32.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 1084 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Pnihcq32.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 2680 wrote to memory of 3132 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qgallfcq.exe
PID 2680 wrote to memory of 3132 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qgallfcq.exe
PID 2680 wrote to memory of 3132 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qgallfcq.exe
PID 3132 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Qgallfcq.exe C:\Windows\SysWOW64\Qnkdhpjn.exe
PID 3132 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Qgallfcq.exe C:\Windows\SysWOW64\Qnkdhpjn.exe
PID 3132 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Qgallfcq.exe C:\Windows\SysWOW64\Qnkdhpjn.exe
PID 4072 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Qnkdhpjn.exe C:\Windows\SysWOW64\Qajadlja.exe
PID 4072 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Qnkdhpjn.exe C:\Windows\SysWOW64\Qajadlja.exe
PID 4072 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Qnkdhpjn.exe C:\Windows\SysWOW64\Qajadlja.exe
PID 1196 wrote to memory of 388 N/A C:\Windows\SysWOW64\Qajadlja.exe C:\Windows\SysWOW64\Qloebdig.exe
PID 1196 wrote to memory of 388 N/A C:\Windows\SysWOW64\Qajadlja.exe C:\Windows\SysWOW64\Qloebdig.exe
PID 1196 wrote to memory of 388 N/A C:\Windows\SysWOW64\Qajadlja.exe C:\Windows\SysWOW64\Qloebdig.exe
PID 388 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Qloebdig.exe C:\Windows\SysWOW64\Qnnanphk.exe
PID 388 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Qloebdig.exe C:\Windows\SysWOW64\Qnnanphk.exe
PID 388 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Qloebdig.exe C:\Windows\SysWOW64\Qnnanphk.exe
PID 1488 wrote to memory of 744 N/A C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Qalnjkgo.exe
PID 1488 wrote to memory of 744 N/A C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Qalnjkgo.exe
PID 1488 wrote to memory of 744 N/A C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Qalnjkgo.exe
PID 744 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Qalnjkgo.exe C:\Windows\SysWOW64\Acjjfggb.exe
PID 744 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Qalnjkgo.exe C:\Windows\SysWOW64\Acjjfggb.exe
PID 744 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Qalnjkgo.exe C:\Windows\SysWOW64\Acjjfggb.exe
PID 2872 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Alabgd32.exe
PID 2872 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Alabgd32.exe
PID 2872 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Alabgd32.exe
PID 2660 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Alabgd32.exe C:\Windows\SysWOW64\Anpncp32.exe
PID 2660 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Alabgd32.exe C:\Windows\SysWOW64\Anpncp32.exe
PID 2660 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Alabgd32.exe C:\Windows\SysWOW64\Anpncp32.exe
PID 3480 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Anpncp32.exe C:\Windows\SysWOW64\Aejfpjne.exe
PID 3480 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Anpncp32.exe C:\Windows\SysWOW64\Aejfpjne.exe
PID 3480 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Anpncp32.exe C:\Windows\SysWOW64\Aejfpjne.exe
PID 3000 wrote to memory of 5040 N/A C:\Windows\SysWOW64\Aejfpjne.exe C:\Windows\SysWOW64\Ajfoiqll.exe
PID 3000 wrote to memory of 5040 N/A C:\Windows\SysWOW64\Aejfpjne.exe C:\Windows\SysWOW64\Ajfoiqll.exe
PID 3000 wrote to memory of 5040 N/A C:\Windows\SysWOW64\Aejfpjne.exe C:\Windows\SysWOW64\Ajfoiqll.exe
PID 5040 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Ajfoiqll.exe C:\Windows\SysWOW64\Ahkobekf.exe
PID 5040 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Ajfoiqll.exe C:\Windows\SysWOW64\Ahkobekf.exe
PID 5040 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Ajfoiqll.exe C:\Windows\SysWOW64\Ahkobekf.exe
PID 1816 wrote to memory of 3792 N/A C:\Windows\SysWOW64\Ahkobekf.exe C:\Windows\SysWOW64\Ahmlgd32.exe
PID 1816 wrote to memory of 3792 N/A C:\Windows\SysWOW64\Ahkobekf.exe C:\Windows\SysWOW64\Ahmlgd32.exe
PID 1816 wrote to memory of 3792 N/A C:\Windows\SysWOW64\Ahkobekf.exe C:\Windows\SysWOW64\Ahmlgd32.exe
PID 3792 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Ahmlgd32.exe C:\Windows\SysWOW64\Angddopp.exe
PID 3792 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Ahmlgd32.exe C:\Windows\SysWOW64\Angddopp.exe
PID 3792 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Ahmlgd32.exe C:\Windows\SysWOW64\Angddopp.exe
PID 4876 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Angddopp.exe C:\Windows\SysWOW64\Aaepqjpd.exe
PID 4876 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Angddopp.exe C:\Windows\SysWOW64\Aaepqjpd.exe
PID 4876 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Angddopp.exe C:\Windows\SysWOW64\Aaepqjpd.exe
PID 2200 wrote to memory of 3484 N/A C:\Windows\SysWOW64\Aaepqjpd.exe C:\Windows\SysWOW64\Adcmmeog.exe
PID 2200 wrote to memory of 3484 N/A C:\Windows\SysWOW64\Aaepqjpd.exe C:\Windows\SysWOW64\Adcmmeog.exe
PID 2200 wrote to memory of 3484 N/A C:\Windows\SysWOW64\Aaepqjpd.exe C:\Windows\SysWOW64\Adcmmeog.exe
PID 3484 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Adcmmeog.exe C:\Windows\SysWOW64\Ahoimd32.exe
PID 3484 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Adcmmeog.exe C:\Windows\SysWOW64\Ahoimd32.exe
PID 3484 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Adcmmeog.exe C:\Windows\SysWOW64\Ahoimd32.exe
PID 2464 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Ahoimd32.exe C:\Windows\SysWOW64\Ajneip32.exe
PID 2464 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Ahoimd32.exe C:\Windows\SysWOW64\Ajneip32.exe
PID 2464 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Ahoimd32.exe C:\Windows\SysWOW64\Ajneip32.exe
PID 1476 wrote to memory of 1496 N/A C:\Windows\SysWOW64\Ajneip32.exe C:\Windows\SysWOW64\Abemjmgg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe"

C:\Windows\SysWOW64\Peqcjkfp.exe

C:\Windows\system32\Peqcjkfp.exe

C:\Windows\SysWOW64\Pnihcq32.exe

C:\Windows\system32\Pnihcq32.exe

C:\Windows\SysWOW64\Qecppkdm.exe

C:\Windows\system32\Qecppkdm.exe

C:\Windows\SysWOW64\Qgallfcq.exe

C:\Windows\system32\Qgallfcq.exe

C:\Windows\SysWOW64\Qnkdhpjn.exe

C:\Windows\system32\Qnkdhpjn.exe

C:\Windows\SysWOW64\Qajadlja.exe

C:\Windows\system32\Qajadlja.exe

C:\Windows\SysWOW64\Qloebdig.exe

C:\Windows\system32\Qloebdig.exe

C:\Windows\SysWOW64\Qnnanphk.exe

C:\Windows\system32\Qnnanphk.exe

C:\Windows\SysWOW64\Qalnjkgo.exe

C:\Windows\system32\Qalnjkgo.exe

C:\Windows\SysWOW64\Acjjfggb.exe

C:\Windows\system32\Acjjfggb.exe

C:\Windows\SysWOW64\Alabgd32.exe

C:\Windows\system32\Alabgd32.exe

C:\Windows\SysWOW64\Anpncp32.exe

C:\Windows\system32\Anpncp32.exe

C:\Windows\SysWOW64\Aejfpjne.exe

C:\Windows\system32\Aejfpjne.exe

C:\Windows\SysWOW64\Ajfoiqll.exe

C:\Windows\system32\Ajfoiqll.exe

C:\Windows\SysWOW64\Ahkobekf.exe

C:\Windows\system32\Ahkobekf.exe

C:\Windows\SysWOW64\Ahmlgd32.exe

C:\Windows\system32\Ahmlgd32.exe

C:\Windows\SysWOW64\Angddopp.exe

C:\Windows\system32\Angddopp.exe

C:\Windows\SysWOW64\Aaepqjpd.exe

C:\Windows\system32\Aaepqjpd.exe

C:\Windows\SysWOW64\Adcmmeog.exe

C:\Windows\system32\Adcmmeog.exe

C:\Windows\SysWOW64\Ahoimd32.exe

C:\Windows\system32\Ahoimd32.exe

C:\Windows\SysWOW64\Ajneip32.exe

C:\Windows\system32\Ajneip32.exe

C:\Windows\SysWOW64\Abemjmgg.exe

C:\Windows\system32\Abemjmgg.exe

C:\Windows\SysWOW64\Bahmfj32.exe

C:\Windows\system32\Bahmfj32.exe

C:\Windows\SysWOW64\Bdfibe32.exe

C:\Windows\system32\Bdfibe32.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Bbgipldd.exe

C:\Windows\system32\Bbgipldd.exe

C:\Windows\SysWOW64\Blpnib32.exe

C:\Windows\system32\Blpnib32.exe

C:\Windows\SysWOW64\Behbag32.exe

C:\Windows\system32\Behbag32.exe

C:\Windows\SysWOW64\Blbknaib.exe

C:\Windows\system32\Blbknaib.exe

C:\Windows\SysWOW64\Bblckl32.exe

C:\Windows\system32\Bblckl32.exe

C:\Windows\SysWOW64\Bjghpn32.exe

C:\Windows\system32\Bjghpn32.exe

C:\Windows\SysWOW64\Baaplhef.exe

C:\Windows\system32\Baaplhef.exe

C:\Windows\SysWOW64\Blfdia32.exe

C:\Windows\system32\Blfdia32.exe

C:\Windows\SysWOW64\Cbqlfkmi.exe

C:\Windows\system32\Cbqlfkmi.exe

C:\Windows\SysWOW64\Cliaoq32.exe

C:\Windows\system32\Cliaoq32.exe

C:\Windows\SysWOW64\Cogmkl32.exe

C:\Windows\system32\Cogmkl32.exe

C:\Windows\SysWOW64\Ceaehfjj.exe

C:\Windows\system32\Ceaehfjj.exe

C:\Windows\SysWOW64\Clkndpag.exe

C:\Windows\system32\Clkndpag.exe

C:\Windows\SysWOW64\Cojjqlpk.exe

C:\Windows\system32\Cojjqlpk.exe

C:\Windows\SysWOW64\Cahfmgoo.exe

C:\Windows\system32\Cahfmgoo.exe

C:\Windows\SysWOW64\Chbnia32.exe

C:\Windows\system32\Chbnia32.exe

C:\Windows\SysWOW64\Colffknh.exe

C:\Windows\system32\Colffknh.exe

C:\Windows\SysWOW64\Cajcbgml.exe

C:\Windows\system32\Cajcbgml.exe

C:\Windows\SysWOW64\Cdiooblp.exe

C:\Windows\system32\Cdiooblp.exe

C:\Windows\SysWOW64\Conclk32.exe

C:\Windows\system32\Conclk32.exe

C:\Windows\SysWOW64\Cehkhecb.exe

C:\Windows\system32\Cehkhecb.exe

C:\Windows\SysWOW64\Cdkldb32.exe

C:\Windows\system32\Cdkldb32.exe

C:\Windows\SysWOW64\Clbceo32.exe

C:\Windows\system32\Clbceo32.exe

C:\Windows\SysWOW64\Doqpak32.exe

C:\Windows\system32\Doqpak32.exe

C:\Windows\SysWOW64\Dbllbibl.exe

C:\Windows\system32\Dbllbibl.exe

C:\Windows\SysWOW64\Dldpkoil.exe

C:\Windows\system32\Dldpkoil.exe

C:\Windows\SysWOW64\Docmgjhp.exe

C:\Windows\system32\Docmgjhp.exe

C:\Windows\SysWOW64\Daaicfgd.exe

C:\Windows\system32\Daaicfgd.exe

C:\Windows\SysWOW64\Dhkapp32.exe

C:\Windows\system32\Dhkapp32.exe

C:\Windows\SysWOW64\Dkjmlk32.exe

C:\Windows\system32\Dkjmlk32.exe

C:\Windows\SysWOW64\Dbaemi32.exe

C:\Windows\system32\Dbaemi32.exe

C:\Windows\SysWOW64\Deoaid32.exe

C:\Windows\system32\Deoaid32.exe

C:\Windows\SysWOW64\Dlijfneg.exe

C:\Windows\system32\Dlijfneg.exe

C:\Windows\SysWOW64\Dohfbj32.exe

C:\Windows\system32\Dohfbj32.exe

C:\Windows\SysWOW64\Dafbne32.exe

C:\Windows\system32\Dafbne32.exe

C:\Windows\SysWOW64\Deanodkh.exe

C:\Windows\system32\Deanodkh.exe

C:\Windows\SysWOW64\Dllfkn32.exe

C:\Windows\system32\Dllfkn32.exe

C:\Windows\SysWOW64\Dojcgi32.exe

C:\Windows\system32\Dojcgi32.exe

C:\Windows\SysWOW64\Dahode32.exe

C:\Windows\system32\Dahode32.exe

C:\Windows\SysWOW64\Dedkdcie.exe

C:\Windows\system32\Dedkdcie.exe

C:\Windows\SysWOW64\Echknh32.exe

C:\Windows\system32\Echknh32.exe

C:\Windows\SysWOW64\Eefhjc32.exe

C:\Windows\system32\Eefhjc32.exe

C:\Windows\SysWOW64\Ehedfo32.exe

C:\Windows\system32\Ehedfo32.exe

C:\Windows\SysWOW64\Ekcpbj32.exe

C:\Windows\system32\Ekcpbj32.exe

C:\Windows\SysWOW64\Eamhodmf.exe

C:\Windows\system32\Eamhodmf.exe

C:\Windows\SysWOW64\Edkdkplj.exe

C:\Windows\system32\Edkdkplj.exe

C:\Windows\SysWOW64\Elbmlmml.exe

C:\Windows\system32\Elbmlmml.exe

C:\Windows\SysWOW64\Eoaihhlp.exe

C:\Windows\system32\Eoaihhlp.exe

C:\Windows\SysWOW64\Ecmeig32.exe

C:\Windows\system32\Ecmeig32.exe

C:\Windows\SysWOW64\Eekaebcm.exe

C:\Windows\system32\Eekaebcm.exe

C:\Windows\SysWOW64\Ehimanbq.exe

C:\Windows\system32\Ehimanbq.exe

C:\Windows\SysWOW64\Eleiam32.exe

C:\Windows\system32\Eleiam32.exe

C:\Windows\SysWOW64\Eabbjc32.exe

C:\Windows\system32\Eabbjc32.exe

C:\Windows\SysWOW64\Edpnfo32.exe

C:\Windows\system32\Edpnfo32.exe

C:\Windows\SysWOW64\Elgfgl32.exe

C:\Windows\system32\Elgfgl32.exe

C:\Windows\SysWOW64\Eofbch32.exe

C:\Windows\system32\Eofbch32.exe

C:\Windows\SysWOW64\Eepjpb32.exe

C:\Windows\system32\Eepjpb32.exe

C:\Windows\SysWOW64\Edbklofb.exe

C:\Windows\system32\Edbklofb.exe

C:\Windows\SysWOW64\Fljcmlfd.exe

C:\Windows\system32\Fljcmlfd.exe

C:\Windows\SysWOW64\Fohoigfh.exe

C:\Windows\system32\Fohoigfh.exe

C:\Windows\SysWOW64\Fcckif32.exe

C:\Windows\system32\Fcckif32.exe

C:\Windows\SysWOW64\Febgea32.exe

C:\Windows\system32\Febgea32.exe

C:\Windows\SysWOW64\Fhqcam32.exe

C:\Windows\system32\Fhqcam32.exe

C:\Windows\SysWOW64\Fkopnh32.exe

C:\Windows\system32\Fkopnh32.exe

C:\Windows\SysWOW64\Fcfhof32.exe

C:\Windows\system32\Fcfhof32.exe

C:\Windows\SysWOW64\Flnlhk32.exe

C:\Windows\system32\Flnlhk32.exe

C:\Windows\SysWOW64\Fkalchij.exe

C:\Windows\system32\Fkalchij.exe

C:\Windows\SysWOW64\Fomhdg32.exe

C:\Windows\system32\Fomhdg32.exe

C:\Windows\SysWOW64\Ffgqqaip.exe

C:\Windows\system32\Ffgqqaip.exe

C:\Windows\SysWOW64\Fhemmlhc.exe

C:\Windows\system32\Fhemmlhc.exe

C:\Windows\SysWOW64\Flqimk32.exe

C:\Windows\system32\Flqimk32.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Ffimfqgm.exe

C:\Windows\system32\Ffimfqgm.exe

C:\Windows\SysWOW64\Fhgjblfq.exe

C:\Windows\system32\Fhgjblfq.exe

C:\Windows\SysWOW64\Foabofnn.exe

C:\Windows\system32\Foabofnn.exe

C:\Windows\SysWOW64\Fcmnpe32.exe

C:\Windows\system32\Fcmnpe32.exe

C:\Windows\SysWOW64\Fdnjgmle.exe

C:\Windows\system32\Fdnjgmle.exe

C:\Windows\SysWOW64\Glebhjlg.exe

C:\Windows\system32\Glebhjlg.exe

C:\Windows\SysWOW64\Gkhbdg32.exe

C:\Windows\system32\Gkhbdg32.exe

C:\Windows\SysWOW64\Gdqgmmjb.exe

C:\Windows\system32\Gdqgmmjb.exe

C:\Windows\SysWOW64\Glhonj32.exe

C:\Windows\system32\Glhonj32.exe

C:\Windows\SysWOW64\Gkkojgao.exe

C:\Windows\system32\Gkkojgao.exe

C:\Windows\SysWOW64\Gcagkdba.exe

C:\Windows\system32\Gcagkdba.exe

C:\Windows\SysWOW64\Gfpcgpae.exe

C:\Windows\system32\Gfpcgpae.exe

C:\Windows\SysWOW64\Ghopckpi.exe

C:\Windows\system32\Ghopckpi.exe

C:\Windows\SysWOW64\Gohhpe32.exe

C:\Windows\system32\Gohhpe32.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Gfbploob.exe

C:\Windows\system32\Gfbploob.exe

C:\Windows\SysWOW64\Gdeqhl32.exe

C:\Windows\system32\Gdeqhl32.exe

C:\Windows\SysWOW64\Gmlhii32.exe

C:\Windows\system32\Gmlhii32.exe

C:\Windows\SysWOW64\Gokdeeec.exe

C:\Windows\system32\Gokdeeec.exe

C:\Windows\SysWOW64\Gcfqfc32.exe

C:\Windows\system32\Gcfqfc32.exe

C:\Windows\SysWOW64\Gfembo32.exe

C:\Windows\system32\Gfembo32.exe

C:\Windows\SysWOW64\Gicinj32.exe

C:\Windows\system32\Gicinj32.exe

C:\Windows\SysWOW64\Gkaejf32.exe

C:\Windows\system32\Gkaejf32.exe

C:\Windows\SysWOW64\Gfgjgo32.exe

C:\Windows\system32\Gfgjgo32.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hkdbpe32.exe

C:\Windows\system32\Hkdbpe32.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hcmgfbhd.exe

C:\Windows\system32\Hcmgfbhd.exe

C:\Windows\SysWOW64\Hflcbngh.exe

C:\Windows\system32\Hflcbngh.exe

C:\Windows\SysWOW64\Heocnk32.exe

C:\Windows\system32\Heocnk32.exe

C:\Windows\SysWOW64\Hkikkeeo.exe

C:\Windows\system32\Hkikkeeo.exe

C:\Windows\SysWOW64\Hbbdholl.exe

C:\Windows\system32\Hbbdholl.exe

C:\Windows\SysWOW64\Heapdjlp.exe

C:\Windows\system32\Heapdjlp.exe

C:\Windows\SysWOW64\Hmhhehlb.exe

C:\Windows\system32\Hmhhehlb.exe

C:\Windows\SysWOW64\Hofdacke.exe

C:\Windows\system32\Hofdacke.exe

C:\Windows\SysWOW64\Hbeqmoji.exe

C:\Windows\system32\Hbeqmoji.exe

C:\Windows\SysWOW64\Hfqlnm32.exe

C:\Windows\system32\Hfqlnm32.exe

C:\Windows\SysWOW64\Hecmijim.exe

C:\Windows\system32\Hecmijim.exe

C:\Windows\SysWOW64\Hioiji32.exe

C:\Windows\system32\Hioiji32.exe

C:\Windows\SysWOW64\Hkmefd32.exe

C:\Windows\system32\Hkmefd32.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Immapg32.exe

C:\Windows\system32\Immapg32.exe

C:\Windows\SysWOW64\Ipknlb32.exe

C:\Windows\system32\Ipknlb32.exe

C:\Windows\SysWOW64\Ibjjhn32.exe

C:\Windows\system32\Ibjjhn32.exe

C:\Windows\SysWOW64\Iehfdi32.exe

C:\Windows\system32\Iehfdi32.exe

C:\Windows\SysWOW64\Iicbehnq.exe

C:\Windows\system32\Iicbehnq.exe

C:\Windows\SysWOW64\Ipnjab32.exe

C:\Windows\system32\Ipnjab32.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Iejcji32.exe

C:\Windows\system32\Iejcji32.exe

C:\Windows\SysWOW64\Imakkfdg.exe

C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ickchq32.exe

C:\Windows\system32\Ickchq32.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Ifjodl32.exe

C:\Windows\system32\Ifjodl32.exe

C:\Windows\SysWOW64\Iihkpg32.exe

C:\Windows\system32\Iihkpg32.exe

C:\Windows\SysWOW64\Ilghlc32.exe

C:\Windows\system32\Ilghlc32.exe

C:\Windows\SysWOW64\Icnpmp32.exe

C:\Windows\system32\Icnpmp32.exe

C:\Windows\SysWOW64\Ifllil32.exe

C:\Windows\system32\Ifllil32.exe

C:\Windows\SysWOW64\Iikhfg32.exe

C:\Windows\system32\Iikhfg32.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Icplcpgo.exe

C:\Windows\system32\Icplcpgo.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jcbihpel.exe

C:\Windows\system32\Jcbihpel.exe

C:\Windows\SysWOW64\Jfaedkdp.exe

C:\Windows\system32\Jfaedkdp.exe

C:\Windows\SysWOW64\Jmknaell.exe

C:\Windows\system32\Jmknaell.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jcgbco32.exe

C:\Windows\system32\Jcgbco32.exe

C:\Windows\SysWOW64\Jbjcolha.exe

C:\Windows\system32\Jbjcolha.exe

C:\Windows\SysWOW64\Jehokgge.exe

C:\Windows\system32\Jehokgge.exe

C:\Windows\SysWOW64\Jmpgldhg.exe

C:\Windows\system32\Jmpgldhg.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jcioiood.exe

C:\Windows\system32\Jcioiood.exe

C:\Windows\SysWOW64\Jfhlejnh.exe

C:\Windows\system32\Jfhlejnh.exe

C:\Windows\SysWOW64\Jifhaenk.exe

C:\Windows\system32\Jifhaenk.exe

C:\Windows\SysWOW64\Jpppnp32.exe

C:\Windows\system32\Jpppnp32.exe

C:\Windows\SysWOW64\Kboljk32.exe

C:\Windows\system32\Kboljk32.exe

C:\Windows\SysWOW64\Kemhff32.exe

C:\Windows\system32\Kemhff32.exe

C:\Windows\SysWOW64\Kmdqgd32.exe

C:\Windows\system32\Kmdqgd32.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kfmepi32.exe

C:\Windows\system32\Kfmepi32.exe

C:\Windows\SysWOW64\Kikame32.exe

C:\Windows\system32\Kikame32.exe

C:\Windows\SysWOW64\Kpeiioac.exe

C:\Windows\system32\Kpeiioac.exe

C:\Windows\SysWOW64\Kebbafoj.exe

C:\Windows\system32\Kebbafoj.exe

C:\Windows\SysWOW64\Kmijbcpl.exe

C:\Windows\system32\Kmijbcpl.exe

C:\Windows\SysWOW64\Kpgfooop.exe

C:\Windows\system32\Kpgfooop.exe

C:\Windows\SysWOW64\Kbfbkj32.exe

C:\Windows\system32\Kbfbkj32.exe

C:\Windows\SysWOW64\Kedoge32.exe

C:\Windows\system32\Kedoge32.exe

C:\Windows\SysWOW64\Kipkhdeq.exe

C:\Windows\system32\Kipkhdeq.exe

C:\Windows\SysWOW64\Klngdpdd.exe

C:\Windows\system32\Klngdpdd.exe

C:\Windows\SysWOW64\Kdeoemeg.exe

C:\Windows\system32\Kdeoemeg.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Kefkme32.exe

C:\Windows\system32\Kefkme32.exe

C:\Windows\SysWOW64\Kmncnb32.exe

C:\Windows\system32\Kmncnb32.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Kdgljmcd.exe

C:\Windows\system32\Kdgljmcd.exe

C:\Windows\SysWOW64\Leihbeib.exe

C:\Windows\system32\Leihbeib.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Lfhdlh32.exe

C:\Windows\system32\Lfhdlh32.exe

C:\Windows\SysWOW64\Ligqhc32.exe

C:\Windows\system32\Ligqhc32.exe

C:\Windows\SysWOW64\Lpqiemge.exe

C:\Windows\system32\Lpqiemge.exe

C:\Windows\SysWOW64\Lboeaifi.exe

C:\Windows\system32\Lboeaifi.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Lpcfkm32.exe

C:\Windows\system32\Lpcfkm32.exe

C:\Windows\SysWOW64\Lbabgh32.exe

C:\Windows\system32\Lbabgh32.exe

C:\Windows\SysWOW64\Lepncd32.exe

C:\Windows\system32\Lepncd32.exe

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lmgfda32.exe

C:\Windows\system32\Lmgfda32.exe

C:\Windows\SysWOW64\Lpebpm32.exe

C:\Windows\system32\Lpebpm32.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lebkhc32.exe

C:\Windows\system32\Lebkhc32.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mmlpoqpg.exe

C:\Windows\system32\Mmlpoqpg.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Megdccmb.exe

C:\Windows\system32\Megdccmb.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mlefklpj.exe

C:\Windows\system32\Mlefklpj.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Ncfdie32.exe

C:\Windows\system32\Ncfdie32.exe

C:\Windows\SysWOW64\Nloiakho.exe

C:\Windows\system32\Nloiakho.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Ncianepl.exe

C:\Windows\system32\Ncianepl.exe

C:\Windows\SysWOW64\Ngdmod32.exe

C:\Windows\system32\Ngdmod32.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Nnqbanmo.exe

C:\Windows\system32\Nnqbanmo.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Olfobjbg.exe

C:\Windows\system32\Olfobjbg.exe

C:\Windows\SysWOW64\Ocpgod32.exe

C:\Windows\system32\Ocpgod32.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Ofqpqo32.exe

C:\Windows\system32\Ofqpqo32.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe

C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pgefeajb.exe

C:\Windows\system32\Pgefeajb.exe

C:\Windows\SysWOW64\Pjcbbmif.exe

C:\Windows\system32\Pjcbbmif.exe

C:\Windows\SysWOW64\Pmannhhj.exe

C:\Windows\system32\Pmannhhj.exe

C:\Windows\SysWOW64\Pdifoehl.exe

C:\Windows\system32\Pdifoehl.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Pfaigm32.exe

C:\Windows\system32\Pfaigm32.exe

C:\Windows\SysWOW64\Pjmehkqk.exe

C:\Windows\system32\Pjmehkqk.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Adgbpc32.exe

C:\Windows\system32\Adgbpc32.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Ajckij32.exe

C:\Windows\system32\Ajckij32.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cjinkg32.exe

C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cfbkeh32.exe

C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9236 -ip 9236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9236 -s 192

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 72.246.173.187:80 www.microsoft.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 187.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/3996-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3996-5-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Peqcjkfp.exe

MD5 18f865b052516e36431dfff417c8bfc9
SHA1 4e8c4cb1a021e8dfa3c3c78046da13851682eb3a
SHA256 dd3ff3654e8d428b20761cccf5d9946601a9f82732062302b99f0c853ce8a0c6
SHA512 0c606f9bd7adfdadf7e629718baf3892b59d5c89e0effa280ef2307b570f62550d11ddb19919451588f817a509e88c55bdb12307be8a66aa0eccad50ac09fbd7

memory/4004-9-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pnihcq32.exe

MD5 45dba52b9ec67751f7d2805740bd7a7f
SHA1 c4ac27dbbc8caae393856d121bd21069cd7b8c25
SHA256 730273a484eb0901513da2e0ee942213a515a6ef4f39fbbe21c6bda7b659e31a
SHA512 fd0f06ca7126e0cca91598278564718f4d42148a6378429e45d00f9d1a6731db640d69e376a6f59e4be2fe654be7a88fb74264d787cc529187264e410b8f0963

memory/1084-16-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qecppkdm.exe

MD5 f4e4f4a6b16efac492912bf22e6d7a7c
SHA1 64f88c69ec3415956309ad849ed7b022d108029c
SHA256 2b5fe3ba2440a1fe8bd860308b0810dfc1cd47088e38149823da84cc13817deb
SHA512 ebf3da2665a319d1660d7206e75be33d96c64474a45b3255833459ba68d7d5c5b855eb3b737700aeaba686e1ee32efdccd183923c82bb0a06d62eb4f7cd90367

memory/2680-25-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qgallfcq.exe

MD5 0206a0dafa216d3f82bc75b916977521
SHA1 e2b0e2532da860ec53e8919d8411368e3b35eac7
SHA256 008728fc50cc0a1176871dd825348f701c52fa48b627c28e94f52aedab53d43b
SHA512 bfc8874b0b4e03edfa2ed1e86f2fb17c4cebbcd1e446226e8ff8c77be31942f3295db0eda7861d029268cb3960d566176931415d41a873e685456372c21c6db7

C:\Windows\SysWOW64\Qnkdhpjn.exe

MD5 044c3c34c35b876084b07c635e55b225
SHA1 e7cc0bec5fc4ab1a087780fb44b5d3067d1336b6
SHA256 f118b123d25c40d7302043d7c8ffcea0952cf5d209e2dbd6f2d52adc7f7660c6
SHA512 35acc547f69a139a1d638714f83737315be1995037c61fcad474210f672e1820635ab13a7a2dc0b72a1eae81b6ed6076e5f35f7426374140a5126196f4a6b7bb

memory/3132-37-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4072-41-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qajadlja.exe

MD5 7787c12fb439ebbcf300cdb52bd1f80d
SHA1 71af7fe6ccac24ed8f71747e09c1443570bb4e9b
SHA256 0bd8129956c0d1c3ddae6c244402f965e0f05b43b4cf0e3969d31ea1f140d38f
SHA512 e9a70370f4b107adf5819b1bcb9aea6058d0f3f97f4f9506dcaaa1707c6e00694871905d0971fea88f8b050bc012a472d6e3334e6537eeae302ab231040b0598

memory/1196-49-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qloebdig.exe

MD5 e6bc20d532aa9730e6f497089a2a7dca
SHA1 c1593464b7447005f091e1b5d23e1d901a2fce08
SHA256 f31458f5d6c0399b461060e313053a5acb3f5921ab103c892d3af4cbd3bc414b
SHA512 a17b6d67267f903eb55992cdfa3b322dca5e61c30c6678c1ebf7608c82dafc4a0e7d7b752cec84ea30e9a139d603bb72307b5681af7825266397a2016761e60e

memory/388-61-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qnnanphk.exe

MD5 01ecdb65513a592ef4ec614634a5b8c1
SHA1 08b1a6de69cf0a65ca38d1fc5a1f6843e43b2fe2
SHA256 9cf14364667a4f9d6527b129e80b19a0285360448b01c1f9f435f8cd9e85b113
SHA512 5bee5bd3df5ea0965ed9f92f7f1d3a3da4924c48c80aab1cdb6dc100b48adc2a7bafd7c86bbf87fa251050ed8ec8a275971fe83da6b206357eb149fbc56f97f8

memory/1488-65-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qalnjkgo.exe

MD5 38fe85e637bd6b6babfdc2a71cbe41e4
SHA1 2c426c7f378e7c50814535934f9f414c91d82a43
SHA256 1c37447ecf647c68303f0c87dad4becd4f7d9b71933404c943470494cc0160e1
SHA512 8aadd304b35c84903db0cefef4d372a806709ce883f4daee10854dd6f17420899af9544210910c94060f2be42e11f0fd301f53d587b54e9c9f88beab7aee5cdb

memory/744-73-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Acjjfggb.exe

MD5 76d553cc9bd6c5a029a7717f3b8d9ba8
SHA1 6617964ec89f582d2235f1df7c822b98a34064a5
SHA256 8eb5a096a53513e831d0e7f7e0e87ea04245e384535738afdf27a449aaedec12
SHA512 5ea662caa6cf758505e9ae5ab257a56d8efa8ed1416683449557db5a0d86dfff3fe784a4499a887f03e438dad64faad65bc1f6cdef37ee81795647e912c0ae8a

memory/2872-81-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Alabgd32.exe

MD5 31019c3d4dfe3036f662a1dfafd7697d
SHA1 4b6d64c98bcaae97beb43face1e80eb5ab0f9137
SHA256 0adbec63b2a6919f4d89fbdf6ae425cb9b2e753043fba7ae51c56a8cc322748b
SHA512 4308ac05cf7b6876b10f6960786f32479633a4ac43e71d3d7d2aafbf3dc2007cfc1fa00b9276ab277f9682c30785b15845c21729666c2eb35869ac9a97f8e901

memory/2660-89-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Anpncp32.exe

MD5 1fe501e8baf615f5c4cccefcfd8d754c
SHA1 dea2068a8b961af8655649128e4ff13301ec43cc
SHA256 06e28d0b4c2d946ddecf97321fdfbf55cfac6383df9c931cbfdae03225a97ce9
SHA512 1b2e72017bdfa84cbc8433b0c64128b7af96de5b48a7440fbd942e7c3d4cfb5684cd5a0b4ebbaf7d524177ee603bf0a520a7bd5c342dd20ecf671bd425ab1a27

memory/3480-97-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aejfpjne.exe

MD5 8ede7be7f23f4f2981d442f999feed51
SHA1 3fd4b7af08994f568b64c2453ad2fc8a9c0da505
SHA256 7f52f0b9915560c13cb5661b6202191285bb144351ade346d98c43079004bbeb
SHA512 fe7e4f82009265f96a295aea4e4ff30fe21008f409abb4543a217d241a63182681729ad92705c63dc8b7f7aab54c585deda6b8b7b5515fba3a925ca058dc101d

memory/3000-105-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ajfoiqll.exe

MD5 268a8299d6804e331d6ceebe7cc0611f
SHA1 d92cb3af188d4a83363eaa783668106a6e30a2f1
SHA256 f3f7d03c8d2dc3458a90a4313d5d981b1734a0097446beecc6313fa4689e1e0a
SHA512 f7bb3788735ce02afc18ae5362719d5eedc7687097d18e787cbc423107c983c4bef67f7532fcc2bad6ccff231fbb50dce9268912c28add4514ecb1e4637bd7c3

memory/5040-112-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ahkobekf.exe

MD5 a9ccd47be7bbcdafb3c271068f1a6535
SHA1 e8e80217799845a72eb32168f90e2a0331ca28b9
SHA256 e03c6bef3a4c074c1a1bcb53a96916f3e3d58d0f78674c70088e62521dd75ccd
SHA512 809b37a713d3c2d8165f912d1bcb7211363cffa2cd8b74d92ad01d981d2210078e2e73aa8cc215cce226bd2ba814b3837990732de313061cb8f8b9d5cb5962cd

memory/1816-121-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ahmlgd32.exe

MD5 5a1ba2ccfedd3420677921e561dafa2f
SHA1 c813768030457faa02dc6d97e268a642516be3c9
SHA256 b2926eb980243ead152422630af7df0c5484f9d6922c92e1e48ec27eccfc93fe
SHA512 65a8afa4c0b36e64a78de56a98fb2cbbf4109e209f88059d6584d51ae411f543f57f516c81d790d5aa8afbae1b7950c696f57bb71a4ee2314717ce5ec228de0d

memory/3792-128-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Angddopp.exe

MD5 48e4390195d954c953c4a62fd3b6dfca
SHA1 910ddea9c3999524d988f48b0e3a7f2036ce355d
SHA256 98ba4edab85ebb0f69b832a70c552c8f00e5d04eb789a778d0fa3ea396d0bf20
SHA512 ed249bc77cd0db881b0026a9426fbfd1a1c8ccac6ff4048c16c025877d39d17bec8509d78252250b24a45c6e6ee95728127db54ff761aae8f6659f318f1016a8

C:\Windows\SysWOW64\Aaepqjpd.exe

MD5 adfb8d17ade16ac6cdd9f4fca515c8fa
SHA1 a6f9159969e0cf5ce0ccbe16c7ecb30d156ed162
SHA256 6771b61e7a102a0245efeae3e294dbeffd391d7fec550dea6e2ff05fcf2551a9
SHA512 6fa7876bea29d399991c7a9ecb67a7299807ab3cd99d21439b9e59289485f1ab1f2fbccd41e679f0aad091be6ee538e84e591c303ceb0465d86157b51822e26e

memory/2200-144-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Adcmmeog.exe

MD5 5b0d938766dfafacccc124f0910d915e
SHA1 9b47791b7e978fbd0f639438566bed75b04a4ccc
SHA256 f25815507feab38b3660ba82913e8dc4afed3ca5a36c2127d0aa11858c46d22b
SHA512 05c8a27f6cc426830c17ed8e0b5b9e9ceabdfc6417426256cb1edceb50ad658356a1414dd670a6fda374d8f678f5f90f543a03d525811ed5a0134a0ab6bde2c6

memory/3484-153-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ahoimd32.exe

MD5 932fc17630982318a89ce3086fafc268
SHA1 2ed0c5aa101abdf71a9f1f0cbf345a9f76151978
SHA256 5cc1b3333916901eaeeedb4fd1a267a350af3e28f2d4085270bc936badf633b5
SHA512 9be6382caf23cf678a603c055912c4932e440e2370b7d9519567735d008ca6c09ff8b47661d7e1af173eaf8200a3bf59b98225cb79fbf039d9316ea3b138e9bb

C:\Windows\SysWOW64\Ajneip32.exe

MD5 2a4712ef21e992bb8be3a110aca1ccba
SHA1 a5e0b4421121a69e503416162db8b665ec80203f
SHA256 0c226ad51814468742a4da1d9e240e14068dc96899353e1e7b1b9450c075bad9
SHA512 1a6e3c9a64dddec21f796fe80e344a0ff871e76a0a1591d5a1fd72ae33f823593a3ece667cd4a9a69f6f63c13b986d141ef7861319e4d88704484b78748b3333

memory/1496-176-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bahmfj32.exe

MD5 855102dae590a2507f09a1df9480be01
SHA1 e70d1040fe37f7b178892c385514b61fd88d0a07
SHA256 9f6847132b62366a5a7d56ba4128e9866a21a945712cbf0ee4f6b1a047c22307
SHA512 6717ad81f7830b0158af74ca73a765a9d2dfab97df59296c56af6e8b44e6432476c1690b483a24c94a37fa799e9636f8531ccbeb50294ad6380778b5d489cd50

C:\Windows\SysWOW64\Bdfibe32.exe

MD5 df3d5ec081f7a3b697dc2c1601dfd309
SHA1 f7f427e8e652348236551def1ca8dc9d3ab02574
SHA256 9b0f2ef9d3903ed1a7585185cd7991544e6154204577bcbea69c1fef94eafd65
SHA512 660341ebf5da46bf94f2547659310fe9a18ce373a74a551ea16cc78bb8555bc7d77542df15576d6b3aa4595488ee3000af73a89a7dec123e2657b118b49cb10d

C:\Windows\SysWOW64\Abemjmgg.exe

MD5 968034f7336f274f0dfa2b8bc98d164a
SHA1 a9dc12b31473a03850a427d3742996773a4fc4c1
SHA256 3fd0f8afbe59581abdbd1a1770ae7651ba2438d2d49dc2560fe332294dda3a81
SHA512 f0954a26d59ce0ad1f044b8cda51590cb892452f2401b4bba440b79b48f3405cddcf44a61ea47750707238c1723cf63669e0b6b57b9e38d2a0073ab8e346c0d8

memory/2464-165-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4876-141-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1476-184-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bhaebcen.exe

MD5 13e5aaa4c05c0cdc8219078d8443a398
SHA1 fd845a07474e235321f3db1b05cdba7f2b6cab00
SHA256 20333f764f13cb70734bd80c01c251f432f9f3ebbd1756a49b1da4faeb6cad9b
SHA512 fa23797c9bcc2a820c28b0e9b0e370e35ea9e27981df6f3533b9a42562dfb4f0fb71d8922ffab6a3b8615d829ee71798a5d94cac994258ab7328851b727918d2

memory/2832-192-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2640-200-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bbgipldd.exe

MD5 c37eff19ed48c9cdef7942825043ca46
SHA1 ba9fa7757a201aa82ba4ab853bc8614628f19a2c
SHA256 bd636759b6300ee613e767a35195c83ac4fbea6f0141c630615475f9cd44df87
SHA512 1f77a7ac23c487c84e62ee43baa2569e5d2fdf208cacfb17b45a6734ecc7b4007c174fdf9e417277b352697c4e9a60da53d75ea994a45c0a2160a1f51b7693df

memory/4168-208-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3832-209-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5032-216-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Blpnib32.exe

MD5 692a49971803881b9685f09b853ef4c2
SHA1 3c131f07c3f1b0d2e3602cf2dfa0c0536195ed20
SHA256 732d4046a0b07866e29a2409840a194b41ca8baa8f869319bbe6ea8c0ab66e17
SHA512 94d0938391260aba635a10f26131b77bdf9747992b8da8164ede0375875b167ee2d209412dc4f70003e4ef56b3e98b98d8dff7f24501e712e47b568a07df783a

C:\Windows\SysWOW64\Behbag32.exe

MD5 b459961b070f654265f1169289e6a733
SHA1 5113a58a43ec69227bd1fe1d8a5754801158b4bc
SHA256 a8e1c33b5990571f73c84aea9c9489c74f4d8f6e34332f74d7be099470efd18e
SHA512 b68e71fabb1e448f3eaa49fbe00e179b36154b5c534b63e21fd41008bf12a504fc8806636d5f2d8fac2d9e674866ef0b5331cf32b2612295d3694c0d1c377c2d

memory/1524-225-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Blbknaib.exe

MD5 92ebf8e63b7b4ae345e0738498934a20
SHA1 a681b590c82ed63c3b8481dfc5c3dddd742885f3
SHA256 951f4eef92499aa2eb87846b960240bc4a0d524d5685fa4203dbb9341fb2925e
SHA512 e4ff13c4a8f94a0513322ac415d367327b772f87c8c10d0f9806d587846636647bef5684d3a6b18b5203baa63f3088126c09d386423db6d4f9a2c22208658625

memory/5064-232-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bblckl32.exe

MD5 e562198be994a5bd795a8d8fa1e8d1af
SHA1 e40f0c8c6e75f2fd610054dfc35857ed43d1a68f
SHA256 76231dff34c02a9e5300ed8bb4fc9316cdb51512a6f6d4527759bef83069cbbb
SHA512 adfe4482d2f6ce0ab742906d7aabd58499a8c6d8a1cb5fec3e439595bf90c56ec4c69fec156d13118ae0b9758d37f2c90d78bd3a5787e61850d711da0ab453c3

memory/1632-240-0x0000000000400000-0x0000000000433000-memory.dmp

memory/752-248-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bjghpn32.exe

MD5 db07e6b6f6450fa13c30433d58c7a183
SHA1 f4cf9405d657be5257d315e3eb1039790cf9ffdb
SHA256 9cb7e492fb92d8415fb636c756cd527f6cfbd3ad90aa0d67df8ecfff154b096e
SHA512 defacf7e61c1499f031ffb219113e44650c39d7ef762d2441861490dc6ffcba598ee5e8e2706d74c73d2eb2f9457ea2998268d69b5aa445ae4b18bec9ed1ef87

C:\Windows\SysWOW64\Baaplhef.exe

MD5 a647e16f85901504fa7a3385bbd6576b
SHA1 3ab6d07250d178a9d2e5e08041e96a568172b02b
SHA256 0c442194c5e3ae8efbf97b1a256253af42247bbf1c0748f77d2411eed594ebe5
SHA512 1ad63d9c20870b63ec94be2f6f25acae44ee0c6832ea9577f8207e87c2b2946f38407b8462317e04436bddcf3c161679a4b649094a672661ed841dcdd0158bb8

memory/760-256-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1240-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1928-269-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2360-275-0x0000000000400000-0x0000000000433000-memory.dmp

memory/208-285-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3236-287-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4456-298-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3960-299-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2528-305-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2928-311-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2732-317-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2456-323-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2772-329-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4124-335-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4556-345-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3284-347-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3616-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2340-358-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3636-365-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5100-375-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4304-380-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1368-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1608-393-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2040-395-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1772-401-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5088-407-0x0000000000400000-0x0000000000433000-memory.dmp

memory/768-417-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2016-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4888-429-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2556-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2924-437-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mplhql32.exe

MD5 e3f5c9ea8612c4ed09f4c8785bd3bceb
SHA1 86b23f1a0a0fb478db4bfcef819ee6b2cecfd235
SHA256 80c4e1d06bc2d6a08a9280c500822cb3c0f9af8c8c254c2c9da66cb55864df91
SHA512 dd8eedbb9ac292d285a400c45508536dc5c7cb006ea852153e272e4f97314f44ba2cc6f53d56b61a462ffef3ebf132354ec2b0c217ef64c6500812a5426daf83

C:\Windows\SysWOW64\Mlefklpj.exe

MD5 c740b56ddba070bcdf693986e18bbc19
SHA1 183c7b97d2d7e32b719ccb04b813b270c5ee8c05
SHA256 12ca162c4da2f9e5261bc33a827eed55432daa876eb5b5f83e31f5908c32aa92
SHA512 d124ca8938203438bc7a57d94789ffd6c978d45ff1e1bbae3dd4e0cfad7010df200af51f5827f88c3d14dfafc773c53d97c62e693cf5df8dfc8a110b945e77ba

C:\Windows\SysWOW64\Opdghh32.exe

MD5 3c0148896202fafabae39f31fcfff8fd
SHA1 a23ed9cc834cf3de5a56bd6b2d18f7240ea09484
SHA256 56a79180ff48991c8216e1ecd774f6c82ec94998d6490b7c714d4bba4113a585
SHA512 2f0eb231565dddba286ae52ff5392519d415a76b124b0e623aea17724d885f8c2f32bab18caa536844da6fdad159a6a129e272598199d9a9dd9a5fb38657e24d

memory/9236-2386-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5060-2387-0x0000000000400000-0x0000000000433000-memory.dmp

memory/10200-2388-0x0000000000400000-0x0000000000433000-memory.dmp

memory/10160-2389-0x0000000000400000-0x0000000000433000-memory.dmp

memory/10080-2391-0x0000000000400000-0x0000000000433000-memory.dmp

memory/10032-2392-0x0000000000400000-0x0000000000433000-memory.dmp

memory/9912-2395-0x0000000000400000-0x0000000000433000-memory.dmp

memory/9660-2401-0x0000000000400000-0x0000000000433000-memory.dmp

memory/9608-2402-0x0000000000400000-0x0000000000433000-memory.dmp

memory/9388-2407-0x0000000000400000-0x0000000000433000-memory.dmp

memory/9296-2409-0x0000000000400000-0x0000000000433000-memory.dmp

memory/8716-2414-0x0000000000400000-0x0000000000433000-memory.dmp

memory/9104-2416-0x0000000000400000-0x0000000000433000-memory.dmp