Malware Analysis Report

2025-03-14 23:27

Sample ID: 240407-wtpd7sba64
Target: 040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37
SHA256: 040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37
Tags: persistence
Score: 10/10

Analysis Overview

score
10/10

SHA256

040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37

Threat Level: Known bad

The file 040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37 was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:12

Reported

2024-04-07 18:15

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lmgocb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmldme32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfbelipa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qngmgjeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aajbne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Apalea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dookgcij.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhjbjopf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mmldme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpfeppop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Baadng32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hdqbekcm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oomjlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Meppiblm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Okdkal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pfbelipa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qngmgjeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Alhmjbhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpgfki32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmdmcanc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Npccpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alhmjbhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lcfqkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Oomjlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqemdbaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bphbeplm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bphbeplm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogmhkmki.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Piekcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pckoam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jqlhdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmgocb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nilhhdga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aajbne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlekia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bbdallnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nilhhdga.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdpndnei.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jdbkjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Poapfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmbpmapf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ichllgfb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gljnej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hmdmcanc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icfofg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjifhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nlekia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npccpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Picnndmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjfjbdle.exe N/A

Executes dropped EXE

Description Indicator Process Target

Loads dropped DLL

Description Indicator Process Target

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Bdpoifde.dll C:\Windows\SysWOW64\Jdbkjn32.exe N/A
File created C:\Windows\SysWOW64\Ffjmmbcg.dll C:\Windows\SysWOW64\Piekcd32.exe N/A
File created C:\Windows\SysWOW64\Emieil32.exe C:\Windows\SysWOW64\Ekhhadmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Fadminnn.exe C:\Windows\SysWOW64\Ecejkf32.exe N/A
File created C:\Windows\SysWOW64\Gallbqdi.dll C:\Windows\SysWOW64\Fadminnn.exe N/A
File created C:\Windows\SysWOW64\Gheabp32.dll C:\Windows\SysWOW64\Gljnej32.exe N/A
File created C:\Windows\SysWOW64\Bdacap32.dll C:\Windows\SysWOW64\Emieil32.exe N/A
File created C:\Windows\SysWOW64\Jdbkjn32.exe C:\Windows\SysWOW64\Jdpndnei.exe N/A
File created C:\Windows\SysWOW64\Ekhhadmk.exe C:\Windows\SysWOW64\Dookgcij.exe N/A
File created C:\Windows\SysWOW64\Kbdklf32.exe C:\Windows\SysWOW64\Kjifhc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oebimf32.exe C:\Windows\SysWOW64\Nilhhdga.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbdallnd.exe C:\Windows\SysWOW64\Bpfeppop.exe N/A
File created C:\Windows\SysWOW64\Lgahjhop.dll C:\Windows\SysWOW64\Afnagk32.exe N/A
File created C:\Windows\SysWOW64\Ecejkf32.exe C:\Windows\SysWOW64\Emieil32.exe N/A
File created C:\Windows\SysWOW64\Kjfjbdle.exe C:\Windows\SysWOW64\Jqlhdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Lmgocb32.exe N/A
File created C:\Windows\SysWOW64\Cenaioaq.dll C:\Windows\SysWOW64\Agdjkogm.exe N/A
File created C:\Windows\SysWOW64\Icfofg32.exe C:\Windows\SysWOW64\Hdqbekcm.exe N/A
File opened for modification C:\Windows\SysWOW64\Kjfjbdle.exe C:\Windows\SysWOW64\Jqlhdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qngmgjeb.exe C:\Windows\SysWOW64\Qgmdjp32.exe N/A
File created C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Agdjkogm.exe N/A
File opened for modification C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Pckoam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kjifhc32.exe C:\Windows\SysWOW64\Kjfjbdle.exe N/A
File created C:\Windows\SysWOW64\Nmqalo32.dll C:\Windows\SysWOW64\Pfbelipa.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpfeppop.exe C:\Windows\SysWOW64\Bilmcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcfqkl32.exe C:\Windows\SysWOW64\Linphc32.exe N/A
File created C:\Windows\SysWOW64\Hpgfki32.exe C:\Windows\SysWOW64\Gljnej32.exe N/A
File created C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Ogkkfmml.exe N/A
File created C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Agdjkogm.exe N/A
File opened for modification C:\Windows\SysWOW64\Agfgqo32.exe C:\Windows\SysWOW64\Ajbggjfq.exe N/A
File opened for modification C:\Windows\SysWOW64\Bilmcf32.exe C:\Windows\SysWOW64\Afnagk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmneda32.exe C:\Windows\SysWOW64\Lcfqkl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhjbjopf.exe C:\Windows\SysWOW64\Moanaiie.exe N/A
File created C:\Windows\SysWOW64\Ookmfk32.exe C:\Windows\SysWOW64\Oebimf32.exe N/A
File created C:\Windows\SysWOW64\Qfgkcdoe.dll C:\Windows\SysWOW64\Ichllgfb.exe N/A
File created C:\Windows\SysWOW64\Jqlhdo32.exe C:\Windows\SysWOW64\Jdbkjn32.exe N/A
File created C:\Windows\SysWOW64\Picnndmb.exe C:\Windows\SysWOW64\Pnimnfpc.exe N/A
File created C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Qjnmlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Bphbeplm.exe N/A
File created C:\Windows\SysWOW64\Amfidj32.dll C:\Windows\SysWOW64\Dookgcij.exe N/A
File created C:\Windows\SysWOW64\Lmpgcm32.dll C:\Windows\SysWOW64\Oebimf32.exe N/A
File created C:\Windows\SysWOW64\Ogkkfmml.exe C:\Windows\SysWOW64\Okdkal32.exe N/A
File created C:\Windows\SysWOW64\Piekcd32.exe C:\Windows\SysWOW64\Picnndmb.exe N/A
File created C:\Windows\SysWOW64\Qngmgjeb.exe C:\Windows\SysWOW64\Qgmdjp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfkpqn32.exe C:\Windows\SysWOW64\Baohhgnf.exe N/A
File created C:\Windows\SysWOW64\Kjcceqko.dll C:\Windows\SysWOW64\Pqemdbaj.exe N/A
File created C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Bphbeplm.exe N/A
File opened for modification C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File created C:\Windows\SysWOW64\Fadminnn.exe C:\Windows\SysWOW64\Ecejkf32.exe N/A
File created C:\Windows\SysWOW64\Cgmgbeon.dll C:\Windows\SysWOW64\Meppiblm.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Ogkkfmml.exe N/A
File created C:\Windows\SysWOW64\Cmelgapq.dll C:\Windows\SysWOW64\Qgmdjp32.exe N/A
File created C:\Windows\SysWOW64\Qlhpnakf.dll C:\Windows\SysWOW64\Fbdjbaea.exe N/A
File created C:\Windows\SysWOW64\Hmbpmapf.exe C:\Windows\SysWOW64\Hpgfki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmdmcanc.exe C:\Windows\SysWOW64\Hmbpmapf.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgmdjp32.exe C:\Windows\SysWOW64\Poapfn32.exe N/A
File created C:\Windows\SysWOW64\Bbdallnd.exe C:\Windows\SysWOW64\Bpfeppop.exe N/A
File opened for modification C:\Windows\SysWOW64\Ookmfk32.exe C:\Windows\SysWOW64\Oebimf32.exe N/A
File created C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Pckoam32.exe N/A
File created C:\Windows\SysWOW64\Kbidgeci.exe C:\Windows\SysWOW64\Kbdklf32.exe N/A
File created C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oomjlk32.exe N/A
File created C:\Windows\SysWOW64\Lbbjgn32.dll C:\Windows\SysWOW64\Pckoam32.exe N/A
File created C:\Windows\SysWOW64\Mabanhgg.dll C:\Windows\SysWOW64\Baadng32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Cacacg32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll" C:\Windows\SysWOW64\Picnndmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" C:\Windows\SysWOW64\Bfkpqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmbpmapf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gheabp32.dll" C:\Windows\SysWOW64\Gljnej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlejpga.dll" C:\Windows\SysWOW64\Jqlhdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qngmgjeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplhdp32.dll" C:\Windows\SysWOW64\Kjifhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Npccpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qngmgjeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nilhhdga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edfpjabf.dll" C:\Windows\SysWOW64\Hmbpmapf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Icfofg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll" C:\Windows\SysWOW64\Baohhgnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kjfjbdle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmlko32.dll" C:\Windows\SysWOW64\Hpgfki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll" C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Okdkal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agdjkogm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll" C:\Windows\SysWOW64\Agfgqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alhmjbhj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hpgfki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpgfki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Agfgqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbidgeci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgmdjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Niebhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedakjgc.dll" C:\Windows\SysWOW64\Okdkal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpgcm32.dll" C:\Windows\SysWOW64\Oebimf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Picnndmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll" C:\Windows\SysWOW64\Pckoam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bphbeplm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcfhi32.dll" C:\Windows\SysWOW64\Lcfqkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmldme32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfdghbq.dll" C:\Windows\SysWOW64\Knpemf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Picnndmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" C:\Windows\SysWOW64\Piekcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll" C:\Windows\SysWOW64\Apalea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll" C:\Windows\SysWOW64\Bphbeplm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnpcnhmk.dll" C:\Windows\SysWOW64\Gakcimgf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kbidgeci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pckoam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apalea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Piekcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll" C:\Windows\SysWOW64\Linphc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nlekia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmdmcanc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ichllgfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dookgcij.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aaheie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Knpemf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pfbelipa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbdjbaea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfgkcdoe.dll" C:\Windows\SysWOW64\Ichllgfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdqbekcm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe C:\Windows\SysWOW64\Dookgcij.exe
PID 1616 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Dookgcij.exe C:\Windows\SysWOW64\Ekhhadmk.exe
PID 2552 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Ekhhadmk.exe C:\Windows\SysWOW64\Emieil32.exe
PID 2532 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Emieil32.exe C:\Windows\SysWOW64\Ecejkf32.exe
PID 2604 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Ecejkf32.exe C:\Windows\SysWOW64\Fadminnn.exe
PID 2664 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Fadminnn.exe C:\Windows\SysWOW64\Fbdjbaea.exe
PID 2480 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Fbdjbaea.exe C:\Windows\SysWOW64\Gakcimgf.exe
PID 2204 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Gakcimgf.exe C:\Windows\SysWOW64\Gljnej32.exe
PID 2896 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Gljnej32.exe C:\Windows\SysWOW64\Hpgfki32.exe
PID 2444 wrote to memory of 548 N/A C:\Windows\SysWOW64\Hpgfki32.exe C:\Windows\SysWOW64\Hmbpmapf.exe
PID 548 wrote to memory of 312 N/A C:\Windows\SysWOW64\Hmbpmapf.exe C:\Windows\SysWOW64\Hmdmcanc.exe
PID 312 wrote to memory of 460 N/A C:\Windows\SysWOW64\Hmdmcanc.exe C:\Windows\SysWOW64\Hdqbekcm.exe
PID 460 wrote to memory of 2492 N/A C:\Windows\SysWOW64\Hdqbekcm.exe C:\Windows\SysWOW64\Icfofg32.exe
PID 2492 wrote to memory of 1328 N/A C:\Windows\SysWOW64\Icfofg32.exe C:\Windows\SysWOW64\Ichllgfb.exe
PID 1328 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Ichllgfb.exe C:\Windows\SysWOW64\Jdpndnei.exe
PID 1712 wrote to memory of 1644 N/A C:\Windows\SysWOW64\Jdpndnei.exe C:\Windows\SysWOW64\Jdbkjn32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe

"C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe"

C:\Windows\SysWOW64\Dookgcij.exe

C:\Windows\system32\Dookgcij.exe

C:\Windows\SysWOW64\Ekhhadmk.exe

C:\Windows\system32\Ekhhadmk.exe

C:\Windows\SysWOW64\Emieil32.exe

C:\Windows\system32\Emieil32.exe

C:\Windows\SysWOW64\Ecejkf32.exe

C:\Windows\system32\Ecejkf32.exe

C:\Windows\SysWOW64\Fadminnn.exe

C:\Windows\system32\Fadminnn.exe

C:\Windows\SysWOW64\Fbdjbaea.exe

C:\Windows\system32\Fbdjbaea.exe

C:\Windows\SysWOW64\Gakcimgf.exe

C:\Windows\system32\Gakcimgf.exe

C:\Windows\SysWOW64\Gljnej32.exe

C:\Windows\system32\Gljnej32.exe

C:\Windows\SysWOW64\Hpgfki32.exe

C:\Windows\system32\Hpgfki32.exe

C:\Windows\SysWOW64\Hmbpmapf.exe

C:\Windows\system32\Hmbpmapf.exe

C:\Windows\SysWOW64\Hmdmcanc.exe

C:\Windows\system32\Hmdmcanc.exe

C:\Windows\SysWOW64\Hdqbekcm.exe

C:\Windows\system32\Hdqbekcm.exe

C:\Windows\SysWOW64\Icfofg32.exe

C:\Windows\system32\Icfofg32.exe

C:\Windows\SysWOW64\Ichllgfb.exe

C:\Windows\system32\Ichllgfb.exe

C:\Windows\SysWOW64\Jdpndnei.exe

C:\Windows\system32\Jdpndnei.exe

C:\Windows\SysWOW64\Jdbkjn32.exe

C:\Windows\system32\Jdbkjn32.exe

C:\Windows\SysWOW64\Jqlhdo32.exe

C:\Windows\system32\Jqlhdo32.exe

C:\Windows\SysWOW64\Kjfjbdle.exe

C:\Windows\system32\Kjfjbdle.exe

C:\Windows\SysWOW64\Kjifhc32.exe

C:\Windows\system32\Kjifhc32.exe

C:\Windows\SysWOW64\Kbdklf32.exe

C:\Windows\system32\Kbdklf32.exe

C:\Windows\SysWOW64\Kbidgeci.exe

C:\Windows\system32\Kbidgeci.exe

C:\Windows\SysWOW64\Knpemf32.exe

C:\Windows\system32\Knpemf32.exe

C:\Windows\SysWOW64\Lmgocb32.exe

C:\Windows\system32\Lmgocb32.exe

C:\Windows\SysWOW64\Linphc32.exe

C:\Windows\system32\Linphc32.exe

C:\Windows\SysWOW64\Lcfqkl32.exe

C:\Windows\system32\Lcfqkl32.exe

C:\Windows\SysWOW64\Mmneda32.exe

C:\Windows\system32\Mmneda32.exe

C:\Windows\SysWOW64\Moanaiie.exe

C:\Windows\system32\Moanaiie.exe

C:\Windows\SysWOW64\Mhjbjopf.exe

C:\Windows\system32\Mhjbjopf.exe

C:\Windows\SysWOW64\Meppiblm.exe

C:\Windows\system32\Meppiblm.exe

C:\Windows\SysWOW64\Mmldme32.exe

C:\Windows\system32\Mmldme32.exe

C:\Windows\SysWOW64\Niebhf32.exe

C:\Windows\system32\Niebhf32.exe

C:\Windows\SysWOW64\Nlekia32.exe

C:\Windows\system32\Nlekia32.exe

C:\Windows\SysWOW64\Npccpo32.exe

C:\Windows\system32\Npccpo32.exe

C:\Windows\SysWOW64\Nilhhdga.exe

C:\Windows\system32\Nilhhdga.exe

C:\Windows\SysWOW64\Oebimf32.exe

C:\Windows\system32\Oebimf32.exe

C:\Windows\SysWOW64\Ookmfk32.exe

C:\Windows\system32\Ookmfk32.exe

C:\Windows\SysWOW64\Oomjlk32.exe

C:\Windows\system32\Oomjlk32.exe

C:\Windows\SysWOW64\Okdkal32.exe

C:\Windows\system32\Okdkal32.exe

C:\Windows\SysWOW64\Ogkkfmml.exe

C:\Windows\system32\Ogkkfmml.exe

C:\Windows\SysWOW64\Ogmhkmki.exe

C:\Windows\system32\Ogmhkmki.exe

C:\Windows\SysWOW64\Pqemdbaj.exe

C:\Windows\system32\Pqemdbaj.exe

C:\Windows\SysWOW64\Pfbelipa.exe

C:\Windows\system32\Pfbelipa.exe

C:\Windows\SysWOW64\Pnimnfpc.exe

C:\Windows\system32\Pnimnfpc.exe

C:\Windows\SysWOW64\Picnndmb.exe

C:\Windows\system32\Picnndmb.exe

C:\Windows\SysWOW64\Piekcd32.exe

C:\Windows\system32\Piekcd32.exe

C:\Windows\SysWOW64\Pckoam32.exe

C:\Windows\system32\Pckoam32.exe

C:\Windows\SysWOW64\Poapfn32.exe

C:\Windows\system32\Poapfn32.exe

C:\Windows\SysWOW64\Qgmdjp32.exe

C:\Windows\system32\Qgmdjp32.exe

C:\Windows\SysWOW64\Qngmgjeb.exe

C:\Windows\system32\Qngmgjeb.exe

C:\Windows\SysWOW64\Qgoapp32.exe

C:\Windows\system32\Qgoapp32.exe

C:\Windows\SysWOW64\Qjnmlk32.exe

C:\Windows\system32\Qjnmlk32.exe

C:\Windows\SysWOW64\Aaheie32.exe

C:\Windows\system32\Aaheie32.exe

C:\Windows\SysWOW64\Ajpjakhc.exe

C:\Windows\system32\Ajpjakhc.exe

C:\Windows\SysWOW64\Aajbne32.exe

C:\Windows\system32\Aajbne32.exe

C:\Windows\SysWOW64\Agdjkogm.exe

C:\Windows\system32\Agdjkogm.exe

C:\Windows\SysWOW64\Ajbggjfq.exe

C:\Windows\system32\Ajbggjfq.exe

C:\Windows\SysWOW64\Agfgqo32.exe

C:\Windows\system32\Agfgqo32.exe

C:\Windows\SysWOW64\Apalea32.exe

C:\Windows\system32\Apalea32.exe

C:\Windows\SysWOW64\Alhmjbhj.exe

C:\Windows\system32\Alhmjbhj.exe

C:\Windows\SysWOW64\Afnagk32.exe

C:\Windows\system32\Afnagk32.exe

C:\Windows\SysWOW64\Bilmcf32.exe

C:\Windows\system32\Bilmcf32.exe

C:\Windows\SysWOW64\Bpfeppop.exe

C:\Windows\system32\Bpfeppop.exe

C:\Windows\SysWOW64\Bbdallnd.exe

C:\Windows\system32\Bbdallnd.exe

C:\Windows\SysWOW64\Bphbeplm.exe

C:\Windows\system32\Bphbeplm.exe

C:\Windows\SysWOW64\Baohhgnf.exe

C:\Windows\system32\Baohhgnf.exe

C:\Windows\SysWOW64\Bfkpqn32.exe

C:\Windows\system32\Bfkpqn32.exe

C:\Windows\SysWOW64\Baadng32.exe

C:\Windows\system32\Baadng32.exe

C:\Windows\SysWOW64\Cfnmfn32.exe

C:\Windows\system32\Cfnmfn32.exe

C:\Windows\SysWOW64\Cacacg32.exe

C:\Windows\system32\Cacacg32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 140

Network

N/A

Files

SHA1 6f77e3365c2666ed3a495d27b76d85bea5e698e4
SHA256 4a86a2de4887104a2257e115c87850b5ea8e4fe6a7088698310b22722b2fe0ef
SHA512 62d64d648996235a5d4ea795b0829c0cebcd095bb35bc4f91bd3e09e5242a3d2d9a1ec973cb360e7d0d6f88b3cb1fcb524ee28f211c961ad37277e5d7599d1e4

C:\Windows\SysWOW64\Pqemdbaj.exe

MD5 c413b29fbeba281c7d467171913be892
SHA1 b94a4410241d561610d164543b2d73bbd433844c
SHA256 1678eff622a5b3928800e979bbad0abdca69bcd2011b71a9c8703c4aecd4db57
SHA512 be0b579567dd2c31117f728d73fdfbccdb2d69f1e15e7b072d15d28a9450db840350cdd2be82572554766a6cad455f92f218cc468c680d08012603a179bfb74c

C:\Windows\SysWOW64\Pfbelipa.exe

MD5 55fa087f42a10dea857c7668ffc65929
SHA1 60aaa57e2595f07d65db674bcbcd72704be7b34a
SHA256 557e1cfa1be47a17588e66ce0e8131650d3329faa1d354b644023802ed2ab595
SHA512 d4ee95990d96a1d12f370b7d702879ea1344ae27abee94fd110e2892fc8f45c151c7951b0ce4e4695ac459f28fac7ddd02491bd1296a6e3cc0e1039b8137f62c

C:\Windows\SysWOW64\Pnimnfpc.exe

MD5 2a29127135876a897af01d1b0e18916e
SHA1 4c60057fb9eb5ce3faa57208e5ecb13535cc062c
SHA256 1bb6bdab69c046881ba3e84d6e93e25cd200b428bdff5364228a9749dab15d19
SHA512 9fdc14c4ea5357007d1b5fa9572af1883e51414df700d37c33705e405c8d85b5579b223a4112850c429f57577e24be1c46c54f50eb468e544cbc18733cde443c

C:\Windows\SysWOW64\Picnndmb.exe

MD5 23f59373541c38d3bf0af2b9840f94bb
SHA1 93b9172a571fd8c1289e56c76f439288c8ddfa97
SHA256 01b857b0364cef1d512aee8a55c79d3c6dabd9a53a8d14402f334c60b3d1ded9
SHA512 4499ed3ab0b52ee2ffbeacc6a9073910cc0a8f49186d4d6b67980f32f6ff889ba13e2ef6065d501ccbc0a394fd1451f5f190a4f4379740471e7e2623cfaafef7

C:\Windows\SysWOW64\Piekcd32.exe

MD5 abb662d2f818a070068e083b82c68999
SHA1 c872f17e26c0ca3e956809aa4fbf55f196753a69
SHA256 b90da7e053da28a67de5cfee3351a880722a1b7065c7d92a8784b0c9f7a37895
SHA512 23d4fc56130fd6d79bb92b2553b0c98073235f43c5135fa4166f1fe31d2b26e36715adee74451f8a5a1aba234dbf0a33f47c161043319914fae999667f73ffa8

C:\Windows\SysWOW64\Pckoam32.exe

MD5 bf1c7a238c195dde519456094234142b
SHA1 42def114cf8b4b43521293a86890e6b4beddeb3a
SHA256 fc12448641c05e0f94cb7ae9a87fe92087ae324702ae95a973d7293bb3894412
SHA512 6738e8890080dc8273eae372cf61c2ef5d656804b651d1e286943e55935eda00d8fb3eb8ec2c02d8a0c0c3477ae8457fd0f33ff823fa49aab9b8b4ca38466b0b

C:\Windows\SysWOW64\Poapfn32.exe

MD5 e6ebf6bb46f0e349416d4ec8279445c6
SHA1 81890de07416b510c717a3a7e3ed6341995932b6
SHA256 3a6518710b30f3b36df4f6e928e58bcabd204c6aa0d52211e601b6408b69253f
SHA512 ef6a6d181ee76bf1af12e403436a3eeddb84596d2a379c5d030085de14b949acac52691328d475ba66804cef1b85f2de861b6c94c64ade3fbe17be61195e0fa4

C:\Windows\SysWOW64\Qgmdjp32.exe

MD5 ca77379a15fadd6724d297cd63ef46be
SHA1 9cf47c962cef16c14e345116ab7fa448a3fcde27
SHA256 f8d906eb4024a26e78e5a3238f32e609450b9025a92afdcd3442cb3ecf2bf42b
SHA512 e34be5f537b1ca8ecc603740eab8af379aa2ad5acbf1ed2a70f36e760f65bcadd9d25654371a8fa3f544f14fec4b212f8b7187d78615363123523bdf56255947

C:\Windows\SysWOW64\Qngmgjeb.exe

MD5 b0b76ffa7cec791355f31b2b95ac7202
SHA1 5ee281578a4fc4792e9ad841f0acba5eb625c71f
SHA256 3070fbe520eada050c55fd2084da8fd6db555ca30f13738b41a039135e6ccbd7
SHA512 273d097bc5e8082ca3aba258d4d73c80616e80f1deca95778cc3f4fde029d7c899adfeb2c092ea07c7b4fbca7485b796b50cda4bfb186960ab1aa43ded2a1cc8

C:\Windows\SysWOW64\Qgoapp32.exe

MD5 e0c01dec225b5ef5fd2a08f37883e13b
SHA1 d4af036b7b46cd92377aebc2c39b93ec4fc54e21
SHA256 f32e0f1c8e60bff11561b26498a3d3a9d7d2efdc71106bf08250af296ef133a3
SHA512 1cb8aa7c9e3bb3bdcd7cf8a42d5ccdbd0a75ee27f539da7c68a3920fcdff0006801f15c6e76f9807a6873b9bc6e0ab4a2e6c537a84b0f37857f258b1a7b92054

C:\Windows\SysWOW64\Qjnmlk32.exe

MD5 8051a7e0d6060ebbf1af52aa9c862eff
SHA1 74f18df8f280af1b43f65c7c5256e32ef14c4501
SHA256 25bd61e45704c3ba57b8a3cd8003328ab1c1607e2b7f31a9a85ed16886ff8b32
SHA512 04c415b19b03da67f3a39aacc1dd8a33db5ef533701daa593e94a5fe5715f522851df4355074e4da42ba35907cb815f63de2cc8385fe252430f2f82e01fbf62d

C:\Windows\SysWOW64\Aaheie32.exe

MD5 2010919a02a839307c755cd371f08323
SHA1 5422b92171a5012b0bfd618f05e4a0a8ee86c245
SHA256 76c4115b995e9ff8a4be71cf33ea0d2e1dc602d931dba85f8ad4491b21cdda40
SHA512 32e60691d7e99d4d9de383b2f295888c694d1f40faa33b74edfd7a173c713820fd85adc24e507087c7c9f3287e27d91d87575aaa99838c1f68c37ff7cd4eab1a

C:\Windows\SysWOW64\Ajpjakhc.exe

MD5 89ec2eab5f8720e1dc56be70d7c92d94
SHA1 81efd8143909e9793c48895d4f97309e0459dd55
SHA256 14ba94e3cade2620d2d3a853678ece9c13ceb6e13360293a0409823fb67d66da
SHA512 2c34123ec32fa1300649eda49e23da80ad4935e5695856e16bd42e5c56516ee2fa391b762a2e55e24521593e26678497ac2e04947c40f916468f86860e67e064

C:\Windows\SysWOW64\Aajbne32.exe

MD5 79ad3ca32829d4fa19699a6bd7fb9b55
SHA1 45529acfda94f721e1d2e9f927fd2fa237fa2be0
SHA256 d7ccb41b9a8960ab671e2bbdc029e3db10cbe6dd2cc43804ab171e4317f4a50c
SHA512 6705a9a5626d6d446122ec766cbf0b019f979cd32e63002748c8bc74f7a722468a78ea97e7f1df7c10a917bb0407f6d9a7a04b1260d396e87c39db6bd486c856

C:\Windows\SysWOW64\Ajbggjfq.exe

MD5 1571c48d64beec11d2e7ebb86f2d46a2
SHA1 386c37e83b309ac094606d19e02260c62d8647fb
SHA256 cb53d37ef33f12fbd7717bc9f1f44382d27d0a7f8ca255885898ae52662171d8
SHA512 31286fa0abc37899a0a252efde0dbcfe05c51e585d53283acb8697dc91235e2daf3c7770d294302431c4262bc2fba4a4f48b88b8b057c262fcac0c2a92c1ba9e

C:\Windows\SysWOW64\Agfgqo32.exe

MD5 cb2db9259f319f0e2aa5bd5f0192bbce
SHA1 fdfb77301ef8c25692904b8b29a8ca533fd8d198
SHA256 1497b2360437d2f4f1d101408ce8c953ee552c621a3d13c0b3e8decc20dc79f2
SHA512 b46743e4c6883ed4f3dbac36a98a8ce15d758144334dd2e3ac309dce18e403d40bdb877a5d7b16e4367a19d93264efc569f63742976f9f97ebe3dc62ff4920e6

C:\Windows\SysWOW64\Apalea32.exe

MD5 d925932c7e62dc748f4e2b75b7e53c33
SHA1 591699a01d92ad88a6bb3a977a89a679c0bc4951
SHA256 db455269323f36982cc25b58092cb0444ecfd665a8146fd9005cb826ce8f8399
SHA512 24707c16be218a9b823537d5dc730a0eab819cd164f3fd90190eec135b1d3212d70dfae2e1a62b7689f1e315e75b9ac812eac9c07a9fb85456a435365e0430ab

C:\Windows\SysWOW64\Alhmjbhj.exe

MD5 a9ed32a81f6e2bb97c65bbe71685a2fd
SHA1 a238702ca15b32194b09a495b5c3ad761ff4633a
SHA256 38c3f114aa5dd8610d661847094cf285eecbe7b6bcdf3ca33e36f93476f4d213
SHA512 cd1a1cb371f8eb6859f14282cdbaf5b27e4ede451b882870763b8fbfeaf94b8d1f9d1922551933b777d682b0ba110bcdffb8a273726990ed1833bfac1a48c815

C:\Windows\SysWOW64\Afnagk32.exe

MD5 1506279471ce243563871eafd339849c
SHA1 3a31dbeed8e817bb54831069e996b277bc175564
SHA256 04f34565a39a6132f49789f7b6a915753f8ccb4cd210e5bc585a77b6e9958361
SHA512 87984a2ae13f9cbc5d526aaa18dcfa5925fdf820d381f4e013fb55daacf57b08af60486f8d309b467784b1313e87ba5d1f48bf1553d6054ef232817150e7d433

C:\Windows\SysWOW64\Bilmcf32.exe

MD5 ae6f5cc325a9dadb6a8b8eeda960f2d1
SHA1 cd9dd278f167d53753c177783fce20f795bd03a6
SHA256 5867a9383245b232a5f62024ff13fd576463099620e41829330a6c3f017091ef
SHA512 89dfb1b24e2cc878d4a44b1cbc7183138ba538801e0bc28fd5fd963adf80dfff788f1e48898e6a4c4a1fb9cb48a35e43764ca366716b1e8f09f3eefb4346b37e

C:\Windows\SysWOW64\Bpfeppop.exe

MD5 1bb0ab280b6087cffc350a9c8ca2f922
SHA1 feb58daf0aa0de5cce8fd8bd94d908661b9e56cc
SHA256 8b498b35e0fe27bf246899c6a4cb8632f7b46331021a2cd86acc9f3ff56186fa
SHA512 dd1e77adab5598d1da9e256aa2c4819b8fe5a908ce3b96bc5d9adc8b086a783735425e29d083938eb2486467685b8731add2da8ca96443238afc3a15dfa6dcc8

C:\Windows\SysWOW64\Bbdallnd.exe

MD5 12a84d452b89c5adde7bf1ee8077de1a
SHA1 8a4fb7a64d1d66999f7ae1e9d37eaa06ea63a50b
SHA256 08c670c8950d97ed3767644c32ced0a9ae6aa0cc2cde32cc79294d8134225d08
SHA512 3630ab4f601476786b5d8df0e5e9c6accb684655076bd921167d4de1ed379bfff16c17df8e64a9a83210b8d28213a93c69e02c1dee69a87314ba87e8773c74cd

C:\Windows\SysWOW64\Bphbeplm.exe

MD5 e4d284502b17d3f0c675b3900b13b5ef
SHA1 e496e3eb0e5a6898c9fe2a0b3454acc7b7ecfd5d
SHA256 06aae769f34f7d6e708ff04e617beb32864f353fca0294002ac707d01b7014a3
SHA512 83ea916335aab7a790e6f832fba471667da0833a15c02482efb43b00f67ce97df8a735139eeb11332c39adf7ce30926dc1e39da435eecb3ab42a1fba325d4540

C:\Windows\SysWOW64\Baohhgnf.exe

MD5 620612c931043bcf673fbbcd14d8fdb4
SHA1 1f4e9cf6adba27856f84998b97df29bb2f232e84
SHA256 394ae48221acc681b5eea66c6bca23a5c483dc9c92ac23f3294bd80af35c1ac7
SHA512 4ed4615c8565358db79b298c43214b826d48b2001cbc9bec30da383aa725d4e23509998338193d48e1bdcc8a376812011bbd61a22fa5678e8a21ef97e76c4529

C:\Windows\SysWOW64\Bfkpqn32.exe

MD5 a7658fbb3afa5389952d29fad68f34b7
SHA1 3f076c0ee4afab7831ba94c2719c8889824fbe79
SHA256 245c54d19d538b78e497ff4f988af482ec931154e276defce20732120ec19522
SHA512 0bfa5894f747f88e2241213478bd3776b5fcef2e9787f300756e5bfbabe773b90f5698b751031213f7376767a73ec7e5269e24f4c2a9a6290f6ed22c1365f3e8

C:\Windows\SysWOW64\Baadng32.exe

MD5 0e322b6d660d48d138c718b9fb527d84
SHA1 eccaad8d33d0cae53596397105692f3fb8fa1886
SHA256 0f87903a2ae16a249bf0cae1c3253d3e5bae871ea764ea7e157a3cd668446da5
SHA512 fc14b3203eb0e95a27f403c2c90947005ee01094c81ad901144c422507afbf215a8c8c77b0ef76ef9522262bca7ed526276b5c75c423baa84a8fb41f5ef94ed0

C:\Windows\SysWOW64\Cfnmfn32.exe

MD5 487ca20c12d4b53ea53daa3dc1a7f248
SHA1 1d3715dfdae1d48f67bc2a0f257977471e313c9f
SHA256 0b7b167b179f5b4e5904dc67e846f3ccba4053a6e49ec327b09008ddc042b6c7
SHA512 0e5775f2b808d9648276ef2a11f43195cfb52cb2e9e73967e4cda8be5276164c92bbe491a5acfed5bc0a67e9210f2e6a942a998b9e6fcec876c8b28e5a624201

C:\Windows\SysWOW64\Cacacg32.exe

MD5 420efee69b880c7f5b93142c8ec9d94b
SHA1 0a2013b6e0f292b93d812b783c627993f5051d3c
SHA256 acd1cff3bd35c537d297b6bf8b90f16d8ca7b115153742591a65270a2cd80ba9
SHA512 6605b58719fec04535b1444a6c6fcc0c31398266221218a07129a4c9b8c05ca44a54595b97fa7328659e4b0719707e7e821c95f50f5a0c4561e4f2114aced268

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:12

Reported

2024-04-07 18:15

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Conclk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jianff32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdjagjco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pdkcde32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Demecd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eleiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pgmcqggf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Conclk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jcefno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hkdbpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjghpn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gcagkdba.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipbdmaah.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdkcde32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjmehkqk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kdaldd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbifelba.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hflcbngh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfnphn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcioiood.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mpjlklok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocdqjceo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Abpcon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jjpeepnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qeemej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doqpak32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imdgqfbd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Peljol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ocgmpccl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Chghdqbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hkikkeeo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Njefqo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bajjli32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blbknaib.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldoaklml.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpccdlj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fdnjgmle.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcmgfbhd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qcgffqei.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dboigi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gbbkaako.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncnadk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dedkdcie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcpclbfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddpeoafg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhgjblfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hbgmcnhf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nlmllkja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mciobn32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jjpeepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmnaakne.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbkjjblm.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjbako32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbmfoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmbklj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdmcidam.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfkoeppq.exe N/A
N/A N/A C:\Windows\SysWOW64\Jiikak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpccnefa.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbapjafe.exe N/A
N/A N/A C:\Windows\SysWOW64\Kilhgk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kacphh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdaldd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkkdan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kinemkko.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmjqmi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kphmie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfiep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgbefoji.exe N/A
N/A N/A C:\Windows\SysWOW64\Kknafn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmlnbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kagichjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpjjod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdffocib.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcifkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkpnlm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmnjhioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kajfig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpmfddnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdhbec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgfoan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkbkamnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Liekmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lalcng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpocjdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldkojb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgikfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liggbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmccchkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Laopdgcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpappc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijdhiaa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcbiao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhmng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldaeka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjjdgee.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphfpbdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgbnmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnlfigcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mciobn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcgohig.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiklqhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgghhlhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjeddggd.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnhmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkepnjng.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmegp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mglack32.exe N/A
N/A N/A C:\Windows\SysWOW64\Maaepd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnnhk32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Hkdbpe32.exe C:\Windows\SysWOW64\Hiefcj32.exe N/A
File created C:\Windows\SysWOW64\Imdgqfbd.exe C:\Windows\SysWOW64\Iemppiab.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Mdjagjco.exe N/A
File created C:\Windows\SysWOW64\Lffnijnj.dll C:\Windows\SysWOW64\Mdmnlj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pghieg32.exe C:\Windows\SysWOW64\Pqnaim32.exe N/A
File created C:\Windows\SysWOW64\Dlgcki32.dll C:\Windows\SysWOW64\Abbpem32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Lingibiq.exe N/A
File created C:\Windows\SysWOW64\Ghngib32.dll C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
File created C:\Windows\SysWOW64\Kmfiloih.dll C:\Windows\SysWOW64\Aminee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bjfaeh32.exe N/A
File created C:\Windows\SysWOW64\Poahbe32.dll C:\Windows\SysWOW64\Ddonekbl.exe N/A
File created C:\Windows\SysWOW64\Elbmlmml.exe C:\Windows\SysWOW64\Edkdkplj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jimekgff.exe C:\Windows\SysWOW64\Jfoiokfb.exe N/A
File created C:\Windows\SysWOW64\Qihfjd32.dll C:\Windows\SysWOW64\Bnpppgdj.exe N/A
File created C:\Windows\SysWOW64\Bobcpmfc.exe C:\Windows\SysWOW64\Bjghpn32.exe N/A
File created C:\Windows\SysWOW64\Eadopc32.exe C:\Windows\SysWOW64\Eabbjc32.exe N/A
File created C:\Windows\SysWOW64\Pjjhbl32.exe C:\Windows\SysWOW64\Pcppfaka.exe N/A
File created C:\Windows\SysWOW64\Pnfkma32.exe C:\Windows\SysWOW64\Pkhoae32.exe N/A
File created C:\Windows\SysWOW64\Qalnjkgo.exe C:\Windows\SysWOW64\Qloebdig.exe N/A
File opened for modification C:\Windows\SysWOW64\Chdkoa32.exe C:\Windows\SysWOW64\Cdiooblp.exe N/A
File opened for modification C:\Windows\SysWOW64\Icgjmapi.exe C:\Windows\SysWOW64\Ipknlb32.exe N/A
File created C:\Windows\SysWOW64\Kpgfooop.exe C:\Windows\SysWOW64\Kimnbd32.exe N/A
File created C:\Windows\SysWOW64\Jilkmnni.dll C:\Windows\SysWOW64\Onjegled.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojhiqefo.exe C:\Windows\SysWOW64\Ogjmdigk.exe N/A
File created C:\Windows\SysWOW64\Gfogkano.dll C:\Windows\SysWOW64\Okhfjh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjjhbl32.exe C:\Windows\SysWOW64\Pcppfaka.exe N/A
File created C:\Windows\SysWOW64\Pmgmnjcj.dll C:\Windows\SysWOW64\Bcebhoii.exe N/A
File opened for modification C:\Windows\SysWOW64\Pbmncp32.exe C:\Windows\SysWOW64\Pjffbc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Blfdia32.exe C:\Windows\SysWOW64\Bdolhc32.exe N/A
File created C:\Windows\SysWOW64\Eamhodmf.exe C:\Windows\SysWOW64\Ecjhcg32.exe N/A
File created C:\Windows\SysWOW64\Ehfnmfki.dll C:\Windows\SysWOW64\Ampkof32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmjqmi32.exe C:\Windows\SysWOW64\Kinemkko.exe N/A
File created C:\Windows\SysWOW64\Ogijli32.dll C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgbnmm32.exe C:\Windows\SysWOW64\Lphfpbdi.exe N/A
File opened for modification C:\Windows\SysWOW64\Bajjli32.exe C:\Windows\SysWOW64\Bjpaooda.exe N/A
File created C:\Windows\SysWOW64\Behbag32.exe C:\Windows\SysWOW64\Bbifelba.exe N/A
File created C:\Windows\SysWOW64\Namdcd32.dll C:\Windows\SysWOW64\Klqcioba.exe N/A
File opened for modification C:\Windows\SysWOW64\Olmeci32.exe C:\Windows\SysWOW64\Onjegled.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfmajipb.exe C:\Windows\SysWOW64\Bapiabak.exe N/A
File created C:\Windows\SysWOW64\Lmmcfa32.dll C:\Windows\SysWOW64\Kpccnefa.exe N/A
File created C:\Windows\SysWOW64\Bnckcnhb.dll C:\Windows\SysWOW64\Kacphh32.exe N/A
File created C:\Windows\SysWOW64\Kibgmdcn.exe C:\Windows\SysWOW64\Kdeoemeg.exe N/A
File created C:\Windows\SysWOW64\Pnonbk32.exe C:\Windows\SysWOW64\Pgefeajb.exe N/A
File opened for modification C:\Windows\SysWOW64\Afmhck32.exe C:\Windows\SysWOW64\Aeklkchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Dfknkg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe C:\Windows\SysWOW64\Deagdn32.exe N/A
File created C:\Windows\SysWOW64\Cehkhecb.exe C:\Windows\SysWOW64\Cbjoljdo.exe N/A
File created C:\Windows\SysWOW64\Dddojq32.exe C:\Windows\SysWOW64\Dccbbhld.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncbknfed.exe C:\Windows\SysWOW64\Npcoakfp.exe N/A
File created C:\Windows\SysWOW64\Lcnhho32.dll C:\Windows\SysWOW64\Odmgcgbi.exe N/A
File created C:\Windows\SysWOW64\Bdjinlko.dll C:\Windows\SysWOW64\Pmoahijl.exe N/A
File opened for modification C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bebblb32.exe N/A
File created C:\Windows\SysWOW64\Ibcmom32.exe C:\Windows\SysWOW64\Ipdqba32.exe N/A
File created C:\Windows\SysWOW64\Jmbdbd32.exe C:\Windows\SysWOW64\Jfhlejnh.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpeiioac.exe C:\Windows\SysWOW64\Kmfmmcbo.exe N/A
File opened for modification C:\Windows\SysWOW64\Lekehdgp.exe C:\Windows\SysWOW64\Lbmhlihl.exe N/A
File created C:\Windows\SysWOW64\Pqdqof32.exe C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
File created C:\Windows\SysWOW64\Pcpopjlq.dll C:\Windows\SysWOW64\Blfdia32.exe N/A
File created C:\Windows\SysWOW64\Jfhlejnh.exe C:\Windows\SysWOW64\Jcioiood.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbgbgj32.exe C:\Windows\SysWOW64\Colffknh.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkljak32.exe C:\Windows\SysWOW64\Dhnnep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbceejpf.exe C:\Windows\SysWOW64\Kpeiioac.exe N/A
File created C:\Windows\SysWOW64\Ifndpaoq.dll C:\Windows\SysWOW64\Njqmepik.exe N/A
File created C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Dogogcpo.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll" C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" C:\Windows\SysWOW64\Bffkij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" C:\Windows\SysWOW64\Onjegled.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll" C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfmpnfb.dll" C:\Windows\SysWOW64\Bjpaooda.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eabbjc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gododflk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Okloegjl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdolhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhkffjm.dll" C:\Windows\SysWOW64\Conclk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjahg32.dll" C:\Windows\SysWOW64\Gdcdbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lpocjdld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pkjlge32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kphmie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Conclk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nepgjaeg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pqdqof32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kmnjhioc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmbmidf.dll" C:\Windows\SysWOW64\Pcjapi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Flceckoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nfjjppmm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Odnnnnfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmacdaj.dll" C:\Windows\SysWOW64\Icgjmapi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ngpccdlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nkncdifl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Njfmke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alkdnboj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fakdpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibqpimpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipknlb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Medgncoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgkmfoj.dll" C:\Windows\SysWOW64\Gkkojgao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qjpiha32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cbefaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll" C:\Windows\SysWOW64\Pdifoehl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pclgkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apignbdf.dll" C:\Windows\SysWOW64\Fdnjgmle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkkojgao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll" C:\Windows\SysWOW64\Ngpccdlj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jbmfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdhbec32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qalnjkgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbjoljdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkgqfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll" C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epogol32.dll" C:\Windows\SysWOW64\Paegjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Elppfmoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll" C:\Windows\SysWOW64\Lmbmibhb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ampkof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafdghob.dll" C:\Windows\SysWOW64\Pqnaim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qloebdig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hihbijhn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmkfhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lekehdgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" C:\Windows\SysWOW64\Ddjejl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deokon32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe C:\Windows\SysWOW64\Jjpeepnb.exe
PID 4056 wrote to memory of 3724 N/A C:\Windows\SysWOW64\Jjpeepnb.exe C:\Windows\SysWOW64\Jmnaakne.exe
PID 3724 wrote to memory of 932 N/A C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jbkjjblm.exe
PID 932 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Jbkjjblm.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 1948 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jbmfoa32.exe
PID 1192 wrote to memory of 4200 N/A C:\Windows\SysWOW64\Jbmfoa32.exe C:\Windows\SysWOW64\Jmbklj32.exe
PID 4200 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Jmbklj32.exe C:\Windows\SysWOW64\Jdmcidam.exe
PID 1848 wrote to memory of 4880 N/A C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\SysWOW64\Jfkoeppq.exe
PID 4880 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Jfkoeppq.exe C:\Windows\SysWOW64\Jiikak32.exe
PID 1068 wrote to memory of 444 N/A C:\Windows\SysWOW64\Jiikak32.exe C:\Windows\SysWOW64\Kpccnefa.exe
PID 444 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Kpccnefa.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 4232 wrote to memory of 1880 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kilhgk32.exe
PID 1880 wrote to memory of 376 N/A C:\Windows\SysWOW64\Kilhgk32.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 376 wrote to memory of 3160 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kdaldd32.exe
PID 3160 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Kdaldd32.exe C:\Windows\SysWOW64\Kkkdan32.exe
PID 2896 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Kkkdan32.exe C:\Windows\SysWOW64\Kinemkko.exe
PID 1164 wrote to memory of 4828 N/A C:\Windows\SysWOW64\Kinemkko.exe C:\Windows\SysWOW64\Kmjqmi32.exe
PID 4828 wrote to memory of 4064 N/A C:\Windows\SysWOW64\Kmjqmi32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 4064 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kbfiep32.exe
PID 1488 wrote to memory of 492 N/A C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\SysWOW64\Kgbefoji.exe
PID 492 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Kgbefoji.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 1712 wrote to memory of 3216 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kmlnbi32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe

"C:\Users\Admin\AppData\Local\Temp\040f29080a490d2b8f719a22d7fbc9654a0b7923bb25c751b88658b72de21d37.exe"


C:\Windows\system32\Foabofnn.exe

C:\Windows\SysWOW64\Fbpnkama.exe

C:\Windows\system32\Fbpnkama.exe

C:\Windows\SysWOW64\Fdnjgmle.exe

C:\Windows\system32\Fdnjgmle.exe

C:\Windows\SysWOW64\Fhjfhl32.exe

C:\Windows\system32\Fhjfhl32.exe

C:\Windows\SysWOW64\Gododflk.exe

C:\Windows\system32\Gododflk.exe

C:\Windows\SysWOW64\Gbbkaako.exe

C:\Windows\system32\Gbbkaako.exe

C:\Windows\SysWOW64\Gkkojgao.exe

C:\Windows\system32\Gkkojgao.exe

C:\Windows\SysWOW64\Gcagkdba.exe

C:\Windows\system32\Gcagkdba.exe

C:\Windows\SysWOW64\Gfpcgpae.exe

C:\Windows\system32\Gfpcgpae.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gkmlofol.exe

C:\Windows\system32\Gkmlofol.exe

C:\Windows\SysWOW64\Gcddpdpo.exe

C:\Windows\system32\Gcddpdpo.exe

C:\Windows\SysWOW64\Ghaliknf.exe

C:\Windows\system32\Ghaliknf.exe

C:\Windows\SysWOW64\Gcfqfc32.exe

C:\Windows\system32\Gcfqfc32.exe

C:\Windows\SysWOW64\Gfembo32.exe

C:\Windows\system32\Gfembo32.exe

C:\Windows\SysWOW64\Gicinj32.exe

C:\Windows\system32\Gicinj32.exe

C:\Windows\SysWOW64\Gkaejf32.exe

C:\Windows\system32\Gkaejf32.exe

C:\Windows\SysWOW64\Gcimkc32.exe

C:\Windows\system32\Gcimkc32.exe

C:\Windows\SysWOW64\Gblngpbd.exe

C:\Windows\system32\Gblngpbd.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hkdbpe32.exe

C:\Windows\system32\Hkdbpe32.exe

C:\Windows\SysWOW64\Hfifmnij.exe

C:\Windows\system32\Hfifmnij.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hkfoeega.exe

C:\Windows\system32\Hkfoeega.exe

C:\Windows\SysWOW64\Hcmgfbhd.exe

C:\Windows\system32\Hcmgfbhd.exe

C:\Windows\SysWOW64\Hflcbngh.exe

C:\Windows\system32\Hflcbngh.exe

C:\Windows\SysWOW64\Hijooifk.exe

C:\Windows\system32\Hijooifk.exe

C:\Windows\SysWOW64\Hmfkoh32.exe

C:\Windows\system32\Hmfkoh32.exe

C:\Windows\SysWOW64\Hkikkeeo.exe

C:\Windows\system32\Hkikkeeo.exe

C:\Windows\SysWOW64\Hcpclbfa.exe

C:\Windows\system32\Hcpclbfa.exe

C:\Windows\SysWOW64\Hfnphn32.exe

C:\Windows\system32\Hfnphn32.exe

C:\Windows\SysWOW64\Himldi32.exe

C:\Windows\system32\Himldi32.exe

C:\Windows\SysWOW64\Hkkhqd32.exe

C:\Windows\system32\Hkkhqd32.exe

C:\Windows\SysWOW64\Hcbpab32.exe

C:\Windows\system32\Hcbpab32.exe

C:\Windows\SysWOW64\Hbeqmoji.exe

C:\Windows\system32\Hbeqmoji.exe

C:\Windows\SysWOW64\Hecmijim.exe

C:\Windows\system32\Hecmijim.exe

C:\Windows\SysWOW64\Hkmefd32.exe

C:\Windows\system32\Hkmefd32.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Hfcicmqp.exe

C:\Windows\system32\Hfcicmqp.exe

C:\Windows\SysWOW64\Immapg32.exe

C:\Windows\system32\Immapg32.exe

C:\Windows\SysWOW64\Ipknlb32.exe

C:\Windows\system32\Ipknlb32.exe

C:\Windows\SysWOW64\Icgjmapi.exe

C:\Windows\system32\Icgjmapi.exe

C:\Windows\SysWOW64\Ifefimom.exe

C:\Windows\system32\Ifefimom.exe

C:\Windows\SysWOW64\Imoneg32.exe

C:\Windows\system32\Imoneg32.exe

C:\Windows\SysWOW64\Iblfnn32.exe

C:\Windows\system32\Iblfnn32.exe

C:\Windows\SysWOW64\Imakkfdg.exe

C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Ickchq32.exe

C:\Windows\system32\Ickchq32.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Iemppiab.exe

C:\Windows\system32\Iemppiab.exe

C:\Windows\SysWOW64\Imdgqfbd.exe

C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Ipbdmaah.exe

C:\Windows\system32\Ipbdmaah.exe

C:\Windows\SysWOW64\Ibqpimpl.exe

C:\Windows\system32\Ibqpimpl.exe

C:\Windows\SysWOW64\Ieolehop.exe

C:\Windows\system32\Ieolehop.exe

C:\Windows\SysWOW64\Imfdff32.exe

C:\Windows\system32\Imfdff32.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jimekgff.exe

C:\Windows\system32\Jimekgff.exe

C:\Windows\SysWOW64\Jlkagbej.exe

C:\Windows\system32\Jlkagbej.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jcbihpel.exe

C:\Windows\system32\Jcbihpel.exe

C:\Windows\SysWOW64\Jfaedkdp.exe

C:\Windows\system32\Jfaedkdp.exe

C:\Windows\SysWOW64\Jioaqfcc.exe

C:\Windows\system32\Jioaqfcc.exe

C:\Windows\SysWOW64\Jlnnmb32.exe

C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jcefno32.exe

C:\Windows\system32\Jcefno32.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jianff32.exe

C:\Windows\system32\Jianff32.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jcgbco32.exe

C:\Windows\system32\Jcgbco32.exe

C:\Windows\SysWOW64\Jehokgge.exe

C:\Windows\system32\Jehokgge.exe

C:\Windows\SysWOW64\Jlbgha32.exe

C:\Windows\system32\Jlbgha32.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jcioiood.exe

C:\Windows\system32\Jcioiood.exe

C:\Windows\SysWOW64\Jfhlejnh.exe

C:\Windows\system32\Jfhlejnh.exe

C:\Windows\SysWOW64\Jmbdbd32.exe

C:\Windows\system32\Jmbdbd32.exe

C:\Windows\SysWOW64\Jcllonma.exe

C:\Windows\system32\Jcllonma.exe

C:\Windows\SysWOW64\Kemhff32.exe

C:\Windows\system32\Kemhff32.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kepelfam.exe

C:\Windows\system32\Kepelfam.exe

C:\Windows\SysWOW64\Kikame32.exe

C:\Windows\system32\Kikame32.exe

C:\Windows\SysWOW64\Kmfmmcbo.exe

C:\Windows\system32\Kmfmmcbo.exe

C:\Windows\SysWOW64\Kpeiioac.exe

C:\Windows\system32\Kpeiioac.exe

C:\Windows\SysWOW64\Kbceejpf.exe

C:\Windows\system32\Kbceejpf.exe

C:\Windows\SysWOW64\Kfoafi32.exe

C:\Windows\system32\Kfoafi32.exe

C:\Windows\SysWOW64\Kimnbd32.exe

C:\Windows\system32\Kimnbd32.exe

C:\Windows\SysWOW64\Kpgfooop.exe

C:\Windows\system32\Kpgfooop.exe

C:\Windows\SysWOW64\Kbfbkj32.exe

C:\Windows\system32\Kbfbkj32.exe

C:\Windows\SysWOW64\Kmkfhc32.exe

C:\Windows\system32\Kmkfhc32.exe

C:\Windows\SysWOW64\Klngdpdd.exe

C:\Windows\system32\Klngdpdd.exe

C:\Windows\SysWOW64\Kdeoemeg.exe

C:\Windows\system32\Kdeoemeg.exe

C:\Windows\SysWOW64\Kibgmdcn.exe

C:\Windows\system32\Kibgmdcn.exe

C:\Windows\SysWOW64\Klqcioba.exe

C:\Windows\system32\Klqcioba.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Liddbc32.exe

C:\Windows\system32\Liddbc32.exe

C:\Windows\SysWOW64\Lpnlpnih.exe

C:\Windows\system32\Lpnlpnih.exe

C:\Windows\SysWOW64\Lbmhlihl.exe

C:\Windows\system32\Lbmhlihl.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Lmbmibhb.exe

C:\Windows\system32\Lmbmibhb.exe

C:\Windows\SysWOW64\Lpqiemge.exe

C:\Windows\system32\Lpqiemge.exe

C:\Windows\SysWOW64\Lenamdem.exe

C:\Windows\system32\Lenamdem.exe

C:\Windows\SysWOW64\Llgjjnlj.exe

C:\Windows\system32\Llgjjnlj.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mipcob32.exe

C:\Windows\system32\Mipcob32.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mdehlk32.exe

C:\Windows\system32\Mdehlk32.exe

C:\Windows\SysWOW64\Mibpda32.exe

C:\Windows\system32\Mibpda32.exe

C:\Windows\SysWOW64\Mlampmdo.exe

C:\Windows\system32\Mlampmdo.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Mmpijp32.exe

C:\Windows\system32\Mmpijp32.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Mgimcebb.exe

C:\Windows\system32\Mgimcebb.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Npcoakfp.exe

C:\Windows\system32\Npcoakfp.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Nepgjaeg.exe

C:\Windows\system32\Nepgjaeg.exe

C:\Windows\SysWOW64\Nngokoej.exe

C:\Windows\system32\Nngokoej.exe

C:\Windows\SysWOW64\Ndaggimg.exe

C:\Windows\system32\Ndaggimg.exe

C:\Windows\SysWOW64\Ngpccdlj.exe

C:\Windows\system32\Ngpccdlj.exe

C:\Windows\SysWOW64\Nebdoa32.exe

C:\Windows\system32\Nebdoa32.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Nphhmj32.exe

C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Nloiakho.exe

C:\Windows\system32\Nloiakho.exe

C:\Windows\SysWOW64\Ncianepl.exe

C:\Windows\system32\Ncianepl.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Nlaegk32.exe

C:\Windows\system32\Nlaegk32.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Odkjng32.exe

C:\Windows\system32\Odkjng32.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Odmgcgbi.exe

C:\Windows\system32\Odmgcgbi.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Ocbddc32.exe

C:\Windows\system32\Ocbddc32.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Onhhamgg.exe

C:\Windows\system32\Onhhamgg.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Olmeci32.exe

C:\Windows\system32\Olmeci32.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pgefeajb.exe

C:\Windows\system32\Pgefeajb.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pmannhhj.exe

C:\Windows\system32\Pmannhhj.exe

C:\Windows\SysWOW64\Pdifoehl.exe

C:\Windows\system32\Pdifoehl.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pnakhkol.exe

C:\Windows\system32\Pnakhkol.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pqpgdfnp.exe

C:\Windows\system32\Pqpgdfnp.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pcppfaka.exe

C:\Windows\system32\Pcppfaka.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pnfdcjkg.exe

C:\Windows\system32\Pnfdcjkg.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pcbmka32.exe

C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Pjmehkqk.exe

C:\Windows\system32\Pjmehkqk.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Aqppkd32.exe

C:\Windows\system32\Aqppkd32.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Bcjlcn32.exe

C:\Windows\system32\Bcjlcn32.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 11412 -ip 11412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11412 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1916-0-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Jjpeepnb.exe

MD5 c49b45a2581cbc17653e11bfa490aef7
SHA1 038babb7c6826d6d4d3005f1f39b6ee93c1eac95
SHA256 03982760423ef6397d417fa7363093aa09b20f08834aa6937b280ba99e0bbf5f
SHA512 e0c28151703bc56b3dce0e22a0c4ffd27f311fffba209074a1e0a9c1bf5bdbc15d7028d34d3aff6f331a23bd5ca62f4021eb4aad7548662f11a163b87c73c4b6

memory/4056-8-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Jmnaakne.exe

MD5 525fc150fe30ee02f87adac481a91aa8
SHA1 b0623a7d247c8a7cd691da11af820410ccff3ab3
SHA256 5757ed7cc279cc50cd1139636d30147f226875d66767d34deb27d84b8fb124b3
SHA512 d5bfbf058665d12c047d7372e6c7509640085f1cadf3e3613bd2de7cf82513873966f337152586eb2f4e75b65060a43b143ed09ba3dee388eea96d80ae7a1f32

memory/3724-16-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Jbkjjblm.exe

MD5 e63ad444f0b5bd65b91714ae5b9b42bf
SHA1 bdebe39dd1e44597cd5cce3f9bfa4cbb72caa3e4
SHA256 4529956bb51d04a6c7754a433b266fbeba45453e30468610f3ef6bc8fee198bd
SHA512 be2313376c0591b8b194374de894ad8796eef33e4e3cb40f210d11b1067841cab5eb48d6a673490d232f14c686bc3e214f10d5d637ab64b3b1588dc6fc441c09

memory/932-24-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Jjbako32.exe

MD5 2f069b3401e2ad2969bd5c79b5aac3ac
SHA1 21efb9737873307129aac7347c838e84e8d0b58e
SHA256 32add9091dd4e2ba9e512b263a0b010cef219e90020e06d66c7b8a75bda6bc96
SHA512 b4c189c5924e50f71208de8095b63b32739dc8b95fa52c24c8eff255453ec5a3336aefbd6e59bcbf6e289c66676f853e406fa0e86c2ef391480a1ce9a9a7aa16

C:\Windows\SysWOW64\Jeiooj32.dll

MD5 fe2f5acf8b379537919d6c0f2e673da7
SHA1 b913a6f712843918b4a8d7831a4e56796bd3b3a0
SHA256 b0e4254d87a12121b20caf41983f99b87fa439bb562b979947b7ab836684c5f3
SHA512 3fb158e4563a6dbbb2e9299d847270aa0c5b99014a6d3198a6e8977058185d95349fa82e53713de713099bf56ac0744d47e7907cf87e9d1ad471a45de3356afc

C:\Windows\SysWOW64\Jbmfoa32.exe

MD5 cda057030886c9cc63498e2bf3a3ef9b
SHA1 ea1f47480792ad5696c7c78864e87e3dd557d3d3
SHA256 26adb3ad22128b1d050f0a669445836eed8dbcc17b0fe58e5857ea10529f5a2c
SHA512 8b1de163c7174a7565576c12ade53666cddf50ebf50556764a9e58741867d82a6eec8467eb0c231a0946476bd88a8d335cda7a45152f52647915f74d7c491d97

memory/1948-32-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Jbmfoa32.exe

MD5 69e1db4a3aaf5ca37caf6eda0930868b
SHA1 7f8106664102a60a9370479257731aca96da3d3e
SHA256 598b01c4f136ec77796a7b73ca3fc376473bb5708107f9f6d7d227206b149717
SHA512 95dde88044d091f70aa81a28ba1f412ff279014e5735f619c93760b49d3fd47f632caee3898b385ff5a8402513a67b19cfd25bb1124441ca217a4503b55ee95a

memory/1192-39-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Jmbklj32.exe

MD5 ea273092b33336a8b9bbfe246a5e9023
SHA1 bda96cba8b10c40d6d8724264e1246c8a5b5faf1
SHA256 de757cdf35d5b504ef3b245791414cdc32258e6487ddd2818a67c837c135d895
SHA512 6a7b3c92ba57b87c9f9a7648848754ed309426b169061870d374f59141bbe6d79fc426197bc3777f46f51184b0f96329b3162543192a4ce029de87606f5923e0

C:\Windows\SysWOW64\Jdmcidam.exe

MD5 486840085ef3ff360ba4ab65fa54853c
SHA1 ee2f7805fc9f40bddbb17b5fd849276b859f67f2
SHA256 488bce85583041bbbb5534004ecc214455248fb4e88ce544a0a847f4bdb665f6
SHA512 9181f9e2a24e7d878307888909fb759274063dc1fb64dc1a9b109c44184384b9c99b94df702a0cd9469d67f00dd848c18428430c6a7180d7275dfeff0ee00de0

memory/1848-56-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Jfkoeppq.exe

MD5 57a3aeb6f52c360ed10a700fbb4b5768
SHA1 a2ae8273f45035ee02f57c6eaeb720fd8cf325ee
SHA256 7479486d034e7a520aa45be65b95844e0c7177df55fbf5be1e81ff76a092cb20
SHA512 c5f14ef249e59f40fb7e232c9994d2b8b830061dd18157a876acaef2ab7dd963b7325db959322fdcc5f5bb7daa2703bf5e2539a3660fd6f5af12578280a9d5c0

C:\Windows\SysWOW64\Jiikak32.exe

MD5 b97473923739aa5accb9a2ebd5b8d195
SHA1 24a78f7565737a895c0b04f674e7b408e54eb89f
SHA256 4de944d6a66b4943046242c54c953e84b8e35e93a8146e2ccdcb3c7a1e7d80dd
SHA512 cceae08dde92cf71654ccf14bd075bf9cbd56ff3a6ec1d646c555af03acb3f16f1a69015052badb9c098542716ed5480b047f38103a222aed57c74b8b4c25ea6

memory/444-83-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Kpccnefa.exe

MD5 f8a7be376ade301582ced9428b1c3fd9
SHA1 b9c1f706ac8097049cb23d9d5896379697711443
SHA256 f4aebc9883ab05368aa6e87225e3a90cb625fae83483c6816ee036994ace5e8b
SHA512 6dfc9a51dcd67743af0d3766eb32ee484dfddf50a3bbfecff66284690a5fbfe2c12855eb6e595e7bbfde214e2949138725e90a269517b376b59eac23a1ec2b4a

C:\Windows\SysWOW64\Kbapjafe.exe

MD5 4638a384513627421d92ce66ad1a0e15
SHA1 8f5fae355eac20bd2c011eb8466143e33ee82058
SHA256 031508fdd13217f8e6152bef11bc920c4005f1db1b33153a67980c6ebaea16f8
SHA512 5f956fe242df0be5a3960905a06928c7cf459f4a4dc80492507ac7bb277a25ed7142dd67742922dfbbae69cc7a2ce388085f93c9f1aec2258af243e2ddb68b14

C:\Windows\SysWOW64\Kilhgk32.exe

MD5 f4cf72fea16977d7f217d916dfe59663
SHA1 58ac4ed0df0f9997f49096faa6b73d1b9adee437
SHA256 5e2a3407d2318efd4fe8cc0f4725a0c73a3e1675718756626a78983c46317622
SHA512 31202fa9475aa67b6edc3ab9664c98b67bcfdf36fde84bc87fe1949e3e63fb740feb3e4cdb35154fcba1f683469011eced79511a0c864b193c931f31a3663803

memory/1880-94-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Kacphh32.exe

MD5 078c4948a74d860bc4988836979b55de
SHA1 334a1b455515c4bfe2e45ee656ee28d7d5e49d12
SHA256 89bc700a4ce2d69b016c60d17c6722611c7db61a143357fd09fd71bae2ac86f1
SHA512 2a0b7f21876f2c5d0806324cf9b2bb161f4e6d322475da660ae4bb65b0f130068d34dfe42a672d75d78885bb6c4676296ebf622de36efc0f96bc7a4441ca612b

memory/4232-107-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\Kdaldd32.exe

MD5 12ebdc8282fc83399c2f94366db8478a
SHA1 d4504042285754922f544aa89e66a3d8f0783897
SHA256 790c491c481851ee38f2908049221ffd98e4aa94a5bc039086c0be2a6389587e
SHA512 cc97d31e1a692a7bed69569370370a940ced3ff7773f63deb8c08506a75a332d4a901b6f238e73c4bb43d024a5e95ec8e8d47ac0fbf3829dd75a462c4386250e

C:\Windows\SysWOW64\Kkkdan32.exe

MD5 9416478f1d53704fc6189ed4c808cbe3
SHA1 7620b644d6443e361bcf8270920239401d4cf3cf
SHA256 9f77341999afaf643ca147a1129613fceec17bf5176d82395e20ec87bcde9456
SHA512 0e2574e7bf06d11cd64b6cb877e7e49cb19317c8f92680fe59c5f360ad35aa643ed8e2a2f9f9b1a7a1284265a51f02c072ecbc99b4257a7358ac5a69ed61693c

C:\Windows\SysWOW64\Kinemkko.exe

MD5 d6a6daa5d8f439fd0b745d85ad7fbd41
SHA1 87f65eb4301e1b59ad3fc13b90fad4868a026765
SHA256 23ec901d3b9f5a17d24cd52eb086c78f69eb935cf26d097841012658026afb0c
SHA512 916a1cb9dcbbf7d9f26935d985e0d1e7bad17fb12f825f247ea4719d6a86b9e35ca62f4957129c68c0a468a39a623b31654117c25fcc0da08a215afd185938d6

C:\Windows\SysWOW64\Kmjqmi32.exe

MD5 f7004661669ef0090fc5d3d56439f577
SHA1 85931e30c866944e473b882b897f34bcd532103f
SHA256 d2b305e46b84977f27c9a3907cee5b6e1cd7c2a109d72bf9b2bfcbc97ad2e307
SHA512 edaf3acea6768f3d4275ceb48816a1efd9bb6c065959660645a26ff1ec4339344e59ba9064a11511d31e2baf5a119017e24ea8ae853f1cd6b566787bd78fbbb0

C:\Windows\SysWOW64\Kphmie32.exe

MD5 9ffa1fa11de6479d0d3c33e3e1939e63
SHA1 41162d649142de4fd7406f7790cb6648951ec772
SHA256 0df17c5ae82ea22eb5748cf5c76eeb3130ffb6377c918db076d0515de8da7bce
SHA512 94428c949b79bbc8bb9e2fc4aa736993287e71fe8cebcda376167cf0e9c0a750a0dc340949eb741a7f1531d2598bfae9eb7ccabf9730f28a49cc99d982de44b1

C:\Windows\SysWOW64\Kbfiep32.exe

MD5 3d9e3ee078d52e117f5b6178f22e5984
SHA1 8fa105427e3f3701bbbc2f8d6289205fd04f9617
SHA256 729dcba5c1d86df99c33d839bcc3ea154a4682efb17cb07bcc3c68444ff0b5c4
SHA512 8d04f12b1d335b9ccf6ea25148f558c22fa612954e25e4c6d6f5e37d42af99294c30682b495749b576816b3cd362d0e7dce0092dfcbe054b7244f071e518e63f

C:\Windows\SysWOW64\Kgbefoji.exe

MD5 20c2bf63aa6678202c0946a7488125f5
SHA1 a4328b12abeeac58d3e09b3643d1c651412e4a2c
SHA256 bee865d37dbe3cb83b3611bc72590b98d2103731e22753274f141c6daf6ff6ff
SHA512 de81d842d86b709fa14ad07ee5e6425701a3f69b69be43ae888ac5db5551dbac14808834089d0849377ff5edf73044a296c4d065b2568157e171cc3ff7468597

C:\Windows\SysWOW64\Kknafn32.exe

MD5 76d800cfa31cc007d6816d026961442e
SHA1 a92216de4c334aeec26b7cfb98bbce488520da61
SHA256 eb0e2bc5863d1cefa96940c5566afc79cdb2bdb51cc0f6fc47a6bd7ce9bb80d0
SHA512 433b0798d278f0ae5afd0b207d45321f8c88df85da794e32dc83e4c5fb55ae18474b0a230b7cafa601f2bf40e1cbf72c4879872394aad4f554d05f27d1c93431

C:\Windows\SysWOW64\Kmlnbi32.exe

MD5 254a5abe99659a34551085d49b8fcf7a
SHA1 f3926692b3917c4f1651d47f1bcc0f94c2a4612d
SHA256 e83a3bbb4063b604d90f0349fdd65b07fe69e0b08fc1c211cc1e2db15bed6b40
SHA512 6cb55f1f13a21efebf149e2956e0926ea0e33d72c76f17edd863b521069366c3280a997e74bf503c3f43e53ad963493b575bb8f81f487e4857bd2cb50d01558a

C:\Windows\SysWOW64\Kkpnlm32.exe

MD5 7cdf708beb028a04379c80ce3d2847a3
SHA1 dfa9268a9cd8266ac0e99275a579949ee2973106
SHA256 8a1f1e7cec7ef1403c4fdf7de05dbe568777ea18d50f38c3554fc3975331b2c3
SHA512 70ae6bc7a9b84ca488eb11fdf7b754ea7bcf9cb5f21ff2b42afae841624cd9c282c17e4a8ecb249726de5be4b3b489ab3ee309698399dd48e8ab647fbbb623d2

C:\Windows\SysWOW64\Kmnjhioc.exe

MD5 67a0c5cd2b343748e7cdcf8e2f7e4076
SHA1 b2ca3cccc822f2f1b3cf49e254e2a8e4070aa299
SHA256 2c5f6c417e03f4c35f87f91ceb1333d0e673c478ac86f0372a800c1515e06188
SHA512 d12147ff158958222ae96726eba8e5b684df0bc70f4d250c2ae4436fa837ee840bf33879ca3f6624234638f91c253c3b5115409f7838c8921be3103f1b8af363

C:\Windows\SysWOW64\Kpmfddnf.exe

MD5 e050c31966573bfefb33adefcf66206b
SHA1 a1bde077a8c7e8a0974ce4222b021f8fd5b50869
SHA256 4391ab8d7d29e6bf17fa2c0c0daa0e834a75c4e55779f1b6133dd0eca24bb32e
SHA512 02408a0d6b3d0f7ae2ec70f084cda39a0eddbe1b08c53c86612ad0aee73fb5af13ae3658904d6fd8eb9eab858e461b15598c56e42f6ee45f53c36efcf203919a

C:\Windows\SysWOW64\Kdhbec32.exe

MD5 1c37be1bd9e3c8c6e07577a198484e0d
SHA1 243209bb8da1375985155236797318fc68419b95
SHA256 631176defd2f724c7eab258f1b6b487fa411062988adfc1b786c358687a68f08
SHA512 2401fe0b38ab2d949a10cdfbbe14da8fe432d4be07a6719e6669504fe4aacfac6c340b2d338b94cfdc9f2e78ac6c3220516c3f3487db031f0b034e26c30db727

C:\Windows\SysWOW64\Kajfig32.exe

MD5 9fa39cac185699a2f8bc35712ffbf9aa
SHA1 47ec3b876f99305cf468cd152ff18817cdea87c8
SHA256 4d53fd333fc851a5836a4d3f1e439ed1350cecb58dde0aef64be99bcc38786eb
SHA512 e06efaf656d7777bfdfc675cc42a9ab254c2e2345bb5d3caa4a332fb97efada4b176a8f85ab55c0c7e4265ac888215052f40ac5ae1d4fbea3c5598f4b25da4d3

C:\Windows\SysWOW64\Kibnhjgj.exe

MD5 af0abc4d5b679a1fc78eec4e0b46ea51
SHA1 fec7fa4a25f431ac39d48ab925632aeb893db8eb
SHA256 11cdefb30602e8316d4ab9a5e4152cb0c22853259234b16d098a63cdf64c2e1c
SHA512 471331ce10d919ebd8e0bfc5e26114f82efde992882f8685102b10c499956a3f6e6bfc644a01352855c38bc6836997cf36825970dd73bbfa7afc5170a7f95a98

C:\Windows\SysWOW64\Kcifkp32.exe

MD5 e99633a9d28bda71b912a5abbc9cab02
SHA1 868586996fd2b2c76af80c2f91acfe90e4544192
SHA256 b0217872e27c8485d9d7e889ad72a98c49c4d8ec86ce24b87f585462ee9b999a
SHA512 c9ba2bf86264e103a6eaed650e25512672c3c2dfe38c9f84c1c2ea5b16aa137e0a20091a360bc06908fa7763510d776cf237d03054cf6169c417e9bc6098983a

C:\Windows\SysWOW64\Kdffocib.exe

MD5 662b7cbe2f0ad80ca392f0d0fbc0b73b
SHA1 7540e402583d92c174937ab96900cba7f14bd390
SHA256 f6e6e6599cd395f7023260e8386d2e1ef3b35ac15485fcb0bc7b103f9f52ed07
SHA512 707998b4a6ebdba668160f15dc7eeaa903e91668adf50b4a45ca119fb45f854a537fd88946d28264f84dbdff9088820b5712c1915533c8d7093bc0db664de8cf

C:\Windows\SysWOW64\Kpjjod32.exe

MD5 cf870e3064308b3419995af57c06048b
SHA1 d0e698f759e0c9bca6106a8c644ccb48b16f7050
SHA256 091208c6b0499b1ba885adb9af91e833c9e08250520f2ff1703d6780d70060e5
SHA512 0c5875e1128ddece9902137171086847c2615d0e3cf749ec73b3c946a2ce0f14a293209d2d2fa5991174bf561e69bbf0f247cb911d2b0734a823e719b111ac54

C:\Windows\SysWOW64\Kagichjo.exe


C:\Windows\SysWOW64\Pcjapi32.exe

C:\Windows\SysWOW64\Pndohaqe.exe

C:\Windows\SysWOW64\Npcoakfp.exe

C:\Windows\SysWOW64\Cfmajipb.exe
