Analysis Overview
SHA256
042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d
Threat Level: Known bad
The file 042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:13
Reported
2024-04-07 18:15
Platform
win7-20240319-en
Max time kernel
120s
Max time network
126s
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aidnohbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cohigamf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nnhkcj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ombapedi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pamiog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Noqamn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojahnj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ofjfhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dpeekh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dbhnhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lojomkdn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nefpnhlc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ndkmpe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ebmgcohn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aidnohbk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ckoilb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Egllae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pgbhabjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Chbjffad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dpeekh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgnnln32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndpfkdmf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Onhgbmfb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caknol32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mdmmfa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Okgnab32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qfahhm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Oqideepg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhkdeggl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bpiipf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bblogakg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eqijej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nkgbbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ombapedi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qjjgclai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jbnhng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Noqamn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnhkcj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oqideepg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkpagq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ocnfbo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjhknm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Biamilfj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngpolo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ckoilb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dcadac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kgnnln32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lhpfqama.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lojomkdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bldcpf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dgjclbdi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dcadac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgbhabjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ahikqd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Onhgbmfb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjenhm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pjhknm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Anafhopc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdmmfa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ojahnj32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Lojomkdn.exe | C:\Windows\SysWOW64\Lhpfqama.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdmmfa32.exe | C:\Windows\SysWOW64\Lojomkdn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ombapedi.exe | C:\Windows\SysWOW64\Ojahnj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aidnohbk.exe | C:\Windows\SysWOW64\Anojbobe.exe | N/A |
| File created | C:\Windows\SysWOW64\Igdaoinc.dll | C:\Windows\SysWOW64\Anafhopc.exe | N/A |
| File created | C:\Windows\SysWOW64\Dbhnhp32.exe | C:\Windows\SysWOW64\Dfamcogo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eqgnokip.exe | C:\Windows\SysWOW64\Efaibbij.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Caknol32.exe | C:\Windows\SysWOW64\Chbjffad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfffnn32.exe | C:\Windows\SysWOW64\Dlnbeh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Enfenplo.exe | C:\Windows\SysWOW64\Egllae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qbgpffch.dll | C:\Windows\SysWOW64\Cjfccn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Egjpkffe.exe | C:\Windows\SysWOW64\Ebmgcohn.exe | N/A |
| File created | C:\Windows\SysWOW64\Okgnab32.exe | C:\Windows\SysWOW64\Ofjfhk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgggfhdc.dll | C:\Windows\SysWOW64\Okgnab32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dcadac32.exe | C:\Windows\SysWOW64\Dlgldibq.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipnnggjm.dll | C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe | N/A |
| File created | C:\Windows\SysWOW64\Bibkki32.dll | C:\Windows\SysWOW64\Kjnfniii.exe | N/A |
| File created | C:\Windows\SysWOW64\Apmabnaj.dll | C:\Windows\SysWOW64\Pjenhm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbkafj32.dll | C:\Windows\SysWOW64\Coelaaoi.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfkjnkib.dll | C:\Windows\SysWOW64\Pamiog32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mbiaej32.dll | C:\Windows\SysWOW64\Ahikqd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaqddb32.dll | C:\Windows\SysWOW64\Efaibbij.exe | N/A |
| File created | C:\Windows\SysWOW64\Clkmne32.dll | C:\Windows\SysWOW64\Fjaonpnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Egahmk32.dll | C:\Windows\SysWOW64\Omfkke32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pnjdhmdo.exe | C:\Windows\SysWOW64\Pgplkb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dpeekh32.exe | C:\Windows\SysWOW64\Dcadac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ionkallc.dll | C:\Windows\SysWOW64\Ombapedi.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpkeqmgm.dll | C:\Windows\SysWOW64\Onhgbmfb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qjjgclai.exe | C:\Windows\SysWOW64\Pjhknm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eekkdc32.dll | C:\Windows\SysWOW64\Bhkdeggl.exe | N/A |
| File created | C:\Windows\SysWOW64\Cohigamf.exe | C:\Windows\SysWOW64\Cdbdjhmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dlnbeh32.exe | C:\Windows\SysWOW64\Dbhnhp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjnfniii.exe | C:\Windows\SysWOW64\Kmjfdejp.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjjgclai.exe | C:\Windows\SysWOW64\Pjhknm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbnhng32.exe | C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe | N/A |
| File created | C:\Windows\SysWOW64\Iecenlqh.dll | C:\Windows\SysWOW64\Bpiipf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bpiipf32.exe | C:\Windows\SysWOW64\Ahikqd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dlgldibq.exe | C:\Windows\SysWOW64\Dgjclbdi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eqijej32.exe | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| File created | C:\Windows\SysWOW64\Ahikqd32.exe | C:\Windows\SysWOW64\Anafhopc.exe | N/A |
| File created | C:\Windows\SysWOW64\Biamilfj.exe | C:\Windows\SysWOW64\Bpiipf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lhpfqama.exe | C:\Windows\SysWOW64\Kjnfniii.exe | N/A |
| File created | C:\Windows\SysWOW64\Mnhlblil.dll | C:\Windows\SysWOW64\Oqideepg.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbnnqb32.dll | C:\Windows\SysWOW64\Pkpagq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhkdeggl.exe | C:\Windows\SysWOW64\Bldcpf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ofjfhk32.exe | C:\Windows\SysWOW64\Ombapedi.exe | N/A |
| File created | C:\Windows\SysWOW64\Behnnm32.exe | C:\Windows\SysWOW64\Biamilfj.exe | N/A |
| File created | C:\Windows\SysWOW64\Abkphdmd.dll | C:\Windows\SysWOW64\Ebmgcohn.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmjfdejp.exe | C:\Windows\SysWOW64\Kgnnln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpiipf32.exe | C:\Windows\SysWOW64\Ahikqd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cohigamf.exe | C:\Windows\SysWOW64\Cdbdjhmp.exe | N/A |
| File created | C:\Windows\SysWOW64\Enfenplo.exe | C:\Windows\SysWOW64\Egllae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgplkb32.exe | C:\Windows\SysWOW64\Onhgbmfb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qfahhm32.exe | C:\Windows\SysWOW64\Qjjgclai.exe | N/A |
| File created | C:\Windows\SysWOW64\Iakdqgfi.dll | C:\Windows\SysWOW64\Qjjgclai.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pgplkb32.exe | C:\Windows\SysWOW64\Onhgbmfb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddpkof32.dll | C:\Windows\SysWOW64\Pnjdhmdo.exe | N/A |
| File created | C:\Windows\SysWOW64\Bldcpf32.exe | C:\Windows\SysWOW64\Bblogakg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ckoilb32.exe | C:\Windows\SysWOW64\Cohigamf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Efaibbij.exe | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| File created | C:\Windows\SysWOW64\Aonghnnp.dll | C:\Windows\SysWOW64\Nefpnhlc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jejinjob.dll | C:\Windows\SysWOW64\Pgbhabjp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Biamilfj.exe | C:\Windows\SysWOW64\Bpiipf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pkpagq32.exe | C:\Windows\SysWOW64\Pbhmnkjf.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Fkckeh32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdcoomf.dll" | C:\Windows\SysWOW64\Cohigamf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dbhnhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" | C:\Windows\SysWOW64\Dbhnhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Noqamn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ombapedi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Biamilfj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dpeekh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll" | C:\Windows\SysWOW64\Dfamcogo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Eqgnokip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Lojomkdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" | C:\Windows\SysWOW64\Bpiipf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Behnnm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dookgcij.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkepc32.dll" | C:\Windows\SysWOW64\Nnhkcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" | C:\Windows\SysWOW64\Ofjfhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dookgcij.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebmgcohn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eqijej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kgnnln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aidnohbk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pamiog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejinjob.dll" | C:\Windows\SysWOW64\Pgbhabjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kjnfniii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" | C:\Windows\SysWOW64\Ndpfkdmf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afcenm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Egjpkffe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kgnnln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" | C:\Windows\SysWOW64\Noqamn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pgplkb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pjhknm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Anafhopc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlegpjp.dll" | C:\Windows\SysWOW64\Mdmmfa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Omfkke32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ofjfhk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pamiog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnnggjm.dll" | C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aefbii32.dll" | C:\Windows\SysWOW64\Lhpfqama.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Anojbobe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekkdc32.dll" | C:\Windows\SysWOW64\Bhkdeggl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ckoilb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eqgnokip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnnp32.dll" | C:\Windows\SysWOW64\Ngpolo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljilnja.dll" | C:\Windows\SysWOW64\Pbhmnkjf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Efaibbij.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bldcpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dlgldibq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" | C:\Windows\SysWOW64\Dfffnn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Egllae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll" | C:\Windows\SysWOW64\Dlgldibq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ojahnj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Onhgbmfb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" | C:\Windows\SysWOW64\Bblogakg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Lhpfqama.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Oqideepg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkallc.dll" | C:\Windows\SysWOW64\Ombapedi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pnjdhmdo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egahmk32.dll" | C:\Windows\SysWOW64\Omfkke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dcadac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obilnl32.dll" | C:\Windows\SysWOW64\Cdbdjhmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Anojbobe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdchio32.dll" | C:\Windows\SysWOW64\Lojomkdn.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe
"C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe"
C:\Windows\SysWOW64\Jbnhng32.exe
C:\Windows\system32\Jbnhng32.exe
C:\Windows\SysWOW64\Kgnnln32.exe
C:\Windows\system32\Kgnnln32.exe
C:\Windows\SysWOW64\Kmjfdejp.exe
C:\Windows\system32\Kmjfdejp.exe
C:\Windows\SysWOW64\Kjnfniii.exe
C:\Windows\system32\Kjnfniii.exe
C:\Windows\SysWOW64\Lhpfqama.exe
C:\Windows\system32\Lhpfqama.exe
C:\Windows\SysWOW64\Lojomkdn.exe
C:\Windows\system32\Lojomkdn.exe
C:\Windows\SysWOW64\Mdmmfa32.exe
C:\Windows\system32\Mdmmfa32.exe
C:\Windows\SysWOW64\Nefpnhlc.exe
C:\Windows\system32\Nefpnhlc.exe
C:\Windows\SysWOW64\Ndkmpe32.exe
C:\Windows\system32\Ndkmpe32.exe
C:\Windows\SysWOW64\Noqamn32.exe
C:\Windows\system32\Noqamn32.exe
C:\Windows\SysWOW64\Nejiih32.exe
C:\Windows\system32\Nejiih32.exe
C:\Windows\SysWOW64\Nkgbbo32.exe
C:\Windows\system32\Nkgbbo32.exe
C:\Windows\SysWOW64\Ndpfkdmf.exe
C:\Windows\system32\Ndpfkdmf.exe
C:\Windows\SysWOW64\Nnhkcj32.exe
C:\Windows\system32\Nnhkcj32.exe
C:\Windows\SysWOW64\Ngpolo32.exe
C:\Windows\system32\Ngpolo32.exe
C:\Windows\SysWOW64\Oqideepg.exe
C:\Windows\system32\Oqideepg.exe
C:\Windows\SysWOW64\Ojahnj32.exe
C:\Windows\system32\Ojahnj32.exe
C:\Windows\SysWOW64\Ombapedi.exe
C:\Windows\system32\Ombapedi.exe
C:\Windows\SysWOW64\Ofjfhk32.exe
C:\Windows\system32\Ofjfhk32.exe
C:\Windows\SysWOW64\Okgnab32.exe
C:\Windows\system32\Okgnab32.exe
C:\Windows\SysWOW64\Ocnfbo32.exe
C:\Windows\system32\Ocnfbo32.exe
C:\Windows\SysWOW64\Omfkke32.exe
C:\Windows\system32\Omfkke32.exe
C:\Windows\SysWOW64\Onhgbmfb.exe
C:\Windows\system32\Onhgbmfb.exe
C:\Windows\SysWOW64\Pgplkb32.exe
C:\Windows\system32\Pgplkb32.exe
C:\Windows\SysWOW64\Pnjdhmdo.exe
C:\Windows\system32\Pnjdhmdo.exe
C:\Windows\SysWOW64\Pgbhabjp.exe
C:\Windows\system32\Pgbhabjp.exe
C:\Windows\SysWOW64\Pbhmnkjf.exe
C:\Windows\system32\Pbhmnkjf.exe
C:\Windows\SysWOW64\Pkpagq32.exe
C:\Windows\system32\Pkpagq32.exe
C:\Windows\SysWOW64\Pamiog32.exe
C:\Windows\system32\Pamiog32.exe
C:\Windows\SysWOW64\Pjenhm32.exe
C:\Windows\system32\Pjenhm32.exe
C:\Windows\SysWOW64\Pjhknm32.exe
C:\Windows\system32\Pjhknm32.exe
C:\Windows\SysWOW64\Qjjgclai.exe
C:\Windows\system32\Qjjgclai.exe
C:\Windows\SysWOW64\Qfahhm32.exe
C:\Windows\system32\Qfahhm32.exe
C:\Windows\SysWOW64\Afcenm32.exe
C:\Windows\system32\Afcenm32.exe
C:\Windows\SysWOW64\Anojbobe.exe
C:\Windows\system32\Anojbobe.exe
C:\Windows\SysWOW64\Aidnohbk.exe
C:\Windows\system32\Aidnohbk.exe
C:\Windows\SysWOW64\Anafhopc.exe
C:\Windows\system32\Anafhopc.exe
C:\Windows\SysWOW64\Ahikqd32.exe
C:\Windows\system32\Ahikqd32.exe
C:\Windows\SysWOW64\Bpiipf32.exe
C:\Windows\system32\Bpiipf32.exe
C:\Windows\SysWOW64\Biamilfj.exe
C:\Windows\system32\Biamilfj.exe
C:\Windows\SysWOW64\Behnnm32.exe
C:\Windows\system32\Behnnm32.exe
C:\Windows\SysWOW64\Bblogakg.exe
C:\Windows\system32\Bblogakg.exe
C:\Windows\SysWOW64\Bldcpf32.exe
C:\Windows\system32\Bldcpf32.exe
C:\Windows\SysWOW64\Bhkdeggl.exe
C:\Windows\system32\Bhkdeggl.exe
C:\Windows\SysWOW64\Coelaaoi.exe
C:\Windows\system32\Coelaaoi.exe
C:\Windows\SysWOW64\Cdbdjhmp.exe
C:\Windows\system32\Cdbdjhmp.exe
C:\Windows\SysWOW64\Cohigamf.exe
C:\Windows\system32\Cohigamf.exe
C:\Windows\SysWOW64\Ckoilb32.exe
C:\Windows\system32\Ckoilb32.exe
C:\Windows\SysWOW64\Chbjffad.exe
C:\Windows\system32\Chbjffad.exe
C:\Windows\SysWOW64\Caknol32.exe
C:\Windows\system32\Caknol32.exe
C:\Windows\SysWOW64\Cjfccn32.exe
C:\Windows\system32\Cjfccn32.exe
C:\Windows\SysWOW64\Dgjclbdi.exe
C:\Windows\system32\Dgjclbdi.exe
C:\Windows\SysWOW64\Dlgldibq.exe
C:\Windows\system32\Dlgldibq.exe
C:\Windows\SysWOW64\Dcadac32.exe
C:\Windows\system32\Dcadac32.exe
C:\Windows\SysWOW64\Dpeekh32.exe
C:\Windows\system32\Dpeekh32.exe
C:\Windows\SysWOW64\Dfamcogo.exe
C:\Windows\system32\Dfamcogo.exe
C:\Windows\SysWOW64\Dbhnhp32.exe
C:\Windows\system32\Dbhnhp32.exe
C:\Windows\SysWOW64\Dlnbeh32.exe
C:\Windows\system32\Dlnbeh32.exe
C:\Windows\SysWOW64\Dfffnn32.exe
C:\Windows\system32\Dfffnn32.exe
C:\Windows\SysWOW64\Dookgcij.exe
C:\Windows\system32\Dookgcij.exe
C:\Windows\SysWOW64\Ebmgcohn.exe
C:\Windows\system32\Ebmgcohn.exe
C:\Windows\SysWOW64\Egjpkffe.exe
C:\Windows\system32\Egjpkffe.exe
C:\Windows\SysWOW64\Egllae32.exe
C:\Windows\system32\Egllae32.exe
C:\Windows\SysWOW64\Enfenplo.exe
C:\Windows\system32\Enfenplo.exe
C:\Windows\SysWOW64\Efaibbij.exe
C:\Windows\system32\Efaibbij.exe
C:\Windows\SysWOW64\Eqgnokip.exe
C:\Windows\system32\Eqgnokip.exe
C:\Windows\SysWOW64\Ejobhppq.exe
C:\Windows\system32\Ejobhppq.exe
C:\Windows\SysWOW64\Eqijej32.exe
C:\Windows\system32\Eqijej32.exe
C:\Windows\SysWOW64\Fjaonpnn.exe
C:\Windows\system32\Fjaonpnn.exe
C:\Windows\SysWOW64\Fkckeh32.exe
C:\Windows\system32\Fkckeh32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 140
Network
Files
memory/2200-0-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2200-6-0x0000000000300000-0x0000000000334000-memory.dmp
\Windows\SysWOW64\Jbnhng32.exe
| MD5 | 4bc0b05a9186422f271c8ed5487388ea |
| SHA1 | f37b9e70645f1fd3003c142e856456c126c006d4 |
| SHA256 | fd18bcffea6b10ee97ff38ea2381e5c25cafe4403fa32b189b45b7a210338909 |
| SHA512 | 330fd9a26bd565bcad4c4faeefed70efbda2bc637536a0f978810674e2aeb9fdd3f9e988003c80643a22f101761ebc4d7f3b0438d10b70ef409d0bd44c2284eb |
\Windows\SysWOW64\Kgnnln32.exe
| MD5 | f7c82ace3c1fbac11004a13cf158806e |
| SHA1 | 88c0b45f16c2b9a24139d8bd8bc496da164ff2b3 |
| SHA256 | 30b154e6fdc0df6298813a3ac2f203f547058e3a7e02c1b5e8c8a0c5a593d70c |
| SHA512 | 8c1140b13eab73800a7d4b0aeec68a5d3ab8c2a3b6f61721f6caf564fda35a7b50ab9f164fb052ace087c6ae50e8ee8f61521c8949f518589b2a948f43c38e78 |
C:\Windows\SysWOW64\Kmjfdejp.exe
| MD5 | 31e4dad28276293b159fea97e11ceec8 |
| SHA1 | d1f42326750211bc27dc4455f07537bbc4b9e434 |
| SHA256 | 3b2d50e55e810e90a2f61d81e14388a83ab8953c044084f034f9e450f3b1556d |
| SHA512 | 1df68e18f976306de1466828e5c846b0136f2541e9df2fff37f2878652c2816fbc223c299b527abd992e07c8a76daa66bc907beaf5c2de25c2804219b9519f03 |
memory/2200-18-0x0000000000300000-0x0000000000334000-memory.dmp
memory/2368-26-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Lhpfqama.exe
| MD5 | ad55b10c71204b7c33d79fd88b3161bc |
| SHA1 | 1bd2fb62391a4c4168f12cac786323db0fed87df |
| SHA256 | 141629e72de299f777e69ac8991261664fcb40f34a5f25bd05290c35b0845650 |
| SHA512 | b1f7fc66e64c8168fc23192907b1cb771a3d8def7e97c622311dbfe405d54f4df1ec19c9289088a5bae58d16bc345d6188275e436ec6203dd9deaa8236eab4ff |
C:\Windows\SysWOW64\Kjnfniii.exe
| MD5 | cc16f0862e7fe6186e7cf1ba77775c5f |
| SHA1 | 9a89d4bbad919f999a2aba0be1e97e0101942e63 |
| SHA256 | e790138e1133916b5e610b82c65c911c02e376d3a4807537960fd94f2ffdd72d |
| SHA512 | c2146a4b8c69dd7603fce5f8f4933d336e8b45cafd2e9d5b085889273f4543a1a18df2fe8af0ec5bdb097011e1066c14ed95d589f93b1cb2c1196888cc3e37ca |
C:\Windows\SysWOW64\Aefbii32.dll
| MD5 | 0fa77a000dc98ac1b8e4d464ec4ec005 |
| SHA1 | 3f9c17d40e74a76ee427042e35e85b734b37bc13 |
| SHA256 | a647bff7a1fbc12b83034d051948558e373fa4112a6f5f1e71796f435fcbb51a |
| SHA512 | 00d53242dd48d1d93b8a17e5a6b1c071b8a559e1672589313c8032466051edb67c5f19162c1be9a6f10550b7d22fd89bfd8ccf54a4517926aef7c3545fc54c48 |
memory/1744-50-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Lojomkdn.exe
| MD5 | 4f6c9991f74bd2d078c094f6e956fd98 |
| SHA1 | ae73c7ab0366f7aeaed86184b541ea2e92543418 |
| SHA256 | 83e388fc5b8854508178a902573c0fefaef28778ebeacdad7cf083f7879c5d0a |
| SHA512 | e9dbfc5b8ef328c29d22783610b160f5f464f0b4c3e1211123a5905510064a64d5ef48c12508a374f4913893676970dc73158413f4c847ba9be32d5c2f68d44e |
memory/2536-75-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2808-83-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2808-84-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2808-82-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Mdmmfa32.exe
| MD5 | f789633d2978d92867032bfa9ce1c4a5 |
| SHA1 | f34dd7dcd6f221c6a6ff1354ff22d35c50ed134a |
| SHA256 | 4ca144b39e66b8891ec26af6f1613eb5a62cc996a7e116c9c419f8524f68e33b |
| SHA512 | 87d134cbc5651d397abbc8e6e60b73b14e7e480c2f81e9ee871bfb717de6a8410b7606bdd826236b1e7f51806a69e92ad5ca253abbc51d9ab46af36d5b69ceb7 |
memory/2632-85-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2940-94-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1060-88-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Nefpnhlc.exe
| MD5 | 4c28b22134c82ba60134d06764dc52d3 |
| SHA1 | c8d120a63a7957b9a70787efb27b7c545bd720dc |
| SHA256 | 3ce4098bde3663d92782c6ed17c13f327ff414cab4a5f979d6bc36301c031c7e |
| SHA512 | d7def3bf06842485f5f94c542ba517cf8ad08a1e1bf748a5cd5257080613d7b5c1ac677a7261161b17723897a77a10fb041b89f58782d9ddfb1635bda3e3031e |
C:\Windows\SysWOW64\Ndkmpe32.exe
| MD5 | 678e50fd76ee7ddfb172ad78b0acbed0 |
| SHA1 | 978d6c99ff80ebdbecac176721aa854ef6a697a4 |
| SHA256 | 99959e536909c5ed76633a547f1beb46a3e2744cbf0fb2b184665ca20ed6d283 |
| SHA512 | b3d56508101765a7a1f11802b774529da7acfbd3f385fd085dd6987a576326a587d1046ff845e344d7d3c683338eb573b0ba4b8a6f88d9b33b8e30eba4e7fa19 |
C:\Windows\SysWOW64\Noqamn32.exe
| MD5 | 0f1893e0f11f123a7b46879d2b775c14 |
| SHA1 | b6396eb6ad430c11809d9f49b9853cb8d0e6c7c7 |
| SHA256 | c12a2225457336180a7c7e77e51d981e9ef5f931fc6c9842db87dec2719b11c9 |
| SHA512 | cfb0a807614671dbbad7a2a06a1e8a135466caa86c55897c749a11423f9f8e58a48acf4ef6623db8775e42735a3a11ba598121738c9256f98d885325aeb50a36 |
C:\Windows\SysWOW64\Nejiih32.exe
| MD5 | 77fc889f5af773a84b0506e0adad17fe |
| SHA1 | 53cb4a494947c034e479e1693c548768621342ae |
| SHA256 | 00d964e54a7212ca32d96c7bde82164b609feb757d7e099080f47d0fd8c524ac |
| SHA512 | c67a561b716a05cc743cd8cdf7f57d4cf641e677c2590d5fe2c23d8f1ed37b8b37a5cb43840e9ba519113e201b4dc2f716575d9900b4d98c7e31b1e9874c5aca |
C:\Windows\SysWOW64\Nkgbbo32.exe
| MD5 | 1da8a44abc8fdf7ca278b6dfcb45f110 |
| SHA1 | 0a4cdba69b666707d8a27f91064f23bd90800a57 |
| SHA256 | f66e17f90d104f66990da6fcbba39cc80bf634cd31579b78821d345381b386e6 |
| SHA512 | 6d0c10e4daa562c35b6b94bce3d884c1929fa29962b902c5a665d0931e40ffa1a0f0b0abdb928392c303e4b4949c3990b2535e47eb73905253e14963fbb3a688 |
\Windows\SysWOW64\Ngpolo32.exe
| MD5 | f34ea18f05de6b71cf6bc1e8c9905b61 |
| SHA1 | 76115d54f5a9edf053334fcce1a224091c8c8a38 |
| SHA256 | 171e914e789420fa58c4d2f788417dc3ba2b998a416b95974a7170282c51912c |
| SHA512 | 288dade6556b7d6c206c813269b85c7865ef2385b42f2abc35502f15a327e0cf61241ff7a423066841e42adb85de10afacc594aba49b87f3ad8d47c731caae8e |
C:\Windows\SysWOW64\Oqideepg.exe
| MD5 | 7d118c7f6d7917bec6d19ea5a5f228a0 |
| SHA1 | 8f62c799f482ec4e9a1553d073af44cd65e062b0 |
| SHA256 | 6935e5aae85232c11cd971c3ee8d4a1930e755d1b0a09bd7466623f9cc1dfa9a |
| SHA512 | 974399c146f4135f0c8ddbd5e294f29418c72cd6c867de1c362de56bdb51e5c3347f978bd8f43c47ccc375b915f7758a70b7999af403ed1162a6157b648cd75a |
C:\Windows\SysWOW64\Okgnab32.exe
| MD5 | 2ca4ae2de2d92134b4488d5927026bca |
| SHA1 | 3c4c5d7bb7d259c35f6f0b186ab07294e3d373e9 |
| SHA256 | 97499775e48b26456ae9e45102e5cbf88ba6ba2c4664f85e519e44346c96a3e2 |
| SHA512 | a9c251dd9a42e03f0256f2811000519b5ee3d7729f54453e67da05c2d1cc55eab42da7da9889d0deca5a53de16ec32a81c1db4eeec6dacb851f92de1434e59ad |
C:\Windows\SysWOW64\Pbhmnkjf.exe
| MD5 | b610d1ca4bfe62a017412457564e9892 |
| SHA1 | defdf2a8ca504d82bc1625f6f57bcc344d24f1ea |
| SHA256 | 5e8a7236bf651d972c247a9903143443724c227c6fba45bf5cb7ecbd3dfec868 |
| SHA512 | b7072a898a517bb4da76db06da82ad6c91f376ca7381ea144c08f8e3fe25d0ccd27c56c5a3f18c258ed0988432fbb9c316fee822d98c2abbe2d732e5ddb5a08c |
C:\Windows\SysWOW64\Anafhopc.exe
| MD5 | 416d8ab7fddad8aaa965dd353b7fdf83 |
| SHA1 | 447f068696c8b5f585adba6a37caf30ada07cca2 |
| SHA256 | 42cd61cad2b92735123d39ff416ad38fa9c0f398b09ec4aaceb18a71e50c02d0 |
| SHA512 | 2a7222ee6972e8a83dff16ee14db1229489f633a9b7f40ca00b5914c7ae0e82c771ad3adfe68c5a7ede955976ac0caa07a635b120143def318084656c00137c0 |
C:\Windows\SysWOW64\Ahikqd32.exe
| MD5 | fd715fbb704c9f72476e3886b03edbcb |
| SHA1 | 18b4a3f4fb4e8b8e875409fe855d9dfa4026d113 |
| SHA256 | 66944ce261e34b4ca08b2557b38438f60017dd45d140972360822c741b4c030b |
| SHA512 | 1ba5f96a28d3359895c4a661b1f279d19353238193d67732677cd8a373dd45cdad6e3313eb5dc15c3aa4a7d22608ccd52ada154aa521bc789a1825e1b103fd7c |
C:\Windows\SysWOW64\Behnnm32.exe
| MD5 | 06a1176cb8582203e15c6595b1357d58 |
| SHA1 | b306269a1ec59dca1313f101a8f40d83fd41e6e6 |
| SHA256 | 55b2f8f4c0389f803c8a1b3ba386a20ce11e27413b6c593562a0c50fa2fdb7d6 |
| SHA512 | 75d34ba335b22f9f618791bbd5d3821c52ac9fe9cef13c16f00e5f7bb2c7c04e3a30aecfea6b06515c04d45deac10f8ac4cf8b3278486627dbb63a71959bd9fe |
C:\Windows\SysWOW64\Bhkdeggl.exe
| MD5 | 3a491931f56967c1138cc5f535fe5bf5 |
| SHA1 | 31131220f2a69def8aa6ab0d848725062025f6f8 |
| SHA256 | 99a382887de56fe0bf36cb7045825fe90d5cd32bfc26bf68c5f3b11500856dae |
| SHA512 | 7cef7bcf8ccb60eaf8fa42f1e40f994db964bfc18735484403aeb2030db3c0891b6a432615b7669ddf048cd3f1c797430dd8e05ee35d685c028e13ff7ba6e01f |
C:\Windows\SysWOW64\Cohigamf.exe
| MD5 | 6fb8b92409e28195c1ee278acecbdf41 |
| SHA1 | 2ab5a33559aa25fbf6b0f9dbacca3cd42f9be42f |
| SHA256 | d44736880eda2dfe38560c6c8add2ba8f92604644d046661f51a1c5dbc401d71 |
| SHA512 | 0c81fbc82a7a102ee011c9409060ce84a6c810b407e7567ee9a64900023e5ab664e839cd660571052ee4cc193dbf1f315c8b62fe411ffa23288e385fc1352b5d |
C:\Windows\SysWOW64\Caknol32.exe
| MD5 | 093bbe03977f2b7ab26ede40ed34be9b |
| SHA1 | 780b1f01771dbf236f63a31fc35b5a4cc8019d25 |
| SHA256 | 44c502153b2db49e24636220412fd7ab18eaadf85636536d847006d3a77e5b14 |
| SHA512 | 1b61b73968a83a4cfd52cfb7955eea1d198709891213534a1b2ccc08a35b667ef89b60d8249c6716a0dc2b323147e4ee0171d658e122e3aaa68e7520762799f4 |
C:\Windows\SysWOW64\Dlgldibq.exe
| MD5 | ec46cc68174da16fd2cab038dee6901c |
| SHA1 | f4d482a6acc08a62cad8ec17e889fdec2265fe65 |
| SHA256 | 5ffe04fcd4a5be2b790d40dc54136595713e0b41b7d6cdd7ee48c8c4fba8b4b5 |
| SHA512 | 91cd1bd90d1fdd487891a5ed102f1b2aaaed74bacded41d360f9a7f8dd51ab23778afaed4f9426937164c45d40d54cc1b07bc7c106bf2a0991c00f27e17fcd07 |
C:\Windows\SysWOW64\Dcadac32.exe
| MD5 | 908d0428cabcc0746b23e5c8d09c0073 |
| SHA1 | 3390da28145f3015726a2d314630b68a72007d84 |
| SHA256 | e993620b30d2887f6a22c4c93731ac9fd4bbdd1f26afbb692f0cd22fb0184bff |
| SHA512 | 0159be149ca8d3cd20a8cf226810f02f833e657484c7d6c12c4493dd6e6eb108dc50dc5f3bc1ce51f9effdae65ca74764b22fb9fed6c1d4ba7da24df0059bff0 |
C:\Windows\SysWOW64\Dfamcogo.exe
| MD5 | 3c682c1bd2a5cd5f57681b9a098babc3 |
| SHA1 | febda1b375eefbeeed8568dead43e06879223ec1 |
| SHA256 | 64da6adaa7b95453f22b786d3b8874813f33eaa69de4632af09971e572ce5cb3 |
| SHA512 | 149df970e564edfbe40419727dcb5587d43157937d8312f9e2aa6fcc0f5a36f79c31427df707c45d9a62f92ca1410882220d610c9d211497568812ed71f22f96 |
C:\Windows\SysWOW64\Dbhnhp32.exe
| MD5 | 7b6ae4022bc8ead6145c1607cebed913 |
| SHA1 | dea49c449adccf45a124b82f29a415865d52809e |
| SHA256 | deb9e33af6644f498254c1501c3890e2627b63be74a943d1ae89f7b8a6b88eb2 |
| SHA512 | 8fb2518cd7e092887026b10cf92d0a0f781b457d479d908f0fb043ef0a2152a60e6bb9cc9b1c72a451fe7e2dfe8dd564c32d2fec6527a3c3c2e6cd933ba451d5 |
C:\Windows\SysWOW64\Dlnbeh32.exe
| MD5 | 136ba3263dc19ffd965be9c981d292d7 |
| SHA1 | fa23a8e6a9c4f807689bcb188f76eecb3567eeeb |
| SHA256 | 88b46dc9d79fe97a20414f10eb559f701b07c6c6597f336157e6fd21eb253b8f |
| SHA512 | 349a5abd0d590643013139be84e056166bf7f34fd7e2b22a79eeb46739e4d18ab0e91a12d9af3d5b8816a40bb3658ded1a112db5b5490317ebe5d09b5bb227b5 |
C:\Windows\SysWOW64\Dookgcij.exe
| MD5 | 5ec6d0d430a775eb770e34bd621f502d |
| SHA1 | 63cdcc38bef517e4e25e67901dbb983191d133b6 |
| SHA256 | 454e86a4b556a8d16dc9f725dcbd4928aafb8ef3c9ef1276334d0f4f2c21890c |
| SHA512 | 59c8e5512d08b584c6262f817617b71ea8f49cedcc092e2910c00890bea09c2a62b94d4263a643c37a4cf5d6a046ed070b07f25a8348839de49704a8d4b47bba |
C:\Windows\SysWOW64\Ebmgcohn.exe
| MD5 | e54984c4f14bbb10a94a3b221c8faf54 |
| SHA1 | 66d51e351effac00d796ee4cb48ca700cbfb0102 |
| SHA256 | 23db1973b18a895a239a489adc212c017b8db5aaaf6de9b32ebdf0c11ef8ee34 |
| SHA512 | 851cbe35cb0a4c3e9ce21f7d93456c43956b8258c414ff8e6813daca67e24d2c5a810f59d99e7c3ca406674b2ed4b080df66feca7f7265245fbd494ea46e4e0d |
C:\Windows\SysWOW64\Egjpkffe.exe
| MD5 | a1a62324ba93de6a813f903e18b0e7ba |
| SHA1 | 85c5b8401575bf82ecc7274cda4e281f26d60bfc |
| SHA256 | b53fd5aba75ada2b084d3671340f5707fcaa561e953732bf7fbb94f048711a4d |
| SHA512 | e1b3f230b7c4d865fcd48b44f3e535e495e515a787265b93f86250212f29d6c1a7b668197d8f0fdeaf74f0b37a2d2b0c36abd3ad5a8de5f72b50ad528a6519c8 |
C:\Windows\SysWOW64\Egllae32.exe
| MD5 | 457351d713af2c9930381e12546703c6 |
| SHA1 | 42179b4c7751a5ba1983ac0f3dc54ca826dca559 |
| SHA256 | e15e511bfb73dd5e5e803290278f3268d4c8c3d266174de32d5db13d5a1c327b |
| SHA512 | 54a58c753e5225447168ca4a968c67a19b2ab28e7a80d179e6bd1954aa1c30a624e2087a75c157c48f7c419bf5522a16cad67051cf1ca83f2eb6ab848cdaf7b3 |
C:\Windows\SysWOW64\Enfenplo.exe
| MD5 | bdab4610a981c877e0b6e8a855501882 |
| SHA1 | 3dc77539e65e903345d6bc7ec232aee2b4bbbd55 |
| SHA256 | fa1b82b05c4dc970fed90bef47ad4d45867e703a558f1be5c21e999a6ab97410 |
| SHA512 | a348a0d23e132f6828718530688022d6920038a0d1cd03b6b8a2cb62be62f4c32ffbc4776cdbebae07350db84150feeb129942ab4b495721c5a50e0ed562d460 |
C:\Windows\SysWOW64\Efaibbij.exe
| MD5 | 2e002dd7b9eee6b9f6fb234b14bc6e85 |
| SHA1 | fe99f664d6b57b28a329469545f7ce130750cfbb |
| SHA256 | f2332dedac11dfe1b2335dad40b7bb801b8d18f7175f1f7725d735a5a66778a2 |
| SHA512 | 91539db124c9ec9c44429e7b3ee397512a565dddea4a95db250b90e3c721db4b6125e547105c198b3f6b55c58a7f5cd27429257ee664db211207d8f22a8ffeb0 |
C:\Windows\SysWOW64\Ejobhppq.exe
| MD5 | 6b143258e7d7f302fa4c542381dde3e8 |
| SHA1 | 779210abea9ca8c110803a2f06ed1328c1fa82e6 |
| SHA256 | 68b4d6adee55a7071ee06b85e221bf2c29be3858561b8276808b6d6374b38e5b |
| SHA512 | 3188217a12f5c85e92a87bb4d286fbb00df31bee7f14918ff2cef2595dbcf7161120e9d76ac63d86598dc8357bdec3c84f6a099fc89c7efa9c9b0c9fd7ea36e1 |
C:\Windows\SysWOW64\Fjaonpnn.exe
| MD5 | b01f14574044153fba5ec6a632db9d26 |
| SHA1 | bbc62a8c76809d1704283a0403b7b73a6563ef88 |
| SHA256 | 8d617f61a8939bfbf2d76b3670eb00090d5c85002fa95e8c89e8d585812821e6 |
| SHA512 | 2a5ec7629c78e70b0d0dc4fb16dc30bb78f88bdbbcf5d89b9599f47b9c6938df367482c2e949a7e7dd3da4b2e3be66bb10193107ecb80892a6509b85c2c99d67 |
C:\Windows\SysWOW64\Eqijej32.exe
| MD5 | 120b62733553bcc3a862afd6458c3c4b |
| SHA1 | ca54691c70eb85ad47acc43bf477adc4a8fce689 |
| SHA256 | 86533b884d6c5c8cb2d4740b4a43fc0f137073511e9cec5e44b115de0a3ee4c9 |
| SHA512 | 50ce45604354fbea27dc5756c52d4ebe16b473773ea0f33998711a9d6944ba8acb9b6ab763397aa4e48af53dc56b1c72e4edfa1cb67db818c848f7f973ced308 |
C:\Windows\SysWOW64\Fkckeh32.exe
| MD5 | 82dc3ab19bc38b114ca9e10d9a969841 |
| SHA1 | 5a2bf18604f49ab38fa6d5c6052bb3335b78b327 |
| SHA256 | 0f096858ee34bfdf9d6f1aa69eadc4cdcda71e4e86f8696d49448f3173e28c80 |
| SHA512 | b4e840cf2b9dc13cf63b3d9cb6d7035109cea317e03ffbad51532035e2fd318020757c2693d944e2f01fc08e0169e4ef9954e707ef7bc211ee48c5996ebd08d4 |
C:\Windows\SysWOW64\Eqgnokip.exe
| MD5 | 9a3ce5264ace2a2b6a348c2670234159 |
| SHA1 | 197279257b767002614dd890a2a65ed347ea619b |
| SHA256 | 6a37cc88f1e0dcf9608d536c899b97fcfedd77272ccd2a9d25cf42b0feacad5c |
| SHA512 | 3025a0ec7847f45339868adec27a9d95be5977a891aa438bafbb917911ee91ba98a5c70db9ad753d4972621190ee6942f7a7c26961b5a537328bbbf5ffcf48bb |
C:\Windows\SysWOW64\Dfffnn32.exe
| MD5 | fa953109a984d0543c9276d2484b0b31 |
| SHA1 | baf75461990f48f7ee953cde4162c3801f0fd434 |
| SHA256 | c2ae0d2bc431b283c84855c83a0a92e34cc9cfdfce59bdeef67f8dff4053e786 |
| SHA512 | 72bccd0e455429a781a0e708f1458e44f559e251360d9c9a5836e02b652e609f021832048478d824e6c73a6008db063126700cd3b981c892facb5227520aa238 |
C:\Windows\SysWOW64\Dpeekh32.exe
| MD5 | 9d055ef71e15dff71cee7a7ff6830d08 |
| SHA1 | 32b58a99c88be02e65c0375d21c7b8b72e3dff35 |
| SHA256 | 4739a1e306ac3e3f34381e702e25c5fa675c1deff122d944e72214bcf1cc4c47 |
| SHA512 | 45eea5befa3143869a46357b888caa76fe7f72ef9e46e2389d0e14f1b8db46368bdb6e8c1993b184b9756dc8af750b297d439cf021f46dcedd19815fa58db22d |
C:\Windows\SysWOW64\Dgjclbdi.exe
| MD5 | 2ff4bde3253d46beeab293f2346a6f96 |
| SHA1 | eeb216db51b717a9f466218da702a7394a675810 |
| SHA256 | 88399d6d45dd64d6098977b27fda5c2de1f77044029e18d724cbbfeb2ffd723d |
| SHA512 | 42f4da8a3225bc7cdd12d1291d4e940d5eb6f19eb93ea52e3e4037aec28fc19f98d5bf1df4e31e5f99b64e87456198a131fd8d4b5bef4e8691293b689ff6aad3 |
C:\Windows\SysWOW64\Cjfccn32.exe
| MD5 | bb85b58945121718d9f87939baa98b8e |
| SHA1 | afa451f7c3e3130e5ad68bce94101dedfb60fb75 |
| SHA256 | add60adb2731c5fab2f2c051e87b33a8d43840d59f133b183fa29b1a16870139 |
| SHA512 | 1ac6751273af7ca54e1f7e496c451a06b151436daa67cfc204cc3daa63e805cf2cae700452d12dbb1b6a955cc75e7a9d5324254c8251e87f5a6ab345d1b12b57 |
C:\Windows\SysWOW64\Chbjffad.exe
| MD5 | bb7e66d99ff32da33542654a6c305b71 |
| SHA1 | e4c3aafc63228680740256c4b574949e409b2f15 |
| SHA256 | ce17107137d9ef97c0fe9e7f1983333c29888dd9476adc43513b5c64fe527238 |
| SHA512 | c0f29a43921c9a4dda494c581eed2010203573c64d673d18b0682d0d7176c7d4b72c5cc57847d86f63c9eeadfdd5fa06b9aa063670cd6f347448c264bbba5621 |
C:\Windows\SysWOW64\Ckoilb32.exe
| MD5 | 7b3a69a34f813ae76639b83d596fcbff |
| SHA1 | d3be124ae97042d8bce2e946006566356076cabc |
| SHA256 | 9b34bb5c286f9205cf5dcd2ce7932a6e959a723e9397492c1902442da271a6d4 |
| SHA512 | ce69820adca3fff655b869885a009a6961c66de504f8e2d3e3258b27caabba1d01184d80c4651c5986df52967d55ad9ef7a6d3fae72e4db35188021c989a4264 |
C:\Windows\SysWOW64\Cdbdjhmp.exe
| MD5 | 33407d9f3e504dc5edab32396ac68dac |
| SHA1 | 3d4d013f265fa9b4534fa78274226b6e049f0e08 |
| SHA256 | cc1a46d112d5948f289460213b60299562c57cb6565beb4c16cab9cda8468904 |
| SHA512 | d57ad15c45c6b83f892d8e4d9599649a4dc922dfc6545dba0fbc1c88c1aa30d601de730d97e43ca881f798297a74cc608950587f891c502729d9ecf57e227e10 |
C:\Windows\SysWOW64\Coelaaoi.exe
| MD5 | 593a754ae0e9b9e2ab359d4c208db322 |
| SHA1 | f39b669ea865cc94528a486083f0320ae9b3382b |
| SHA256 | 1b52e5d284bdaf672c9ec07216a99d9eb169b8001ca1fdd642fb72ac862e781f |
| SHA512 | 193c78af397f8cfebb9b158a0cf602fbb81b06ac257abc4577bc42ebeca7c1a8b22fc51f6fc728e1f7ebb3a27dcf4281e9b57989b9924f0d05be6c0a8e33b527 |
C:\Windows\SysWOW64\Bldcpf32.exe
| MD5 | 2d6e5e2d7cc7f5f5054c3907ff45abe7 |
| SHA1 | 2e0bdc4fb75ba667c067d01a92209486cc1a57c3 |
| SHA256 | 62efa62e938bf015a996ab012e232f6b27cd0e848745f689f0e34c68d26ee3d5 |
| SHA512 | 0e80c5e0d2d331d6045f0a8b23b73bbac0de384ae495cc67e747af46a589baa7561be432e56dd39bb1b1035c33113f7f5c0bb662a8b2fe6863ac68a8b00de2b9 |
C:\Windows\SysWOW64\Bblogakg.exe
| MD5 | 1860a6523d35c55ef28489383da48f3b |
| SHA1 | 14a327af97fb41f3aa7cf86eb1b7636355be7274 |
| SHA256 | 7a3098b3e95aba629ecbb83a1f8fc8ecdc40ab16a4910ff1efced9c353a6a4ec |
| SHA512 | 16dde2fc86fd0ff4add9e92cf35d1969364cd65ff5bb84c9cccc81ce98cc53a4aa6e086eb43f250db98bbd86d8354ec6526f6131deb64b5b11135c913642b6d2 |
C:\Windows\SysWOW64\Biamilfj.exe
| MD5 | 87ea163bb97a3e62d59e6c57e71f8304 |
| SHA1 | 8af08fb29bc5c7f6273155eb0a3905846d9c314b |
| SHA256 | dfcbcbf19688bc511d4fcb9e3183f2c623e42b79ebd2e596528d7a8c11f32e79 |
| SHA512 | 231b857c98cd7b4a7696216c4917e1cddf1c3b1828ad664f9bb1a2b89859edd74833c810a2f160fb7b891a30b8d07aa366df90f3f27be318924d73e346a091e4 |
C:\Windows\SysWOW64\Bpiipf32.exe
| MD5 | 56aff745b119ba540cdb1fed1c64bb4e |
| SHA1 | 3bb9d651fffe58f788472eb1d7cfe30017ffc7b3 |
| SHA256 | ff5624dc976437ee3c7a967837ebeb3d0a26b3c115b2ba287a3d5f4c91a0c916 |
| SHA512 | 0326adf289793f0a0a0f0fae97043b939d2c2d982b39a5ea7cb1aa85d107bc2351af9277291f53666b51aae908c59b9716a87985a7ccf8c204b0a7ea32f71991 |
C:\Windows\SysWOW64\Aidnohbk.exe
| MD5 | 18f349a17cf03aff4da8c5ae8d585edd |
| SHA1 | 3515280519522e7617135aecda02422b6d474566 |
| SHA256 | 6e9d3bace0d0d2c2e3802850b2ce2b30bb078bd94e75e6a857322155e10a95e9 |
| SHA512 | 9fe8afd989bedffcb3fdb4dfe4b028fd66cb77500234d1f9839212a21b0df59bfa73dc9022756449446df3835283b8c68c083380f84f03e96cc25b17e71cc29c |
C:\Windows\SysWOW64\Anojbobe.exe
| MD5 | d03ceffbfec56601e8ebea62483cb2a9 |
| SHA1 | d0ce85e9efa58b953dbb220a7b57d90c9af5564a |
| SHA256 | d99de01ef97d2e9fa1641c81263245b7c5b14b0b32c0da3fe2bd049279cf4149 |
| SHA512 | f451de1715fdb4ca370a9ae8fd0b4d7dbb213e32cc0a86213960a1a5c9c50299af45b539ab101ffd86d3f74d65c311100d7882fa008160a078f19ae14e9cf0ce |
C:\Windows\SysWOW64\Afcenm32.exe
| MD5 | 63afa441cbc8378ed7048a941b28257a |
| SHA1 | 2c62760ee4c6441b63e35ad5f37cbe7d2f41930d |
| SHA256 | c20c3cfbdbd105434e6d71a72f9688c22827bdeac66e84538ec1111640804b69 |
| SHA512 | cffe724f0814ce07413890192468a2365f500aef3df4949ecf76b7b928f6bcd525fc31ccba139d3840b40e823f702dfecd77cd3a4f9f36554791dda5fa609556 |
C:\Windows\SysWOW64\Qfahhm32.exe
| MD5 | 6773d57d92e1a929acaa5bed1c4a7734 |
| SHA1 | 9ea42c522b08bf965b991f70f992cb8d4e727dd9 |
| SHA256 | a68104c7ada24570b42ef122ef8d1537a8309555817067b80dd8564d034396da |
| SHA512 | f7f5de0ec1bc912a36e435a92648f77b60eafbba00b51579ca43fd386fcd7cbab9c1d8da5a8109ea842d59b38ac454f390ff0c0f6922933e1df94c2b20239dc5 |
C:\Windows\SysWOW64\Qjjgclai.exe
| MD5 | 86092f464de5c45790a4a197fb1fb53d |
| SHA1 | 2bf8008a79b45cd5c6a7866fd93a251a7d1b369f |
| SHA256 | 20fc508608f51c220f4320787bebd3775eda79344d30902d5416d75036a6cc99 |
| SHA512 | ddabcafdcc4733bc476a8ee3803de7b6c9d187e953abf2ac2727a846f9ab65631da46632044efe548b2a0cd4f2e4c41c273089ff2d998d9c25cc7a50643bd78b |
C:\Windows\SysWOW64\Pjhknm32.exe
| MD5 | 05470a2aa1bc6f246ea1654d58c5f050 |
| SHA1 | fd9a0bc484b0a40d5ccc30c3c001ea24c357754c |
| SHA256 | 6ee1481935d173b38e848ab31e048e822b098b42ff1e903399747f1600676e24 |
| SHA512 | 73c25c86601519a09b07ea290c912e0319e768ea61b59520ad4c8d8848775e0ff86727187684ee38cf30f7faaad27ac44b4383dd20e1685229845bbeff1b467d |
C:\Windows\SysWOW64\Pjenhm32.exe
| MD5 | 556a25a2afd6750ebad3ac2c89de1429 |
| SHA1 | 827e9ba286d8ecb4289ce45d4765f6a3f78e25a4 |
| SHA256 | 41f711ab88fe21f27647838f8109fda5b0d1e2bbd5696a13dcdedb922e3e60e1 |
| SHA512 | 65d404e9ccea3dd829ff6e2a5be21674bae97519470a9e9a2ed4f8075dd38759da07caae5d85284f5aed947da1362bd160d790424f7f0d7a2b42e995ea2222f9 |
C:\Windows\SysWOW64\Pamiog32.exe
| MD5 | ca6b98178af12f8daeb4d79e2c521fb7 |
| SHA1 | fccd3e45a9ed7fa43fe0ba74a4a4d6ddfe3137fc |
| SHA256 | 128342a2ef8cd07b453a5622e859c108e037ab3d64acdf5558fc78ef0b97dacc |
| SHA512 | 24776b99935de12879e89d213fe8239ef20a8b43ae0ad723c07006bffb7ddcb7fb19aa2aa7c9c18026051795d0d34fc0fcdc12a078a16c73813b75b8119097d6 |
C:\Windows\SysWOW64\Pkpagq32.exe
| MD5 | c8106b14f5c96a4269e8167d5d59b4ce |
| SHA1 | 10b64030e5eb6e3831855557b9390e2fadc9bd1e |
| SHA256 | 6455870a7d65b3028d90720692bd24a59ab4bcc7ee1b1c29ce76355012817698 |
| SHA512 | 7ae672b948821ddf8002ac9c29ce6f7fc9c6787d5a8f0674dc5a1ddd08461d0ce52ec610c8b1c10f080bb5072bb267aa5c89aced97e68a7c115d0ac107bc2348 |
C:\Windows\SysWOW64\Pgbhabjp.exe
| MD5 | 1ddf3f6637ec7ce2b3ca74a867800878 |
| SHA1 | eda0044a809663f62a68f9bf661bd33a41055f73 |
| SHA256 | 5031fd657171b2d4fdee3da88656134feac6b577de895f1d24f3aebf3128843e |
| SHA512 | 99336a14d78ebc16626d7c4fc818794017e9925efc660ddd756c63566e93e114ac3a55e1ae67b51c99d3889bea4f01d79a856bd8a298d1c52a55761f28a7281e |
C:\Windows\SysWOW64\Pnjdhmdo.exe
| MD5 | 6fcb740ae2ddda33b6f2b61f5aed178b |
| SHA1 | 20b9bec2d0c423150d7cb5ddf8780560c10b5aed |
| SHA256 | e24814780267c43d36a94d6403f4ee70bf0df562cf8b4f2b2e8a281b4e5c4073 |
| SHA512 | bfb39cd52c0ea362b1a7d18e0f710f7d6b223c6f843cc8e550064a50241989fa4bb0a9f5b31b94c62d5660a95e08c62d374e7ba6e999f29d5ce9f7c649dfb927 |
C:\Windows\SysWOW64\Pgplkb32.exe
| MD5 | 46d44d49cd5cef599800a957a121610d |
| SHA1 | 1975ae669b0b2f281bb090398d7cfd68e14c9a74 |
| SHA256 | 5427a68feb5a3e21f3fce19af99feba6ffde1a1c1dce6e6e4413bdfe18671edd |
| SHA512 | 592604c030f829a03c03256040b0adb73f5bf4d4017738b6547d17532d6a3f4a21a4acbdc93d802cefa789cc149bf7d8a4287c0556410f2f8cc29ca5197c4765 |
C:\Windows\SysWOW64\Onhgbmfb.exe
| MD5 | 68691f02b631084616818b2688839e55 |
| SHA1 | 14ba785fff34fe021b3e450685859d12ec36bf12 |
| SHA256 | 8ae841c01baddf3ec2dd6a31654ec04f5fb91eeb66cdac702b0d045b31c6e9f6 |
| SHA512 | f9015e98c4f7828b3c2cd0dd6585a15c51b75d8acd8cff032507f10ea883171dd0ddfd7d7197d09388ef863b726f6b6028e9dcf53aa88041d57e418ab454e86a |
C:\Windows\SysWOW64\Omfkke32.exe
| MD5 | 830fb023be6fc262aaa103cd8e82a018 |
| SHA1 | a89c7f167576f4502d7f823532add62782af88b5 |
| SHA256 | ad0f6ca25137c73b298603059f3392b80234a4dcc190f3eba137e90b6d631bd4 |
| SHA512 | 4ec4e77d43a493183dbca70cd72efbe35e2adab6c2fe9d7e6c20ee52d291d37dbfd82e50234a836ba31f444dafbd7438e68d732be4a23606f494c7e7b0254dcb |
C:\Windows\SysWOW64\Ocnfbo32.exe
| MD5 | 40d5d43dd372cbb661e0d92b2072be86 |
| SHA1 | f5b6e6322d8cdfaf2de271acbb86d311274d76a2 |
| SHA256 | 3a3f79beae20f006f134db7ce981dc2d9d7057a1b89b76c1d4fe256c1eb31bf8 |
| SHA512 | f4e178a9ba6556738fad18d483cdfcc5d8ce5e8caceffa42e3b058bde815ed880d4f34b2b8f1e079aff1d4e8ef8f074318742bcafdd5599c015e0669546e795c |
C:\Windows\SysWOW64\Ofjfhk32.exe
| MD5 | 7e6695dafeb3d71a414c13458bfd090b |
| SHA1 | d5c5fc1a92aed88e52bbfb2cc96df8ac25a34359 |
| SHA256 | 02d922b95fb301c00fe2939aa84cc6327c01a7d3302459158d680586553437dd |
| SHA512 | 7259c19f1bbceb64be88cd09f8eba78e2c71456c64799539dde5d6bb6be26262a6a7fd45139e43fb6dabe3e892e45329b39f2bc0edf81dc2cc369dca72682748 |
C:\Windows\SysWOW64\Ombapedi.exe
| MD5 | 28b263ea0a712bcee8b1472de1a8e86a |
| SHA1 | 18e35e8d6f4aab631e35fe4e0818d1be31159098 |
| SHA256 | 89b91686e7c9aca4372a22d39bdf582b2ab4ae04b085bd6e4ec0bd3e607bcdf1 |
| SHA512 | a6919d37f4e11d585fa62172c43ef02c41204a455139eea0de12afc11e5e242cab6aa18bb6235ea2fade56451b13581c7e751d7bd3c54d728f0610c3bcc2bcda |
C:\Windows\SysWOW64\Ojahnj32.exe
| MD5 | 9b57d5f0419bab9278dd284ef18f2c7f |
| SHA1 | 02bf17f17040335da0be389abb13d7238231c2ba |
| SHA256 | 309e04d25e6f02ee83fc2df1b1dbfcf2476dec25059dc78e96e23fbf5e21629b |
| SHA512 | 8bb759f0fffb11107197dabff23bc02701c83f2402c40ae4a8da8f1ec9b1b752a480759cb5deb5d151e818df0d56a0fc8886db2bdbc6299f8c49f1845d44936a |
C:\Windows\SysWOW64\Nnhkcj32.exe
| MD5 | ae5c1e0adc77d28b973bfd3ae823daf1 |
| SHA1 | 7efdb3876c2beecffe81f08287863d1f30aadb6b |
| SHA256 | d36e5e14793ec643bf3811316e8d40d275d01b15dd0a2609aaef6451fb08cb26 |
| SHA512 | 5aef36d090678044d1e369eace9aa0c4ead5ab4a10ca926d2848374c2fd2a755635b5f940b3f894aa006ae8792971558e5d3cc7aff7326711d3863da4f270205 |
C:\Windows\SysWOW64\Ndpfkdmf.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:13
Reported
2024-04-07 18:15
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fdnjgmle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hbpgbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jedeph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ldjhpl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mlampmdo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qnjnnj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Okolkg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eaklidoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Eaklidoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pgemphmn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfeopj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kipkhdeq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ilghlc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ehnglm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fhcpgmjf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qjbena32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bbifelba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hfqlnm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kpbmco32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Obfhba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ajiknpjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gdeqhl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oqbamo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pcccfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Anbkio32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bdolhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Llemdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pcncpbmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddmhja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gkkojgao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gicinj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Icnpmp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibcmom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jmmjgejj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Npjebj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Elppfmoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kmkfhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nggqoj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oncofm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Acmflf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jlpkba32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iehfdi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ifgbnlmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojhiqefo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dafbne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gdcdbl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pjmehkqk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gomakdcp.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Enlqgg32.dll | C:\Windows\SysWOW64\Hmjdjgjo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmoahijl.exe | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmhnkg32.dll | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Beihma32.exe | C:\Windows\SysWOW64\Bmbplc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Okhfjh32.exe | C:\Windows\SysWOW64\Ogljjiei.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnmkhg32.dll | C:\Windows\SysWOW64\Ojalgcnd.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcagphom.exe | C:\Windows\SysWOW64\Pengdk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfqlnm32.exe | C:\Windows\SysWOW64\Hofdacke.exe | N/A |
| File created | C:\Windows\SysWOW64\Cenahpha.exe | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| File created | C:\Windows\SysWOW64\Behbag32.exe | C:\Windows\SysWOW64\Bbifelba.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngmgne32.exe | C:\Windows\SysWOW64\Ndokbi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbaipkbi.exe | C:\Windows\SysWOW64\Kpbmco32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kimnbd32.exe | C:\Windows\SysWOW64\Kpeiioac.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnbbbabh.exe | C:\Windows\SysWOW64\Pjffbc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bobcpmfc.exe | C:\Windows\SysWOW64\Bldgdago.exe | N/A |
| File created | C:\Windows\SysWOW64\Icnpmp32.exe | C:\Windows\SysWOW64\Ilghlc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjdlbifk.dll | C:\Windows\SysWOW64\Jcgbco32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mchhggno.exe | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfhfan32.exe | C:\Windows\SysWOW64\Pgefeajb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhkhibmc.exe | C:\Windows\SysWOW64\Bdolhc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nghjpm32.dll | C:\Windows\SysWOW64\Gododflk.exe | N/A |
| File created | C:\Windows\SysWOW64\Choehhlk.dll | C:\Windows\SysWOW64\Hecmijim.exe | N/A |
| File created | C:\Windows\SysWOW64\Glbandkm.dll | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgllfjld.dll | C:\Windows\SysWOW64\Pnfkma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ahioknai.dll | C:\Windows\SysWOW64\Ndaggimg.exe | N/A |
| File created | C:\Windows\SysWOW64\Npmagine.exe | C:\Windows\SysWOW64\Nlaegk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbqlfkmi.exe | C:\Windows\SysWOW64\Bkidenlg.exe | N/A |
| File created | C:\Windows\SysWOW64\Qddfkd32.exe | C:\Windows\SysWOW64\Qnjnnj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gblnkg32.dll | C:\Windows\SysWOW64\Bmbplc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghekjiam.dll | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnambi32.dll | C:\Windows\SysWOW64\Dafbne32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ecmeig32.exe | C:\Windows\SysWOW64\Eoaihhlp.exe | N/A |
| File created | C:\Windows\SysWOW64\Fhcpgmjf.exe | C:\Windows\SysWOW64\Ffddka32.exe | N/A |
| File created | C:\Windows\SysWOW64\Doilmc32.exe | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjbnapki.dll | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| File created | C:\Windows\SysWOW64\Alcidkmm.dll | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fbnafb32.exe | C:\Windows\SysWOW64\Fooeif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcgdbi32.dll | C:\Windows\SysWOW64\Gcagkdba.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kimnbd32.exe | C:\Windows\SysWOW64\Kpeiioac.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Llemdo32.exe | C:\Windows\SysWOW64\Ligqhc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mnepdqjg.dll | C:\Windows\SysWOW64\Elppfmoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcoppd32.dll | C:\Windows\SysWOW64\Obangb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjdilcla.exe | C:\Windows\SysWOW64\Pkaiqf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Peimil32.exe | C:\Windows\SysWOW64\Pqnaim32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgciaf32.exe | C:\Windows\SysWOW64\Qeemej32.exe | N/A |
| File created | C:\Windows\SysWOW64\Imdhga32.dll | C:\Windows\SysWOW64\Cafigg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Npjebj32.exe | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ofqpqo32.exe | C:\Windows\SysWOW64\Odocigqg.exe | N/A |
| File created | C:\Windows\SysWOW64\Deimfpda.dll | C:\Windows\SysWOW64\Lpebpm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eiojlkkj.dll | C:\Windows\SysWOW64\Aeiofcji.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlkefpan.dll | C:\Windows\SysWOW64\Pjdilcla.exe | N/A |
| File created | C:\Windows\SysWOW64\Geplnioe.dll | C:\Windows\SysWOW64\Fkalchij.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocdfloja.dll | C:\Windows\SysWOW64\Kfjhkjle.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldleel32.exe | C:\Windows\SysWOW64\Llemdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcebhoii.exe | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmldgi32.dll | C:\Windows\SysWOW64\Imoneg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpnchp32.exe | C:\Windows\SysWOW64\Jmpgldhg.exe | N/A |
| File created | C:\Windows\SysWOW64\Namdcd32.dll | C:\Windows\SysWOW64\Kefkme32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aihbcp32.dll | C:\Windows\SysWOW64\Mlampmdo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jmknaell.exe | C:\Windows\SysWOW64\Jedeph32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjgaigfg.dll | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndkahnhh.exe | C:\Windows\SysWOW64\Njfmke32.exe | N/A |
| File created | C:\Windows\SysWOW64\Odpjcm32.exe | C:\Windows\SysWOW64\Oqdoboli.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcobhnfc.dll | C:\Windows\SysWOW64\Pnpemb32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dboiieof.dll" | C:\Windows\SysWOW64\Odgqdlnj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cdfbibnb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" | C:\Windows\SysWOW64\Gcfqfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ifjodl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Eleiam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anphnl32.dll" | C:\Windows\SysWOW64\Fdnjgmle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hmjdjgjo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ligqhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll" | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dahode32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kmfmmcbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojllan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienanm32.dll" | C:\Windows\SysWOW64\Cbqlfkmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gicinj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gcimkc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jeklag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mpoefk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ecmeig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcmgfbhd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ifllil32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Obfhba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijnlbk32.dll" | C:\Windows\SysWOW64\Cecbmf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobdihjo.dll" | C:\Windows\SysWOW64\Clbceo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibjjhn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmfmmcbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll" | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hfifmnij.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aeniabfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ogcpjhoq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmipecpd.dll" | C:\Windows\SysWOW64\Fllpbldb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kmkfhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kplpjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" | C:\Windows\SysWOW64\Aeniabfd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pqnaim32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Aniajnnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbegho32.dll" | C:\Windows\SysWOW64\Bdolhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhclmi.dll" | C:\Windows\SysWOW64\Gomakdcp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll" | C:\Windows\SysWOW64\Lpebpm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll" | C:\Windows\SysWOW64\Pclgkb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jmhale32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kiidgeki.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Lmgfda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll" | C:\Windows\SysWOW64\Gododflk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll" | C:\Windows\SysWOW64\Kdcbom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echmafdm.dll" | C:\Windows\SysWOW64\Ogogoi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jcioiood.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndaggimg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Edpnfo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfedla.dll" | C:\Windows\SysWOW64\Heapdjlp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files