Malware Analysis Report

2025-03-14 23:28

Sample ID 240407-wtv7raaf8t
Target 042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d
SHA256 042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d

Threat Level: Known bad

The file 042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:13

Reported

2024-04-07 18:15

Platform

win7-20240319-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aidnohbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cohigamf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nnhkcj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ombapedi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pamiog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Noqamn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojahnj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ofjfhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpeekh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dbhnhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lojomkdn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nefpnhlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndkmpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ebmgcohn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aidnohbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckoilb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Egllae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pgbhabjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chbjffad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dpeekh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgnnln32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndpfkdmf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onhgbmfb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Caknol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mdmmfa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okgnab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qfahhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oqideepg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhkdeggl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpiipf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bblogakg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqijej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nkgbbo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ombapedi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjjgclai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbnhng32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Noqamn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ejobhppq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhkcj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqideepg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkpagq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ocnfbo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjhknm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Biamilfj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpolo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ckoilb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dcadac32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejobhppq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kgnnln32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lhpfqama.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lojomkdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Enfenplo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bldcpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dgjclbdi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcadac32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgbhabjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ahikqd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Onhgbmfb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjenhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pjhknm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Anafhopc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdmmfa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ojahnj32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jbnhng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgnnln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmjfdejp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjnfniii.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpfqama.exe N/A
N/A N/A C:\Windows\SysWOW64\Lojomkdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmmfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefpnhlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndkmpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Noqamn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nejiih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkgbbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndpfkdmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnhkcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpolo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqideepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojahnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ombapedi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofjfhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okgnab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocnfbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omfkke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onhgbmfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgplkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnjdhmdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbhabjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbhmnkjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkpagq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pamiog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjenhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhknm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjjgclai.exe N/A
N/A N/A C:\Windows\SysWOW64\Qfahhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afcenm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anojbobe.exe N/A
N/A N/A C:\Windows\SysWOW64\Aidnohbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Anafhopc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahikqd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpiipf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Biamilfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Behnnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bblogakg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bldcpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhkdeggl.exe N/A
N/A N/A C:\Windows\SysWOW64\Coelaaoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdbdjhmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Cohigamf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckoilb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chbjffad.exe N/A
N/A N/A C:\Windows\SysWOW64\Caknol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjfccn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgjclbdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlgldibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcadac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpeekh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfamcogo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbhnhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlnbeh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfffnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dookgcij.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebmgcohn.exe N/A
N/A N/A C:\Windows\SysWOW64\Egjpkffe.exe N/A
N/A N/A C:\Windows\SysWOW64\Egllae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enfenplo.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbnhng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbnhng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgnnln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgnnln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmjfdejp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmjfdejp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjnfniii.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjnfniii.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpfqama.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpfqama.exe N/A
N/A N/A C:\Windows\SysWOW64\Lojomkdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lojomkdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmmfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmmfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefpnhlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefpnhlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndkmpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndkmpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Noqamn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Noqamn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nejiih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nejiih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkgbbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkgbbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndpfkdmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndpfkdmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnhkcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnhkcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpolo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpolo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqideepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqideepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojahnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojahnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ombapedi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ombapedi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofjfhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofjfhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okgnab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okgnab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocnfbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocnfbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omfkke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omfkke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onhgbmfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Onhgbmfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgplkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgplkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnjdhmdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnjdhmdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbhabjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbhabjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbhmnkjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbhmnkjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkpagq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkpagq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pamiog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pamiog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjenhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjenhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhknm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhknm32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Lojomkdn.exe C:\Windows\SysWOW64\Lhpfqama.exe N/A
File created C:\Windows\SysWOW64\Mdmmfa32.exe C:\Windows\SysWOW64\Lojomkdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Ombapedi.exe C:\Windows\SysWOW64\Ojahnj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe C:\Windows\SysWOW64\Anojbobe.exe N/A
File created C:\Windows\SysWOW64\Igdaoinc.dll C:\Windows\SysWOW64\Anafhopc.exe N/A
File created C:\Windows\SysWOW64\Dbhnhp32.exe C:\Windows\SysWOW64\Dfamcogo.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqgnokip.exe C:\Windows\SysWOW64\Efaibbij.exe N/A
File opened for modification C:\Windows\SysWOW64\Caknol32.exe C:\Windows\SysWOW64\Chbjffad.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfffnn32.exe C:\Windows\SysWOW64\Dlnbeh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Enfenplo.exe C:\Windows\SysWOW64\Egllae32.exe N/A
File created C:\Windows\SysWOW64\Qbgpffch.dll C:\Windows\SysWOW64\Cjfccn32.exe N/A
File created C:\Windows\SysWOW64\Egjpkffe.exe C:\Windows\SysWOW64\Ebmgcohn.exe N/A
File created C:\Windows\SysWOW64\Okgnab32.exe C:\Windows\SysWOW64\Ofjfhk32.exe N/A
File created C:\Windows\SysWOW64\Hgggfhdc.dll C:\Windows\SysWOW64\Okgnab32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcadac32.exe C:\Windows\SysWOW64\Dlgldibq.exe N/A
File created C:\Windows\SysWOW64\Ipnnggjm.dll C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe N/A
File created C:\Windows\SysWOW64\Bibkki32.dll C:\Windows\SysWOW64\Kjnfniii.exe N/A
File created C:\Windows\SysWOW64\Apmabnaj.dll C:\Windows\SysWOW64\Pjenhm32.exe N/A
File created C:\Windows\SysWOW64\Pbkafj32.dll C:\Windows\SysWOW64\Coelaaoi.exe N/A
File created C:\Windows\SysWOW64\Dfkjnkib.dll C:\Windows\SysWOW64\Pamiog32.exe N/A
File created C:\Windows\SysWOW64\Mbiaej32.dll C:\Windows\SysWOW64\Ahikqd32.exe N/A
File created C:\Windows\SysWOW64\Jaqddb32.dll C:\Windows\SysWOW64\Efaibbij.exe N/A
File created C:\Windows\SysWOW64\Clkmne32.dll C:\Windows\SysWOW64\Fjaonpnn.exe N/A
File created C:\Windows\SysWOW64\Egahmk32.dll C:\Windows\SysWOW64\Omfkke32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnjdhmdo.exe C:\Windows\SysWOW64\Pgplkb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpeekh32.exe C:\Windows\SysWOW64\Dcadac32.exe N/A
File created C:\Windows\SysWOW64\Ionkallc.dll C:\Windows\SysWOW64\Ombapedi.exe N/A
File created C:\Windows\SysWOW64\Fpkeqmgm.dll C:\Windows\SysWOW64\Onhgbmfb.exe N/A
File opened for modification C:\Windows\SysWOW64\Qjjgclai.exe C:\Windows\SysWOW64\Pjhknm32.exe N/A
File created C:\Windows\SysWOW64\Eekkdc32.dll C:\Windows\SysWOW64\Bhkdeggl.exe N/A
File created C:\Windows\SysWOW64\Cohigamf.exe C:\Windows\SysWOW64\Cdbdjhmp.exe N/A
File opened for modification C:\Windows\SysWOW64\Dlnbeh32.exe C:\Windows\SysWOW64\Dbhnhp32.exe N/A
File created C:\Windows\SysWOW64\Kjnfniii.exe C:\Windows\SysWOW64\Kmjfdejp.exe N/A
File created C:\Windows\SysWOW64\Qjjgclai.exe C:\Windows\SysWOW64\Pjhknm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbnhng32.exe C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe N/A
File created C:\Windows\SysWOW64\Iecenlqh.dll C:\Windows\SysWOW64\Bpiipf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpiipf32.exe C:\Windows\SysWOW64\Ahikqd32.exe N/A
File created C:\Windows\SysWOW64\Dlgldibq.exe C:\Windows\SysWOW64\Dgjclbdi.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqijej32.exe C:\Windows\SysWOW64\Ejobhppq.exe N/A
File created C:\Windows\SysWOW64\Ahikqd32.exe C:\Windows\SysWOW64\Anafhopc.exe N/A
File created C:\Windows\SysWOW64\Biamilfj.exe C:\Windows\SysWOW64\Bpiipf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe C:\Windows\SysWOW64\Kjnfniii.exe N/A
File created C:\Windows\SysWOW64\Mnhlblil.dll C:\Windows\SysWOW64\Oqideepg.exe N/A
File created C:\Windows\SysWOW64\Cbnnqb32.dll C:\Windows\SysWOW64\Pkpagq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhkdeggl.exe C:\Windows\SysWOW64\Bldcpf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofjfhk32.exe C:\Windows\SysWOW64\Ombapedi.exe N/A
File created C:\Windows\SysWOW64\Behnnm32.exe C:\Windows\SysWOW64\Biamilfj.exe N/A
File created C:\Windows\SysWOW64\Abkphdmd.dll C:\Windows\SysWOW64\Ebmgcohn.exe N/A
File created C:\Windows\SysWOW64\Kmjfdejp.exe C:\Windows\SysWOW64\Kgnnln32.exe N/A
File created C:\Windows\SysWOW64\Bpiipf32.exe C:\Windows\SysWOW64\Ahikqd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cohigamf.exe C:\Windows\SysWOW64\Cdbdjhmp.exe N/A
File created C:\Windows\SysWOW64\Enfenplo.exe C:\Windows\SysWOW64\Egllae32.exe N/A
File created C:\Windows\SysWOW64\Pgplkb32.exe C:\Windows\SysWOW64\Onhgbmfb.exe N/A
File opened for modification C:\Windows\SysWOW64\Qfahhm32.exe C:\Windows\SysWOW64\Qjjgclai.exe N/A
File created C:\Windows\SysWOW64\Iakdqgfi.dll C:\Windows\SysWOW64\Qjjgclai.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgplkb32.exe C:\Windows\SysWOW64\Onhgbmfb.exe N/A
File created C:\Windows\SysWOW64\Ddpkof32.dll C:\Windows\SysWOW64\Pnjdhmdo.exe N/A
File created C:\Windows\SysWOW64\Bldcpf32.exe C:\Windows\SysWOW64\Bblogakg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckoilb32.exe C:\Windows\SysWOW64\Cohigamf.exe N/A
File opened for modification C:\Windows\SysWOW64\Efaibbij.exe C:\Windows\SysWOW64\Enfenplo.exe N/A
File created C:\Windows\SysWOW64\Aonghnnp.dll C:\Windows\SysWOW64\Nefpnhlc.exe N/A
File created C:\Windows\SysWOW64\Jejinjob.dll C:\Windows\SysWOW64\Pgbhabjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Biamilfj.exe C:\Windows\SysWOW64\Bpiipf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkpagq32.exe C:\Windows\SysWOW64\Pbhmnkjf.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Fkckeh32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdcoomf.dll" C:\Windows\SysWOW64\Cohigamf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dbhnhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" C:\Windows\SysWOW64\Dbhnhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Noqamn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ombapedi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Biamilfj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dpeekh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll" C:\Windows\SysWOW64\Dfamcogo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eqgnokip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ejobhppq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lojomkdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" C:\Windows\SysWOW64\Bpiipf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Behnnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dookgcij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enfenplo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkepc32.dll" C:\Windows\SysWOW64\Nnhkcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" C:\Windows\SysWOW64\Ofjfhk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dookgcij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebmgcohn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eqijej32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kgnnln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aidnohbk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pamiog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejinjob.dll" C:\Windows\SysWOW64\Pgbhabjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kjnfniii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" C:\Windows\SysWOW64\Ndpfkdmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afcenm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Egjpkffe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgnnln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" C:\Windows\SysWOW64\Noqamn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgplkb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pjhknm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anafhopc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlegpjp.dll" C:\Windows\SysWOW64\Mdmmfa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Omfkke32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ofjfhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pamiog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnnggjm.dll" C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aefbii32.dll" C:\Windows\SysWOW64\Lhpfqama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anojbobe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekkdc32.dll" C:\Windows\SysWOW64\Bhkdeggl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ckoilb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eqgnokip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnnp32.dll" C:\Windows\SysWOW64\Ngpolo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljilnja.dll" C:\Windows\SysWOW64\Pbhmnkjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Efaibbij.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bldcpf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dlgldibq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" C:\Windows\SysWOW64\Dfffnn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Egllae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll" C:\Windows\SysWOW64\Dlgldibq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ojahnj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Onhgbmfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" C:\Windows\SysWOW64\Bblogakg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lhpfqama.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oqideepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkallc.dll" C:\Windows\SysWOW64\Ombapedi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pnjdhmdo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Enfenplo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egahmk32.dll" C:\Windows\SysWOW64\Omfkke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcadac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obilnl32.dll" C:\Windows\SysWOW64\Cdbdjhmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Anojbobe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdchio32.dll" C:\Windows\SysWOW64\Lojomkdn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe C:\Windows\SysWOW64\Jbnhng32.exe
PID 2200 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe C:\Windows\SysWOW64\Jbnhng32.exe
PID 2200 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe C:\Windows\SysWOW64\Jbnhng32.exe
PID 2200 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe C:\Windows\SysWOW64\Jbnhng32.exe
PID 2368 wrote to memory of 1744 N/A C:\Windows\SysWOW64\Jbnhng32.exe C:\Windows\SysWOW64\Kgnnln32.exe
PID 2368 wrote to memory of 1744 N/A C:\Windows\SysWOW64\Jbnhng32.exe C:\Windows\SysWOW64\Kgnnln32.exe
PID 2368 wrote to memory of 1744 N/A C:\Windows\SysWOW64\Jbnhng32.exe C:\Windows\SysWOW64\Kgnnln32.exe
PID 2368 wrote to memory of 1744 N/A C:\Windows\SysWOW64\Jbnhng32.exe C:\Windows\SysWOW64\Kgnnln32.exe
PID 1744 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Kgnnln32.exe C:\Windows\SysWOW64\Kmjfdejp.exe
PID 1744 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Kgnnln32.exe C:\Windows\SysWOW64\Kmjfdejp.exe
PID 1744 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Kgnnln32.exe C:\Windows\SysWOW64\Kmjfdejp.exe
PID 1744 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Kgnnln32.exe C:\Windows\SysWOW64\Kmjfdejp.exe
PID 2536 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Kmjfdejp.exe C:\Windows\SysWOW64\Kjnfniii.exe
PID 2536 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Kmjfdejp.exe C:\Windows\SysWOW64\Kjnfniii.exe
PID 2536 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Kmjfdejp.exe C:\Windows\SysWOW64\Kjnfniii.exe
PID 2536 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Kmjfdejp.exe C:\Windows\SysWOW64\Kjnfniii.exe
PID 2632 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Kjnfniii.exe C:\Windows\SysWOW64\Lhpfqama.exe
PID 2632 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Kjnfniii.exe C:\Windows\SysWOW64\Lhpfqama.exe
PID 2632 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Kjnfniii.exe C:\Windows\SysWOW64\Lhpfqama.exe
PID 2632 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Kjnfniii.exe C:\Windows\SysWOW64\Lhpfqama.exe
PID 2808 wrote to memory of 1060 N/A C:\Windows\SysWOW64\Lhpfqama.exe C:\Windows\SysWOW64\Lojomkdn.exe
PID 2808 wrote to memory of 1060 N/A C:\Windows\SysWOW64\Lhpfqama.exe C:\Windows\SysWOW64\Lojomkdn.exe
PID 2808 wrote to memory of 1060 N/A C:\Windows\SysWOW64\Lhpfqama.exe C:\Windows\SysWOW64\Lojomkdn.exe
PID 2808 wrote to memory of 1060 N/A C:\Windows\SysWOW64\Lhpfqama.exe C:\Windows\SysWOW64\Lojomkdn.exe
PID 1060 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Lojomkdn.exe C:\Windows\SysWOW64\Mdmmfa32.exe
PID 1060 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Lojomkdn.exe C:\Windows\SysWOW64\Mdmmfa32.exe
PID 1060 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Lojomkdn.exe C:\Windows\SysWOW64\Mdmmfa32.exe
PID 1060 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Lojomkdn.exe C:\Windows\SysWOW64\Mdmmfa32.exe
PID 2940 wrote to memory of 1528 N/A C:\Windows\SysWOW64\Mdmmfa32.exe C:\Windows\SysWOW64\Nefpnhlc.exe
PID 2940 wrote to memory of 1528 N/A C:\Windows\SysWOW64\Mdmmfa32.exe C:\Windows\SysWOW64\Nefpnhlc.exe
PID 2940 wrote to memory of 1528 N/A C:\Windows\SysWOW64\Mdmmfa32.exe C:\Windows\SysWOW64\Nefpnhlc.exe
PID 2940 wrote to memory of 1528 N/A C:\Windows\SysWOW64\Mdmmfa32.exe C:\Windows\SysWOW64\Nefpnhlc.exe
PID 1528 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Nefpnhlc.exe C:\Windows\SysWOW64\Ndkmpe32.exe
PID 1528 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Nefpnhlc.exe C:\Windows\SysWOW64\Ndkmpe32.exe
PID 1528 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Nefpnhlc.exe C:\Windows\SysWOW64\Ndkmpe32.exe
PID 1528 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Nefpnhlc.exe C:\Windows\SysWOW64\Ndkmpe32.exe
PID 2780 wrote to memory of 1532 N/A C:\Windows\SysWOW64\Ndkmpe32.exe C:\Windows\SysWOW64\Noqamn32.exe
PID 2780 wrote to memory of 1532 N/A C:\Windows\SysWOW64\Ndkmpe32.exe C:\Windows\SysWOW64\Noqamn32.exe
PID 2780 wrote to memory of 1532 N/A C:\Windows\SysWOW64\Ndkmpe32.exe C:\Windows\SysWOW64\Noqamn32.exe
PID 2780 wrote to memory of 1532 N/A C:\Windows\SysWOW64\Ndkmpe32.exe C:\Windows\SysWOW64\Noqamn32.exe
PID 1532 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Noqamn32.exe C:\Windows\SysWOW64\Nejiih32.exe
PID 1532 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Noqamn32.exe C:\Windows\SysWOW64\Nejiih32.exe
PID 1532 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Noqamn32.exe C:\Windows\SysWOW64\Nejiih32.exe
PID 1532 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Noqamn32.exe C:\Windows\SysWOW64\Nejiih32.exe
PID 2344 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Nejiih32.exe C:\Windows\SysWOW64\Nkgbbo32.exe
PID 2344 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Nejiih32.exe C:\Windows\SysWOW64\Nkgbbo32.exe
PID 2344 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Nejiih32.exe C:\Windows\SysWOW64\Nkgbbo32.exe
PID 2344 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Nejiih32.exe C:\Windows\SysWOW64\Nkgbbo32.exe
PID 2792 wrote to memory of 560 N/A C:\Windows\SysWOW64\Nkgbbo32.exe C:\Windows\SysWOW64\Ndpfkdmf.exe
PID 2792 wrote to memory of 560 N/A C:\Windows\SysWOW64\Nkgbbo32.exe C:\Windows\SysWOW64\Ndpfkdmf.exe
PID 2792 wrote to memory of 560 N/A C:\Windows\SysWOW64\Nkgbbo32.exe C:\Windows\SysWOW64\Ndpfkdmf.exe
PID 2792 wrote to memory of 560 N/A C:\Windows\SysWOW64\Nkgbbo32.exe C:\Windows\SysWOW64\Ndpfkdmf.exe
PID 560 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Ndpfkdmf.exe C:\Windows\SysWOW64\Nnhkcj32.exe
PID 560 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Ndpfkdmf.exe C:\Windows\SysWOW64\Nnhkcj32.exe
PID 560 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Ndpfkdmf.exe C:\Windows\SysWOW64\Nnhkcj32.exe
PID 560 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Ndpfkdmf.exe C:\Windows\SysWOW64\Nnhkcj32.exe
PID 1356 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Nnhkcj32.exe C:\Windows\SysWOW64\Ngpolo32.exe
PID 1356 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Nnhkcj32.exe C:\Windows\SysWOW64\Ngpolo32.exe
PID 1356 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Nnhkcj32.exe C:\Windows\SysWOW64\Ngpolo32.exe
PID 1356 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Nnhkcj32.exe C:\Windows\SysWOW64\Ngpolo32.exe
PID 1752 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Ngpolo32.exe C:\Windows\SysWOW64\Oqideepg.exe
PID 1752 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Ngpolo32.exe C:\Windows\SysWOW64\Oqideepg.exe
PID 1752 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Ngpolo32.exe C:\Windows\SysWOW64\Oqideepg.exe
PID 1752 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Ngpolo32.exe C:\Windows\SysWOW64\Oqideepg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe

"C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe"

C:\Windows\SysWOW64\Jbnhng32.exe

C:\Windows\system32\Jbnhng32.exe

C:\Windows\SysWOW64\Kgnnln32.exe

C:\Windows\system32\Kgnnln32.exe

C:\Windows\SysWOW64\Kmjfdejp.exe

C:\Windows\system32\Kmjfdejp.exe

C:\Windows\SysWOW64\Kjnfniii.exe

C:\Windows\system32\Kjnfniii.exe

C:\Windows\SysWOW64\Lhpfqama.exe

C:\Windows\system32\Lhpfqama.exe

C:\Windows\SysWOW64\Lojomkdn.exe

C:\Windows\system32\Lojomkdn.exe

C:\Windows\SysWOW64\Mdmmfa32.exe

C:\Windows\system32\Mdmmfa32.exe

C:\Windows\SysWOW64\Nefpnhlc.exe

C:\Windows\system32\Nefpnhlc.exe

C:\Windows\SysWOW64\Ndkmpe32.exe

C:\Windows\system32\Ndkmpe32.exe

C:\Windows\SysWOW64\Noqamn32.exe

C:\Windows\system32\Noqamn32.exe

C:\Windows\SysWOW64\Nejiih32.exe

C:\Windows\system32\Nejiih32.exe

C:\Windows\SysWOW64\Nkgbbo32.exe

C:\Windows\system32\Nkgbbo32.exe

C:\Windows\SysWOW64\Ndpfkdmf.exe

C:\Windows\system32\Ndpfkdmf.exe

C:\Windows\SysWOW64\Nnhkcj32.exe

C:\Windows\system32\Nnhkcj32.exe

C:\Windows\SysWOW64\Ngpolo32.exe

C:\Windows\system32\Ngpolo32.exe

C:\Windows\SysWOW64\Oqideepg.exe

C:\Windows\system32\Oqideepg.exe

C:\Windows\SysWOW64\Ojahnj32.exe

C:\Windows\system32\Ojahnj32.exe

C:\Windows\SysWOW64\Ombapedi.exe

C:\Windows\system32\Ombapedi.exe

C:\Windows\SysWOW64\Ofjfhk32.exe

C:\Windows\system32\Ofjfhk32.exe

C:\Windows\SysWOW64\Okgnab32.exe

C:\Windows\system32\Okgnab32.exe

C:\Windows\SysWOW64\Ocnfbo32.exe

C:\Windows\system32\Ocnfbo32.exe

C:\Windows\SysWOW64\Omfkke32.exe

C:\Windows\system32\Omfkke32.exe

C:\Windows\SysWOW64\Onhgbmfb.exe

C:\Windows\system32\Onhgbmfb.exe

C:\Windows\SysWOW64\Pgplkb32.exe

C:\Windows\system32\Pgplkb32.exe

C:\Windows\SysWOW64\Pnjdhmdo.exe

C:\Windows\system32\Pnjdhmdo.exe

C:\Windows\SysWOW64\Pgbhabjp.exe

C:\Windows\system32\Pgbhabjp.exe

C:\Windows\SysWOW64\Pbhmnkjf.exe

C:\Windows\system32\Pbhmnkjf.exe

C:\Windows\SysWOW64\Pkpagq32.exe

C:\Windows\system32\Pkpagq32.exe

C:\Windows\SysWOW64\Pamiog32.exe

C:\Windows\system32\Pamiog32.exe

C:\Windows\SysWOW64\Pjenhm32.exe

C:\Windows\system32\Pjenhm32.exe

C:\Windows\SysWOW64\Pjhknm32.exe

C:\Windows\system32\Pjhknm32.exe

C:\Windows\SysWOW64\Qjjgclai.exe

C:\Windows\system32\Qjjgclai.exe

C:\Windows\SysWOW64\Qfahhm32.exe

C:\Windows\system32\Qfahhm32.exe

C:\Windows\SysWOW64\Afcenm32.exe

C:\Windows\system32\Afcenm32.exe

C:\Windows\SysWOW64\Anojbobe.exe

C:\Windows\system32\Anojbobe.exe

C:\Windows\SysWOW64\Aidnohbk.exe

C:\Windows\system32\Aidnohbk.exe

C:\Windows\SysWOW64\Anafhopc.exe

C:\Windows\system32\Anafhopc.exe

C:\Windows\SysWOW64\Ahikqd32.exe

C:\Windows\system32\Ahikqd32.exe

C:\Windows\SysWOW64\Bpiipf32.exe

C:\Windows\system32\Bpiipf32.exe

C:\Windows\SysWOW64\Biamilfj.exe

C:\Windows\system32\Biamilfj.exe

C:\Windows\SysWOW64\Behnnm32.exe

C:\Windows\system32\Behnnm32.exe

C:\Windows\SysWOW64\Bblogakg.exe

C:\Windows\system32\Bblogakg.exe

C:\Windows\SysWOW64\Bldcpf32.exe

C:\Windows\system32\Bldcpf32.exe

C:\Windows\SysWOW64\Bhkdeggl.exe

C:\Windows\system32\Bhkdeggl.exe

C:\Windows\SysWOW64\Coelaaoi.exe

C:\Windows\system32\Coelaaoi.exe

C:\Windows\SysWOW64\Cdbdjhmp.exe

C:\Windows\system32\Cdbdjhmp.exe

C:\Windows\SysWOW64\Cohigamf.exe

C:\Windows\system32\Cohigamf.exe

C:\Windows\SysWOW64\Ckoilb32.exe

C:\Windows\system32\Ckoilb32.exe

C:\Windows\SysWOW64\Chbjffad.exe

C:\Windows\system32\Chbjffad.exe

C:\Windows\SysWOW64\Caknol32.exe

C:\Windows\system32\Caknol32.exe

C:\Windows\SysWOW64\Cjfccn32.exe

C:\Windows\system32\Cjfccn32.exe

C:\Windows\SysWOW64\Dgjclbdi.exe

C:\Windows\system32\Dgjclbdi.exe

C:\Windows\SysWOW64\Dlgldibq.exe

C:\Windows\system32\Dlgldibq.exe

C:\Windows\SysWOW64\Dcadac32.exe

C:\Windows\system32\Dcadac32.exe

C:\Windows\SysWOW64\Dpeekh32.exe

C:\Windows\system32\Dpeekh32.exe

C:\Windows\SysWOW64\Dfamcogo.exe

C:\Windows\system32\Dfamcogo.exe

C:\Windows\SysWOW64\Dbhnhp32.exe

C:\Windows\system32\Dbhnhp32.exe

C:\Windows\SysWOW64\Dlnbeh32.exe

C:\Windows\system32\Dlnbeh32.exe

C:\Windows\SysWOW64\Dfffnn32.exe

C:\Windows\system32\Dfffnn32.exe

C:\Windows\SysWOW64\Dookgcij.exe

C:\Windows\system32\Dookgcij.exe

C:\Windows\SysWOW64\Ebmgcohn.exe

C:\Windows\system32\Ebmgcohn.exe

C:\Windows\SysWOW64\Egjpkffe.exe

C:\Windows\system32\Egjpkffe.exe

C:\Windows\SysWOW64\Egllae32.exe

C:\Windows\system32\Egllae32.exe

C:\Windows\SysWOW64\Enfenplo.exe

C:\Windows\system32\Enfenplo.exe

C:\Windows\SysWOW64\Efaibbij.exe

C:\Windows\system32\Efaibbij.exe

C:\Windows\SysWOW64\Eqgnokip.exe

C:\Windows\system32\Eqgnokip.exe

C:\Windows\SysWOW64\Ejobhppq.exe

C:\Windows\system32\Ejobhppq.exe

C:\Windows\SysWOW64\Eqijej32.exe

C:\Windows\system32\Eqijej32.exe

C:\Windows\SysWOW64\Fjaonpnn.exe

C:\Windows\system32\Fjaonpnn.exe

C:\Windows\SysWOW64\Fkckeh32.exe

C:\Windows\system32\Fkckeh32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 140

Network

N/A

Files

memory/2200-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2200-6-0x0000000000300000-0x0000000000334000-memory.dmp

\Windows\SysWOW64\Jbnhng32.exe

MD5 4bc0b05a9186422f271c8ed5487388ea
SHA1 f37b9e70645f1fd3003c142e856456c126c006d4
SHA256 fd18bcffea6b10ee97ff38ea2381e5c25cafe4403fa32b189b45b7a210338909
SHA512 330fd9a26bd565bcad4c4faeefed70efbda2bc637536a0f978810674e2aeb9fdd3f9e988003c80643a22f101761ebc4d7f3b0438d10b70ef409d0bd44c2284eb

\Windows\SysWOW64\Kgnnln32.exe

MD5 f7c82ace3c1fbac11004a13cf158806e
SHA1 88c0b45f16c2b9a24139d8bd8bc496da164ff2b3
SHA256 30b154e6fdc0df6298813a3ac2f203f547058e3a7e02c1b5e8c8a0c5a593d70c
SHA512 8c1140b13eab73800a7d4b0aeec68a5d3ab8c2a3b6f61721f6caf564fda35a7b50ab9f164fb052ace087c6ae50e8ee8f61521c8949f518589b2a948f43c38e78

C:\Windows\SysWOW64\Kmjfdejp.exe

MD5 31e4dad28276293b159fea97e11ceec8
SHA1 d1f42326750211bc27dc4455f07537bbc4b9e434
SHA256 3b2d50e55e810e90a2f61d81e14388a83ab8953c044084f034f9e450f3b1556d
SHA512 1df68e18f976306de1466828e5c846b0136f2541e9df2fff37f2878652c2816fbc223c299b527abd992e07c8a76daa66bc907beaf5c2de25c2804219b9519f03

memory/2200-18-0x0000000000300000-0x0000000000334000-memory.dmp

memory/2368-26-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lhpfqama.exe

MD5 ad55b10c71204b7c33d79fd88b3161bc
SHA1 1bd2fb62391a4c4168f12cac786323db0fed87df
SHA256 141629e72de299f777e69ac8991261664fcb40f34a5f25bd05290c35b0845650
SHA512 b1f7fc66e64c8168fc23192907b1cb771a3d8def7e97c622311dbfe405d54f4df1ec19c9289088a5bae58d16bc345d6188275e436ec6203dd9deaa8236eab4ff

C:\Windows\SysWOW64\Kjnfniii.exe

MD5 cc16f0862e7fe6186e7cf1ba77775c5f
SHA1 9a89d4bbad919f999a2aba0be1e97e0101942e63
SHA256 e790138e1133916b5e610b82c65c911c02e376d3a4807537960fd94f2ffdd72d
SHA512 c2146a4b8c69dd7603fce5f8f4933d336e8b45cafd2e9d5b085889273f4543a1a18df2fe8af0ec5bdb097011e1066c14ed95d589f93b1cb2c1196888cc3e37ca

C:\Windows\SysWOW64\Aefbii32.dll

MD5 0fa77a000dc98ac1b8e4d464ec4ec005
SHA1 3f9c17d40e74a76ee427042e35e85b734b37bc13
SHA256 a647bff7a1fbc12b83034d051948558e373fa4112a6f5f1e71796f435fcbb51a
SHA512 00d53242dd48d1d93b8a17e5a6b1c071b8a559e1672589313c8032466051edb67c5f19162c1be9a6f10550b7d22fd89bfd8ccf54a4517926aef7c3545fc54c48

memory/1744-50-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Lojomkdn.exe

MD5 4f6c9991f74bd2d078c094f6e956fd98
SHA1 ae73c7ab0366f7aeaed86184b541ea2e92543418
SHA256 83e388fc5b8854508178a902573c0fefaef28778ebeacdad7cf083f7879c5d0a
SHA512 e9dbfc5b8ef328c29d22783610b160f5f464f0b4c3e1211123a5905510064a64d5ef48c12508a374f4913893676970dc73158413f4c847ba9be32d5c2f68d44e

memory/2536-75-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2808-83-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2808-84-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2808-82-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Mdmmfa32.exe

MD5 f789633d2978d92867032bfa9ce1c4a5
SHA1 f34dd7dcd6f221c6a6ff1354ff22d35c50ed134a
SHA256 4ca144b39e66b8891ec26af6f1613eb5a62cc996a7e116c9c419f8524f68e33b
SHA512 87d134cbc5651d397abbc8e6e60b73b14e7e480c2f81e9ee871bfb717de6a8410b7606bdd826236b1e7f51806a69e92ad5ca253abbc51d9ab46af36d5b69ceb7

memory/2632-85-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2940-94-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1060-88-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nefpnhlc.exe

MD5 4c28b22134c82ba60134d06764dc52d3
SHA1 c8d120a63a7957b9a70787efb27b7c545bd720dc
SHA256 3ce4098bde3663d92782c6ed17c13f327ff414cab4a5f979d6bc36301c031c7e
SHA512 d7def3bf06842485f5f94c542ba517cf8ad08a1e1bf748a5cd5257080613d7b5c1ac677a7261161b17723897a77a10fb041b89f58782d9ddfb1635bda3e3031e

C:\Windows\SysWOW64\Ndkmpe32.exe

MD5 678e50fd76ee7ddfb172ad78b0acbed0
SHA1 978d6c99ff80ebdbecac176721aa854ef6a697a4
SHA256 99959e536909c5ed76633a547f1beb46a3e2744cbf0fb2b184665ca20ed6d283
SHA512 b3d56508101765a7a1f11802b774529da7acfbd3f385fd085dd6987a576326a587d1046ff845e344d7d3c683338eb573b0ba4b8a6f88d9b33b8e30eba4e7fa19

C:\Windows\SysWOW64\Noqamn32.exe

MD5 0f1893e0f11f123a7b46879d2b775c14
SHA1 b6396eb6ad430c11809d9f49b9853cb8d0e6c7c7
SHA256 c12a2225457336180a7c7e77e51d981e9ef5f931fc6c9842db87dec2719b11c9
SHA512 cfb0a807614671dbbad7a2a06a1e8a135466caa86c55897c749a11423f9f8e58a48acf4ef6623db8775e42735a3a11ba598121738c9256f98d885325aeb50a36

C:\Windows\SysWOW64\Nejiih32.exe

MD5 77fc889f5af773a84b0506e0adad17fe
SHA1 53cb4a494947c034e479e1693c548768621342ae
SHA256 00d964e54a7212ca32d96c7bde82164b609feb757d7e099080f47d0fd8c524ac
SHA512 c67a561b716a05cc743cd8cdf7f57d4cf641e677c2590d5fe2c23d8f1ed37b8b37a5cb43840e9ba519113e201b4dc2f716575d9900b4d98c7e31b1e9874c5aca

C:\Windows\SysWOW64\Nkgbbo32.exe

MD5 1da8a44abc8fdf7ca278b6dfcb45f110
SHA1 0a4cdba69b666707d8a27f91064f23bd90800a57
SHA256 f66e17f90d104f66990da6fcbba39cc80bf634cd31579b78821d345381b386e6
SHA512 6d0c10e4daa562c35b6b94bce3d884c1929fa29962b902c5a665d0931e40ffa1a0f0b0abdb928392c303e4b4949c3990b2535e47eb73905253e14963fbb3a688

\Windows\SysWOW64\Ngpolo32.exe

MD5 f34ea18f05de6b71cf6bc1e8c9905b61
SHA1 76115d54f5a9edf053334fcce1a224091c8c8a38
SHA256 171e914e789420fa58c4d2f788417dc3ba2b998a416b95974a7170282c51912c
SHA512 288dade6556b7d6c206c813269b85c7865ef2385b42f2abc35502f15a327e0cf61241ff7a423066841e42adb85de10afacc594aba49b87f3ad8d47c731caae8e

C:\Windows\SysWOW64\Oqideepg.exe

MD5 7d118c7f6d7917bec6d19ea5a5f228a0
SHA1 8f62c799f482ec4e9a1553d073af44cd65e062b0
SHA256 6935e5aae85232c11cd971c3ee8d4a1930e755d1b0a09bd7466623f9cc1dfa9a
SHA512 974399c146f4135f0c8ddbd5e294f29418c72cd6c867de1c362de56bdb51e5c3347f978bd8f43c47ccc375b915f7758a70b7999af403ed1162a6157b648cd75a

C:\Windows\SysWOW64\Okgnab32.exe

MD5 2ca4ae2de2d92134b4488d5927026bca
SHA1 3c4c5d7bb7d259c35f6f0b186ab07294e3d373e9
SHA256 97499775e48b26456ae9e45102e5cbf88ba6ba2c4664f85e519e44346c96a3e2
SHA512 a9c251dd9a42e03f0256f2811000519b5ee3d7729f54453e67da05c2d1cc55eab42da7da9889d0deca5a53de16ec32a81c1db4eeec6dacb851f92de1434e59ad

C:\Windows\SysWOW64\Pbhmnkjf.exe

MD5 b610d1ca4bfe62a017412457564e9892
SHA1 defdf2a8ca504d82bc1625f6f57bcc344d24f1ea
SHA256 5e8a7236bf651d972c247a9903143443724c227c6fba45bf5cb7ecbd3dfec868
SHA512 b7072a898a517bb4da76db06da82ad6c91f376ca7381ea144c08f8e3fe25d0ccd27c56c5a3f18c258ed0988432fbb9c316fee822d98c2abbe2d732e5ddb5a08c

C:\Windows\SysWOW64\Anafhopc.exe

MD5 416d8ab7fddad8aaa965dd353b7fdf83
SHA1 447f068696c8b5f585adba6a37caf30ada07cca2
SHA256 42cd61cad2b92735123d39ff416ad38fa9c0f398b09ec4aaceb18a71e50c02d0
SHA512 2a7222ee6972e8a83dff16ee14db1229489f633a9b7f40ca00b5914c7ae0e82c771ad3adfe68c5a7ede955976ac0caa07a635b120143def318084656c00137c0

C:\Windows\SysWOW64\Ahikqd32.exe

MD5 fd715fbb704c9f72476e3886b03edbcb
SHA1 18b4a3f4fb4e8b8e875409fe855d9dfa4026d113
SHA256 66944ce261e34b4ca08b2557b38438f60017dd45d140972360822c741b4c030b
SHA512 1ba5f96a28d3359895c4a661b1f279d19353238193d67732677cd8a373dd45cdad6e3313eb5dc15c3aa4a7d22608ccd52ada154aa521bc789a1825e1b103fd7c

C:\Windows\SysWOW64\Behnnm32.exe

MD5 06a1176cb8582203e15c6595b1357d58
SHA1 b306269a1ec59dca1313f101a8f40d83fd41e6e6
SHA256 55b2f8f4c0389f803c8a1b3ba386a20ce11e27413b6c593562a0c50fa2fdb7d6
SHA512 75d34ba335b22f9f618791bbd5d3821c52ac9fe9cef13c16f00e5f7bb2c7c04e3a30aecfea6b06515c04d45deac10f8ac4cf8b3278486627dbb63a71959bd9fe

C:\Windows\SysWOW64\Bhkdeggl.exe

MD5 3a491931f56967c1138cc5f535fe5bf5
SHA1 31131220f2a69def8aa6ab0d848725062025f6f8
SHA256 99a382887de56fe0bf36cb7045825fe90d5cd32bfc26bf68c5f3b11500856dae
SHA512 7cef7bcf8ccb60eaf8fa42f1e40f994db964bfc18735484403aeb2030db3c0891b6a432615b7669ddf048cd3f1c797430dd8e05ee35d685c028e13ff7ba6e01f

C:\Windows\SysWOW64\Cohigamf.exe

MD5 6fb8b92409e28195c1ee278acecbdf41
SHA1 2ab5a33559aa25fbf6b0f9dbacca3cd42f9be42f
SHA256 d44736880eda2dfe38560c6c8add2ba8f92604644d046661f51a1c5dbc401d71
SHA512 0c81fbc82a7a102ee011c9409060ce84a6c810b407e7567ee9a64900023e5ab664e839cd660571052ee4cc193dbf1f315c8b62fe411ffa23288e385fc1352b5d

C:\Windows\SysWOW64\Caknol32.exe

MD5 093bbe03977f2b7ab26ede40ed34be9b
SHA1 780b1f01771dbf236f63a31fc35b5a4cc8019d25
SHA256 44c502153b2db49e24636220412fd7ab18eaadf85636536d847006d3a77e5b14
SHA512 1b61b73968a83a4cfd52cfb7955eea1d198709891213534a1b2ccc08a35b667ef89b60d8249c6716a0dc2b323147e4ee0171d658e122e3aaa68e7520762799f4

C:\Windows\SysWOW64\Dlgldibq.exe

MD5 ec46cc68174da16fd2cab038dee6901c
SHA1 f4d482a6acc08a62cad8ec17e889fdec2265fe65
SHA256 5ffe04fcd4a5be2b790d40dc54136595713e0b41b7d6cdd7ee48c8c4fba8b4b5
SHA512 91cd1bd90d1fdd487891a5ed102f1b2aaaed74bacded41d360f9a7f8dd51ab23778afaed4f9426937164c45d40d54cc1b07bc7c106bf2a0991c00f27e17fcd07

C:\Windows\SysWOW64\Dcadac32.exe

MD5 908d0428cabcc0746b23e5c8d09c0073
SHA1 3390da28145f3015726a2d314630b68a72007d84
SHA256 e993620b30d2887f6a22c4c93731ac9fd4bbdd1f26afbb692f0cd22fb0184bff
SHA512 0159be149ca8d3cd20a8cf226810f02f833e657484c7d6c12c4493dd6e6eb108dc50dc5f3bc1ce51f9effdae65ca74764b22fb9fed6c1d4ba7da24df0059bff0

C:\Windows\SysWOW64\Dfamcogo.exe

MD5 3c682c1bd2a5cd5f57681b9a098babc3
SHA1 febda1b375eefbeeed8568dead43e06879223ec1
SHA256 64da6adaa7b95453f22b786d3b8874813f33eaa69de4632af09971e572ce5cb3
SHA512 149df970e564edfbe40419727dcb5587d43157937d8312f9e2aa6fcc0f5a36f79c31427df707c45d9a62f92ca1410882220d610c9d211497568812ed71f22f96

C:\Windows\SysWOW64\Dbhnhp32.exe

MD5 7b6ae4022bc8ead6145c1607cebed913
SHA1 dea49c449adccf45a124b82f29a415865d52809e
SHA256 deb9e33af6644f498254c1501c3890e2627b63be74a943d1ae89f7b8a6b88eb2
SHA512 8fb2518cd7e092887026b10cf92d0a0f781b457d479d908f0fb043ef0a2152a60e6bb9cc9b1c72a451fe7e2dfe8dd564c32d2fec6527a3c3c2e6cd933ba451d5

C:\Windows\SysWOW64\Dlnbeh32.exe

MD5 136ba3263dc19ffd965be9c981d292d7
SHA1 fa23a8e6a9c4f807689bcb188f76eecb3567eeeb
SHA256 88b46dc9d79fe97a20414f10eb559f701b07c6c6597f336157e6fd21eb253b8f
SHA512 349a5abd0d590643013139be84e056166bf7f34fd7e2b22a79eeb46739e4d18ab0e91a12d9af3d5b8816a40bb3658ded1a112db5b5490317ebe5d09b5bb227b5

C:\Windows\SysWOW64\Dookgcij.exe

MD5 5ec6d0d430a775eb770e34bd621f502d
SHA1 63cdcc38bef517e4e25e67901dbb983191d133b6
SHA256 454e86a4b556a8d16dc9f725dcbd4928aafb8ef3c9ef1276334d0f4f2c21890c
SHA512 59c8e5512d08b584c6262f817617b71ea8f49cedcc092e2910c00890bea09c2a62b94d4263a643c37a4cf5d6a046ed070b07f25a8348839de49704a8d4b47bba

C:\Windows\SysWOW64\Ebmgcohn.exe

MD5 e54984c4f14bbb10a94a3b221c8faf54
SHA1 66d51e351effac00d796ee4cb48ca700cbfb0102
SHA256 23db1973b18a895a239a489adc212c017b8db5aaaf6de9b32ebdf0c11ef8ee34
SHA512 851cbe35cb0a4c3e9ce21f7d93456c43956b8258c414ff8e6813daca67e24d2c5a810f59d99e7c3ca406674b2ed4b080df66feca7f7265245fbd494ea46e4e0d

C:\Windows\SysWOW64\Egjpkffe.exe

MD5 a1a62324ba93de6a813f903e18b0e7ba
SHA1 85c5b8401575bf82ecc7274cda4e281f26d60bfc
SHA256 b53fd5aba75ada2b084d3671340f5707fcaa561e953732bf7fbb94f048711a4d
SHA512 e1b3f230b7c4d865fcd48b44f3e535e495e515a787265b93f86250212f29d6c1a7b668197d8f0fdeaf74f0b37a2d2b0c36abd3ad5a8de5f72b50ad528a6519c8

C:\Windows\SysWOW64\Egllae32.exe

MD5 457351d713af2c9930381e12546703c6
SHA1 42179b4c7751a5ba1983ac0f3dc54ca826dca559
SHA256 e15e511bfb73dd5e5e803290278f3268d4c8c3d266174de32d5db13d5a1c327b
SHA512 54a58c753e5225447168ca4a968c67a19b2ab28e7a80d179e6bd1954aa1c30a624e2087a75c157c48f7c419bf5522a16cad67051cf1ca83f2eb6ab848cdaf7b3

C:\Windows\SysWOW64\Enfenplo.exe

MD5 bdab4610a981c877e0b6e8a855501882
SHA1 3dc77539e65e903345d6bc7ec232aee2b4bbbd55
SHA256 fa1b82b05c4dc970fed90bef47ad4d45867e703a558f1be5c21e999a6ab97410
SHA512 a348a0d23e132f6828718530688022d6920038a0d1cd03b6b8a2cb62be62f4c32ffbc4776cdbebae07350db84150feeb129942ab4b495721c5a50e0ed562d460

C:\Windows\SysWOW64\Efaibbij.exe

MD5 2e002dd7b9eee6b9f6fb234b14bc6e85
SHA1 fe99f664d6b57b28a329469545f7ce130750cfbb
SHA256 f2332dedac11dfe1b2335dad40b7bb801b8d18f7175f1f7725d735a5a66778a2
SHA512 91539db124c9ec9c44429e7b3ee397512a565dddea4a95db250b90e3c721db4b6125e547105c198b3f6b55c58a7f5cd27429257ee664db211207d8f22a8ffeb0

C:\Windows\SysWOW64\Ejobhppq.exe

MD5 6b143258e7d7f302fa4c542381dde3e8
SHA1 779210abea9ca8c110803a2f06ed1328c1fa82e6
SHA256 68b4d6adee55a7071ee06b85e221bf2c29be3858561b8276808b6d6374b38e5b
SHA512 3188217a12f5c85e92a87bb4d286fbb00df31bee7f14918ff2cef2595dbcf7161120e9d76ac63d86598dc8357bdec3c84f6a099fc89c7efa9c9b0c9fd7ea36e1

C:\Windows\SysWOW64\Fjaonpnn.exe

MD5 b01f14574044153fba5ec6a632db9d26
SHA1 bbc62a8c76809d1704283a0403b7b73a6563ef88
SHA256 8d617f61a8939bfbf2d76b3670eb00090d5c85002fa95e8c89e8d585812821e6
SHA512 2a5ec7629c78e70b0d0dc4fb16dc30bb78f88bdbbcf5d89b9599f47b9c6938df367482c2e949a7e7dd3da4b2e3be66bb10193107ecb80892a6509b85c2c99d67

C:\Windows\SysWOW64\Eqijej32.exe

MD5 120b62733553bcc3a862afd6458c3c4b
SHA1 ca54691c70eb85ad47acc43bf477adc4a8fce689
SHA256 86533b884d6c5c8cb2d4740b4a43fc0f137073511e9cec5e44b115de0a3ee4c9
SHA512 50ce45604354fbea27dc5756c52d4ebe16b473773ea0f33998711a9d6944ba8acb9b6ab763397aa4e48af53dc56b1c72e4edfa1cb67db818c848f7f973ced308

C:\Windows\SysWOW64\Fkckeh32.exe

MD5 82dc3ab19bc38b114ca9e10d9a969841
SHA1 5a2bf18604f49ab38fa6d5c6052bb3335b78b327
SHA256 0f096858ee34bfdf9d6f1aa69eadc4cdcda71e4e86f8696d49448f3173e28c80
SHA512 b4e840cf2b9dc13cf63b3d9cb6d7035109cea317e03ffbad51532035e2fd318020757c2693d944e2f01fc08e0169e4ef9954e707ef7bc211ee48c5996ebd08d4

C:\Windows\SysWOW64\Eqgnokip.exe

MD5 9a3ce5264ace2a2b6a348c2670234159
SHA1 197279257b767002614dd890a2a65ed347ea619b
SHA256 6a37cc88f1e0dcf9608d536c899b97fcfedd77272ccd2a9d25cf42b0feacad5c
SHA512 3025a0ec7847f45339868adec27a9d95be5977a891aa438bafbb917911ee91ba98a5c70db9ad753d4972621190ee6942f7a7c26961b5a537328bbbf5ffcf48bb

C:\Windows\SysWOW64\Dfffnn32.exe

MD5 fa953109a984d0543c9276d2484b0b31
SHA1 baf75461990f48f7ee953cde4162c3801f0fd434
SHA256 c2ae0d2bc431b283c84855c83a0a92e34cc9cfdfce59bdeef67f8dff4053e786
SHA512 72bccd0e455429a781a0e708f1458e44f559e251360d9c9a5836e02b652e609f021832048478d824e6c73a6008db063126700cd3b981c892facb5227520aa238

C:\Windows\SysWOW64\Dpeekh32.exe

MD5 9d055ef71e15dff71cee7a7ff6830d08
SHA1 32b58a99c88be02e65c0375d21c7b8b72e3dff35
SHA256 4739a1e306ac3e3f34381e702e25c5fa675c1deff122d944e72214bcf1cc4c47
SHA512 45eea5befa3143869a46357b888caa76fe7f72ef9e46e2389d0e14f1b8db46368bdb6e8c1993b184b9756dc8af750b297d439cf021f46dcedd19815fa58db22d

C:\Windows\SysWOW64\Dgjclbdi.exe

MD5 2ff4bde3253d46beeab293f2346a6f96
SHA1 eeb216db51b717a9f466218da702a7394a675810
SHA256 88399d6d45dd64d6098977b27fda5c2de1f77044029e18d724cbbfeb2ffd723d
SHA512 42f4da8a3225bc7cdd12d1291d4e940d5eb6f19eb93ea52e3e4037aec28fc19f98d5bf1df4e31e5f99b64e87456198a131fd8d4b5bef4e8691293b689ff6aad3

C:\Windows\SysWOW64\Cjfccn32.exe

MD5 bb85b58945121718d9f87939baa98b8e
SHA1 afa451f7c3e3130e5ad68bce94101dedfb60fb75
SHA256 add60adb2731c5fab2f2c051e87b33a8d43840d59f133b183fa29b1a16870139
SHA512 1ac6751273af7ca54e1f7e496c451a06b151436daa67cfc204cc3daa63e805cf2cae700452d12dbb1b6a955cc75e7a9d5324254c8251e87f5a6ab345d1b12b57

C:\Windows\SysWOW64\Chbjffad.exe

MD5 bb7e66d99ff32da33542654a6c305b71
SHA1 e4c3aafc63228680740256c4b574949e409b2f15
SHA256 ce17107137d9ef97c0fe9e7f1983333c29888dd9476adc43513b5c64fe527238
SHA512 c0f29a43921c9a4dda494c581eed2010203573c64d673d18b0682d0d7176c7d4b72c5cc57847d86f63c9eeadfdd5fa06b9aa063670cd6f347448c264bbba5621

C:\Windows\SysWOW64\Ckoilb32.exe

MD5 7b3a69a34f813ae76639b83d596fcbff
SHA1 d3be124ae97042d8bce2e946006566356076cabc
SHA256 9b34bb5c286f9205cf5dcd2ce7932a6e959a723e9397492c1902442da271a6d4
SHA512 ce69820adca3fff655b869885a009a6961c66de504f8e2d3e3258b27caabba1d01184d80c4651c5986df52967d55ad9ef7a6d3fae72e4db35188021c989a4264

C:\Windows\SysWOW64\Cdbdjhmp.exe

MD5 33407d9f3e504dc5edab32396ac68dac
SHA1 3d4d013f265fa9b4534fa78274226b6e049f0e08
SHA256 cc1a46d112d5948f289460213b60299562c57cb6565beb4c16cab9cda8468904
SHA512 d57ad15c45c6b83f892d8e4d9599649a4dc922dfc6545dba0fbc1c88c1aa30d601de730d97e43ca881f798297a74cc608950587f891c502729d9ecf57e227e10

C:\Windows\SysWOW64\Coelaaoi.exe

MD5 593a754ae0e9b9e2ab359d4c208db322
SHA1 f39b669ea865cc94528a486083f0320ae9b3382b
SHA256 1b52e5d284bdaf672c9ec07216a99d9eb169b8001ca1fdd642fb72ac862e781f
SHA512 193c78af397f8cfebb9b158a0cf602fbb81b06ac257abc4577bc42ebeca7c1a8b22fc51f6fc728e1f7ebb3a27dcf4281e9b57989b9924f0d05be6c0a8e33b527

C:\Windows\SysWOW64\Bldcpf32.exe

MD5 2d6e5e2d7cc7f5f5054c3907ff45abe7
SHA1 2e0bdc4fb75ba667c067d01a92209486cc1a57c3
SHA256 62efa62e938bf015a996ab012e232f6b27cd0e848745f689f0e34c68d26ee3d5
SHA512 0e80c5e0d2d331d6045f0a8b23b73bbac0de384ae495cc67e747af46a589baa7561be432e56dd39bb1b1035c33113f7f5c0bb662a8b2fe6863ac68a8b00de2b9

C:\Windows\SysWOW64\Bblogakg.exe

MD5 1860a6523d35c55ef28489383da48f3b
SHA1 14a327af97fb41f3aa7cf86eb1b7636355be7274
SHA256 7a3098b3e95aba629ecbb83a1f8fc8ecdc40ab16a4910ff1efced9c353a6a4ec
SHA512 16dde2fc86fd0ff4add9e92cf35d1969364cd65ff5bb84c9cccc81ce98cc53a4aa6e086eb43f250db98bbd86d8354ec6526f6131deb64b5b11135c913642b6d2

C:\Windows\SysWOW64\Biamilfj.exe

MD5 87ea163bb97a3e62d59e6c57e71f8304
SHA1 8af08fb29bc5c7f6273155eb0a3905846d9c314b
SHA256 dfcbcbf19688bc511d4fcb9e3183f2c623e42b79ebd2e596528d7a8c11f32e79
SHA512 231b857c98cd7b4a7696216c4917e1cddf1c3b1828ad664f9bb1a2b89859edd74833c810a2f160fb7b891a30b8d07aa366df90f3f27be318924d73e346a091e4

C:\Windows\SysWOW64\Bpiipf32.exe

MD5 56aff745b119ba540cdb1fed1c64bb4e
SHA1 3bb9d651fffe58f788472eb1d7cfe30017ffc7b3
SHA256 ff5624dc976437ee3c7a967837ebeb3d0a26b3c115b2ba287a3d5f4c91a0c916
SHA512 0326adf289793f0a0a0f0fae97043b939d2c2d982b39a5ea7cb1aa85d107bc2351af9277291f53666b51aae908c59b9716a87985a7ccf8c204b0a7ea32f71991

C:\Windows\SysWOW64\Aidnohbk.exe

MD5 18f349a17cf03aff4da8c5ae8d585edd
SHA1 3515280519522e7617135aecda02422b6d474566
SHA256 6e9d3bace0d0d2c2e3802850b2ce2b30bb078bd94e75e6a857322155e10a95e9
SHA512 9fe8afd989bedffcb3fdb4dfe4b028fd66cb77500234d1f9839212a21b0df59bfa73dc9022756449446df3835283b8c68c083380f84f03e96cc25b17e71cc29c

C:\Windows\SysWOW64\Anojbobe.exe

MD5 d03ceffbfec56601e8ebea62483cb2a9
SHA1 d0ce85e9efa58b953dbb220a7b57d90c9af5564a
SHA256 d99de01ef97d2e9fa1641c81263245b7c5b14b0b32c0da3fe2bd049279cf4149
SHA512 f451de1715fdb4ca370a9ae8fd0b4d7dbb213e32cc0a86213960a1a5c9c50299af45b539ab101ffd86d3f74d65c311100d7882fa008160a078f19ae14e9cf0ce

C:\Windows\SysWOW64\Afcenm32.exe

MD5 63afa441cbc8378ed7048a941b28257a
SHA1 2c62760ee4c6441b63e35ad5f37cbe7d2f41930d
SHA256 c20c3cfbdbd105434e6d71a72f9688c22827bdeac66e84538ec1111640804b69
SHA512 cffe724f0814ce07413890192468a2365f500aef3df4949ecf76b7b928f6bcd525fc31ccba139d3840b40e823f702dfecd77cd3a4f9f36554791dda5fa609556

C:\Windows\SysWOW64\Qfahhm32.exe

MD5 6773d57d92e1a929acaa5bed1c4a7734
SHA1 9ea42c522b08bf965b991f70f992cb8d4e727dd9
SHA256 a68104c7ada24570b42ef122ef8d1537a8309555817067b80dd8564d034396da
SHA512 f7f5de0ec1bc912a36e435a92648f77b60eafbba00b51579ca43fd386fcd7cbab9c1d8da5a8109ea842d59b38ac454f390ff0c0f6922933e1df94c2b20239dc5

C:\Windows\SysWOW64\Qjjgclai.exe

MD5 86092f464de5c45790a4a197fb1fb53d
SHA1 2bf8008a79b45cd5c6a7866fd93a251a7d1b369f
SHA256 20fc508608f51c220f4320787bebd3775eda79344d30902d5416d75036a6cc99
SHA512 ddabcafdcc4733bc476a8ee3803de7b6c9d187e953abf2ac2727a846f9ab65631da46632044efe548b2a0cd4f2e4c41c273089ff2d998d9c25cc7a50643bd78b

C:\Windows\SysWOW64\Pjhknm32.exe

MD5 05470a2aa1bc6f246ea1654d58c5f050
SHA1 fd9a0bc484b0a40d5ccc30c3c001ea24c357754c
SHA256 6ee1481935d173b38e848ab31e048e822b098b42ff1e903399747f1600676e24
SHA512 73c25c86601519a09b07ea290c912e0319e768ea61b59520ad4c8d8848775e0ff86727187684ee38cf30f7faaad27ac44b4383dd20e1685229845bbeff1b467d

C:\Windows\SysWOW64\Pjenhm32.exe

MD5 556a25a2afd6750ebad3ac2c89de1429
SHA1 827e9ba286d8ecb4289ce45d4765f6a3f78e25a4
SHA256 41f711ab88fe21f27647838f8109fda5b0d1e2bbd5696a13dcdedb922e3e60e1
SHA512 65d404e9ccea3dd829ff6e2a5be21674bae97519470a9e9a2ed4f8075dd38759da07caae5d85284f5aed947da1362bd160d790424f7f0d7a2b42e995ea2222f9

C:\Windows\SysWOW64\Pamiog32.exe

MD5 ca6b98178af12f8daeb4d79e2c521fb7
SHA1 fccd3e45a9ed7fa43fe0ba74a4a4d6ddfe3137fc
SHA256 128342a2ef8cd07b453a5622e859c108e037ab3d64acdf5558fc78ef0b97dacc
SHA512 24776b99935de12879e89d213fe8239ef20a8b43ae0ad723c07006bffb7ddcb7fb19aa2aa7c9c18026051795d0d34fc0fcdc12a078a16c73813b75b8119097d6

C:\Windows\SysWOW64\Pkpagq32.exe

MD5 c8106b14f5c96a4269e8167d5d59b4ce
SHA1 10b64030e5eb6e3831855557b9390e2fadc9bd1e
SHA256 6455870a7d65b3028d90720692bd24a59ab4bcc7ee1b1c29ce76355012817698
SHA512 7ae672b948821ddf8002ac9c29ce6f7fc9c6787d5a8f0674dc5a1ddd08461d0ce52ec610c8b1c10f080bb5072bb267aa5c89aced97e68a7c115d0ac107bc2348

C:\Windows\SysWOW64\Pgbhabjp.exe

MD5 1ddf3f6637ec7ce2b3ca74a867800878
SHA1 eda0044a809663f62a68f9bf661bd33a41055f73
SHA256 5031fd657171b2d4fdee3da88656134feac6b577de895f1d24f3aebf3128843e
SHA512 99336a14d78ebc16626d7c4fc818794017e9925efc660ddd756c63566e93e114ac3a55e1ae67b51c99d3889bea4f01d79a856bd8a298d1c52a55761f28a7281e

C:\Windows\SysWOW64\Pnjdhmdo.exe

MD5 6fcb740ae2ddda33b6f2b61f5aed178b
SHA1 20b9bec2d0c423150d7cb5ddf8780560c10b5aed
SHA256 e24814780267c43d36a94d6403f4ee70bf0df562cf8b4f2b2e8a281b4e5c4073
SHA512 bfb39cd52c0ea362b1a7d18e0f710f7d6b223c6f843cc8e550064a50241989fa4bb0a9f5b31b94c62d5660a95e08c62d374e7ba6e999f29d5ce9f7c649dfb927

C:\Windows\SysWOW64\Pgplkb32.exe

MD5 46d44d49cd5cef599800a957a121610d
SHA1 1975ae669b0b2f281bb090398d7cfd68e14c9a74
SHA256 5427a68feb5a3e21f3fce19af99feba6ffde1a1c1dce6e6e4413bdfe18671edd
SHA512 592604c030f829a03c03256040b0adb73f5bf4d4017738b6547d17532d6a3f4a21a4acbdc93d802cefa789cc149bf7d8a4287c0556410f2f8cc29ca5197c4765

C:\Windows\SysWOW64\Onhgbmfb.exe

MD5 68691f02b631084616818b2688839e55
SHA1 14ba785fff34fe021b3e450685859d12ec36bf12
SHA256 8ae841c01baddf3ec2dd6a31654ec04f5fb91eeb66cdac702b0d045b31c6e9f6
SHA512 f9015e98c4f7828b3c2cd0dd6585a15c51b75d8acd8cff032507f10ea883171dd0ddfd7d7197d09388ef863b726f6b6028e9dcf53aa88041d57e418ab454e86a

C:\Windows\SysWOW64\Omfkke32.exe

MD5 830fb023be6fc262aaa103cd8e82a018
SHA1 a89c7f167576f4502d7f823532add62782af88b5
SHA256 ad0f6ca25137c73b298603059f3392b80234a4dcc190f3eba137e90b6d631bd4
SHA512 4ec4e77d43a493183dbca70cd72efbe35e2adab6c2fe9d7e6c20ee52d291d37dbfd82e50234a836ba31f444dafbd7438e68d732be4a23606f494c7e7b0254dcb

C:\Windows\SysWOW64\Ocnfbo32.exe

MD5 40d5d43dd372cbb661e0d92b2072be86
SHA1 f5b6e6322d8cdfaf2de271acbb86d311274d76a2
SHA256 3a3f79beae20f006f134db7ce981dc2d9d7057a1b89b76c1d4fe256c1eb31bf8
SHA512 f4e178a9ba6556738fad18d483cdfcc5d8ce5e8caceffa42e3b058bde815ed880d4f34b2b8f1e079aff1d4e8ef8f074318742bcafdd5599c015e0669546e795c

C:\Windows\SysWOW64\Ofjfhk32.exe

MD5 7e6695dafeb3d71a414c13458bfd090b
SHA1 d5c5fc1a92aed88e52bbfb2cc96df8ac25a34359
SHA256 02d922b95fb301c00fe2939aa84cc6327c01a7d3302459158d680586553437dd
SHA512 7259c19f1bbceb64be88cd09f8eba78e2c71456c64799539dde5d6bb6be26262a6a7fd45139e43fb6dabe3e892e45329b39f2bc0edf81dc2cc369dca72682748

C:\Windows\SysWOW64\Ombapedi.exe

MD5 28b263ea0a712bcee8b1472de1a8e86a
SHA1 18e35e8d6f4aab631e35fe4e0818d1be31159098
SHA256 89b91686e7c9aca4372a22d39bdf582b2ab4ae04b085bd6e4ec0bd3e607bcdf1
SHA512 a6919d37f4e11d585fa62172c43ef02c41204a455139eea0de12afc11e5e242cab6aa18bb6235ea2fade56451b13581c7e751d7bd3c54d728f0610c3bcc2bcda

C:\Windows\SysWOW64\Ojahnj32.exe

MD5 9b57d5f0419bab9278dd284ef18f2c7f
SHA1 02bf17f17040335da0be389abb13d7238231c2ba
SHA256 309e04d25e6f02ee83fc2df1b1dbfcf2476dec25059dc78e96e23fbf5e21629b
SHA512 8bb759f0fffb11107197dabff23bc02701c83f2402c40ae4a8da8f1ec9b1b752a480759cb5deb5d151e818df0d56a0fc8886db2bdbc6299f8c49f1845d44936a

C:\Windows\SysWOW64\Nnhkcj32.exe

MD5 ae5c1e0adc77d28b973bfd3ae823daf1
SHA1 7efdb3876c2beecffe81f08287863d1f30aadb6b
SHA256 d36e5e14793ec643bf3811316e8d40d275d01b15dd0a2609aaef6451fb08cb26
SHA512 5aef36d090678044d1e369eace9aa0c4ead5ab4a10ca926d2848374c2fd2a755635b5f940b3f894aa006ae8792971558e5d3cc7aff7326711d3863da4f270205

C:\Windows\SysWOW64\Ndpfkdmf.exe

MD5 d1ea63eb7041c67512b5be10a27f0967
SHA1 0ea663ac80d715875f5bdb751cb4d09f282acdf4
SHA256 06f6ce7a5ade7f72623d2de43fe661159464c6015302b77ff6e66bbb40f993c9
SHA512 47a8e1b3a6f1f92c258512a71f20f3ba09eeda1a24a3b10af7012e5aff2f04b8e66d84cdd8657b1c5756e2778205077347fc412825702ef927a4e080c456ca69

memory/2200-636-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2940-643-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1528-644-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2780-645-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1532-646-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2344-647-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2792-648-0x0000000000400000-0x0000000000434000-memory.dmp

memory/560-649-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1356-650-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1752-651-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2260-652-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2280-653-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2380-654-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2896-655-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1152-656-0x0000000000400000-0x0000000000434000-memory.dmp

memory/436-657-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1536-659-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1104-660-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1040-658-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2992-661-0x0000000000400000-0x0000000000434000-memory.dmp

memory/932-662-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2172-663-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2020-664-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1996-665-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1892-666-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1708-667-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1696-668-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2712-669-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2696-670-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2648-671-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2436-672-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2652-673-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2424-674-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2504-675-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-676-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2472-677-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2748-678-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1172-679-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2772-680-0x0000000000400000-0x0000000000434000-memory.dmp

memory/476-681-0x0000000000400000-0x0000000000434000-memory.dmp

memory/860-682-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1168-683-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1424-684-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2316-685-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2332-687-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1812-688-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1904-686-0x0000000000400000-0x0000000000434000-memory.dmp

memory/300-689-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1616-690-0x0000000000400000-0x0000000000434000-memory.dmp

memory/748-691-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1796-692-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2732-693-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1676-694-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2416-695-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2052-696-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1020-697-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2700-698-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2556-699-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1052-701-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2592-704-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2824-707-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2460-709-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2544-708-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2276-711-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:13

Reported

2024-04-07 18:15

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fdnjgmle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hbpgbo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jedeph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ldjhpl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlampmdo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okolkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eaklidoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eaklidoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pgemphmn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfeopj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kipkhdeq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilghlc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ildkgc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ehnglm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fhcpgmjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qjbena32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbifelba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hfqlnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kpbmco32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obfhba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ajiknpjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gdeqhl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ambgef32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqbamo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pcccfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Anbkio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bdolhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Daekdooc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Llemdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pcncpbmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dogogcpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddmhja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gkkojgao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gicinj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Icnpmp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibcmom32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmmjgejj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Npjebj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncihikcg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elppfmoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kmkfhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nphhmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pfhfan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Agjhgngj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nggqoj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oncofm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Acmflf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jlpkba32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iehfdi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifgbnlmj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojhiqefo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dafbne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gdcdbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojaelm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pjmehkqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gomakdcp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ncihikcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Njcpee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbkhfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndidbn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggqoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfmke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndkahnhh.exe N/A
N/A N/A C:\Windows\SysWOW64\Okeieh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojhiqefo.exe N/A
N/A N/A C:\Windows\SysWOW64\Oboaabga.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqbamo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocqnij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogljjiei.exe N/A
N/A N/A C:\Windows\SysWOW64\Okhfjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onfbfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obangb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqdoboli.exe N/A
N/A N/A C:\Windows\SysWOW64\Odpjcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogogoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okjbpglo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojmcld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odbgim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocegdjij.exe N/A
N/A N/A C:\Windows\SysWOW64\Okloegjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojopad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obfhba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqihnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odednmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogcpjhoq.exe N/A
N/A N/A C:\Windows\SysWOW64\Okolkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojalgcnd.exe N/A
N/A N/A C:\Windows\SysWOW64\Obidhaog.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqkdcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odgqdlnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgemphmn.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkaiqf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjdilcla.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnpemb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqnaim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Peimil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pclneicb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkceffcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjffbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbbbabh.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqpnombl.exe N/A
N/A N/A C:\Windows\SysWOW64\Peljol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcojkhap.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkfblfab.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhbgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndohaqe.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbpjhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pengdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcagphom.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgmcqggf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjkombfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnfkma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbbgnpgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Peqcjkfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgopffec.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjlge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnihcq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbddcoei.exe N/A
N/A N/A C:\Windows\SysWOW64\Pagdol32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Enlqgg32.dll C:\Windows\SysWOW64\Hmjdjgjo.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmoahijl.exe C:\Windows\SysWOW64\Ojaelm32.exe N/A
File created C:\Windows\SysWOW64\Bmhnkg32.dll C:\Windows\SysWOW64\Balpgb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Bmbplc32.exe N/A
File created C:\Windows\SysWOW64\Okhfjh32.exe C:\Windows\SysWOW64\Ogljjiei.exe N/A
File created C:\Windows\SysWOW64\Jnmkhg32.dll C:\Windows\SysWOW64\Ojalgcnd.exe N/A
File created C:\Windows\SysWOW64\Pcagphom.exe C:\Windows\SysWOW64\Pengdk32.exe N/A
File created C:\Windows\SysWOW64\Hfqlnm32.exe C:\Windows\SysWOW64\Hofdacke.exe N/A
File created C:\Windows\SysWOW64\Cenahpha.exe C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
File created C:\Windows\SysWOW64\Behbag32.exe C:\Windows\SysWOW64\Bbifelba.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngmgne32.exe C:\Windows\SysWOW64\Ndokbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbaipkbi.exe C:\Windows\SysWOW64\Kpbmco32.exe N/A
File created C:\Windows\SysWOW64\Kimnbd32.exe C:\Windows\SysWOW64\Kpeiioac.exe N/A
File created C:\Windows\SysWOW64\Pnbbbabh.exe C:\Windows\SysWOW64\Pjffbc32.exe N/A
File created C:\Windows\SysWOW64\Bobcpmfc.exe C:\Windows\SysWOW64\Bldgdago.exe N/A
File created C:\Windows\SysWOW64\Icnpmp32.exe C:\Windows\SysWOW64\Ilghlc32.exe N/A
File created C:\Windows\SysWOW64\Gjdlbifk.dll C:\Windows\SysWOW64\Jcgbco32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mchhggno.exe C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
File created C:\Windows\SysWOW64\Pfhfan32.exe C:\Windows\SysWOW64\Pgefeajb.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhkhibmc.exe C:\Windows\SysWOW64\Bdolhc32.exe N/A
File created C:\Windows\SysWOW64\Nghjpm32.dll C:\Windows\SysWOW64\Gododflk.exe N/A
File created C:\Windows\SysWOW64\Choehhlk.dll C:\Windows\SysWOW64\Hecmijim.exe N/A
File created C:\Windows\SysWOW64\Glbandkm.dll C:\Windows\SysWOW64\Bcebhoii.exe N/A
File created C:\Windows\SysWOW64\Kgllfjld.dll C:\Windows\SysWOW64\Pnfkma32.exe N/A
File created C:\Windows\SysWOW64\Ahioknai.dll C:\Windows\SysWOW64\Ndaggimg.exe N/A
File created C:\Windows\SysWOW64\Npmagine.exe C:\Windows\SysWOW64\Nlaegk32.exe N/A
File created C:\Windows\SysWOW64\Cbqlfkmi.exe C:\Windows\SysWOW64\Bkidenlg.exe N/A
File created C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Qnjnnj32.exe N/A
File created C:\Windows\SysWOW64\Gblnkg32.dll C:\Windows\SysWOW64\Bmbplc32.exe N/A
File created C:\Windows\SysWOW64\Ghekjiam.dll C:\Windows\SysWOW64\Cdcoim32.exe N/A
File created C:\Windows\SysWOW64\Nnambi32.dll C:\Windows\SysWOW64\Dafbne32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecmeig32.exe C:\Windows\SysWOW64\Eoaihhlp.exe N/A
File created C:\Windows\SysWOW64\Fhcpgmjf.exe C:\Windows\SysWOW64\Ffddka32.exe N/A
File created C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Fjbnapki.dll C:\Windows\SysWOW64\Pfhfan32.exe N/A
File created C:\Windows\SysWOW64\Alcidkmm.dll C:\Windows\SysWOW64\Djgjlelk.exe N/A
File opened for modification C:\Windows\SysWOW64\Fbnafb32.exe C:\Windows\SysWOW64\Fooeif32.exe N/A
File created C:\Windows\SysWOW64\Lcgdbi32.dll C:\Windows\SysWOW64\Gcagkdba.exe N/A
File opened for modification C:\Windows\SysWOW64\Kimnbd32.exe C:\Windows\SysWOW64\Kpeiioac.exe N/A
File opened for modification C:\Windows\SysWOW64\Llemdo32.exe C:\Windows\SysWOW64\Ligqhc32.exe N/A
File created C:\Windows\SysWOW64\Mnepdqjg.dll C:\Windows\SysWOW64\Elppfmoo.exe N/A
File created C:\Windows\SysWOW64\Lcoppd32.dll C:\Windows\SysWOW64\Obangb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjdilcla.exe C:\Windows\SysWOW64\Pkaiqf32.exe N/A
File created C:\Windows\SysWOW64\Peimil32.exe C:\Windows\SysWOW64\Pqnaim32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgciaf32.exe C:\Windows\SysWOW64\Qeemej32.exe N/A
File created C:\Windows\SysWOW64\Imdhga32.dll C:\Windows\SysWOW64\Cafigg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Npjebj32.exe C:\Windows\SysWOW64\Njqmepik.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofqpqo32.exe C:\Windows\SysWOW64\Odocigqg.exe N/A
File created C:\Windows\SysWOW64\Deimfpda.dll C:\Windows\SysWOW64\Lpebpm32.exe N/A
File created C:\Windows\SysWOW64\Eiojlkkj.dll C:\Windows\SysWOW64\Aeiofcji.exe N/A
File created C:\Windows\SysWOW64\Hlkefpan.dll C:\Windows\SysWOW64\Pjdilcla.exe N/A
File created C:\Windows\SysWOW64\Geplnioe.dll C:\Windows\SysWOW64\Fkalchij.exe N/A
File created C:\Windows\SysWOW64\Ocdfloja.dll C:\Windows\SysWOW64\Kfjhkjle.exe N/A
File created C:\Windows\SysWOW64\Ldleel32.exe C:\Windows\SysWOW64\Llemdo32.exe N/A
File created C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bebblb32.exe N/A
File created C:\Windows\SysWOW64\Lmldgi32.dll C:\Windows\SysWOW64\Imoneg32.exe N/A
File created C:\Windows\SysWOW64\Jpnchp32.exe C:\Windows\SysWOW64\Jmpgldhg.exe N/A
File created C:\Windows\SysWOW64\Namdcd32.dll C:\Windows\SysWOW64\Kefkme32.exe N/A
File created C:\Windows\SysWOW64\Aihbcp32.dll C:\Windows\SysWOW64\Mlampmdo.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmknaell.exe C:\Windows\SysWOW64\Jedeph32.exe N/A
File created C:\Windows\SysWOW64\Hjgaigfg.dll C:\Windows\SysWOW64\Ngdmod32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndkahnhh.exe C:\Windows\SysWOW64\Njfmke32.exe N/A
File created C:\Windows\SysWOW64\Odpjcm32.exe C:\Windows\SysWOW64\Oqdoboli.exe N/A
File created C:\Windows\SysWOW64\Bcobhnfc.dll C:\Windows\SysWOW64\Pnpemb32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dboiieof.dll" C:\Windows\SysWOW64\Odgqdlnj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cdfbibnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" C:\Windows\SysWOW64\Gcfqfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifjodl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngmgne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eleiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anphnl32.dll" C:\Windows\SysWOW64\Fdnjgmle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmjdjgjo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ligqhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aclpap32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll" C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dahode32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kmfmmcbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojllan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aabmqd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienanm32.dll" C:\Windows\SysWOW64\Cbqlfkmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gicinj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gcimkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jeklag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpoefk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pcbmka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecmeig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcmgfbhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifllil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obfhba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijnlbk32.dll" C:\Windows\SysWOW64\Cecbmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobdihjo.dll" C:\Windows\SysWOW64\Clbceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibjjhn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmfmmcbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll" C:\Windows\SysWOW64\Lphoelqn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgllfp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hfifmnij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeniabfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogcpjhoq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmipecpd.dll" C:\Windows\SysWOW64\Fllpbldb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kmkfhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kplpjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" C:\Windows\SysWOW64\Aeniabfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pqnaim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aniajnnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbegho32.dll" C:\Windows\SysWOW64\Bdolhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhclmi.dll" C:\Windows\SysWOW64\Gomakdcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll" C:\Windows\SysWOW64\Lpebpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll" C:\Windows\SysWOW64\Pclgkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmhale32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kiidgeki.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lmgfda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll" C:\Windows\SysWOW64\Gododflk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll" C:\Windows\SysWOW64\Kdcbom32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lphoelqn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oponmilc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echmafdm.dll" C:\Windows\SysWOW64\Ogogoi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jcioiood.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndaggimg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Edpnfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfedla.dll" C:\Windows\SysWOW64\Heapdjlp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dgbdlf32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe C:\Windows\SysWOW64\Ncihikcg.exe
PID 1596 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe C:\Windows\SysWOW64\Ncihikcg.exe
PID 1596 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe C:\Windows\SysWOW64\Ncihikcg.exe
PID 4476 wrote to memory of 3264 N/A C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Njcpee32.exe
PID 4476 wrote to memory of 3264 N/A C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Njcpee32.exe
PID 4476 wrote to memory of 3264 N/A C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Njcpee32.exe
PID 3264 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Nbkhfc32.exe
PID 3264 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Nbkhfc32.exe
PID 3264 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Nbkhfc32.exe
PID 2772 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 2772 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 2772 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 2016 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nggqoj32.exe
PID 2016 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nggqoj32.exe
PID 2016 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nggqoj32.exe
PID 2532 wrote to memory of 5020 N/A C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Njfmke32.exe
PID 2532 wrote to memory of 5020 N/A C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Njfmke32.exe
PID 2532 wrote to memory of 5020 N/A C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Njfmke32.exe
PID 5020 wrote to memory of 4552 N/A C:\Windows\SysWOW64\Njfmke32.exe C:\Windows\SysWOW64\Ndkahnhh.exe
PID 5020 wrote to memory of 4552 N/A C:\Windows\SysWOW64\Njfmke32.exe C:\Windows\SysWOW64\Ndkahnhh.exe
PID 5020 wrote to memory of 4552 N/A C:\Windows\SysWOW64\Njfmke32.exe C:\Windows\SysWOW64\Ndkahnhh.exe
PID 4552 wrote to memory of 4464 N/A C:\Windows\SysWOW64\Ndkahnhh.exe C:\Windows\SysWOW64\Okeieh32.exe
PID 4552 wrote to memory of 4464 N/A C:\Windows\SysWOW64\Ndkahnhh.exe C:\Windows\SysWOW64\Okeieh32.exe
PID 4552 wrote to memory of 4464 N/A C:\Windows\SysWOW64\Ndkahnhh.exe C:\Windows\SysWOW64\Okeieh32.exe
PID 4464 wrote to memory of 3704 N/A C:\Windows\SysWOW64\Okeieh32.exe C:\Windows\SysWOW64\Ojhiqefo.exe
PID 4464 wrote to memory of 3704 N/A C:\Windows\SysWOW64\Okeieh32.exe C:\Windows\SysWOW64\Ojhiqefo.exe
PID 4464 wrote to memory of 3704 N/A C:\Windows\SysWOW64\Okeieh32.exe C:\Windows\SysWOW64\Ojhiqefo.exe
PID 3704 wrote to memory of 3856 N/A C:\Windows\SysWOW64\Ojhiqefo.exe C:\Windows\SysWOW64\Oboaabga.exe
PID 3704 wrote to memory of 3856 N/A C:\Windows\SysWOW64\Ojhiqefo.exe C:\Windows\SysWOW64\Oboaabga.exe
PID 3704 wrote to memory of 3856 N/A C:\Windows\SysWOW64\Ojhiqefo.exe C:\Windows\SysWOW64\Oboaabga.exe
PID 3856 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Oboaabga.exe C:\Windows\SysWOW64\Oqbamo32.exe
PID 3856 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Oboaabga.exe C:\Windows\SysWOW64\Oqbamo32.exe
PID 3856 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Oboaabga.exe C:\Windows\SysWOW64\Oqbamo32.exe
PID 2036 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Oqbamo32.exe C:\Windows\SysWOW64\Ocqnij32.exe
PID 2036 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Oqbamo32.exe C:\Windows\SysWOW64\Ocqnij32.exe
PID 2036 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Oqbamo32.exe C:\Windows\SysWOW64\Ocqnij32.exe
PID 1860 wrote to memory of 748 N/A C:\Windows\SysWOW64\Ocqnij32.exe C:\Windows\SysWOW64\Ogljjiei.exe
PID 1860 wrote to memory of 748 N/A C:\Windows\SysWOW64\Ocqnij32.exe C:\Windows\SysWOW64\Ogljjiei.exe
PID 1860 wrote to memory of 748 N/A C:\Windows\SysWOW64\Ocqnij32.exe C:\Windows\SysWOW64\Ogljjiei.exe
PID 748 wrote to memory of 4008 N/A C:\Windows\SysWOW64\Ogljjiei.exe C:\Windows\SysWOW64\Okhfjh32.exe
PID 748 wrote to memory of 4008 N/A C:\Windows\SysWOW64\Ogljjiei.exe C:\Windows\SysWOW64\Okhfjh32.exe
PID 748 wrote to memory of 4008 N/A C:\Windows\SysWOW64\Ogljjiei.exe C:\Windows\SysWOW64\Okhfjh32.exe
PID 4008 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Okhfjh32.exe C:\Windows\SysWOW64\Onfbfc32.exe
PID 4008 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Okhfjh32.exe C:\Windows\SysWOW64\Onfbfc32.exe
PID 4008 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Okhfjh32.exe C:\Windows\SysWOW64\Onfbfc32.exe
PID 1720 wrote to memory of 4792 N/A C:\Windows\SysWOW64\Onfbfc32.exe C:\Windows\SysWOW64\Obangb32.exe
PID 1720 wrote to memory of 4792 N/A C:\Windows\SysWOW64\Onfbfc32.exe C:\Windows\SysWOW64\Obangb32.exe
PID 1720 wrote to memory of 4792 N/A C:\Windows\SysWOW64\Onfbfc32.exe C:\Windows\SysWOW64\Obangb32.exe
PID 4792 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Obangb32.exe C:\Windows\SysWOW64\Oqdoboli.exe
PID 4792 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Obangb32.exe C:\Windows\SysWOW64\Oqdoboli.exe
PID 4792 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Obangb32.exe C:\Windows\SysWOW64\Oqdoboli.exe
PID 2516 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Oqdoboli.exe C:\Windows\SysWOW64\Odpjcm32.exe
PID 2516 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Oqdoboli.exe C:\Windows\SysWOW64\Odpjcm32.exe
PID 2516 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Oqdoboli.exe C:\Windows\SysWOW64\Odpjcm32.exe
PID 4396 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Odpjcm32.exe C:\Windows\SysWOW64\Ogogoi32.exe
PID 4396 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Odpjcm32.exe C:\Windows\SysWOW64\Ogogoi32.exe
PID 4396 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Odpjcm32.exe C:\Windows\SysWOW64\Ogogoi32.exe
PID 1940 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Ogogoi32.exe C:\Windows\SysWOW64\Okjbpglo.exe
PID 1940 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Ogogoi32.exe C:\Windows\SysWOW64\Okjbpglo.exe
PID 1940 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Ogogoi32.exe C:\Windows\SysWOW64\Okjbpglo.exe
PID 4204 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Okjbpglo.exe C:\Windows\SysWOW64\Ojmcld32.exe
PID 4204 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Okjbpglo.exe C:\Windows\SysWOW64\Ojmcld32.exe
PID 4204 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Okjbpglo.exe C:\Windows\SysWOW64\Ojmcld32.exe
PID 4636 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Ojmcld32.exe C:\Windows\SysWOW64\Odbgim32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe

"C:\Users\Admin\AppData\Local\Temp\042c640064bdaee5f864ee129ceac6061cc072b5def6771ee76604aed7c9621d.exe"

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Njfmke32.exe

C:\Windows\system32\Njfmke32.exe

C:\Windows\SysWOW64\Ndkahnhh.exe

C:\Windows\system32\Ndkahnhh.exe

C:\Windows\SysWOW64\Okeieh32.exe

C:\Windows\system32\Okeieh32.exe

C:\Windows\SysWOW64\Ojhiqefo.exe

C:\Windows\system32\Ojhiqefo.exe

C:\Windows\SysWOW64\Oboaabga.exe

C:\Windows\system32\Oboaabga.exe

C:\Windows\SysWOW64\Oqbamo32.exe

C:\Windows\system32\Oqbamo32.exe

C:\Windows\SysWOW64\Ocqnij32.exe

C:\Windows\system32\Ocqnij32.exe

C:\Windows\SysWOW64\Ogljjiei.exe

C:\Windows\system32\Ogljjiei.exe

C:\Windows\SysWOW64\Okhfjh32.exe

C:\Windows\system32\Okhfjh32.exe

C:\Windows\SysWOW64\Onfbfc32.exe

C:\Windows\system32\Onfbfc32.exe

C:\Windows\SysWOW64\Obangb32.exe

C:\Windows\system32\Obangb32.exe

C:\Windows\SysWOW64\Oqdoboli.exe

C:\Windows\system32\Oqdoboli.exe

C:\Windows\SysWOW64\Odpjcm32.exe

C:\Windows\system32\Odpjcm32.exe

C:\Windows\SysWOW64\Ogogoi32.exe

C:\Windows\system32\Ogogoi32.exe

C:\Windows\SysWOW64\Okjbpglo.exe

C:\Windows\system32\Okjbpglo.exe

C:\Windows\SysWOW64\Ojmcld32.exe

C:\Windows\system32\Ojmcld32.exe

C:\Windows\SysWOW64\Odbgim32.exe

C:\Windows\system32\Odbgim32.exe

C:\Windows\SysWOW64\Ocegdjij.exe

C:\Windows\system32\Ocegdjij.exe

C:\Windows\SysWOW64\Okloegjl.exe

C:\Windows\system32\Okloegjl.exe

C:\Windows\SysWOW64\Ojopad32.exe

C:\Windows\system32\Ojopad32.exe

C:\Windows\SysWOW64\Obfhba32.exe

C:\Windows\system32\Obfhba32.exe

C:\Windows\SysWOW64\Oqihnn32.exe

C:\Windows\system32\Oqihnn32.exe

C:\Windows\SysWOW64\Odednmpm.exe

C:\Windows\system32\Odednmpm.exe

C:\Windows\SysWOW64\Ogcpjhoq.exe

C:\Windows\system32\Ogcpjhoq.exe

C:\Windows\SysWOW64\Okolkg32.exe

C:\Windows\system32\Okolkg32.exe

C:\Windows\SysWOW64\Ojalgcnd.exe

C:\Windows\system32\Ojalgcnd.exe

C:\Windows\SysWOW64\Obidhaog.exe

C:\Windows\system32\Obidhaog.exe

C:\Windows\SysWOW64\Oqkdcn32.exe

C:\Windows\system32\Oqkdcn32.exe

C:\Windows\SysWOW64\Odgqdlnj.exe

C:\Windows\system32\Odgqdlnj.exe

C:\Windows\SysWOW64\Pgemphmn.exe

C:\Windows\system32\Pgemphmn.exe

C:\Windows\SysWOW64\Pkaiqf32.exe

C:\Windows\system32\Pkaiqf32.exe

C:\Windows\SysWOW64\Pjdilcla.exe

C:\Windows\system32\Pjdilcla.exe

C:\Windows\SysWOW64\Pnpemb32.exe

C:\Windows\system32\Pnpemb32.exe

C:\Windows\SysWOW64\Pqnaim32.exe

C:\Windows\system32\Pqnaim32.exe

C:\Windows\SysWOW64\Peimil32.exe

C:\Windows\system32\Peimil32.exe

C:\Windows\SysWOW64\Pclneicb.exe

C:\Windows\system32\Pclneicb.exe

C:\Windows\SysWOW64\Pkceffcd.exe

C:\Windows\system32\Pkceffcd.exe

C:\Windows\SysWOW64\Pjffbc32.exe

C:\Windows\system32\Pjffbc32.exe

C:\Windows\SysWOW64\Pnbbbabh.exe

C:\Windows\system32\Pnbbbabh.exe

C:\Windows\SysWOW64\Pqpnombl.exe

C:\Windows\system32\Pqpnombl.exe

C:\Windows\SysWOW64\Peljol32.exe

C:\Windows\system32\Peljol32.exe

C:\Windows\SysWOW64\Pcojkhap.exe

C:\Windows\system32\Pcojkhap.exe

C:\Windows\SysWOW64\Pkfblfab.exe

C:\Windows\system32\Pkfblfab.exe

C:\Windows\SysWOW64\Pjhbgb32.exe

C:\Windows\system32\Pjhbgb32.exe

C:\Windows\SysWOW64\Pndohaqe.exe

C:\Windows\system32\Pndohaqe.exe

C:\Windows\SysWOW64\Pbpjhp32.exe

C:\Windows\system32\Pbpjhp32.exe

C:\Windows\SysWOW64\Pengdk32.exe

C:\Windows\system32\Pengdk32.exe

C:\Windows\SysWOW64\Pcagphom.exe

C:\Windows\system32\Pcagphom.exe

C:\Windows\SysWOW64\Pgmcqggf.exe

C:\Windows\system32\Pgmcqggf.exe

C:\Windows\SysWOW64\Pjkombfj.exe

C:\Windows\system32\Pjkombfj.exe

C:\Windows\SysWOW64\Pnfkma32.exe

C:\Windows\system32\Pnfkma32.exe

C:\Windows\SysWOW64\Pbbgnpgl.exe

C:\Windows\system32\Pbbgnpgl.exe

C:\Windows\SysWOW64\Peqcjkfp.exe

C:\Windows\system32\Peqcjkfp.exe

C:\Windows\SysWOW64\Pcccfh32.exe

C:\Windows\system32\Pcccfh32.exe

C:\Windows\SysWOW64\Pgopffec.exe

C:\Windows\system32\Pgopffec.exe

C:\Windows\SysWOW64\Pkjlge32.exe

C:\Windows\system32\Pkjlge32.exe

C:\Windows\SysWOW64\Pnihcq32.exe

C:\Windows\system32\Pnihcq32.exe

C:\Windows\SysWOW64\Pbddcoei.exe

C:\Windows\system32\Pbddcoei.exe

C:\Windows\SysWOW64\Pagdol32.exe

C:\Windows\system32\Pagdol32.exe

C:\Windows\SysWOW64\Qecppkdm.exe

C:\Windows\system32\Qecppkdm.exe

C:\Windows\SysWOW64\Qgallfcq.exe

C:\Windows\system32\Qgallfcq.exe

C:\Windows\SysWOW64\Qkmhlekj.exe

C:\Windows\system32\Qkmhlekj.exe

C:\Windows\SysWOW64\Qjpiha32.exe

C:\Windows\system32\Qjpiha32.exe

C:\Windows\SysWOW64\Qnkdhpjn.exe

C:\Windows\system32\Qnkdhpjn.exe

C:\Windows\SysWOW64\Qajadlja.exe

C:\Windows\system32\Qajadlja.exe

C:\Windows\SysWOW64\Qeemej32.exe

C:\Windows\system32\Qeemej32.exe

C:\Windows\SysWOW64\Qgciaf32.exe

C:\Windows\system32\Qgciaf32.exe

C:\Windows\SysWOW64\Qloebdig.exe

C:\Windows\system32\Qloebdig.exe

C:\Windows\SysWOW64\Qjbena32.exe

C:\Windows\system32\Qjbena32.exe

C:\Windows\SysWOW64\Qnnanphk.exe

C:\Windows\system32\Qnnanphk.exe

C:\Windows\SysWOW64\Qalnjkgo.exe

C:\Windows\system32\Qalnjkgo.exe

C:\Windows\SysWOW64\Agffge32.exe

C:\Windows\system32\Agffge32.exe

C:\Windows\SysWOW64\Aanjpk32.exe

C:\Windows\system32\Aanjpk32.exe

C:\Windows\SysWOW64\Acmflf32.exe

C:\Windows\system32\Acmflf32.exe

C:\Windows\SysWOW64\Aldomc32.exe

C:\Windows\system32\Aldomc32.exe

C:\Windows\SysWOW64\Anbkio32.exe

C:\Windows\system32\Anbkio32.exe

C:\Windows\SysWOW64\Aaqgek32.exe

C:\Windows\system32\Aaqgek32.exe

C:\Windows\SysWOW64\Ahkobekf.exe

C:\Windows\system32\Ahkobekf.exe

C:\Windows\SysWOW64\Ajiknpjj.exe

C:\Windows\system32\Ajiknpjj.exe

C:\Windows\SysWOW64\Aacckjaf.exe

C:\Windows\system32\Aacckjaf.exe

C:\Windows\SysWOW64\Adapgfqj.exe

C:\Windows\system32\Adapgfqj.exe

C:\Windows\SysWOW64\Ajkhdp32.exe

C:\Windows\system32\Ajkhdp32.exe

C:\Windows\SysWOW64\Aaepqjpd.exe

C:\Windows\system32\Aaepqjpd.exe

C:\Windows\SysWOW64\Aniajnnn.exe

C:\Windows\system32\Aniajnnn.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Bajjli32.exe

C:\Windows\system32\Bajjli32.exe

C:\Windows\SysWOW64\Blpnib32.exe

C:\Windows\system32\Blpnib32.exe

C:\Windows\SysWOW64\Bbifelba.exe

C:\Windows\system32\Bbifelba.exe

C:\Windows\SysWOW64\Behbag32.exe

C:\Windows\system32\Behbag32.exe

C:\Windows\SysWOW64\Blbknaib.exe

C:\Windows\system32\Blbknaib.exe

C:\Windows\SysWOW64\Bopgjmhe.exe

C:\Windows\system32\Bopgjmhe.exe

C:\Windows\SysWOW64\Baocghgi.exe

C:\Windows\system32\Baocghgi.exe

C:\Windows\SysWOW64\Bejogg32.exe

C:\Windows\system32\Bejogg32.exe

C:\Windows\SysWOW64\Bhikcb32.exe

C:\Windows\system32\Bhikcb32.exe

C:\Windows\SysWOW64\Bldgdago.exe

C:\Windows\system32\Bldgdago.exe

C:\Windows\SysWOW64\Bobcpmfc.exe

C:\Windows\system32\Bobcpmfc.exe

C:\Windows\SysWOW64\Bbnpqk32.exe

C:\Windows\system32\Bbnpqk32.exe

C:\Windows\SysWOW64\Bdolhc32.exe

C:\Windows\system32\Bdolhc32.exe

C:\Windows\SysWOW64\Bhkhibmc.exe

C:\Windows\system32\Bhkhibmc.exe

C:\Windows\SysWOW64\Bkidenlg.exe

C:\Windows\system32\Bkidenlg.exe

C:\Windows\SysWOW64\Cbqlfkmi.exe

C:\Windows\system32\Cbqlfkmi.exe

C:\Windows\SysWOW64\Cdainc32.exe

C:\Windows\system32\Cdainc32.exe

C:\Windows\SysWOW64\Chmeobkq.exe

C:\Windows\system32\Chmeobkq.exe

C:\Windows\SysWOW64\Cogmkl32.exe

C:\Windows\system32\Cogmkl32.exe

C:\Windows\SysWOW64\Cafigg32.exe

C:\Windows\system32\Cafigg32.exe

C:\Windows\SysWOW64\Ceaehfjj.exe

C:\Windows\system32\Ceaehfjj.exe

C:\Windows\SysWOW64\Chpada32.exe

C:\Windows\system32\Chpada32.exe

C:\Windows\SysWOW64\Cojjqlpk.exe

C:\Windows\system32\Cojjqlpk.exe

C:\Windows\SysWOW64\Cecbmf32.exe

C:\Windows\system32\Cecbmf32.exe

C:\Windows\SysWOW64\Cdfbibnb.exe

C:\Windows\system32\Cdfbibnb.exe

C:\Windows\SysWOW64\Chbnia32.exe

C:\Windows\system32\Chbnia32.exe

C:\Windows\SysWOW64\Ckpjfm32.exe

C:\Windows\system32\Ckpjfm32.exe

C:\Windows\SysWOW64\Cdiooblp.exe

C:\Windows\system32\Cdiooblp.exe

C:\Windows\SysWOW64\Ckcgkldl.exe

C:\Windows\system32\Ckcgkldl.exe

C:\Windows\SysWOW64\Cdkldb32.exe

C:\Windows\system32\Cdkldb32.exe

C:\Windows\SysWOW64\Clbceo32.exe

C:\Windows\system32\Clbceo32.exe

C:\Windows\SysWOW64\Doqpak32.exe

C:\Windows\system32\Doqpak32.exe

C:\Windows\SysWOW64\Ddmhja32.exe

C:\Windows\system32\Ddmhja32.exe

C:\Windows\SysWOW64\Dldpkoil.exe

C:\Windows\system32\Dldpkoil.exe

C:\Windows\SysWOW64\Dkgqfl32.exe

C:\Windows\system32\Dkgqfl32.exe

C:\Windows\SysWOW64\Dboigi32.exe

C:\Windows\system32\Dboigi32.exe

C:\Windows\SysWOW64\Dhkapp32.exe

C:\Windows\system32\Dhkapp32.exe

C:\Windows\SysWOW64\Dkjmlk32.exe

C:\Windows\system32\Dkjmlk32.exe

C:\Windows\SysWOW64\Deoaid32.exe

C:\Windows\system32\Deoaid32.exe

C:\Windows\SysWOW64\Dhnnep32.exe

C:\Windows\system32\Dhnnep32.exe

C:\Windows\SysWOW64\Dohfbj32.exe

C:\Windows\system32\Dohfbj32.exe

C:\Windows\SysWOW64\Dafbne32.exe

C:\Windows\system32\Dafbne32.exe

C:\Windows\SysWOW64\Deanodkh.exe

C:\Windows\system32\Deanodkh.exe

C:\Windows\SysWOW64\Dhpjkojk.exe

C:\Windows\system32\Dhpjkojk.exe

C:\Windows\SysWOW64\Dllfkn32.exe

C:\Windows\system32\Dllfkn32.exe

C:\Windows\SysWOW64\Dceohhja.exe

C:\Windows\system32\Dceohhja.exe

C:\Windows\SysWOW64\Dahode32.exe

C:\Windows\system32\Dahode32.exe

C:\Windows\SysWOW64\Ddgkpp32.exe

C:\Windows\system32\Ddgkpp32.exe

C:\Windows\SysWOW64\Dlncan32.exe

C:\Windows\system32\Dlncan32.exe

C:\Windows\SysWOW64\Ekacmjgl.exe

C:\Windows\system32\Ekacmjgl.exe

C:\Windows\SysWOW64\Eaklidoi.exe

C:\Windows\system32\Eaklidoi.exe

C:\Windows\SysWOW64\Edihepnm.exe

C:\Windows\system32\Edihepnm.exe

C:\Windows\SysWOW64\Elppfmoo.exe

C:\Windows\system32\Elppfmoo.exe

C:\Windows\SysWOW64\Eoolbinc.exe

C:\Windows\system32\Eoolbinc.exe

C:\Windows\SysWOW64\Eamhodmf.exe

C:\Windows\system32\Eamhodmf.exe

C:\Windows\SysWOW64\Edkdkplj.exe

C:\Windows\system32\Edkdkplj.exe

C:\Windows\SysWOW64\Ehgqln32.exe

C:\Windows\system32\Ehgqln32.exe

C:\Windows\SysWOW64\Eoaihhlp.exe

C:\Windows\system32\Eoaihhlp.exe

C:\Windows\SysWOW64\Ecmeig32.exe

C:\Windows\system32\Ecmeig32.exe

C:\Windows\SysWOW64\Eekaebcm.exe

C:\Windows\system32\Eekaebcm.exe

C:\Windows\SysWOW64\Ednaqo32.exe

C:\Windows\system32\Ednaqo32.exe

C:\Windows\SysWOW64\Eleiam32.exe

C:\Windows\system32\Eleiam32.exe

C:\Windows\SysWOW64\Eocenh32.exe

C:\Windows\system32\Eocenh32.exe

C:\Windows\SysWOW64\Ecoangbg.exe

C:\Windows\system32\Ecoangbg.exe

C:\Windows\SysWOW64\Edpnfo32.exe

C:\Windows\system32\Edpnfo32.exe

C:\Windows\SysWOW64\Ekjfcipa.exe

C:\Windows\system32\Ekjfcipa.exe

C:\Windows\SysWOW64\Ecandfpd.exe

C:\Windows\system32\Ecandfpd.exe

C:\Windows\SysWOW64\Eadopc32.exe

C:\Windows\system32\Eadopc32.exe

C:\Windows\SysWOW64\Ehnglm32.exe

C:\Windows\system32\Ehnglm32.exe

C:\Windows\SysWOW64\Fkmchi32.exe

C:\Windows\system32\Fkmchi32.exe

C:\Windows\SysWOW64\Fcckif32.exe

C:\Windows\system32\Fcckif32.exe

C:\Windows\SysWOW64\Fllpbldb.exe

C:\Windows\system32\Fllpbldb.exe

C:\Windows\SysWOW64\Fojlngce.exe

C:\Windows\system32\Fojlngce.exe

C:\Windows\SysWOW64\Ffddka32.exe

C:\Windows\system32\Ffddka32.exe

C:\Windows\SysWOW64\Fhcpgmjf.exe

C:\Windows\system32\Fhcpgmjf.exe

C:\Windows\SysWOW64\Fkalchij.exe

C:\Windows\system32\Fkalchij.exe

C:\Windows\SysWOW64\Fchddejl.exe

C:\Windows\system32\Fchddejl.exe

C:\Windows\SysWOW64\Fdialn32.exe

C:\Windows\system32\Fdialn32.exe

C:\Windows\SysWOW64\Flqimk32.exe

C:\Windows\system32\Flqimk32.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Fbnafb32.exe

C:\Windows\system32\Fbnafb32.exe

C:\Windows\SysWOW64\Fdlnbm32.exe

C:\Windows\system32\Fdlnbm32.exe

C:\Windows\SysWOW64\Flceckoj.exe

C:\Windows\system32\Flceckoj.exe

C:\Windows\SysWOW64\Fcmnpe32.exe

C:\Windows\system32\Fcmnpe32.exe

C:\Windows\SysWOW64\Fdnjgmle.exe

C:\Windows\system32\Fdnjgmle.exe

C:\Windows\SysWOW64\Gododflk.exe

C:\Windows\system32\Gododflk.exe

C:\Windows\SysWOW64\Gbbkaako.exe

C:\Windows\system32\Gbbkaako.exe

C:\Windows\SysWOW64\Gdqgmmjb.exe

C:\Windows\system32\Gdqgmmjb.exe

C:\Windows\SysWOW64\Gkkojgao.exe

C:\Windows\system32\Gkkojgao.exe

C:\Windows\SysWOW64\Gcagkdba.exe

C:\Windows\system32\Gcagkdba.exe

C:\Windows\SysWOW64\Gbdgfa32.exe

C:\Windows\system32\Gbdgfa32.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Ghopckpi.exe

C:\Windows\system32\Ghopckpi.exe

C:\Windows\SysWOW64\Gkmlofol.exe

C:\Windows\system32\Gkmlofol.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Gdeqhl32.exe

C:\Windows\system32\Gdeqhl32.exe

C:\Windows\SysWOW64\Gmlhii32.exe

C:\Windows\system32\Gmlhii32.exe

C:\Windows\SysWOW64\Gcfqfc32.exe

C:\Windows\system32\Gcfqfc32.exe

C:\Windows\SysWOW64\Gbiaapdf.exe

C:\Windows\system32\Gbiaapdf.exe

C:\Windows\SysWOW64\Gdhmnlcj.exe

C:\Windows\system32\Gdhmnlcj.exe

C:\Windows\SysWOW64\Gicinj32.exe

C:\Windows\system32\Gicinj32.exe

C:\Windows\SysWOW64\Gomakdcp.exe

C:\Windows\system32\Gomakdcp.exe

C:\Windows\SysWOW64\Gcimkc32.exe

C:\Windows\system32\Gcimkc32.exe

C:\Windows\SysWOW64\Gfgjgo32.exe

C:\Windows\system32\Gfgjgo32.exe

C:\Windows\SysWOW64\Gdjjckag.exe

C:\Windows\system32\Gdjjckag.exe

C:\Windows\SysWOW64\Hmabdibj.exe

C:\Windows\system32\Hmabdibj.exe

C:\Windows\SysWOW64\Hkdbpe32.exe

C:\Windows\system32\Hkdbpe32.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hfifmnij.exe

C:\Windows\system32\Hfifmnij.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hkfoeega.exe

C:\Windows\system32\Hkfoeega.exe

C:\Windows\SysWOW64\Hcmgfbhd.exe

C:\Windows\system32\Hcmgfbhd.exe

C:\Windows\SysWOW64\Hbpgbo32.exe

C:\Windows\system32\Hbpgbo32.exe

C:\Windows\SysWOW64\Heocnk32.exe

C:\Windows\system32\Heocnk32.exe

C:\Windows\SysWOW64\Hmfkoh32.exe

C:\Windows\system32\Hmfkoh32.exe

C:\Windows\SysWOW64\Hodgkc32.exe

C:\Windows\system32\Hodgkc32.exe

C:\Windows\SysWOW64\Hcpclbfa.exe

C:\Windows\system32\Hcpclbfa.exe

C:\Windows\SysWOW64\Heapdjlp.exe

C:\Windows\system32\Heapdjlp.exe

C:\Windows\SysWOW64\Hmhhehlb.exe

C:\Windows\system32\Hmhhehlb.exe

C:\Windows\SysWOW64\Hofdacke.exe

C:\Windows\system32\Hofdacke.exe

C:\Windows\SysWOW64\Hfqlnm32.exe

C:\Windows\system32\Hfqlnm32.exe

C:\Windows\SysWOW64\Hecmijim.exe

C:\Windows\system32\Hecmijim.exe

C:\Windows\SysWOW64\Hmjdjgjo.exe

C:\Windows\system32\Hmjdjgjo.exe

C:\Windows\SysWOW64\Hoiafcic.exe

C:\Windows\system32\Hoiafcic.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Iiaephpc.exe

C:\Windows\system32\Iiaephpc.exe

C:\Windows\SysWOW64\Ipknlb32.exe

C:\Windows\system32\Ipknlb32.exe

C:\Windows\SysWOW64\Ibjjhn32.exe

C:\Windows\system32\Ibjjhn32.exe

C:\Windows\SysWOW64\Iehfdi32.exe

C:\Windows\system32\Iehfdi32.exe

C:\Windows\SysWOW64\Imoneg32.exe

C:\Windows\system32\Imoneg32.exe

C:\Windows\SysWOW64\Ikbnacmd.exe

C:\Windows\system32\Ikbnacmd.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Ifgbnlmj.exe

C:\Windows\system32\Ifgbnlmj.exe

C:\Windows\SysWOW64\Iifokh32.exe

C:\Windows\system32\Iifokh32.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ickchq32.exe

C:\Windows\system32\Ickchq32.exe

C:\Windows\SysWOW64\Ifjodl32.exe

C:\Windows\system32\Ifjodl32.exe

C:\Windows\SysWOW64\Iemppiab.exe

C:\Windows\system32\Iemppiab.exe

C:\Windows\SysWOW64\Ilghlc32.exe

C:\Windows\system32\Ilghlc32.exe

C:\Windows\SysWOW64\Icnpmp32.exe

C:\Windows\system32\Icnpmp32.exe

C:\Windows\SysWOW64\Ifllil32.exe

C:\Windows\system32\Ifllil32.exe

C:\Windows\SysWOW64\Imfdff32.exe

C:\Windows\system32\Imfdff32.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jeaikh32.exe

C:\Windows\system32\Jeaikh32.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jcbihpel.exe

C:\Windows\system32\Jcbihpel.exe

C:\Windows\SysWOW64\Jbeidl32.exe

C:\Windows\system32\Jbeidl32.exe

C:\Windows\SysWOW64\Jedeph32.exe

C:\Windows\system32\Jedeph32.exe

C:\Windows\SysWOW64\Jmknaell.exe

C:\Windows\system32\Jmknaell.exe

C:\Windows\SysWOW64\Jlnnmb32.exe

C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jcefno32.exe

C:\Windows\system32\Jcefno32.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jianff32.exe

C:\Windows\system32\Jianff32.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jcgbco32.exe

C:\Windows\system32\Jcgbco32.exe

C:\Windows\SysWOW64\Jfeopj32.exe

C:\Windows\system32\Jfeopj32.exe

C:\Windows\SysWOW64\Jmpgldhg.exe

C:\Windows\system32\Jmpgldhg.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jcioiood.exe

C:\Windows\system32\Jcioiood.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Jeklag32.exe

C:\Windows\system32\Jeklag32.exe

C:\Windows\SysWOW64\Jmbdbd32.exe

C:\Windows\system32\Jmbdbd32.exe

C:\Windows\SysWOW64\Kboljk32.exe

C:\Windows\system32\Kboljk32.exe

C:\Windows\SysWOW64\Kfjhkjle.exe

C:\Windows\system32\Kfjhkjle.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Kmdqgd32.exe

C:\Windows\system32\Kmdqgd32.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kepelfam.exe

C:\Windows\system32\Kepelfam.exe

C:\Windows\SysWOW64\Kmfmmcbo.exe

C:\Windows\system32\Kmfmmcbo.exe

C:\Windows\SysWOW64\Kpeiioac.exe

C:\Windows\system32\Kpeiioac.exe

C:\Windows\SysWOW64\Kimnbd32.exe

C:\Windows\system32\Kimnbd32.exe

C:\Windows\SysWOW64\Klljnp32.exe

C:\Windows\system32\Klljnp32.exe

C:\Windows\SysWOW64\Kdcbom32.exe

C:\Windows\system32\Kdcbom32.exe

C:\Windows\SysWOW64\Kfankifm.exe

C:\Windows\system32\Kfankifm.exe

C:\Windows\SysWOW64\Kipkhdeq.exe

C:\Windows\system32\Kipkhdeq.exe

C:\Windows\SysWOW64\Kmkfhc32.exe

C:\Windows\system32\Kmkfhc32.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Kefkme32.exe

C:\Windows\system32\Kefkme32.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Kdgljmcd.exe

C:\Windows\system32\Kdgljmcd.exe

C:\Windows\SysWOW64\Lffhfh32.exe

C:\Windows\system32\Lffhfh32.exe

C:\Windows\SysWOW64\Liddbc32.exe

C:\Windows\system32\Liddbc32.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Lbmhlihl.exe

C:\Windows\system32\Lbmhlihl.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Ligqhc32.exe

C:\Windows\system32\Ligqhc32.exe

C:\Windows\SysWOW64\Llemdo32.exe

C:\Windows\system32\Llemdo32.exe

C:\Windows\SysWOW64\Ldleel32.exe

C:\Windows\system32\Ldleel32.exe

C:\Windows\SysWOW64\Lenamdem.exe

C:\Windows\system32\Lenamdem.exe

C:\Windows\SysWOW64\Liimncmf.exe

C:\Windows\system32\Liimncmf.exe

C:\Windows\SysWOW64\Llgjjnlj.exe

C:\Windows\system32\Llgjjnlj.exe

C:\Windows\SysWOW64\Lbabgh32.exe

C:\Windows\system32\Lbabgh32.exe

C:\Windows\SysWOW64\Lepncd32.exe

C:\Windows\system32\Lepncd32.exe

C:\Windows\SysWOW64\Lmgfda32.exe

C:\Windows\system32\Lmgfda32.exe

C:\Windows\SysWOW64\Lpebpm32.exe

C:\Windows\system32\Lpebpm32.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mmlpoqpg.exe

C:\Windows\system32\Mmlpoqpg.exe

C:\Windows\SysWOW64\Mchhggno.exe

C:\Windows\system32\Mchhggno.exe

C:\Windows\SysWOW64\Mibpda32.exe

C:\Windows\system32\Mibpda32.exe

C:\Windows\SysWOW64\Mlampmdo.exe

C:\Windows\system32\Mlampmdo.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Mpoefk32.exe

C:\Windows\system32\Mpoefk32.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Ndokbi32.exe

C:\Windows\system32\Ndokbi32.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Ndaggimg.exe

C:\Windows\system32\Ndaggimg.exe

C:\Windows\SysWOW64\Njnpppkn.exe

C:\Windows\system32\Njnpppkn.exe

C:\Windows\SysWOW64\Nphhmj32.exe

C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Ngdmod32.exe

C:\Windows\system32\Ngdmod32.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Nlaegk32.exe

C:\Windows\system32\Nlaegk32.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Olfobjbg.exe

C:\Windows\system32\Olfobjbg.exe

C:\Windows\SysWOW64\Odmgcgbi.exe

C:\Windows\system32\Odmgcgbi.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Ofnckp32.exe

C:\Windows\system32\Ofnckp32.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Odocigqg.exe

C:\Windows\system32\Odocigqg.exe

C:\Windows\SysWOW64\Ofqpqo32.exe

C:\Windows\system32\Ofqpqo32.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Onhhamgg.exe

C:\Windows\system32\Onhhamgg.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Olmeci32.exe

C:\Windows\system32\Olmeci32.exe

C:\Windows\SysWOW64\Oddmdf32.exe

C:\Windows\system32\Oddmdf32.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pqknig32.exe

C:\Windows\system32\Pqknig32.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pgefeajb.exe

C:\Windows\system32\Pgefeajb.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pfjcgn32.exe

C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pnakhkol.exe

C:\Windows\system32\Pnakhkol.exe

C:\Windows\SysWOW64\Pqpgdfnp.exe

C:\Windows\system32\Pqpgdfnp.exe

C:\Windows\SysWOW64\Pcncpbmd.exe

C:\Windows\system32\Pcncpbmd.exe

C:\Windows\SysWOW64\Pflplnlg.exe

C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pgllfp32.exe

C:\Windows\system32\Pgllfp32.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pcbmka32.exe

C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Pjmehkqk.exe

C:\Windows\system32\Pjmehkqk.exe

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qceiaa32.exe

C:\Windows\system32\Qceiaa32.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Adgbpc32.exe

C:\Windows\system32\Adgbpc32.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Aeniabfd.exe

C:\Windows\system32\Aeniabfd.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bfdodjhm.exe

C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bmbplc32.exe

C:\Windows\system32\Bmbplc32.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cfbkeh32.exe

C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Doilmc32.exe

C:\Windows\system32\Doilmc32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 11004 -ip 11004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11004 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/1596-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ncihikcg.exe

MD5 fcc500ce293dc32c0a70128c4533d29b
SHA1 63b58bc7c6cf9a2330223b222b666f1a14346464
SHA256 d657da030b93642ee54329c55f5963546798f5becf200ee7102976663b4ff393
SHA512 5d2ee46a27933c1e62f45a41b7b87fe4dee70b0c9118617c0f8cd75dc4f35ca0c2700e120d4fe6a7799769e187ca786769a133832c45c158ef46880d28ba5be4

memory/4476-13-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nbkhfc32.exe

MD5 930a325893c39510059665b0f529e19f
SHA1 83d0eef477e64ac3302d58788ef1a79f88fc0438
SHA256 fea462bf4ebeb5f02c3d32f456156776f9cc78f3702028dd1c1d99021d7e6ebc
SHA512 d7e11b8108968703f68a684d9bb87d55714136e1e853467ddb484e094d0025cd8469804bd13cdbe54efb026fca3e2b3f11932fce8afe855e84402f2da2f8be75

C:\Windows\SysWOW64\Ndidbn32.exe

MD5 345b115e71ff97ed5afced3f246c577b
SHA1 4ccb095e4912b0a0df41bfdd6b0b35b807836577
SHA256 9194e8bbe88a7b2760d4e1c5276c1bc2b1facc246270d00960aa59f0dad82b15
SHA512 0601c38417bb14b8f252dc3ec9eab8c95f4d735e484f2e67a884721dfc455c587f59a2ebe143c8fae2b7023b38aaa39e9c00c7f84881d34f6ad8953e364b764a

C:\Windows\SysWOW64\Addjcmqn.dll

MD5 5893514842bf723a6e223b539b42067b
SHA1 1f0aa5c37f56f0be9a6be82bc16d01ce71d93ec7
SHA256 efb785570ac78bbebfc9b4971b6cf2cd9f8682edea1e5ea7195f207ea3153ae9
SHA512 77fd7678e27dfa788ad5e613c5417e3dfb3b981d231933ef7940e60293ae329f3f3c73dc41d9283642af1ab35c8be563cd9a9da6adf331b28169bbb1eb8e7ea6

C:\Windows\SysWOW64\Nggqoj32.exe

MD5 e26929b606f49036c3cb0160e9a36b29
SHA1 e8a6f21957f4793bcd15d7a724c4d4e7168441e1
SHA256 fea5e86cace087acae3f8a286f2b66a022dc66f73597b6ee41147ad48cc79b6e
SHA512 9cddf9309f9f41ed35eed33576f2b381e090bfd4d5a44938e28cb5802282e3b655bc0febf0d2bcaac9ef002f27b1026fb1cc426d74d52a1a9af7bf35ebc6577d

memory/2016-39-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2532-40-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5020-52-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ndkahnhh.exe

MD5 95a3ea651b3f2985bd216a231b691220
SHA1 16f5cb10c1efd543a96758944a83f42c87a3b34c
SHA256 a17520ac7d85d1c9ebfa2dba4cbefb338b6b8fbbaf5b74a4a8fd42a13c6e7bfd
SHA512 b848c19c3ee0c0cc86468a2e97e0faee3a3becfafd194163b679054165a622cd01411dfd422c3bfdd5f8cc173d52ee24df9f15c2999ab63df9d29e06b39a045d

C:\Windows\SysWOW64\Okeieh32.exe

MD5 6f9c5b5c38be981d3a4711cefddf06ec
SHA1 15de8a86b8adaec10ecc5089032b666324e1200b
SHA256 bb384f406d0d484d4061c5aac7b2a0e1f7c849ac26de941f70d06589ec5ef707
SHA512 89daa67160eced2894f83924c2dad4e8ca15f4025a5fc7bd346463850e8f5e9d069606faeac1145990545897fea5ac09581b6076f71b3391b7ddfeb0b347733f

C:\Windows\SysWOW64\Ojhiqefo.exe

MD5 da1bae9f9d70895fad8e29fa9c29f1bd
SHA1 0c3f3dbe7b4879d818a18345e6e55729d91e823e
SHA256 e503f9cca1f99280254fd79c7db3b491ad69f3dbbf0e368b7091682f35abc5d1
SHA512 f0451f2cbe257ac5eb4b04b37cc30fdeecc3a0768353a8c012461803b248a5c1ed3cb260fd1fab0dcfda8d7a5301c82fa8393ecb18ee96ef8a1e3bd55126d7f5

C:\Windows\SysWOW64\Oboaabga.exe

MD5 8dd2cc09795f80d62d5df672404b8af2
SHA1 7645e77dd70a2d03234c88a237b487245f5cb1e5
SHA256 1c659bcedd1ebad61b163f3d7efb7d5d03c677db2ff96ab7b88818ed19c340ad
SHA512 c240cd37a8d12a483f5b3aad046401b9bbf8b101f96ff1b70661b8a954ba8bf9c114222faee723bf3d39c3a3619c173fcaf5c2b81015f1adb88242165133dae3

C:\Windows\SysWOW64\Oqbamo32.exe

MD5 f3a1a572c0ca049ed8f66d1cdc18a31d
SHA1 ea4dcf0bbc1ad897fd8730f110c703eb9b4b4087
SHA256 60e3a7545bccf221cd63800a6b8b5fb7131ae8a4ce1198fcb562ecb94acf1fe4
SHA512 f784d285b16850a7711b13595f75026ab7d294ff4bc3043ece757f3a9250b225deb11d6121abc62c6efd5162c785eae336b2b2aea75fd38429c49e7cb3bf0d3f

C:\Windows\SysWOW64\Ocqnij32.exe

MD5 9eb499a6b5971460c599df6cab2bd9e8
SHA1 ed6e6fc227a4fca0a10b60cefbe951da4fccd2c6
SHA256 d207ff3aa5314d90fe8dd183826d500bf74eef7e9ce188f7ff7bad0c63dd87eb
SHA512 55c4c6dc7563188082cb57787051f161d6d41abe5a5f0d9fa315b47ad5991ab7515e1656a420cf4d4c12c9f6ae7a6baf27ce3fb0f6888fd95e9bc2bbcd117bea

C:\Windows\SysWOW64\Onfbfc32.exe

MD5 163a5e462b4c4d285c11e1fb054887bb
SHA1 bef8ee9fd5ad4d417569b6e1c0bc415e9ec68044
SHA256 6b2305b969ee24538bad78aa113e3aa5e073e71e757933a3089e2593a280db78
SHA512 b3e32ed61d89f12e90243cbdda10d9eb7a42ef454f66b7c82985d162020385978d4f14dce0ebfc196cf37013dd4c05d3030f853fcf205585a4e3c405266fe45a

C:\Windows\SysWOW64\Oqdoboli.exe

MD5 c538495ad144707249e049411751a78c
SHA1 a625e33701c2734e3be7d503e918e22ddd1f9e08
SHA256 5aac1ad275c4b64d178f796106024d9679e9553503765b86095c4b815185a4f9
SHA512 440ebda080e6772d2c0102912523ade02c8cb7098c6b02fc95218a1e6d35d5357a6f9e5b7a0bca8331c9b26cc79a50450fa89cd7d52bfeead44963c1ec942432

C:\Windows\SysWOW64\Odpjcm32.exe

MD5 6007415d4d0a044507d967d324b1ee37
SHA1 6b68919ff508a9124865f19e624cb93462cc19ee
SHA256 86e038afa3fd9eb12f8b8612abfc491eec538f0585e8cbd22ba8311388069281
SHA512 9268180a6439f0679ba0cf657fb112c14dda3e05776be94ec15c80348afd3160164ad7b9df6c87d66813c8399dfb026d1aa74e74cc0b69f8293febb54f30b005

C:\Windows\SysWOW64\Ocegdjij.exe

MD5 d5c4a7f700e466f4b4ec8a948a9830e2
SHA1 71c2cfb6a4d1af3c86b0790ee9185187b72cbd1d
SHA256 24234397f53a7cc94d01cce994fe862100725207668b33e0149c87e99c7a6822
SHA512 8c9bea107d0335ad39afc56a3c1c54638137ebe4ed802ff250c9ca32f12ebe8c5f01819c3a2694ca2b713f3fdc28734ff8f51c809c74670bf28b3a689ae82d35

C:\Windows\SysWOW64\Oqihnn32.exe

MD5 03df449dfa18c50dc558434841a57252
SHA1 bcb23611915660c76c73c45fae166acbc23bc036
SHA256 a4ebcfe71257bb43e9157ab387d525fd0f2a7703c65a5a98bede23fef55db310
SHA512 cf98da13d87fed85aa63b1568eabbe389912596a152847b73af484ff873b59000b3cece1b42ee44f46cd4e95cef34801772d378db4e4224bae4b5f0a4e1e0a4d

C:\Windows\SysWOW64\Okolkg32.exe

MD5 a601e51a9cf5c4c97a89d018ba5737e6
SHA1 bbef08a38d1f9cfe41c95ea8643b3139d4053be0
SHA256 67b6ea32e3258070b272a0b6da54e193f4fd09613099e4d80e3372bed42b1dff
SHA512 e2818cbdf11ff6bf49a64045a34e74a3565bc160b0ab5e8718ac77b0405afab5954b7c54f2beafe0fb803108e70a34f47443970422e3269c6753303e49801d14

C:\Windows\SysWOW64\Obidhaog.exe

MD5 92ad2817506bcfb059e41b48a41e3437
SHA1 3a94a9bce8d699d130da87e33d12b2ce991bd340
SHA256 3ae8270219c06a58e607ea4affea7d50bcf3ba1c14ced7964b200429f98f52f2
SHA512 92e086670388064f99f254e3b50757d20b215aef2a8bac324ae105707e247a6ae0c39e0a0c1f8c747a45261f136d301af3887950ecbd1adb4bd6b3b385b72f49

memory/4464-451-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3856-453-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3704-452-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2036-458-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1720-462-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4008-461-0x0000000000400000-0x0000000000434000-memory.dmp

memory/748-460-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1860-459-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2516-464-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4792-463-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1940-467-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4204-473-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4636-478-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4396-465-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2344-480-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2884-486-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5000-481-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4548-488-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3908-494-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1824-495-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4520-500-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ojalgcnd.exe

MD5 f6754605626b8dcc3d310d83c20ac7e9
SHA1 1e4e96f99e44a499c5257902bd67366bbca99429
SHA256 0f30f7505863475fa74f2f5874c278f39f353174df57fb2b4ef86d36dcf17a5a
SHA512 0fb768919d753b4d0d4a996b2dc3850ecbf9e88d7caa7f102e5f60ee620ddad295b10c65501647bdc2ec6654efe269d7267cfb99ee7b02cf11f76fd97ddd1211

C:\Windows\SysWOW64\Ogcpjhoq.exe

MD5 0caac00c7938e0a67ba3f0d9f12d1d1a
SHA1 32ed2e0ba54cf66c94077453a87720987ca13665
SHA256 5fcf0d0998be15401b078788267ef73244636b7b75533d537f1325e938bc11a7
SHA512 c42b2e0e8cc680744ca1921b55e9003bb4d9aca4cc36d3abcea4f6229a52632eaab9ead66476e66a8a00fa0d89dd9e3b15f5d660175b986204b1986c0975673e

C:\Windows\SysWOW64\Odednmpm.exe

MD5 4ad0d6ac68b097aa9cdba4b49cb19916
SHA1 e839777d8d276ce78f13f595b4086e10b9cff196
SHA256 517baede1bb8fdafd454a3ebdce833fdf331795d60f7c3d1aedc299a5f767e72
SHA512 ecabeb68bc2d70e0a39fc39d899e8f3e2ed7755d95db02029162208c70e174d188d8fda8245790fbc85b8a3093b60b89bab703534575bedfed0bb566f9084814

C:\Windows\SysWOW64\Obfhba32.exe

MD5 6f1afb361f0bb97aa8bf909d7212d330
SHA1 eda790f9490eda00483ce7e8e8cfba40033deb2b
SHA256 fe701d7aab858ebfe65e8466519e393e9d0298b44f8f48aa449e384754339420
SHA512 5c7ba0ebf3d5e163e080ddf3d3f7a30d9bc028cbac646e4efac50e099be5693c032e92187da655dbfe642dafff3c9b529e9123a54613e80b71a918351e155900

C:\Windows\SysWOW64\Ojopad32.exe

MD5 67003c4be4b06e7e51cf1d7a11f9c322
SHA1 9114d56398b0b25677c3eaf454bac9ad085cedd1
SHA256 5051b56cd7676815dc158d46456d7063fe78a5a59ccc1e1b45a0fc053dc9b237
SHA512 e6cb277c4f257987d97e5724a2f19b14f2d9366b7c2769bdb842cb51c11e2cb50e46e49242461fe005c2364dc9fed77e68fbc5cdbda6f5ba7dac2da127c1ee3f

C:\Windows\SysWOW64\Okloegjl.exe

MD5 dd715534a9580f323a83c273a2285f20
SHA1 bdd9df4a75183c2ac6edcf882c9fa0d2acdb0731
SHA256 a845ccea09951cf713d6ba0bb1aeb0e453dd7ff20daf4bab8805a149436fd7d9
SHA512 3be82a12feff21e050e4d891802dc54462a7b11e23d6de4861f2b2c409dcf79e791dda6096d6a83e73fb8a290936d17c2226342cb0d8b0415adbb33f608b645b

C:\Windows\SysWOW64\Odbgim32.exe

MD5 32cd0b573cbcaa0ef4c69ea7776a43d9
SHA1 0d06d8409b2818cd921d87ed5ac9dd6070e95688
SHA256 093a2239a7d073674522536ed0d771fd5fa862b25f19a7c3c3d0d25b13f12bff
SHA512 30d29b850745211a03b914841ef4a447ef25ca1cd19935e2c7e0af83326790a10a0681314b1f8cd98fa92846220f85aaf3d688d569c8984d40289906322b7e20

C:\Windows\SysWOW64\Ojmcld32.exe

MD5 c3b4f663c37591707613782d86848b51
SHA1 1742c94663db8dd787899edfd767a48e74e1af59
SHA256 ed805c3577567132f95a8529b5b2531f8133c5c5ccab1ad02be1ef728e017bf5
SHA512 0795bac3dc010b7106514236850c08c1045918fc226f9c1c1f90101104328819198c54a8e9fedde1b511bf05f985ab1f484fe69ca44460e0b2f26a7b75dc95ce

C:\Windows\SysWOW64\Okjbpglo.exe

MD5 8d90d17dac6549f73dda072a1fe5429e
SHA1 5566cb7b6c31509b526cb40c96f167cf67005296
SHA256 0b9f29004be74c7694273d8cecd96cab16585cdca781aadcfc53121b04e8ab9c
SHA512 8cc8f514a44d4b31d0d0586673b9dd4d122b891e743804e767b478ac8d8ccfa08fa0a6861fa56730e760ec47477648575b4de96336979c20bdc9e49f0bcd2665

C:\Windows\SysWOW64\Ogogoi32.exe

MD5 0df4c71b1d15163ddd821d9987cd6fb5
SHA1 b3169fd4d2ac93ae5340e61d3124ae1223ed00dd
SHA256 226bc029aa5cc52fe7e9a2c642857792667a1dcece4c014da9af636a75ddcd70
SHA512 1d18d854716a9074f436a2edd1e5f637f409aaf9339ead6c3c5b2cb2030883a3cd41fd45b29b7882772de36c4b1e6d9cc5efb0b23998d2d9e6ea924dcaabf1bc

C:\Windows\SysWOW64\Obangb32.exe

MD5 07e1dde5c4a605285c540d1077a54473
SHA1 fa3824a40da7aba718a6822dfe48d4c52f0491ca
SHA256 8b60fb408266a23b9f20bff0bd0cb5304caee35f97ed4e0fad52f061e37b56a8
SHA512 8be66676e48e5e12c545c25861e39fcce9b863cede43bc684d8875d897ff71ef9c8c082d4443ca08f157c3120bef1c406d2f381f35095bd221e51d1cbf527a09

C:\Windows\SysWOW64\Okhfjh32.exe

MD5 966c61413e79a44ab2e83ded24607267
SHA1 28c2e44c977251b77a8b4c2e21395a415eedfde6
SHA256 e39ffa73f039810af89a650e8b0cba0d28bc77ec3d2b61f0a0902eb39e1379f2
SHA512 dd70472c0c262ef9b2ea17d97d28e6bfa79868425f47b9df5cfe9d9a39e575d4be7182e12ca151284a4214bc53dced2f507e5cc15cddd112f7f7dcb7b5ffef69

C:\Windows\SysWOW64\Ogljjiei.exe

MD5 dc2ee0011cdd5ed12515194735315730
SHA1 3da4ad5bec0264e4199a6b72e60cda0b4117937f
SHA256 4ff6342a72e5d6f5064df68d16fc8b6306d69bf5ad280ee697250baeecae928e
SHA512 079f435cef5224a4a3e5657967fd9452472c81148261dd87652dafce6447e6f7e064ab60be873e3c34ab2cbdb7ccd78cf93f29afa797dcb4c86831ba79f8860f

C:\Windows\SysWOW64\Njfmke32.exe

MD5 a20933aa12f93220bec4399d78e04949
SHA1 dcf1a09deed7cdbed96ee8a9ee206bab7b31f8ff
SHA256 751289c1f9cc05e2ab119a672f671a8efd41fb648021e473df106922d17778ae
SHA512 9fad51f0eed330e5a324802681e09eed1320230e25492a49cbdd793034a06fe993b5406237062f83024880742a9cf232376ee7e721720bb7b23b6dde06475c49

memory/2772-24-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3264-20-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Njcpee32.exe

MD5 6caf414a99ca7f6dd3fde12a78e5dbb6
SHA1 94e5a45d9ca26b81415a3e29caa4a6a3d20d2d44
SHA256 e0ac3421d0f9f0ec3e440167424d0fbe3bdba0076e95aba855b77ab5fd2ca05c
SHA512 38f92e38fc7e63558f83f5534d957e67cdbfe66b0475492ee4cd69ddb8365bdf1dc39fba5ec072b0418cf93771373200b9c213d68a46a568ba3924b5a6ac40b8

memory/1112-504-0x0000000000400000-0x0000000000434000-memory.dmp

memory/972-513-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5076-515-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4144-521-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3940-516-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3360-508-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2000-525-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5068-531-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4344-524-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2008-532-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4320-523-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4104-533-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1496-540-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2248-546-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2948-547-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4440-539-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1468-548-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1628-555-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4912-554-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3640-564-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4052-557-0x0000000000400000-0x0000000000434000-memory.dmp

memory/900-562-0x0000000000400000-0x0000000000434000-memory.dmp

memory/996-556-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1692-565-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3052-570-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3468-573-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1876-574-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2896-572-0x0000000000400000-0x0000000000434000-memory.dmp

memory/940-575-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4816-579-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3120-580-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4424-584-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3656-590-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4292-583-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4868-592-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3604-591-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ckcgkldl.exe

MD5 5ea145c7a2b81e67b99c3684fec90672
SHA1 bb54ceb93aa0e639f9c53b4f7c788e617bad4b1c
SHA256 380cdf0cd19e2381e973f4c514670c4ae9dd8aeff6c5f900b59fb29831126567
SHA512 06f6297178b57faa2de8ce6a239cba7f47fccb35e38ccdbf469c9ec0c16f67c65f7ae484c3885517fa23acac3dd5d6cc1defaf05a0ef5fe8458af1e47430d1ca

C:\Windows\SysWOW64\Doqpak32.exe

MD5 19e15e49aca24f5c6ff9ced277042a32
SHA1 86564a32acd4ea4472b33d4baa387a7e7d2409f9
SHA256 afe595abbbd9340f955b24ca31407a301a0226240f38bce8544d2129e79eed05
SHA512 613a11945ddb6120768933a36e6c79c6bcd168efb14d0c2e60869a266b2dcf6810bc248d50e95f3837731267c4a98254d9f8c7c256f630069ca80b456b32bcfa

C:\Windows\SysWOW64\Edpnfo32.exe

MD5 554589546a2b605eaf75babfd32598b6
SHA1 29bd62ddae307b495c8189fc6d1b30d159ac0825
SHA256 9d0330b517f76fda3236252cf43019bc403d33fc205877ad1c46df160f1608b6
SHA512 8f2e61049cd619bab4b5fc5859baf0968e9a19e6a80457572258c5a029fbecac08fc94d6c77ea2e45764b3f329f3db0a873c1646fe85d8c7e9fcdfe0dc01459f

C:\Windows\SysWOW64\Eadopc32.exe

MD5 0ddfe1340e18539849006bd97f2dc587
SHA1 b3ad4b0af4551414f48e916b6e9d2a1aa83ea72a
SHA256 bcfc19955ef55d178dff3bc6c448da0be59d84a652e10cd619604fecb9caa244
SHA512 d52ab24fa0ef2b9e144338798d9d7f83ae61e584063406939187b785d0c2d8eb71c61fa7f9cf0635af24f3eb599efaa6c75c5ed2a892733111ebef2538704c4e

C:\Windows\SysWOW64\Fcckif32.exe

MD5 5202c7e27a6417074e1b205b56a3deab
SHA1 ac8631690921e928a5672d888a6bac9f9dc98822
SHA256 5a3d23817e4a878792ce0ceb3d42ae22d03e5307326a56a24afa3f602f49ed2d
SHA512 aad6dea4a3d07c7e715d47fbca8d682c85d3c42230830f461fd72b72f820955470465c763c9f3916df1cff32fb97a46d7ee4be74128ca050ab2fcbe3addd39ee

C:\Windows\SysWOW64\Kefkme32.exe

MD5 f288d79c009874c80bf5f3aa63a575cf
SHA1 3f659393e476d9bdfbfeb51a5dcb8e1d7e035e67
SHA256 8d5bb869e9995250481daee2acad0b82d42cef1ff92823b869a0195f4e6b53df
SHA512 98796f0527a6cd544f6d634832b17c48ce7d322a5942e1924906cd376638056d3f86cfcd7e968d0e34202fabdeb6daea10f008a22e10a2ab3e0c5eb7ff03b484

C:\Windows\SysWOW64\Ldleel32.exe

MD5 d01a7682afccdefcdc808773ea950d30
SHA1 358465d5f25baf44de5b9571cc60e29c43b389f5
SHA256 013174b8af03fc39fc42d4bcfeedce851ade43cb69d605e9f487a5aad76cff30
SHA512 6da76e246946c8bb524200c0df01f5b92498a6222e77ae4cfcaefb7d18555f735ea9e8d8e03f2dc9600c659a5eae97c835b6af3b4fdd110eadbfce68b2e349ab

C:\Windows\SysWOW64\Lphoelqn.exe

MD5 0755ea086abb6fd95280c8e569ebe3f2
SHA1 e2af78627b19795cd83b8bc47631eed3a38a8daa
SHA256 605d2b219aa9da1a9fceaa403c72eb68b8fa362551e652a7deb176676c4d1617
SHA512 c4d21b7a540d14d91e9febda15f35f09a1ae6e264364d41242b151e68427ff863110ae895b9c50776d0a5ea767f8883c8ec9da85fb5f9166752f432a69854214

C:\Windows\SysWOW64\Mpoefk32.exe

MD5 03656026e091c0b4ca46b3de60ae0f1e
SHA1 925717ebfdce16159c02053734ba47856527e277
SHA256 2226337725ed7f94d30dfce4232b881cd6d49672b451fdac1c63a953d27c5cd8
SHA512 bbe66244fc3df8442127e37ffcccaa9a45dfa2f07ce1ec44d23d3a35cdf46e2037f28d2be7eae5623087babde9fec6417c9a1acfbb4ec781a5f9f6f3a8632384

C:\Windows\SysWOW64\Mgkjhe32.exe

MD5 63ce134ca6c3ed40d05d9fe48b596d05
SHA1 0ad26c90db110f667fd292ad68d23397f28840b2
SHA256 7877c7163464ee7ea634f950a238f3526ed9eb219fde907ca535e92c00cdd2ec
SHA512 1b3ce7c787281b7bb9aaca92edf9fdf1f1b00d55a7493e94c1d8cad36d0cf9acd80121aea546f5ef5516e8d1d85fa44890ea732f0b90adb18f07349fb52bf697

C:\Windows\SysWOW64\Pcbmka32.exe

MD5 b5b1ec66decca09e066ba87721a060c5
SHA1 0ba35d5e7b05cbfe60c584adbd691530143628ef
SHA256 d279d0be100bcf910552f58a332f62227b4f106143a843e0102d18e26a9e3e8b
SHA512 b5a4de19b8552726c3086c31252080c0c39bd113458588ec4a4944a1b326685bc91893d8e3a26465ebe8d939c8276e508543a72d3fa2bb56f1b102faa79c20dc

C:\Windows\SysWOW64\Agjhgngj.exe

MD5 3cee6af52db915b5d017e13307034b30
SHA1 13e95d825cedce72a8017e23f7cc29d7fb60ce5f
SHA256 10a1373c2a298fcc869aaa72341728c2a15abfd88169dc4ea38fd4015f24737c
SHA512 b6946656463e22cc3863746be61c9a19cd2a101aed6a9c89cf26dc698b299b40f8ca0c95c05dd402d63c11f850b474ee26d4f33a426a2d30c0d8332361cf9248

C:\Windows\SysWOW64\Cjkjpgfi.exe

MD5 6184880e9ff68f97dc8b36b9acb07c98
SHA1 3a9ec9cc9885e4bf789e90c0c6817000841a5c75
SHA256 63e351030e357f313c2adcf02671eaae6973a1cf5cc6f8e4083c588f928cf916
SHA512 8c5d7142bdba14b57508be60af3b9cdb5799802d82308e78772f6740bb72b4f2ea0b261cf2e2ebaa606bd680d5d57cd12fef1acf647a12850def64ae899d782d

C:\Windows\SysWOW64\Dkifae32.exe

MD5 3d8bdc651040869dcbfcac071a8af414
SHA1 be418304346433e22ceec82744a1024e1eb6e0b8
SHA256 48b16cd2918a29c97b074912f446f2dce44c3f2bed389b36b91879391974ff8c
SHA512 3caeb649e0581f4de7702b66bdfaf26346a306a1cd9f5c136448506f60bbb2dad372079befe47311703fafc50418fcdc43661245f772752d7352b08e7ed21838

memory/10768-2865-0x0000000000400000-0x0000000000434000-memory.dmp

memory/10292-2867-0x0000000000400000-0x0000000000434000-memory.dmp

memory/11188-2877-0x0000000000400000-0x0000000000434000-memory.dmp

memory/10612-2885-0x0000000000400000-0x0000000000434000-memory.dmp

memory/10352-2888-0x0000000000400000-0x0000000000434000-memory.dmp

memory/10244-2889-0x0000000000400000-0x0000000000434000-memory.dmp

memory/11192-2891-0x0000000000400000-0x0000000000434000-memory.dmp

memory/11148-2892-0x0000000000400000-0x0000000000434000-memory.dmp

memory/11104-2893-0x0000000000400000-0x0000000000434000-memory.dmp