Malware Analysis Report

2025-03-14 23:13

Sample ID 240407-xfmh5abg34
Target 137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2
SHA256 137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2

Threat Level: Known bad

The file 137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2 was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:47

Reported

2024-04-07 18:50

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqlafm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gelppaof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obnqem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Apcfahio.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pipopl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Piehkkcl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afmonbqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pigeqkai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahchbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oghlgdgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Afmonbqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dchali32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfinoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dgmglh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebbgid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gegfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ojieip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Piblek32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afdlhchf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhffaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oghlgdgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjpqdp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apomfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bnpmipql.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbpodagk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Paejki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Apomfh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfinoq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckignd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qljkhe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhahlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bdooajdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ongnonkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Amndem32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aenbdoii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enkece32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fckjalhj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faagpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Paejki32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccdlbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dodonf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fphafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hellne32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Oghlgdgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Obnqem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojieip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omgaek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ongnonkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Paejki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pipopl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbiciana.exe N/A
N/A N/A C:\Windows\SysWOW64\Piblek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppmdbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkpna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piehkkcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pigeqkai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppamme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Penfelgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qljkhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qagcpljo.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahchbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajbdna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afiecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambmpmln.exe N/A
N/A N/A C:\Windows\SysWOW64\Aenbdoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Afmonbqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bagpopmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbflib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbjopoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccdlbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjndop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcqpmep.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbmjplb.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbpodagk.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddagfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
N/A N/A C:\Windows\SysWOW64\Oghlgdgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oghlgdgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Obnqem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obnqem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojieip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojieip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omgaek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omgaek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ongnonkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ongnonkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Paejki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Paejki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pipopl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pipopl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbiciana.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbiciana.exe N/A
N/A N/A C:\Windows\SysWOW64\Piblek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piblek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppmdbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppmdbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkpna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkpna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piehkkcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Piehkkcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pigeqkai.exe N/A
N/A N/A C:\Windows\SysWOW64\Pigeqkai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppamme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppamme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Penfelgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Penfelgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qljkhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qljkhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qagcpljo.exe N/A
N/A N/A C:\Windows\SysWOW64\Qagcpljo.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahchbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahchbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajbdna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajbdna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afiecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afiecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambmpmln.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambmpmln.exe N/A
N/A N/A C:\Windows\SysWOW64\Aenbdoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Aenbdoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Afmonbqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Afmonbqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bagpopmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bagpopmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbflib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbflib32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ebpkce32.exe C:\Windows\SysWOW64\Ecmkghcl.exe N/A
File opened for modification C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Dqlafm32.exe N/A
File created C:\Windows\SysWOW64\Eiojgnpb.dll C:\Windows\SysWOW64\Ahchbf32.exe N/A
File created C:\Windows\SysWOW64\Bmeohn32.dll C:\Windows\SysWOW64\Bdooajdc.exe N/A
File created C:\Windows\SysWOW64\Obnqem32.exe C:\Windows\SysWOW64\Oghlgdgk.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fphafl32.exe N/A
File created C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File created C:\Windows\SysWOW64\Ongnonkb.exe C:\Windows\SysWOW64\Omgaek32.exe N/A
File created C:\Windows\SysWOW64\Hogmmjfo.exe C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Bagpopmj.exe C:\Windows\SysWOW64\Ahokfj32.exe N/A
File created C:\Windows\SysWOW64\Aiabof32.dll C:\Windows\SysWOW64\Bcaomf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjpqdp32.exe C:\Windows\SysWOW64\Ccfhhffh.exe N/A
File opened for modification C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Cpjiajeb.exe N/A
File created C:\Windows\SysWOW64\Njcbaa32.dll C:\Windows\SysWOW64\Dodonf32.exe N/A
File created C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Ebbgid32.exe N/A
File created C:\Windows\SysWOW64\Bnpmlfkm.dll C:\Windows\SysWOW64\Eiomkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qljkhe32.exe C:\Windows\SysWOW64\Penfelgm.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Chcqpmep.exe N/A
File created C:\Windows\SysWOW64\Gangic32.exe C:\Windows\SysWOW64\Gpmjak32.exe N/A
File created C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File created C:\Windows\SysWOW64\Hkkmeglp.dll C:\Windows\SysWOW64\Hkpnhgge.exe N/A
File opened for modification C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Icbimi32.exe N/A
File created C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Cjndop32.exe N/A
File created C:\Windows\SysWOW64\Andkhh32.dll C:\Windows\SysWOW64\Afiecb32.exe N/A
File created C:\Windows\SysWOW64\Bibckiab.dll C:\Windows\SysWOW64\Eajaoq32.exe N/A
File created C:\Windows\SysWOW64\Ghoegl32.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File created C:\Windows\SysWOW64\Hkpnhgge.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Pbiciana.exe C:\Windows\SysWOW64\Pipopl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe C:\Windows\SysWOW64\Ebinic32.exe N/A
File created C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dkmmhf32.exe N/A
File created C:\Windows\SysWOW64\Lkojpojq.dll C:\Windows\SysWOW64\Ebbgid32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebinic32.exe C:\Windows\SysWOW64\Ennaieib.exe N/A
File created C:\Windows\SysWOW64\Cjpqdp32.exe C:\Windows\SysWOW64\Ccfhhffh.exe N/A
File created C:\Windows\SysWOW64\Oeeonk32.dll C:\Windows\SysWOW64\Cdakgibq.exe N/A
File opened for modification C:\Windows\SysWOW64\Fdapak32.exe C:\Windows\SysWOW64\Fpfdalii.exe N/A
File created C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Ajbdna32.exe N/A
File created C:\Windows\SysWOW64\Bcgeaj32.dll C:\Windows\SysWOW64\Piblek32.exe N/A
File created C:\Windows\SysWOW64\Ndabhn32.dll C:\Windows\SysWOW64\Hicodd32.exe N/A
File created C:\Windows\SysWOW64\Omgaek32.exe C:\Windows\SysWOW64\Ojieip32.exe N/A
File created C:\Windows\SysWOW64\Bdhaablp.dll C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cngcjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Elpbcapg.dll C:\Windows\SysWOW64\Gacpdbej.exe N/A
File created C:\Windows\SysWOW64\Kjnifgah.dll C:\Windows\SysWOW64\Hiekid32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gkgkbipp.exe N/A
File created C:\Windows\SysWOW64\Opanhd32.dll C:\Windows\SysWOW64\Bbflib32.exe N/A
File created C:\Windows\SysWOW64\Ljenlcfa.dll C:\Windows\SysWOW64\Emcbkn32.exe N/A
File created C:\Windows\SysWOW64\Hllopfgo.dll C:\Windows\SysWOW64\Ghmiam32.exe N/A
File created C:\Windows\SysWOW64\Afmonbqk.exe C:\Windows\SysWOW64\Apcfahio.exe N/A
File created C:\Windows\SysWOW64\Jfpjfeia.dll C:\Windows\SysWOW64\Dnneja32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Filldb32.exe N/A
File created C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Paejki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajbdna32.exe C:\Windows\SysWOW64\Ahchbf32.exe N/A
File created C:\Windows\SysWOW64\Maphhihi.dll C:\Windows\SysWOW64\Emhlfmgj.exe N/A
File created C:\Windows\SysWOW64\Cmbmkg32.dll C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File created C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File created C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Obnqem32.exe N/A
File created C:\Windows\SysWOW64\Ohbepi32.dll C:\Windows\SysWOW64\Filldb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe C:\Windows\SysWOW64\Fhffaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qagcpljo.exe C:\Windows\SysWOW64\Qljkhe32.exe N/A
File created C:\Windows\SysWOW64\Bbflib32.exe C:\Windows\SysWOW64\Bhahlj32.exe N/A
File created C:\Windows\SysWOW64\Ojdngl32.dll C:\Windows\SysWOW64\Bhahlj32.exe N/A
File created C:\Windows\SysWOW64\Iegecigk.dll C:\Windows\SysWOW64\Bnpmipql.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" C:\Windows\SysWOW64\Idceea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfinoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll" C:\Windows\SysWOW64\Emeopn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fphafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagmdc32.dll" C:\Windows\SysWOW64\Apomfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiabof32.dll" C:\Windows\SysWOW64\Bcaomf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dnneja32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebbgid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gangic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggbcg32.dll" C:\Windows\SysWOW64\Obnqem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppiecpn.dll" C:\Windows\SysWOW64\Claifkkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egdilkbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afmonbqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" C:\Windows\SysWOW64\Bagpopmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afdlhchf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Chcqpmep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chcqpmep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fmlapp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bagpopmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll" C:\Windows\SysWOW64\Aenbdoii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" C:\Windows\SysWOW64\Cjpqdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnneja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Apcfahio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Clcflkic.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ppmdbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonlfkdd.dll" C:\Windows\SysWOW64\Pbkpna32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ahokfj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dchali32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" C:\Windows\SysWOW64\Efncicpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Piehkkcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cngcjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" C:\Windows\SysWOW64\Fphafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pipopl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ppamme32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Emeopn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egamfkdh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Enkece32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjlhneio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pbiciana.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qagcpljo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahchbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ekklaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fjilieka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbflib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" C:\Windows\SysWOW64\Fdapak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pipopl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bnbjopoi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gpmjak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pbkpna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" C:\Windows\SysWOW64\Ahchbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" C:\Windows\SysWOW64\Ejgcdb32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe C:\Windows\SysWOW64\Oghlgdgk.exe
PID 2240 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe C:\Windows\SysWOW64\Oghlgdgk.exe
PID 2240 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe C:\Windows\SysWOW64\Oghlgdgk.exe
PID 2240 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe C:\Windows\SysWOW64\Oghlgdgk.exe
PID 2028 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Oghlgdgk.exe C:\Windows\SysWOW64\Obnqem32.exe
PID 2028 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Oghlgdgk.exe C:\Windows\SysWOW64\Obnqem32.exe
PID 2028 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Oghlgdgk.exe C:\Windows\SysWOW64\Obnqem32.exe
PID 2028 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Oghlgdgk.exe C:\Windows\SysWOW64\Obnqem32.exe
PID 2272 wrote to memory of 2644 N/A C:\Windows\SysWOW64\Obnqem32.exe C:\Windows\SysWOW64\Ojieip32.exe
PID 2272 wrote to memory of 2644 N/A C:\Windows\SysWOW64\Obnqem32.exe C:\Windows\SysWOW64\Ojieip32.exe
PID 2272 wrote to memory of 2644 N/A C:\Windows\SysWOW64\Obnqem32.exe C:\Windows\SysWOW64\Ojieip32.exe
PID 2272 wrote to memory of 2644 N/A C:\Windows\SysWOW64\Obnqem32.exe C:\Windows\SysWOW64\Ojieip32.exe
PID 2644 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Omgaek32.exe
PID 2644 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Omgaek32.exe
PID 2644 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Omgaek32.exe
PID 2644 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Omgaek32.exe
PID 2876 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Omgaek32.exe C:\Windows\SysWOW64\Ongnonkb.exe
PID 2876 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Omgaek32.exe C:\Windows\SysWOW64\Ongnonkb.exe
PID 2876 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Omgaek32.exe C:\Windows\SysWOW64\Ongnonkb.exe
PID 2876 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Omgaek32.exe C:\Windows\SysWOW64\Ongnonkb.exe
PID 2468 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Ongnonkb.exe C:\Windows\SysWOW64\Paejki32.exe
PID 2468 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Ongnonkb.exe C:\Windows\SysWOW64\Paejki32.exe
PID 2468 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Ongnonkb.exe C:\Windows\SysWOW64\Paejki32.exe
PID 2468 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Ongnonkb.exe C:\Windows\SysWOW64\Paejki32.exe
PID 2452 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Paejki32.exe C:\Windows\SysWOW64\Pipopl32.exe
PID 2452 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Paejki32.exe C:\Windows\SysWOW64\Pipopl32.exe
PID 2452 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Paejki32.exe C:\Windows\SysWOW64\Pipopl32.exe
PID 2452 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Paejki32.exe C:\Windows\SysWOW64\Pipopl32.exe
PID 2960 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Pbiciana.exe
PID 2960 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Pbiciana.exe
PID 2960 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Pbiciana.exe
PID 2960 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Pbiciana.exe
PID 2752 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Pbiciana.exe C:\Windows\SysWOW64\Piblek32.exe
PID 2752 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Pbiciana.exe C:\Windows\SysWOW64\Piblek32.exe
PID 2752 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Pbiciana.exe C:\Windows\SysWOW64\Piblek32.exe
PID 2752 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Pbiciana.exe C:\Windows\SysWOW64\Piblek32.exe
PID 2840 wrote to memory of 556 N/A C:\Windows\SysWOW64\Piblek32.exe C:\Windows\SysWOW64\Ppmdbe32.exe
PID 2840 wrote to memory of 556 N/A C:\Windows\SysWOW64\Piblek32.exe C:\Windows\SysWOW64\Ppmdbe32.exe
PID 2840 wrote to memory of 556 N/A C:\Windows\SysWOW64\Piblek32.exe C:\Windows\SysWOW64\Ppmdbe32.exe
PID 2840 wrote to memory of 556 N/A C:\Windows\SysWOW64\Piblek32.exe C:\Windows\SysWOW64\Ppmdbe32.exe
PID 556 wrote to memory of 1784 N/A C:\Windows\SysWOW64\Ppmdbe32.exe C:\Windows\SysWOW64\Pbkpna32.exe
PID 556 wrote to memory of 1784 N/A C:\Windows\SysWOW64\Ppmdbe32.exe C:\Windows\SysWOW64\Pbkpna32.exe
PID 556 wrote to memory of 1784 N/A C:\Windows\SysWOW64\Ppmdbe32.exe C:\Windows\SysWOW64\Pbkpna32.exe
PID 556 wrote to memory of 1784 N/A C:\Windows\SysWOW64\Ppmdbe32.exe C:\Windows\SysWOW64\Pbkpna32.exe
PID 1784 wrote to memory of 772 N/A C:\Windows\SysWOW64\Pbkpna32.exe C:\Windows\SysWOW64\Piehkkcl.exe
PID 1784 wrote to memory of 772 N/A C:\Windows\SysWOW64\Pbkpna32.exe C:\Windows\SysWOW64\Piehkkcl.exe
PID 1784 wrote to memory of 772 N/A C:\Windows\SysWOW64\Pbkpna32.exe C:\Windows\SysWOW64\Piehkkcl.exe
PID 1784 wrote to memory of 772 N/A C:\Windows\SysWOW64\Pbkpna32.exe C:\Windows\SysWOW64\Piehkkcl.exe
PID 772 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Piehkkcl.exe C:\Windows\SysWOW64\Pigeqkai.exe
PID 772 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Piehkkcl.exe C:\Windows\SysWOW64\Pigeqkai.exe
PID 772 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Piehkkcl.exe C:\Windows\SysWOW64\Pigeqkai.exe
PID 772 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Piehkkcl.exe C:\Windows\SysWOW64\Pigeqkai.exe
PID 2980 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Pigeqkai.exe C:\Windows\SysWOW64\Ppamme32.exe
PID 2980 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Pigeqkai.exe C:\Windows\SysWOW64\Ppamme32.exe
PID 2980 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Pigeqkai.exe C:\Windows\SysWOW64\Ppamme32.exe
PID 2980 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Pigeqkai.exe C:\Windows\SysWOW64\Ppamme32.exe
PID 2096 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Ppamme32.exe C:\Windows\SysWOW64\Penfelgm.exe
PID 2096 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Ppamme32.exe C:\Windows\SysWOW64\Penfelgm.exe
PID 2096 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Ppamme32.exe C:\Windows\SysWOW64\Penfelgm.exe
PID 2096 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Ppamme32.exe C:\Windows\SysWOW64\Penfelgm.exe
PID 1368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Penfelgm.exe C:\Windows\SysWOW64\Qljkhe32.exe
PID 1368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Penfelgm.exe C:\Windows\SysWOW64\Qljkhe32.exe
PID 1368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Penfelgm.exe C:\Windows\SysWOW64\Qljkhe32.exe
PID 1368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Penfelgm.exe C:\Windows\SysWOW64\Qljkhe32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe

"C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe"

C:\Windows\SysWOW64\Oghlgdgk.exe

C:\Windows\system32\Oghlgdgk.exe

C:\Windows\SysWOW64\Obnqem32.exe

C:\Windows\system32\Obnqem32.exe

C:\Windows\SysWOW64\Ojieip32.exe

C:\Windows\system32\Ojieip32.exe

C:\Windows\SysWOW64\Omgaek32.exe

C:\Windows\system32\Omgaek32.exe

C:\Windows\SysWOW64\Ongnonkb.exe

C:\Windows\system32\Ongnonkb.exe

C:\Windows\SysWOW64\Paejki32.exe

C:\Windows\system32\Paejki32.exe

C:\Windows\SysWOW64\Pipopl32.exe

C:\Windows\system32\Pipopl32.exe

C:\Windows\SysWOW64\Pbiciana.exe

C:\Windows\system32\Pbiciana.exe

C:\Windows\SysWOW64\Piblek32.exe

C:\Windows\system32\Piblek32.exe

C:\Windows\SysWOW64\Ppmdbe32.exe

C:\Windows\system32\Ppmdbe32.exe

C:\Windows\SysWOW64\Pbkpna32.exe

C:\Windows\system32\Pbkpna32.exe

C:\Windows\SysWOW64\Piehkkcl.exe

C:\Windows\system32\Piehkkcl.exe

C:\Windows\SysWOW64\Pigeqkai.exe

C:\Windows\system32\Pigeqkai.exe

C:\Windows\SysWOW64\Ppamme32.exe

C:\Windows\system32\Ppamme32.exe

C:\Windows\SysWOW64\Penfelgm.exe

C:\Windows\system32\Penfelgm.exe

C:\Windows\SysWOW64\Qljkhe32.exe

C:\Windows\system32\Qljkhe32.exe

C:\Windows\SysWOW64\Qagcpljo.exe

C:\Windows\system32\Qagcpljo.exe

C:\Windows\SysWOW64\Afdlhchf.exe

C:\Windows\system32\Afdlhchf.exe

C:\Windows\SysWOW64\Amndem32.exe

C:\Windows\system32\Amndem32.exe

C:\Windows\SysWOW64\Ahchbf32.exe

C:\Windows\system32\Ahchbf32.exe

C:\Windows\SysWOW64\Ajbdna32.exe

C:\Windows\system32\Ajbdna32.exe

C:\Windows\SysWOW64\Apomfh32.exe

C:\Windows\system32\Apomfh32.exe

C:\Windows\SysWOW64\Afiecb32.exe

C:\Windows\system32\Afiecb32.exe

C:\Windows\SysWOW64\Ambmpmln.exe

C:\Windows\system32\Ambmpmln.exe

C:\Windows\SysWOW64\Aenbdoii.exe

C:\Windows\system32\Aenbdoii.exe

C:\Windows\SysWOW64\Apcfahio.exe

C:\Windows\system32\Apcfahio.exe

C:\Windows\SysWOW64\Afmonbqk.exe

C:\Windows\system32\Afmonbqk.exe

C:\Windows\SysWOW64\Ahokfj32.exe

C:\Windows\system32\Ahokfj32.exe

C:\Windows\SysWOW64\Bagpopmj.exe

C:\Windows\system32\Bagpopmj.exe

C:\Windows\SysWOW64\Bhahlj32.exe

C:\Windows\system32\Bhahlj32.exe

C:\Windows\SysWOW64\Bbflib32.exe

C:\Windows\system32\Bbflib32.exe

C:\Windows\SysWOW64\Bkaqmeah.exe

C:\Windows\system32\Bkaqmeah.exe

C:\Windows\SysWOW64\Bnpmipql.exe

C:\Windows\system32\Bnpmipql.exe

C:\Windows\SysWOW64\Bghabf32.exe

C:\Windows\system32\Bghabf32.exe

C:\Windows\SysWOW64\Bnbjopoi.exe

C:\Windows\system32\Bnbjopoi.exe

C:\Windows\SysWOW64\Bkfjhd32.exe

C:\Windows\system32\Bkfjhd32.exe

C:\Windows\SysWOW64\Bnefdp32.exe

C:\Windows\system32\Bnefdp32.exe

C:\Windows\SysWOW64\Bdooajdc.exe

C:\Windows\system32\Bdooajdc.exe

C:\Windows\SysWOW64\Bcaomf32.exe

C:\Windows\system32\Bcaomf32.exe

C:\Windows\SysWOW64\Ckignd32.exe

C:\Windows\system32\Ckignd32.exe

C:\Windows\SysWOW64\Cngcjo32.exe

C:\Windows\system32\Cngcjo32.exe

C:\Windows\SysWOW64\Cdakgibq.exe

C:\Windows\system32\Cdakgibq.exe

C:\Windows\SysWOW64\Ccdlbf32.exe

C:\Windows\system32\Ccdlbf32.exe

C:\Windows\SysWOW64\Cjndop32.exe

C:\Windows\system32\Cjndop32.exe

C:\Windows\SysWOW64\Ccfhhffh.exe

C:\Windows\system32\Ccfhhffh.exe

C:\Windows\SysWOW64\Cjpqdp32.exe

C:\Windows\system32\Cjpqdp32.exe

C:\Windows\SysWOW64\Chcqpmep.exe

C:\Windows\system32\Chcqpmep.exe

C:\Windows\SysWOW64\Cpjiajeb.exe

C:\Windows\system32\Cpjiajeb.exe

C:\Windows\SysWOW64\Cciemedf.exe

C:\Windows\system32\Cciemedf.exe

C:\Windows\SysWOW64\Cjbmjplb.exe

C:\Windows\system32\Cjbmjplb.exe

C:\Windows\SysWOW64\Claifkkf.exe

C:\Windows\system32\Claifkkf.exe

C:\Windows\SysWOW64\Cfinoq32.exe

C:\Windows\system32\Cfinoq32.exe

C:\Windows\SysWOW64\Clcflkic.exe

C:\Windows\system32\Clcflkic.exe

C:\Windows\SysWOW64\Dbpodagk.exe

C:\Windows\system32\Dbpodagk.exe

C:\Windows\SysWOW64\Dflkdp32.exe

C:\Windows\system32\Dflkdp32.exe

C:\Windows\SysWOW64\Dgmglh32.exe

C:\Windows\system32\Dgmglh32.exe

C:\Windows\SysWOW64\Dodonf32.exe

C:\Windows\system32\Dodonf32.exe

C:\Windows\SysWOW64\Ddagfm32.exe

C:\Windows\system32\Ddagfm32.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dcfdgiid.exe

C:\Windows\system32\Dcfdgiid.exe

C:\Windows\SysWOW64\Dkmmhf32.exe

C:\Windows\system32\Dkmmhf32.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Dchali32.exe

C:\Windows\system32\Dchali32.exe

C:\Windows\SysWOW64\Dfgmhd32.exe

C:\Windows\system32\Dfgmhd32.exe

C:\Windows\SysWOW64\Dnneja32.exe

C:\Windows\system32\Dnneja32.exe

C:\Windows\SysWOW64\Dqlafm32.exe

C:\Windows\system32\Dqlafm32.exe

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Dfijnd32.exe

C:\Windows\system32\Dfijnd32.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Ebpkce32.exe

C:\Windows\system32\Ebpkce32.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Ebbgid32.exe

C:\Windows\system32\Ebbgid32.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Ekklaj32.exe

C:\Windows\system32\Ekklaj32.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Eecqjpee.exe

C:\Windows\system32\Eecqjpee.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Egdilkbf.exe

C:\Windows\system32\Egdilkbf.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Fckjalhj.exe

C:\Windows\system32\Fckjalhj.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Ffkcbgek.exe

C:\Windows\system32\Ffkcbgek.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fioija32.exe

C:\Windows\system32\Fioija32.exe

C:\Windows\SysWOW64\Fphafl32.exe

C:\Windows\system32\Fphafl32.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gegfdb32.exe

C:\Windows\system32\Gegfdb32.exe

C:\Windows\SysWOW64\Glaoalkh.exe

C:\Windows\system32\Glaoalkh.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gkgkbipp.exe

C:\Windows\system32\Gkgkbipp.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hellne32.exe

C:\Windows\system32\Hellne32.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 140

Network

N/A

Files

SHA512 0e4a1c273151a03302b6b36c2d0fdba87c8663e377b2b55d1c509af8245e0b88b22e031201028c83aadd467103333f51e2bf33230b6285a60da588f28f294773

memory/2392-345-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2648-347-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2928-341-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Bagpopmj.exe

MD5 15d9e2b69be4502f9a08fefcb8d86e9b
SHA1 f0a9fc92463ea02b997809d86561c661fdf6bf3a
SHA256 166f5fda6802602c44a78646733763b6da2e864d6282162189378ee0213509c4
SHA512 7922af9f7f0d019ae98dfbc443086739b39270a81edac6cdd870fab63be2a7976b35cb8e0b0972108bfbe155afdcabe96c3849e7710947a12bd2952b22b0fa98

memory/2664-356-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Bhahlj32.exe

MD5 1e40e7148ba66af33b344bd9834ea500
SHA1 d2e8b716b8ca895bbcc9cf5225b0aed6d396e147
SHA256 8ca19ef13d4a1f2ca36fb7d949a3c6e15e91ecba8b58ccdfafc259b884b47778
SHA512 94969218eff9b1854041677fcec4e2850392d49581fc99e7c6005e764c7e159db384cf881a50106bfd978bf2a5973fb4ffa14d7b7113de8d00f74ff028f44842

memory/2464-367-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2664-366-0x0000000000260000-0x00000000002A2000-memory.dmp

memory/1808-361-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Bbflib32.exe

MD5 dca208b9fca7169745eab2a7113f1896
SHA1 98f8a9be79745165a72807e2c0768fe3f5a3caed
SHA256 8eaadaa6df6e36fffd6ef75bf2e8b6acc0093c3b02a9334f723a3c88e08472a5
SHA512 5877c93251e7f3e134b20fea0013eead86a0068830bb307c763751ed55ad0d8ba2a60fc8b70f72cce8008d4afeef377b95ff5bd37ce1e73b48a29977066eea09

memory/2760-376-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Bkaqmeah.exe

MD5 db4c95b5ae1899e79984b7743ad1b2a4
SHA1 a2a9e50197293a0a54829d5eef185d2a192f391f
SHA256 dd641d767e52486cc4114562dc669a1a0840aadc672b297cac170b05cfb038cb
SHA512 774bb14d6e12671242a3c9c19489e8de7a9c78b2e613e68f88b47da0d8de09f78774e6cf40af02f362862a0c685472decf5af98357de688b418084d8c00ed99f

memory/2760-381-0x0000000000340000-0x0000000000382000-memory.dmp

memory/2496-385-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Bnpmipql.exe

MD5 d75c0c66a1203b1e5f64079467fa4b8b
SHA1 1e15b452b4496cfff090fe5ca40a847c22f61025
SHA256 3794ea493581a58dfa2e16b09e751076e304ef6e77003c633ab9084eaaece455
SHA512 a2da45b56f3c4fbc1f2871e7c63fd7ee39976bb5899c1e1d4f5f0e211b7cf60ea35bf138f102168593506242305f9ce10054d69a0c1bcdeb0aba7aa582c1feda

memory/1608-387-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Windows\SysWOW64\Bghabf32.exe

MD5 cf16f8a1b07b19a6ad2297c944872705
SHA1 53ae0c1a875b0d34a28026ea253326bd751c46b4
SHA256 e2a367bf0f24ec32e546ba62d8b6d80999841e7d1d34f806bbe8a0f20fc882cc
SHA512 3cfb24fa3e9d8479989df17a81b9edd6c6dbde6f1598a580fad76fb41679083d8a0ba7de84d019bb1449b2f1a08c12cb7ba79b70f9de1a0cae97f649c72a3d41

C:\Windows\SysWOW64\Bnbjopoi.exe

MD5 96ea39b7df66643ed28d32edbe8c24bc
SHA1 7de9388cbc2324240a49525e958947615d000872
SHA256 1b597a5fa9429d5c832c0254c14397d7d92fd80214b5e4745de51e2fff659b63
SHA512 14b32d676f5b52b665595207f43e2bce77a88322c125e8b69b6ae3361f9e943db56ac632150fba9027666f64c8ba6a641ad5fd850ae523a133151b5ede6c5391

C:\Windows\SysWOW64\Bkfjhd32.exe

MD5 c590d5438adbc2be5df83ad68e7dd229
SHA1 70b0ff4b051e1736f516c36585137bc266e6e4fc
SHA256 582cc266bf437b00f2c2aa885905c6de89d3f9dcd129cd03361e9244d384b209
SHA512 04ba86a5675215befa18cf583bdcb249bc884d7a482e1e5aeb974332793704be328774351d8a26811a08de86a214aa92839ce1f1cd385a36b106cb0158ae43f6

C:\Windows\SysWOW64\Bnefdp32.exe

MD5 e13db6430e12b907ba9cacf87a0453ae
SHA1 0475cf9f80e53ae9bcfbef1d568c6cfad0efd8da
SHA256 4e0cda7e302e2acac48995eb44263367de8857efbb58f641443e6f5a7115c1c6
SHA512 d549787a4109ae2f364e7fc17424e5f368dac07bbfb795a80f15c1bb840603d89a9b5b99c5c602138f27c505fe8b0f697e6056b24c561864143f5354be522ec2

C:\Windows\SysWOW64\Bdooajdc.exe

MD5 731cbf1d632242d0039b295a1c029ebf
SHA1 41ce1e7a8efc62277127d3b3846249d6c6d1b0fd
SHA256 e9fc5fbf41037a9fdba6d2bf3dc4e72de7bc581bfdb6b6db9ade5aa37b32cccb
SHA512 0f079b81edd83e117be93c2aa1799652a4f96d200d2a413d51fef19dec288adfcda39422d1fc7be634119510b417b7d926d3ccd2f4024535575bebc7203cb416

C:\Windows\SysWOW64\Bcaomf32.exe

MD5 6e7f53a9385954374900d09f2ee45933
SHA1 c63bfb8889f92902fd72fe723bf3d5cb6d72bcdc
SHA256 4178f696200681128adc7ce0a2aeec253ca6f937e34ce0688869d4f5f3b1e1ff
SHA512 61bb03fa4e41eb8ce3519387b7a038d18eb3b2f4a6a938ab485c407f91708e45aa24e36bc71d0a17c091ff450a59015ae8bda740548f5be29e57c1e9727413ed

C:\Windows\SysWOW64\Ckignd32.exe

MD5 4159c0c61eb10434439a193e66f05286
SHA1 3ee5f41976b3986123002bfbf8dfed591afb5311
SHA256 b3b0139bcf9b6d4c012ab32ebfcd52c12250728d4910e0a2e85d0bc6b1077081
SHA512 7a9c1f90d82b7dd3db224a95923d40de81c7b3e6185f24954c95d900367ed963f0ea835fe657e0b92c3e410670420a8e09f7e5f6c43019601f35ff9376898649

C:\Windows\SysWOW64\Cngcjo32.exe

MD5 9252b8191ede439fa46d24a2087cf299
SHA1 73a3a1157f918c6b2b6d94ffffda2a80f68b7abb
SHA256 65ac47071dee54fbc2b74ce6c3bb2e13a364a295ee92abcf186b9846150c941f
SHA512 d349b4ce02977e2e0921de45cca383607c0f7597b3f46becf647dac3eb176b3f0fbb44e979643b59e351adfc8965e248ebd8132522c39ffed0a5be9da48a6223

C:\Windows\SysWOW64\Cdakgibq.exe

MD5 c14bdb40e9db960609d63ec23b6bca99
SHA1 ad9bfc7490f7db4d8871f27792d402181c67fe2d
SHA256 dcd6d001e148f7d02ada212de7fddf684762f0e22ecbc862a98689b5f9cce124
SHA512 4f49341d4eb6ca97d8bf4cd8ade8ebe4f3c6aa3ff8611673d7c03941bbe33ef308e8a31f1927a9e65c5ee8fcad3891eedb86e7b53d9d3b699a90761b7760f951

C:\Windows\SysWOW64\Ccdlbf32.exe

MD5 cd3c40d49035dd651941176bb7da261c
SHA1 f34436dcdd9cea19245e288f873e997ed4487d1f
SHA256 ae25e87eab8f36135a35a22945cb4f22aa381c8c2ba6bb837c927716fed6fdc3
SHA512 66904b1014a912e78a1c16b3637f8e5b92edf35d88f3ac4b54f6448a2f8a34c8c98095fa922c252520b977a5fd941ff6305c9ae065b20efd51ad1f960efafc17

C:\Windows\SysWOW64\Cjndop32.exe

MD5 b6a0a6bf6bb4f4ac4518b2cb496cf171
SHA1 bde1e9b04b5c3d666914f92a3db3e64c30eb17d0
SHA256 2e28d07f7f824c51d70759e33e6e67766cb3388fb3954da447ceac43809ac617
SHA512 f717c8f102918416cbb9cdd071d5c837d8d273a00532c7f6a7dd2272bea4921e4c2b975cedfb797b27592ec6927a7d8f23de942254d77d2a1a9354ad931d0433

C:\Windows\SysWOW64\Ccfhhffh.exe

MD5 507755101e3835a81f005d78eed99cda
SHA1 cbfc2f64fb959107e051648530e9f222e03cad2d
SHA256 e7376e4ac7533f367dad02e1842fe3d413fef1496ea3d8f6683a70f4be0b9997
SHA512 875e953cd2552f26e711c70dc60a96a806656461e8da5e764723d6bf0861d329cc4f5c0ead41886f481122ab13d966541a1a51e9e28b9eab0c958832adbaf86d

C:\Windows\SysWOW64\Cjpqdp32.exe

MD5 e019ef7f1c69a1ad51d721c11b78fed0
SHA1 ea1d7937194b6db9b79f97d5f01f9706b5ad879f
SHA256 af0b42e761b90551e34c7799df0cfff14d6ac1b0a059625bde6fe041252ea632
SHA512 1b7bf312778084caae096e9351dee98658bbf0020c306358567860a126a0627470b300570ff1e892fe079990d11de975d2eee415676995c2011960ea0b7b9f5a

C:\Windows\SysWOW64\Chcqpmep.exe

MD5 06c9e50e20cc774e65b488ca5c8a7cdd
SHA1 b15e2af93a4b19799fd474e81b9e405bbf4de991
SHA256 1a590e17c1119b10151bdcb608392bcd4dcc77bd2c1368428aebbd573553f7e5
SHA512 bf638256f135bce3e3ecc54d1cb90666f9c9628a394a1eb93c76a0cc185c25e29b32bd089290ec4983968a422b5796b5f3f666e3b7dfdfaa76d370c07a1ba7f1

C:\Windows\SysWOW64\Cpjiajeb.exe

MD5 329c52a13182d64fd085641fa42b9ec4
SHA1 ee8dea03b055f47aa57c38cfd164fce819082608
SHA256 39458d832dbaece11547b53e48ac87e219af909172fbf3619b109fe576391d1a
SHA512 67112db7c9d39dc999237580560d58ea2968ffe6e6a09a6eb855629292339e1ca79fffd31857118c72b162c96af678e26c26a41a0da448e7e76fa64720e035e9

C:\Windows\SysWOW64\Cciemedf.exe

MD5 6f29030d383e53d226f656370a7e2e48
SHA1 c290a8fc1a5956302fa11fbe55693e696eb541b4
SHA256 644ffe0240d57aa6c5e2161a75081c258e9532cddd6a49143f0242eeb5e9fd18
SHA512 5fdf7aa56f746ed9ce886bd5973de7fd2e87640ade49187d737bf82106139cc5dc324a37fbd2b3bb8af4c22f3e00307a83b3f06f0accdf643b0250431f81f96f

C:\Windows\SysWOW64\Cjbmjplb.exe

MD5 8b553669e06931982259154743349ef3
SHA1 c2ec1db8cefd8e4adbcc24d29c7511800942715a
SHA256 04ce50984038551fa0a0d06f52b034f4239d02947374e39015d703d0ed003a13
SHA512 7875fa93943be3355f7a04056c6b243eb0d7c281ed61c66d3a3ce55008437e306ae88b9007f300855c978c2e814f6407a9a69cc9905ccd322a5c3481f1a115c3

C:\Windows\SysWOW64\Claifkkf.exe

MD5 e01ab72a59e32d41271b3d31a9c5916f
SHA1 cf515f50bce8cb232c4470526d6435c0b7ff9101
SHA256 0db45f36e64601f1f453da939fbdfdbec35bd023d8b9a696ce3f938e3e3a7b44
SHA512 0dbf9b816b10da7043042d0f1295f7b143ff569f0d0aaf6410569422b8e105b284f38e922fa46766202cd21516e791cfecb296e601b8cc1e30a6854a972303b7

C:\Windows\SysWOW64\Cfinoq32.exe

MD5 c1359382e2ef79e7597b95bacdcf603d
SHA1 db4634beef95daf4bcddfac375c0c8c05191db71
SHA256 01be0f98eb67235fa11698457d8e0f9c6a4acd8b85a074a3b2cd06ad6dec3d6a
SHA512 7ece5d5af6762adf158e91947ee9f8a10bb4decbd3f814c35fa82ec9dd4ffe785e5ab933e465617e2f9aa990787142fea38b5314ba00d73604abbe4a98dd76a1

C:\Windows\SysWOW64\Clcflkic.exe

MD5 0a2b700635a2977bcd927ddc93572e85
SHA1 cb419bfcb34023679dcb2582a89e64588c92a64e
SHA256 f62adc57d2c05992a31b756712663b5c0649c72ca7d9fefbef2719c878148ae3
SHA512 8c7e381e713715b9f93d9aac95e6c76950325a6ef23a4b17695c76e386109e3b1754226c25a03dd7bb3b4aaf434bba9532c55aaaf2ee5243b55453b67bcce4fd

C:\Windows\SysWOW64\Dbpodagk.exe

MD5 629e1bfcbac1a72d1316fbad9b9aac9c
SHA1 46ab1a1feaa8b2e9340358a81683155de8799bf0
SHA256 cf5bb3ef71e64547c3566ad565cd6dda690bf848291874beedc5ca0e00e9db2e
SHA512 40a46dea2756e28b85e347f791987d83bd64a2801b6f7fb76bc36825b47e349db3876340ed966092a09e47a4450505b1e5a115efcdd2cbbd2882b744e61ce1ea

C:\Windows\SysWOW64\Dflkdp32.exe

MD5 b632643b48e60a4d8b3ee77b7a88b908
SHA1 3baee1a0be67ba5282aeae293920612eaea05be6
SHA256 85153525390e136dcceb6153a56acb9ab05068ec4cdb4bc55e87d7a9754cf1ad
SHA512 d5edbc8367276c1f8a02753fe02c19665845c8a761f942e31d823f18ad63b8015be9504aa11bb67d7f7aa2d3445152c457e5331b47fcd25fe93f407ae2eca19c

C:\Windows\SysWOW64\Dgmglh32.exe

MD5 27b0dd7b16d3e9f7ebc17ea0dc93f234
SHA1 6cbd7889a56f8f566c844db3fb0add02a521fd17
SHA256 87f3c9271f0cdfe85585faed7de8d3779020e7519750cbf81b4645261f828a1b
SHA512 c7bd7bad6c6dfcb061322c21e700a0cda53497be4b542bf8591fb810e1267ea903fd9e71137f59b746f4264c344449208170d8d3fa33e84561a7fd6856957f91

C:\Windows\SysWOW64\Dodonf32.exe

MD5 bcbb17932e3e8200e5e1c3e3c4027a04
SHA1 c833500e279f8d342de3ec51d9ad697d24c15652
SHA256 d73f69ad59dbcd4cda6154514dc35b2d6c8c3865882b9d278d3f01b60b0c7d47
SHA512 c1d9122c34b5e5dc9dec96604c6294d6daf00398969015b4d973ad8d3aadb61c210e944fd68754493b8cca8c1dbb8ae5c08520066ec9193faac3242d45f766df

C:\Windows\SysWOW64\Ddagfm32.exe

MD5 961d0f1633110175c386f5b680d485d3
SHA1 e5259e55b258a4238def8b661f517dcba3768f90
SHA256 89145833b98bf956d0f10ce633cfeaa1b6e8ce51d05870b692e584aad989f06f
SHA512 30980d7999573aa06ab249ec67a988aec059416be775bdf29efa1329c0db1314714e1423b056060bb6a234ed781236edd2207109513c32b690ba8ae22b715949

C:\Windows\SysWOW64\Dgodbh32.exe

MD5 b207926670e3c9322fd61c2bd9cb3e44
SHA1 8c98de603220544469d4c0ce6100fec8672a6e2c
SHA256 cd9d8ae1653ce15b4d84f9c3e8d8df271ffc40cc0459c5d1038e51f0866b2405
SHA512 286ddb2735f7c5c5dabe3b1b2b5d001adad3760066b4b49da4740fbff5c4e9b7a1696f184968f69f49e7e3617854b59a7cb08fea892e76ced7990fcb0389bbb7

C:\Windows\SysWOW64\Djnpnc32.exe

MD5 374bdd1d53d36b5326d9a22d47d464ca
SHA1 d2f39165d24e5c4f2634119d58bdb150a06cee44
SHA256 1aa7bec2b829e1f7a847ce6cdab546b621d9f2795239a1d7b4fba198883bd6ff
SHA512 7cc1b91a9b5df50e493efeceaa9f658aae2edb488ddf81426404fa86af66865d4904c0d9b2998263dd00280ab86a24a6d122475ab4ad81a9799684716b08fa1e

C:\Windows\SysWOW64\Dqhhknjp.exe

MD5 84c774f6732bd5de1cd83af9bcd8114a
SHA1 1a57a13fc4c21a09b36ad44bcbbc78bf2460263b
SHA256 76c9d11e6cd0d5deab8eaf17146a7af6826acc6af1ac9200bf6b597eaee5a397
SHA512 0cf84eca4a1db11ddef3a59937413451f98e21f064f633925d018e0866bfcf2b4f0c6dbe73f6e825b4d7580141099a97de5ad880f803baba460241cfbb79ee37

C:\Windows\SysWOW64\Dcfdgiid.exe

MD5 32b547252f8d437283ea58f214d3f1f4
SHA1 33d0796b111c458f9a9bd2410d635bebc41f347b
SHA256 1e6dae950e2923bf6a62ada4b7e6d2f764f5831c5d55f829318a16ef0aaf984b
SHA512 74352ebeca45bf9313fe088672bfa35ec83056fe6b56bbd0c32aa5a4a4530a8c54adb1f9ce2e22ebeb8491103f6f39d682112d188d3c37cce2746adfa9cce18b

C:\Windows\SysWOW64\Dkmmhf32.exe

MD5 35357527face504eb00600b67bd92081
SHA1 6e6a18feb7ed319fb388e0553aa511ead4c96190
SHA256 d3fa1fbb89314e7e9c96ccc3aac5c3c00f42c030b279f8da5952d4e6b7246012
SHA512 06b163f5c3f9e60279bd21b8953d1d88f683773fbaa4bddb99a63f6401df97d2590368d5963739f40d5966473e3946f1836d74068416e5caf8baca107e37b4ae

C:\Windows\SysWOW64\Dnlidb32.exe

MD5 2ca0160ab3cad28a3865e37730dba0a3
SHA1 218b58a577a649ed9305af990e90f5e619e66f5e
SHA256 40ba3683b9089895c4cd54d997ba9e540a5eeb99c20c3cf9ace68d1f8586a3ab
SHA512 375fc932c1538b757843e2002ce48f6ca95de777b985a69b479657e00fc28434f4fa24f0db9edd1ec270367b35f705071afe40f74bc6245bb5f01245573496d1

C:\Windows\SysWOW64\Dchali32.exe

MD5 0ad6ab8ee00e677dd6775a3200aa1909
SHA1 2a6946ae3747cd9d55fe25752aa6646e4f5abac3
SHA256 ad447795c9a0a7f0001dbfa65734f602eb92b625f95b7a1b16db013fd05e2bfd
SHA512 18d3c0e33c422ad3b5632b7410cdf15bd0d6ca9bf965982c4d084e028bb51a143e26625dbf761a2196e248ccf3aae345cb5a3a81ca70c22365bf04589ff3eb8e

C:\Windows\SysWOW64\Dfgmhd32.exe

MD5 936aada2f260c8c71c58ffdeac24468c
SHA1 c28536328b955540fa48d53c4c343c7a1d8c0128
SHA256 2cb34786053e5906b4d1fb41ed456fd8c1d3c26b56fe61a60c302e92fd55b384
SHA512 e66248d97780d922bdabfe6cc05672ef48909e49548bfac67af32abebdc6eb5f75c1a4ae3269d89ebe0f18266196cf9a8dc67fecf6ff379002322b07d4e81815

C:\Windows\SysWOW64\Dnneja32.exe

MD5 e4b55e0cc48760abef23f49d96f11c47
SHA1 aa33e5eaf7ac359f442dec45407335985c0fd8e4
SHA256 84e832962a092483fa04d7a1d825028efb4410bf40858a56407372d898c5a901
SHA512 79cc3f561a3a3386a061d7e7f3e14878b15c306db7c0e599150cb3b593d0b5c92191fe42347c6190193e344d9a2d7ecb9e1dba2ff3efe3657ef8d0aa7d7c1e1d

C:\Windows\SysWOW64\Dqlafm32.exe

MD5 8003133426414aa227af304dba5fcce1
SHA1 6613ea7c5b8c5ab177c920b7a1875e1a9b2dad38
SHA256 0cf57f08cee302a5f45aceee757b63d6e281f9e755e22df11b1083d3251de5ae
SHA512 0e83c13d09cd9669dd39326d90449720d95206a57047f149580d1588c400c542bf16caa84cb9b5c2f51c90eaec86aee908f896d59a53f18d902305ba2868de95

C:\Windows\SysWOW64\Doobajme.exe

MD5 470346b9b4dde81cdace2ffffc2a2f3d
SHA1 c5dd16c7bedc9a711785a8a292ff879af612885b
SHA256 a0bab57e740f3685fe3d3dcbcbb58f1d518ad113c538205933c527724b129493
SHA512 8d92c835ac7097b39c04f7da488307455a893ba459fea601febb055c1efb78a74a0c42925e04b959e6221befde3a5e44d06a4ccf5d65f4ef7e922c45a54c7e8e

C:\Windows\SysWOW64\Dfijnd32.exe

MD5 b7ed343ac1c416a33cb53ba3865423ed
SHA1 f6c002767e7b70a3d785ad680797068252636b2e
SHA256 1b5e75c218f028e913bd0d48d56181ae9c1ef34f171ed4614541764e0177d1d2
SHA512 7c71b79473fd80a427610878ba030e4d2f5c54730c5e0bf124da1069200638d8c23deb279567f248454d24e8b0ec6d91f6333e6bce6452ee3b8369561dc4463b

C:\Windows\SysWOW64\Emcbkn32.exe

MD5 c6a7602cb1bf14ba3a7e18285033802e
SHA1 53b5db2f2b749ae74dded6698a01d1092c612f8d
SHA256 d9589f2af47bd79bf8161c384345383d9de272cb6e4c8671b8fd360482445c51
SHA512 d212c582e20d1d5798a353c8acd44f5efddd8fb157eaa4ecfbfd5e1959a072cb2164c67f657baa6215ee4291a20b100ee0ac22adc8a2ed33e984353ae6aa24bb

C:\Windows\SysWOW64\Ecmkghcl.exe

MD5 f905731d2336ec44d1dfd4407be7bfb1
SHA1 8ce870b26b553d358ad5c5ddc19227a46b2a8f53
SHA256 d26c23e1cc0f170f43b4731d48b2fe38194a04866c858359ebac0c22e75ab3c5
SHA512 2f57f888d0c0177c0f79b3c47c3718595227b226a45a71a36f803efb78bd16e81fb49f181796261d43a1a52e84c075b445ba60e3b90d9d636ee89c7a28f5267c

C:\Windows\SysWOW64\Ebpkce32.exe

MD5 34636393efdfcf8e2dec3232dd0109b5
SHA1 214b63d6ee23762512838fff6bb1c72bcac5bc34
SHA256 dd5632d08023b85c8433a26a5addfa5e490a458f4a1198b7a4ec2752e3a05b69
SHA512 5ce6b287bb1bc2aed528f9d0607103039393daad0a6ae6422c23e615b4b4510c5022bf6366ff817fc28df2714c0c2716bd3a7ea827e03a08cddad5dd3c174530

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 48c6a264c378ed9b99e9776db5b27c0a
SHA1 5ba2af03859e2de87486a56152f992fc79b71c36
SHA256 85a7f32d91de6bab68e2c355b9bba2c4c243524ff81d9b8abbcbddb6842a231b
SHA512 13c6128b874dc35cd8fb6fe1c54eaae8585e7d5f0fb0aa7d61902f046de228fce007e19c5a3a3ff3f2b6495e2351fdc1c681e77a58a95fb64f42bac181d2e648

C:\Windows\SysWOW64\Emeopn32.exe

MD5 7a3ecd7329432775a715c5ecd257fda4
SHA1 497e422bfc831c09728e5f1f98fe1e43bc57305e
SHA256 3c42f2d0116e5dc4ec0fc4131639bbc1419166f2c48a3afc01fcad7ccc12cff9
SHA512 9ac40bb4c90b11357e05f80d7660e55ef08ac3b3e1c1cce60c8ba7e0b41c87367518c1da1c223afc63826e0f9b2a8695c6397356d59a77d945ea9ac0c6a0d1ec

C:\Windows\SysWOW64\Ebbgid32.exe

MD5 c5beae025db87586f2743cf72b460fdf
SHA1 ec7395dbd67d6b2f6bef438f952eb431db8d5d57
SHA256 690a4f964fcc12bb322207aaaf68da2b9d979a2776b39c362e980e2004547e99
SHA512 7ccc722b35e524bb96575d5a47cb08da775039db011c6f5ce6690e706cb500b60a920c3a36767ecbde6dcebcbdcd2bde9e4231f7fe2bedf99f072f3fc3fc3a33

C:\Windows\SysWOW64\Efncicpm.exe

MD5 ef8fadd9b58ad52b291a672300ce09f7
SHA1 56b0244050a0a29340c260f587349b639b23b915
SHA256 5afd1b40e5c3d31ac15b2cfa9e0c7dba7dee4a20fd171bfb0e86e5c5375eef27
SHA512 af65bb89ce5d1c3572a034920409bbd9f170489e24baa8e560244d7c3bed54a91ce7c530231a469c41096af9cc0364b1ecef9879a472f7f43bcdd550bf3a2975

C:\Windows\SysWOW64\Emhlfmgj.exe

MD5 3d29c85910b4a4ab98e4ca15d22c4ef7
SHA1 aca38969d61bc231e10df0091407fe614a76eca7
SHA256 93ec4e82017b5b6c46f70e80afcb4d176f6092615d2cea8b7b216b1bee23fcf3
SHA512 82356ea8fe5eeef06a800ce7b0fba0c81e0f2e233459935999ea2e307fad952f6c57fa135498230900d62c33cf8f906293798638299d1dd0943fb55fb9429822

C:\Windows\SysWOW64\Ekklaj32.exe

MD5 111601bf0f8f869c727d296d120138b5
SHA1 e0f511baf84f855f15a84ef4df975a0e41de53c3
SHA256 547ba395687b12b2023813fe31725b17ed7adf228aa399912ddf3e4d171bf38a
SHA512 c1ce43eab7cb7132eb10fc5188b01f6ba3755453628e2c912c4ca826c70ff6822bcdb103ab50625f6eaeb60f14bcea6bc2ae138b63b60b1a2ecdf51e92485870

C:\Windows\SysWOW64\Enihne32.exe

MD5 d6c06a95435ddfe762130f55ecb27198
SHA1 f12eb25c73c2d0104fd1ede1cf93c3a92258d187
SHA256 0d604daca1d0d820181f1f9743478a7305eb53a26a397ec49edd11757fba569d
SHA512 be4f86628a65b84a9807b28967517d4420300c965dfcafbe24377b71cacf8fe57129d6f94f624f3106d97dec685128860aa61892a7f5d4e751aee526fb6d8f1e

C:\Windows\SysWOW64\Eecqjpee.exe

MD5 2d7a8d5c5d83593b95211a2394367a41
SHA1 34a844d9635c8405fa340ba565eec0e215463b51
SHA256 d8ebc7f26635b2bb0be1f87845a3e1e0c4a431ecf4b02afd1375ca27e4d3f955
SHA512 42f399cfcd7973d9b87153b9dd1032821359b43615dca34088fab13291ef3317cc2a455b4a48157cdca90f851a80b1047766873bf71062c1d141f6b111a4aa67

C:\Windows\SysWOW64\Eiomkn32.exe

MD5 4922f1cc421d24550154f710612872f8
SHA1 20b4498b279ddf4861293e3fa2366737f4d499be
SHA256 f2488dbd0bab5a3e1220cdcb7916abd84123990ad4e22048d32ffc122df8cf05
SHA512 b930316405042878b97e3ea5d1b12325fe84ee0669e74f9db4a1472fb407e33703b4f299fe98a27b6620a2dad047f1a57a9e0ddf669de9320dde0d9f2d1f2919

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 d1a01b03ce74fb5443dbc27214f4c9f8
SHA1 9ac1ca4ddd761c6ba92b3e83540bf73e05ce200e
SHA256 2f3a167101515ddcca3be2b761bbbefe29534973489c577f643b935169f15e16
SHA512 56d04b111473d85e1e80d628b11f25c92237e68ad8a45b485339c4c8ab40054f7a621a3242f24e49b68abcac6407aa95325e1275d446020c9fb4539c48ae027d

C:\Windows\SysWOW64\Enkece32.exe

MD5 c35713d1bdeeb796593df6897ded472d
SHA1 e374b1c11b3058a6f2c3426af4666426e0df36a3
SHA256 1461d61bc2d2e5eadf4d3c93ddd15992ddd4e2dbc1e63421bf349018a8ccd14b
SHA512 33d0f23528f69813cda606e6d3d88e2db5ddaeef83bdaca894bbf2d0ec3d0e4a95123ba955aceec5e413eb35e877c2166aa6cfb3dc14c621773bf12a48fa9309

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 3122de22f9be20c72517425819e2eec4
SHA1 80be272518b2f234b3613095160de81daf9b3d77
SHA256 a3972ffa4de5dd4dc74937ff2c3ca14a35d7ebdae39d7af59e571e82d3ea25f7
SHA512 119aa5b848fc0e652af950a4a0161ac4514bd9c1b5f5c40a562a17ae8cf1ccee633579c2402f150559cfa2f4d18ae7bb1b11e86ef7b9f31a2b2bbbf93f3eebee

C:\Windows\SysWOW64\Eiaiqn32.exe

MD5 f729f553f49f901b3b7d486013d3e3c3
SHA1 bd8211f9702f6f72bc4c73948515fecad383b2cc
SHA256 f1e9a3501fb67b072ae1c598e492eaa59ebec6963d2e5a629422877d08e51d17
SHA512 6e6eb95a9a3ef3e43fe1ba910ed7e0930c5eddc6567394dd0887aa60e11909d998312421444cbd99bdcb8e48898ea1a88ad32e79465f3f4ae62369aac69a48de

C:\Windows\SysWOW64\Egdilkbf.exe

MD5 c4c9b07b34f9335adb271a34f5e46226
SHA1 7f3aa03930434bd5605461aa4240e52e56e47da7
SHA256 97a93bc22a34653e2d051c03c35fc5bdb33e19eedb800ca05f0c9a8e556886bc
SHA512 d6bf624371a40bfaabf46df293623192723a5691d25851d042a90c52d5845c46d5436288863a65da29f1d1ebb3579f287c7292b0865782cb30efecf1626f03c3

C:\Windows\SysWOW64\Ennaieib.exe

MD5 c9e64c50fe6f7f75e08f1aa23444ee94
SHA1 5cb1b45f6235e619c9b510a75c6dea472b69a6aa
SHA256 6784f224d26a65760ffc1a2cbaa946f8d19d65e6bf221a106e3604453952e9ee
SHA512 d127c07ee2cf44e2e0d2d8969effc6ccf11042dfe2ffea9a37736f317802453aa837ce50894df4aa54406ab6a86c6f61da3144d8abaefdd4955947bef558e9a1

C:\Windows\SysWOW64\Ebinic32.exe

MD5 f3019dfc59374c1c7d1549ba8b5dcd93
SHA1 51b174513e27e3816cd77a05a4e0b9f82399352b
SHA256 e24013f7ef3828098da8b691e391483150667861da78289f117517177b3dc0d0
SHA512 233a539ddda9788c7093c62def538303561283ae9bec157ae517e0efeda8bf364e9b31936a7adb67eec749bf789e88e50f7793d7090dca1fe25d61fe3c75a918

C:\Windows\SysWOW64\Fckjalhj.exe

MD5 61075a60813f7ebec282162777df84c5
SHA1 e52871a911abe0a7d2556fd6d9d2d9e4ea4d2b50
SHA256 112a774cddb0f847fa01935abfad884d58b8d3387ae907b6ecb8b559e4ced0ca
SHA512 f92aedb9fcb58b892936a8ba1fb2ade0bbdccfafbd568b760e9d21583490f1838f096748bb4fa7c4bc8d626d6c1731e038240298174b1fd7ae6ebdf405ae05db

C:\Windows\SysWOW64\Fhffaj32.exe

MD5 2c00af2e646221e097b9494093bae1a2
SHA1 85e764dec17a3c6b213cd2129c08123ad3fc6a58
SHA256 a7725adf9752e355aa874a8b3d08e531de71c39b0262835465294aa68a27303c
SHA512 69cf1f243523fb3e94db128e529d4084d31efa175164ec4e85551b39bfd863f3c84241ed00ef9d6ab6e092354186ebbb6c1f2d9c23dba895c33cdd5268e6ea7d

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 d9dd593b9dfa99303271bc73a879fc8f
SHA1 8fdc63b153186d62d33841fd963e8c87d84344b3
SHA256 f3a298c6874ecde06c1f2ee583094b751ad38a10863922e58ac99c36978abfd1
SHA512 603a178346c884e8bfa5ff032b1c3e7924411f383ea291d70dad96f32c43e7689696fc67dbac94ecc95b7509b3d55308a6f06c8e862a77db666ff5ea25d404ec

C:\Windows\SysWOW64\Fmcoja32.exe

MD5 3ed0d3ba92eb675d407d4a5ffb22fb79
SHA1 30c28b586eb4a610dbf02369b5374d5cef539946
SHA256 03c82fad91d715b3e45b89b0813a12aa57055fa960fbe602e6c67539ff21b945
SHA512 9221a97a2e333526d84c3e074ca30713b8da441d496742a338d7790f54f0bae847285e18683431735e0468fe1d20591652ee789404ebf670e8da0635cbcc9a80

C:\Windows\SysWOW64\Fhhcgj32.exe

MD5 19e013274c28229eb54661572e995fdd
SHA1 80a3bae9d4a5f9dd4e1f7793f92eafbd37a62131
SHA256 972762ca33d8a9598d51683db6e639cf936f6bb6fc9ddc48eafe8bb45fb03f74
SHA512 176a9520b9acb0403f22c74dadd534fe5a79ddd892bd5da662d382673787038b9f945c54a91b1ecc3fad46009264dc4b0ef89625c9acfcfdfe4af0c5d6491b2f

C:\Windows\SysWOW64\Ffkcbgek.exe

MD5 6159376e02dd559aa5fcdb9088c465a4
SHA1 6cd44f2013208e0bbd92f95685a438cecc40d569
SHA256 903e8d1a57f86c0ac0c12b94b7503d4ee6147c99dbf0e470886e57f51189826b
SHA512 42153c656a83d4985b69ba826a4824884894cf219f3d0df0a53dde9d2a570e31ff6a243c236ec2a20d706a3aa949cb6e0b5c295778c3c8dc105db35f8ea42d53

C:\Windows\SysWOW64\Faagpp32.exe

MD5 a86935bb03efe078e6558a974bf4176e
SHA1 d63b90c4ef21f4de36889b60a6afb3246a816630
SHA256 6fd4bf4c6d9bb7da05ce479025b383ba496d7d3a811dbb4eeed0cae0be2a296f
SHA512 35bbaa50f4d8759fcae16a9ebd6251cc4b41247f617eb4533818a947bd56892ff3071e47f0f77ff5db298c7285b3b04e68a9f43c3b638f83515f0f3c88034d1a

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 feb0090eae646551501f12dc4bd8ca52
SHA1 2069a57937e295c11f40339ba80ea723959cbb6b
SHA256 5e213c63a6c258337b5832496ea3a26fe987c907218ebf33335e819d6e0f89d7
SHA512 3f34dd9de62dc65a7c779be51c81bf6952480533e3d066a3eceafa2acbb92daabf5f2aed78923dba40e454b5dc98ec3a6052680cd6b15126f15617eef1f5a343

C:\Windows\SysWOW64\Fjilieka.exe

MD5 6d1c11f23d4cccc8b9fc9d02c2483894
SHA1 8b650f5517d035b6944ad20faa21230e55e2454f
SHA256 d8395357947c3a23016c2383219bdf03450809ee9b86d2d134a826afccfe56e6
SHA512 1e7cba09ade6fb3de0a2580c123b306edab04605111b162ad21d2c12093c56b038fef00b952ead4e58f29f71e5dca0a27f54a3cd93a2f7e7d4c8b51b362a7e7f

C:\Windows\SysWOW64\Filldb32.exe

MD5 73532843c88a9cf7370e03955feac129
SHA1 d323df3593b667505f5e38a45cbd514e99cd39b9
SHA256 174124f04f8920265a11a32ed2c84a9ed3e6ae5063f29d4903824cd3b09eac0d
SHA512 6f5b142901ebf77d383fae9c99d8d2c06c1960d1f776ad52550a0483c0fce85900dfbbcb80681fc1c6a0f6ebae66538da2685021df733b86caa8454a7f448b6f

C:\Windows\SysWOW64\Fpfdalii.exe

MD5 c686f4fd9612067125a1c35317689552
SHA1 1a6b7b39c2515e649a33fc5fd4924902d43d9c3c
SHA256 5da9ebb810672616f145a8de1ac2f559df37505c622bab0483ba608280d029e2
SHA512 19585cd84c1ecb3692e29ef24ca7099cc84fe4358e44f631cd50abcdd05f742502c3fa374624a7332a8f8040d0b54b76e9dfc6e384416c045569dbc2cd91f93e

C:\Windows\SysWOW64\Fdapak32.exe

MD5 825c7f64a85e6d1bfaeaf4c3f736ca3a
SHA1 818115cc670fae685fbb56ddeaf503288b0fb9dc
SHA256 1f517422e3cfc41513c59d2f7e4d03f7f3e9b0693e00b721c3544d11c69e825f
SHA512 19737a68866368ac392eb5b8ac15f9a34db7ca80c646f2c74fccc4f133eb13a10585ab715febfa87c19c5b2a4c780f1bc6afb15d71bda8e684037e8703b0d67b

C:\Windows\SysWOW64\Fjlhneio.exe

MD5 d60d431042e679dae50b087725579f2d
SHA1 a2e606bd9d0d08034ddfec74ba3d4e40f0693392
SHA256 e509829eb63ab805557ec90c53ad6194d78c64fb55bb16d03dff9987640d81e6
SHA512 c713fd877a7a5725c7a9d8123db928fc0af9fb7de500810344c388040a46eb91c726aa3ee23fc57bf32975b79da3b9f179a0627a2dc60490e6b0f3f3b99df2dc

C:\Windows\SysWOW64\Fioija32.exe

MD5 e1cbcfbca2dc6c23c9625e3cd6354b38
SHA1 f8906f01c5b7057c2b3674f350f3b6731f96ebb8
SHA256 a2c3da4ee642d9b4038fe6fb73fd4e9eb558bcff251ae39b67785a5944b37568
SHA512 c6a9608dba4a3eb33018599ba38fb1583a6fa6bb68f2f4182e92205b31a662a4d8c6658cd27fbe7b99cc76babb09e0dd6184aa1388eee24978434c8550fe5d68

C:\Windows\SysWOW64\Fphafl32.exe

MD5 1a8205d4fab334e7d0a72696ebca8b55
SHA1 49ea4e110aec9e0bb93e36cc4cf59242e8f72b0b
SHA256 2337339ecbbd621991c41791a448132c871db358b2e14821f2dbeb7735998411
SHA512 40efc1851b1193161f2de70da84de1285b186254c4c3befa747fc54553fc07e7e977a776fad5a2681c5917d10b233768b06a42e9204973ca83676873c58c09a3

C:\Windows\SysWOW64\Ffbicfoc.exe

MD5 048f3286efd1c1e6a747067fd04e2b90
SHA1 8bd19a03612081328793153398232c732f0dd919
SHA256 62d87a2c14e4ea0db91cbff2130ad8f6807e8afbf51983a95f713dd5123e6521
SHA512 28d6078c77dfa45f22e46ecb969128cfc321b1d84d32cd935983538027b3bf7e1efe0de1e32fff977596ded85980bedee7000f5faa1ff6c0d48fef1a01a41c39

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 d551e3b0643076e2a78223269705d525
SHA1 b4e9c163067b86aa0ac25a44d20a1f522b2c7c10
SHA256 f6ece392f9366044e108e089d34e17c24ef79a75880cac4855b754aeea35c73b
SHA512 3a8cc026f12cf5d8d1fd8aabe304e21c3e7cb092d5d121b079361ffce43912b8868789a61c16409279574c48d922d36ba7cade31bbd8220b764920cc15e7feb0

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 7d21b1a90df6fbcafa8b7ba1c7a311d3
SHA1 d67a9a67dc890abfd43a5ede7d35c6d717bd4a39
SHA256 7cf80c905d24e3c573326eea675c7d5c80f2c2f5c28fd4be3dd1ab2feae6e2b9
SHA512 1d7dbb3d43788b61fefe44f9ff0276ff9187e2387da8bfa5d29e03fb7b7a0a0750ca7fce5f3fa099f5a5ce3318082d15e5c3bc1137a6fcc7d5d031f599dd08f0

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 e109de399f09639827839fcb90e8028e
SHA1 1995b58454c4ae2b7116c8e19cd9ae819a01ba9f
SHA256 0ecd90a788d548fef6a77acdab76081eb1e2e9b85fcacfdd491e7df8999c740f
SHA512 30681f73f3377aa30a80b34c48bcfb0a5e3c35ca0de66dedb0272247df50ae4cdb9ad6e4042d29e076537865c49ef3adae8150df0f4312dd6d0298c269506848

C:\Windows\SysWOW64\Gegfdb32.exe

MD5 f7a40efc3ca2b0a0a94b4db301b6d84e
SHA1 2499e30827b030b29cf2d0db93339299294e0343
SHA256 4fedbbc9e97fac16dffc06444ec168bbb478f43f036ce7b86a53834789727a4b
SHA512 7747061fb6519a9dd5b1390f029d36941e572642e04ad86dc7b85f02596aa2d79972bca4b37e577db3ce8a6645d72afa484402d98b4d079d579d14cfb803a8ba

C:\Windows\SysWOW64\Glaoalkh.exe

MD5 9ae4abd426ec7898e259c92cd731a14b
SHA1 ae2fc2a8883fb4736a235082a8273a49915f9ace
SHA256 0a7751a0fcf91bb818c400477a68eaec3452f8fef3d5f038ad7e7a0a2f9d5add
SHA512 f26f2b811837f02faedbc5a2c5fee43a1a8e71b9d724df79fdd61d2f19879da1ebcd53706653201f4f211bc9f5840d35fe8754edfd83889506d6fa6f5d64e171

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 3aa0453755699a25ed792f086cdf4bc0
SHA1 a73c8e561376564c2e42354249c7ae4ed1500d78
SHA256 fbca2c1f47a60bb8276da0794fb77421390730ed1b87ff967886e660c8c94749
SHA512 4d2116803c36fef3d3ff703ff0ef230c77c464df9428dfe0d69f4ed4a84b12473264d2b3102169b5f94b17f707b6fd2269f9f6be88ff4f75dc7c0ee3cb3c9011

C:\Windows\SysWOW64\Gangic32.exe

MD5 9f33b900ba812cc262e8f7c2594f5b98
SHA1 a268c89c67c67c3ca022fb7a3c6974a345aa68ed
SHA256 c3941692655318e9840d3eac153fceaf744f0f4b2235a37129462d2eb135517b
SHA512 4ee240d7f17d73bc00ddaa945965d6e4d3fa3c2f57b4d392c451461790cc711ff804bfaa182642e95974762396e9825e5484c620f630cadf3e4dba5d29a9dd43

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 6e6bf1dba0d71efaaf8caa09da3ceeb5
SHA1 0e511f3544bc20eb5d908eba83fb04c3043c6b5b
SHA256 17da1cabf7ac4c1b864e0000ef098c8fcd5e41b25d9765e18f2dedd6cf24bfcb
SHA512 bc1be6460ea03d9c89bfec5065f3c13a037e010a87c92d12711753ea770056cbe85696c8bb1a0b069ce75c318fd55af896fd28ee4ed8fadc3b91ed12975ccdc6

C:\Windows\SysWOW64\Gkgkbipp.exe

MD5 f430f57a7953da1cdcdb6d3c9908e711
SHA1 d9cc9e6482d4643b09605f12eb0e146dd5dfca0d
SHA256 315d9047fddb021fa21f5c1d68dbe6b19127582fa4a6e74e28a6a849207d71cc
SHA512 137f842c108c0d9a4953323cb1fe6521eb40a7f79c61866e4b21d017142c8105ba109a166408b79df53ff6c16bb3c561fbdc2ff8a12062b79c60663bb0d32220

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 19d0029a951fe5d586954b65a8992907
SHA1 77e83c070deb6718d1cfa2cfc113b1718316e9f3
SHA256 37ae5a39e890ef61930a1abc1e1f300d19f48f47f7929b0d0b09636792ab6232
SHA512 9353114b65cbbf561ae2a46ab60f2b874f95a055ab9e2b2bd5eb27d0431fa4999c910dab74d921812feac5c2f7f5a7da1afa6f8670f401ba22c3b6d8ddb59b0b

C:\Windows\SysWOW64\Gelppaof.exe

MD5 3bbab5596c380e6c82c4740b2b8877b9
SHA1 75d8a5087a62f3b1b3c7fd1ebed67c6907a9f274
SHA256 434267df9da8f8a4e3fadd23dd8e3dc210a156141391dfa148a4a793ba4907b1
SHA512 36a876c4b04e5c7c9274a4ff54d340ec6caa669f6214aed7a3b93173f1d16272430aa8552fc6e00b14b613dbe2f67cd8d5f273c50609630bffae79438e82c1df

C:\Windows\SysWOW64\Glfhll32.exe

MD5 eed6177db0add10019b678db970dc16a
SHA1 a238d23811bfb2cb248b02bdc8aa0dfa4b93f1cf
SHA256 ce18a67afc2cbf26bb9b24645915622a1507497198fc5c20930a09a398f60e32
SHA512 39fcb0e51472be16d4623ffabbf0775d05e95579928ac1cdb615e4c2c2f373b77e8f001cd574c0d9f05c17cf2c981d55a6efe644462cf5509936ab84c9c65204

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\SysWOW64\Hellne32.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\SysWOW64\Iagfoe32.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:47

Reported

2024-04-07 18:50

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nddkgonp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqmhbpba.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File opened for modification C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File created C:\Windows\SysWOW64\Lfcbokki.dll C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File opened for modification C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Njogjfoj.exe N/A
File created C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Cknpkhch.dll C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Ndbnboqb.exe N/A
File created C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Njogjfoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Nqmhbpba.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Nqmhbpba.exe N/A
File created C:\Windows\SysWOW64\Dihcoe32.dll C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
File created C:\Windows\SysWOW64\Mlhblb32.dll C:\Windows\SysWOW64\Ndbnboqb.exe N/A
File created C:\Windows\SysWOW64\Majknlkd.dll C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Nqmhbpba.exe N/A
File created C:\Windows\SysWOW64\Ndbnboqb.exe C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndbnboqb.exe C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
File created C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Ndbnboqb.exe N/A
File created C:\Windows\SysWOW64\Jlnpomfk.dll C:\Windows\SysWOW64\Njogjfoj.exe N/A
File created C:\Windows\SysWOW64\Bghhihab.dll C:\Windows\SysWOW64\Nnolfdcn.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll" C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 768 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe C:\Windows\SysWOW64\Ndbnboqb.exe
PID 768 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe C:\Windows\SysWOW64\Ndbnboqb.exe
PID 768 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe C:\Windows\SysWOW64\Ndbnboqb.exe
PID 2140 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Ngpjnkpf.exe
PID 2140 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Ngpjnkpf.exe
PID 2140 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Ngpjnkpf.exe
PID 1352 wrote to memory of 3464 N/A C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Njogjfoj.exe
PID 1352 wrote to memory of 3464 N/A C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Njogjfoj.exe
PID 1352 wrote to memory of 3464 N/A C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Njogjfoj.exe
PID 3464 wrote to memory of 652 N/A C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 3464 wrote to memory of 652 N/A C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 3464 wrote to memory of 652 N/A C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 652 wrote to memory of 4340 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Ngcgcjnc.exe
PID 652 wrote to memory of 4340 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Ngcgcjnc.exe
PID 652 wrote to memory of 4340 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Ngcgcjnc.exe
PID 4340 wrote to memory of 3312 N/A C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nnolfdcn.exe
PID 4340 wrote to memory of 3312 N/A C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nnolfdcn.exe
PID 4340 wrote to memory of 3312 N/A C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nnolfdcn.exe
PID 3312 wrote to memory of 1416 N/A C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nqmhbpba.exe
PID 3312 wrote to memory of 1416 N/A C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nqmhbpba.exe
PID 3312 wrote to memory of 1416 N/A C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nqmhbpba.exe
PID 1416 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nkcmohbg.exe
PID 1416 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nkcmohbg.exe
PID 1416 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe

"C:\Users\Admin\AppData\Local\Temp\137377a024ae6c91449f93591a6b9c0e9056b863488b66d88662e2370b32e4b2.exe"

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2344 -ip 2344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 416

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

memory/768-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ndbnboqb.exe

memory/2140-8-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ngpjnkpf.exe

memory/1352-22-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\SysWOW64\Majknlkd.dll

C:\Windows\SysWOW64\Ngcgcjnc.exe

memory/4340-40-0x0000000000400000-0x0000000000442000-memory.dmp

memory/652-32-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nddkgonp.exe

memory/3464-23-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nnolfdcn.exe

memory/3312-48-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nqmhbpba.exe

memory/1416-56-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nkcmohbg.exe
