Malware Analysis Report

2025-03-14 22:31

Sample ID: 240407-xq7baacb47
Target: 1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c
SHA256: 1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c

Threat Level: Known bad

The file 1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 19:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 19:04
Reported: 2024-04-07 19:07
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fhffaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Globlmmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghhofmql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beehencq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enkece32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fjlhneio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gangic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dngoibmo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cbkeib32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dngoibmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgbdhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fdapak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Beehencq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gonnhhln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Epdkli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjgoce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcknbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eijcpoac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdapak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbkeib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Djefobmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhjgal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dkkpbgli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Enkece32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Chemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ggpimica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dchali32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epdkli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Djbiicon.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ennaieib.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gangic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hhmepp32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcbqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkkpbgli.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjgoce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdapak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Feeiob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gonnhhln.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glaoalkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdopkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkihhhnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Geolea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggpimica.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gphmeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdfflm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hobcak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjhhocjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpapln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcplhi32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe N/A
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcbqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcbqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkkpbgli.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkkpbgli.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cgbdhd32.exe C:\Windows\SysWOW64\Cfbhnaho.exe N/A
File created C:\Windows\SysWOW64\Pafagk32.dll C:\Windows\SysWOW64\Djbiicon.exe N/A
File created C:\Windows\SysWOW64\Fjgoce32.exe C:\Windows\SysWOW64\Fhhcgj32.exe N/A
File created C:\Windows\SysWOW64\Dbnkge32.dll C:\Windows\SysWOW64\Gkihhhnm.exe N/A
File created C:\Windows\SysWOW64\Cbolpc32.dll C:\Windows\SysWOW64\Dhjgal32.exe N/A
File created C:\Windows\SysWOW64\Hfbenjka.dll C:\Windows\SysWOW64\Cdlnkmha.exe N/A
File opened for modification C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Fmjejphb.exe N/A
File created C:\Windows\SysWOW64\Nokeef32.dll C:\Windows\SysWOW64\Hiekid32.exe N/A
File created C:\Windows\SysWOW64\Beehencq.exe C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe N/A
File created C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dchali32.exe N/A
File created C:\Windows\SysWOW64\Flcnijgi.dll C:\Windows\SysWOW64\Dchali32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Epdkli32.exe N/A
File created C:\Windows\SysWOW64\Hpqpdnop.dll C:\Windows\SysWOW64\Feeiob32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hlakpp32.exe N/A
File created C:\Windows\SysWOW64\Egadpgfp.dll C:\Windows\SysWOW64\Fmcoja32.exe N/A
File created C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fjlhneio.exe N/A
File created C:\Windows\SysWOW64\Amammd32.dll C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hckcmjep.exe N/A
File created C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dhjgal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gangic32.exe C:\Windows\SysWOW64\Glaoalkh.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Njgcpp32.dll C:\Windows\SysWOW64\Geolea32.exe N/A
File created C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cngcjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dchali32.exe N/A
File created C:\Windows\SysWOW64\Glaoalkh.exe C:\Windows\SysWOW64\Gegfdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fjlhneio.exe N/A
File created C:\Windows\SysWOW64\Chhpdp32.dll C:\Windows\SysWOW64\Ghhofmql.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Cdlnkmha.exe N/A
File opened for modification C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Eijcpoac.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Fdoclk32.exe N/A
File created C:\Windows\SysWOW64\Ikkbnm32.dll C:\Windows\SysWOW64\Fdoclk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgbdhd32.exe C:\Windows\SysWOW64\Cfbhnaho.exe N/A
File created C:\Windows\SysWOW64\Cdlnkmha.exe C:\Windows\SysWOW64\Chemfl32.exe N/A
File created C:\Windows\SysWOW64\Nfmjcmjd.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Enkece32.exe N/A
File created C:\Windows\SysWOW64\Blnhfb32.dll C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Lponfjoo.dll C:\Windows\SysWOW64\Hpapln32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Hpapln32.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File created C:\Windows\SysWOW64\Jaqlckoi.dll C:\Windows\SysWOW64\Cfbhnaho.exe N/A
File created C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Epdkli32.exe N/A
File created C:\Windows\SysWOW64\Ocjcidbb.dll C:\Windows\SysWOW64\Gonnhhln.exe N/A
File created C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Ggpimica.exe N/A
File opened for modification C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Eeqdep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File created C:\Windows\SysWOW64\Gphmeo32.exe C:\Windows\SysWOW64\Gmjaic32.exe N/A
File created C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Fdoclk32.exe N/A
File created C:\Windows\SysWOW64\Glqllcbf.dll C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File created C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Fjgoce32.exe N/A
File created C:\Windows\SysWOW64\Ghhofmql.exe C:\Windows\SysWOW64\Gangic32.exe N/A
File created C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Ghhofmql.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Kifjcn32.dll C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File created C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Imhjppim.dll C:\Windows\SysWOW64\Cngcjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Enkece32.exe C:\Windows\SysWOW64\Eiomkn32.exe N/A
File created C:\Windows\SysWOW64\Jkamkfgh.dll C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File created C:\Windows\SysWOW64\Cabknqko.dll C:\Windows\SysWOW64\Hlakpp32.exe N/A
File created C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Beehencq.exe N/A
File created C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A
File created C:\Windows\SysWOW64\Fndldonj.dll C:\Windows\SysWOW64\Gobgcg32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hobcak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll" C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fjgoce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Glaoalkh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bdjefj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcknbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhhnli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" C:\Windows\SysWOW64\Fjgoce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eiomkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" C:\Windows\SysWOW64\Gdopkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Chemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emcbkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgbdhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" C:\Windows\SysWOW64\Enihne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhjgal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gonnhhln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghjoa32.dll" C:\Windows\SysWOW64\Dngoibmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjgoce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Emcbkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hobcak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epdkli32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fjlhneio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" C:\Windows\SysWOW64\Fdapak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" C:\Windows\SysWOW64\Chemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll" C:\Windows\SysWOW64\Fhffaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dngoibmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" C:\Windows\SysWOW64\Fmjejphb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe C:\Windows\SysWOW64\Beehencq.exe
PID 1992 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Beehencq.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2928 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bkdmcdoe.exe
PID 2692 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bhhnli32.exe
PID 2772 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Bhhnli32.exe C:\Windows\SysWOW64\Bpcbqk32.exe
PID 2228 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Bpcbqk32.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 2456 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 2600 wrote to memory of 1536 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cgbdhd32.exe
PID 1536 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Cgbdhd32.exe C:\Windows\SysWOW64\Cbkeib32.exe
PID 2724 wrote to memory of 1704 N/A C:\Windows\SysWOW64\Cbkeib32.exe C:\Windows\SysWOW64\Chemfl32.exe
PID 1704 wrote to memory of 888 N/A C:\Windows\SysWOW64\Chemfl32.exe C:\Windows\SysWOW64\Cdlnkmha.exe
PID 888 wrote to memory of 1396 N/A C:\Windows\SysWOW64\Cdlnkmha.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 1396 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dkkpbgli.exe
PID 2616 wrote to memory of 692 N/A C:\Windows\SysWOW64\Dkkpbgli.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 692 wrote to memory of 580 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dchali32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe

"C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe"

C:\Windows\SysWOW64\Beehencq.exe

C:\Windows\system32\Beehencq.exe

C:\Windows\SysWOW64\Bdjefj32.exe

C:\Windows\system32\Bdjefj32.exe

C:\Windows\SysWOW64\Bkdmcdoe.exe

C:\Windows\system32\Bkdmcdoe.exe

C:\Windows\SysWOW64\Bhhnli32.exe

C:\Windows\system32\Bhhnli32.exe

C:\Windows\SysWOW64\Bpcbqk32.exe

C:\Windows\system32\Bpcbqk32.exe

C:\Windows\SysWOW64\Cngcjo32.exe

C:\Windows\system32\Cngcjo32.exe

C:\Windows\SysWOW64\Cfbhnaho.exe

C:\Windows\system32\Cfbhnaho.exe

C:\Windows\SysWOW64\Cgbdhd32.exe

C:\Windows\system32\Cgbdhd32.exe

C:\Windows\SysWOW64\Cbkeib32.exe

C:\Windows\system32\Cbkeib32.exe

C:\Windows\SysWOW64\Chemfl32.exe

C:\Windows\system32\Chemfl32.exe

C:\Windows\SysWOW64\Cdlnkmha.exe

C:\Windows\system32\Cdlnkmha.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dkkpbgli.exe

C:\Windows\system32\Dkkpbgli.exe

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dchali32.exe

C:\Windows\system32\Dchali32.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Dcknbh32.exe

C:\Windows\system32\Dcknbh32.exe

C:\Windows\SysWOW64\Djefobmk.exe

C:\Windows\system32\Djefobmk.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Epdkli32.exe

C:\Windows\system32\Epdkli32.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fjgoce32.exe

C:\Windows\system32\Fjgoce32.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Feeiob32.exe

C:\Windows\system32\Feeiob32.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gegfdb32.exe

C:\Windows\system32\Gegfdb32.exe

C:\Windows\SysWOW64\Glaoalkh.exe

C:\Windows\system32\Glaoalkh.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gdopkn32.exe

C:\Windows\system32\Gdopkn32.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 140

Network

N/A

Files

SHA1 a56da5687abb81d32eadff2e3a142f961cd1112d
SHA256 a6ea507d15eb9a56fdf1d84c0b8ff3ea620f3097a4c1fb97bec2ab60391b1fad
SHA512 1b9eb6f82f5c3dee2bf72bc9baf47049508a178c02830074dc8ef0a24de9f38adad09e9056ef6f5650ea0f9e423125c1eab06233b93d7848437ee5007fcde0bc

C:\Windows\SysWOW64\Globlmmj.exe

MD5 bf1d5a53bb94e7f3a236191367d1c8f7
SHA1 ed62e0792f8a00467f130b089fe4d9a491bf3fb4
SHA256 b0504dad9d140c471f21723afac02e79e353496da4497074eca2b3f2201bec97
SHA512 6daf21408ef6356ab5a3e968f872b730ac6b5c0aaabe4c9cced07d69867ef5dcea3afaebdaa6fbdb4a3a7f0ed5a96154ff3003ed5deb4ed114bb3f5b06723bb1

C:\Windows\SysWOW64\Gonnhhln.exe

MD5 1552c4b29bd5f36731668fce43609ba1
SHA1 56c5a6839a84c4950cde385f0c5ea5b690024ba9
SHA256 513c0026028ecdd783bacf4d7446272d42a3d5fcfba28ef8f0045d6e2ab1692d
SHA512 e2494d7c76ff3fc0d9090a4d601ac7c560faaddd3ccd52d250e866f714c0b40a1f45b68d4c379ad11b2b5ac41947c007ff695eb27d4aefc8c35a93b6da420397

C:\Windows\SysWOW64\Gegfdb32.exe

MD5 a8598eeabad77284d00e85bb7b3372d0
SHA1 e1650a4a9fad1c3eead1cefd5e7fad4a82beb46a
SHA256 b6ccfd7f2d48bcaafb7df18569baca769e542d3801afb137fe53a5f605a28511
SHA512 5648d9119a9cf19fa7487e6730c25e8eeb75869d5319abe53c410f2efca34bb5a5c6e97c1c428c9adb4229660fd74eff9c6df59e8fa8c9bb97b4b50a92dba992

C:\Windows\SysWOW64\Glaoalkh.exe

MD5 c4a53854e1ec51e9e4bc594d837c8ef7
SHA1 599b265d6898c46a8467aa4781ba5aee5c498404
SHA256 2755a947b582a0eb77d22e952f4d56ca23737e3bd8e2944a3877bea45fbb6f61
SHA512 8402b0605fd6ec58ac831b0b00a1a3bf0e82fa25fa7c51a808c0e62193ce5967b572626fbc6d022ec4b5050a96f4d5ef246b48e7fe70ac266fece21ad0c302ef

C:\Windows\SysWOW64\Gangic32.exe

MD5 943e21da8847c75ee781981099f4675b
SHA1 88efb77572c05d5b803342271c3a52c2ff0a8e56
SHA256 70c93039af03d454efa3da859a9d86ee4b642316023bb88f447722e7d8a426d6
SHA512 5c78a96a229973043c92d600a74380d71fddb404c1ff65996f139f53f7f0d3510559bcde8e6b43a10abb20f2259167f9ad04a8b436d62243d5c9bb382af0b5f8

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 ebcf35eb72d51771dea45dc2dd08438f
SHA1 dd2dbf23548f7f59cfffebfd3c776ce7435c372b
SHA256 92c7d31c6f99b38044947d1b9e7d2c9afad98051b62c9b2ae7b480e0283fb4c5
SHA512 f87b292ae388e38c834f0b65b340aa64ba3cc8d0d00a92920ed1218df6f7472c5664f192184f1b91be31bb500af874bdcb1ac14765b7b8df87ccb8b2a9935458

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 66de84a1762a19b8f979b483d575309d
SHA1 1e5a882ed14a4a469da34eff27b525df2ef20921
SHA256 1cb5ff0952e6007b8601121d9508c327c6215eb4a559dbae741eecad52834a85
SHA512 f49fb029a8e7b477870fc871d21a03393e4dab3ac780c85554799dad6d6214fe7c4718ef2e55b9f14bf78cb2a99b28193f9da9ef5ca3d01e89bc031fc5a9e4cf

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 ecd51bc8c0474f1f4d940160906e68eb
SHA1 596a2bd722a2a9497700bbe63328ae75bed58b72
SHA256 72bbf3a8c1d3b1afe1db0dabb92e0c97e2095cd99bebc3289fb76189d192263e
SHA512 e3ae8a3720af821f702955b573d19a66283250793d22ebfc2fd4577d5e1ee50f220f3d825f882e9fe8389046dd11108bc4075c8f8c341df731848667b8619039

C:\Windows\SysWOW64\Gdopkn32.exe

MD5 e8800b76c53b865a40f597732f8393cd
SHA1 791ca6166add8d64e1b0b526a24dc316173f3dd7
SHA256 7a6804f4f9bb0c5baf88d28364255f5e4369a1c688bdf5200465d93265be4b82
SHA512 802280c78c08b59e01538281ed64f868b5a2d9866f30738519a8f98b0c7aabe03232f9c78375405d1ce1f7dc9fcc332b34fc07147b6078be9d95a9e9cd30727d

C:\Windows\SysWOW64\Gkihhhnm.exe

MD5 6bdc14132b9ba162c8072b4dbe084d2d
SHA1 93419e4d68aa90342761746c5919a3a560696f07
SHA256 14a2c1cbc3bbf47635f6f1c2ffafe5e3b145f537f9a896e78fa987b9fc4c66f7
SHA512 c2cec0f04dbe878336fbd77d2732b276d5518eeff17177956dac7e35d56c66c47191ac0e011a5a229cb368285e27a0a99a4e4eed73819e7a79592b92c8503a18

C:\Windows\SysWOW64\Geolea32.exe

MD5 ce34908d835596e12684b5182c837b62
SHA1 c10e43bb47e36be0219d17b464e9f859a3a5ad21
SHA256 b75a3c57076b6ad5098332bee9579ed979946b19523511670208c2c380a38793
SHA512 4ede24cbcb01a84cff4bfe71de4c045b4381e534ebdc1ebd697465f9593ba5b39f89c32e7f1e54f4e34621084223dc0f8bae8b106a7606f668d2bf52a9ad1f75

C:\Windows\SysWOW64\Ggpimica.exe

MD5 ffdbe46599a035b16e09021909cddf88
SHA1 13fe2fe6007948220c401987b5b1943e33b6486d
SHA256 91141354f5e5f203d6b55fa0a2365b946d955854fcb8e0e6ebb256dcecce0e61
SHA512 cb1640a0ccaca37a141d1cdf88240d88b79455d3419258cb051d53d0cd1df4b23010fa73f9d26624fac51f0ddf838ec1632c342ef462418bb985be3932b72415

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 06ebd246148436f93eddda5632f543a3
SHA1 d4d67facf055918af99c3497044cab98efc98054
SHA256 22df9c2784228f0188340b407ee6d8447dc967e933079311122c2bb456cf1de1
SHA512 e4ada120913f86af0e39115bf1eff459f33486807900ef7442f2d2526a480616c5932d0fcda74e4533f90193e4121500201151395b10fc680db41db5a2533b9f

C:\Windows\SysWOW64\Gphmeo32.exe

MD5 e8292064f5e554f1caed92ce505119e8
SHA1 005dc8712221290cfee0f0af6dea684dfa28e335
SHA256 0e559bd4b1b604439a6d593b410475452671de898e1b4e87cfc38327646f3c48
SHA512 b2d1c2e473c4c75fa865f96bcaa651ca4c9fcda6314afffa1fedc1f751fc0dec2a7edbd28892451ad50c8f5d1c1a9abfc8871c5602c66cc3a9e5a6bc89988cec

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 93586083ea84061edf989f967e8d38bb
SHA1 f4521d68f4a7b1b5c0cc16f2ed94f002cf17aef4
SHA256 48feb7d2d31345112f91df4bf9aead4b7de5d1e23e8c35f3fe59ba108c986372
SHA512 2d0576647eae908558d636ca7fa7aa4f414ec23e0108ffdf17987709fcf1199bf17605ed1ec428eb44f1b05dfd2c71221fb461a238add7bb4fd467d6d61fb0d0

C:\Windows\SysWOW64\Hdfflm32.exe

MD5 e1df48bec6b534d0c6fe8fd85b0fed3b
SHA1 b5fd13479e8d0e19142b0640b3ad4d1bb08ee09d
SHA256 4aaed5e736b5e72e98361f87f56b0a9fbff8dded7748916ef7af7179f801e5cd
SHA512 c98d2758a7038e5c45a2604a0a37652d3357d91cd7e1b62db35a4070dae9fb959cea58811d9ed5f8c983e5348ddd048487246934f88d91dfa7793e067f4e0556

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 af2134c865efe3d8ed06f3ba1b479266
SHA1 62e50075fe160cb4a7205782f2bef14e0e8c3dea
SHA256 4ec9686763508be4a07b69addbab58ccadd31eafdf1e3d316059c4b01bd1b864
SHA512 54efe4aef6056d5aea1a8d3d7c93b1f075933ce1900a14444a2d0d35bce5ca4228a0cce394b4f1eed92959eb6bbe5694c35513dbbad3608eea89be91922cd9f6

C:\Windows\SysWOW64\Hlakpp32.exe

MD5 f3f38b7750f0d8bbd70d930028b4b1e7
SHA1 a80d0bcb0cd4648f59c6625b915e3c4c53915a28
SHA256 a2a649703977ba528da642193a69dea71d2be2a4fd46e6f9ca3e6ecc2677a528
SHA512 99d112857536c344f62e490d7b9e1684eae9f5d8775be2e656941dd6ba552dc07c3bd969f533d1e9661897cc3a15779812eb276bac520bc4c964062281dab8e6

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 bbb4bd66233ba3507e5aa7cf9a8c26a0
SHA1 01f661424881acd1ab8a0ced986227431d30a8b4
SHA256 5715b4d27ad8cf74ec86be9770dc523e5ffa31ca7296a56b34d11aeb2dbefb32
SHA512 1dd743778bb135e70ec9523140c07e9df826c3500c2f548b9e49f1b1320cea4ce74a5a269bc77d9412d0dc8f3567ae4fc10cdb53a2c349fb40ea559b016e6f3b

C:\Windows\SysWOW64\Hiekid32.exe

MD5 ed99e94aa367fc6b3f73cff960f5f57d
SHA1 784892187182b0ca9102594d5b44348c1f0e9c59
SHA256 75f4a99a695f09af1d5477345d33b2cd275d78cf4e7b1d87b16ca0ecb822afa4
SHA512 2cf62db75c4fbfd9633c9e2f9a449f079d29cbbf39fc7701c533bdfb71aa82b8b5cafcd0c641c7d42f4403da12ec02e827d77d4ad594d07a05ba829b1cb30696

C:\Windows\SysWOW64\Hobcak32.exe

MD5 738d790519cd52dd5a8e1379334083a6
SHA1 787e4fdfd8a6fe90ebdcba0af224fd7547225695
SHA256 5b7a67ca3eca11b4eedd43e2f69976c40160de0033be4d68b4513958b1a61035
SHA512 3d82a0b62679f3a2b832028964410629ca7f41d45c526fe3231f407c7e81dc6e97137e6fbe335f54426a809d2a61c4a7cd246517b2ac728278336bd3c7ee2510

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 bb07702df93ce6c86f2b2c0b8147ee70
SHA1 861c60910232b4f48242d92c4ea6fb38b1e33859
SHA256 6bb34720a7c4942c3d22ff9b8643932356d05e7667ca1d03a540754d0c5da9d7
SHA512 b03648aa1162880c107312ce01407c291800ad798b634e87c89ef1b7428f08731fcd6b3c123078c3c3a855e63f8240a0d89f1f1ad5ab65cf47756abd88431add

C:\Windows\SysWOW64\Hpapln32.exe

MD5 c45c776e4dda8c333aa11c03e43de839
SHA1 959480a5b74e85cd7c00e84b68906f7374419b41
SHA256 086c804eb07797ccfbb1f8038542f9ad45b84d50f00eac8cee0504dea9260880
SHA512 a24ba2e35e7f19e800025358c0c58cab57c6f194cd98f49d30b1ccb90614c41bea17a553a8a3c87403dbb4adefeddf4d0f760699de42aadbe3754cf85f77054c

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 f067f100a04173bf6ef87122720b4861
SHA1 ee4b275d85d5e06784a697103bb5edd4f8ff5c50
SHA256 f20000de16238d69c2704cc6aca00f1a0d851a83c8d9f557b1881b1f09028c15
SHA512 9585f5e427147f8f2d809543e9b99124aaa3384adbbd6e67d59b41ec88294df0e2c68c535669a984aec84564e44751ac6f6be214670cc7e23da84299e269f80a

C:\Windows\SysWOW64\Hhmepp32.exe

MD5 7c2e94486895dd7cef41c3ba6bf4c12b
SHA1 99b20ae410960c035a0a16511797fbe61fa06455
SHA256 5340dee939356d1f525987b5e300b5f9cdd31b5533936ec64a1aaae94a17d403
SHA512 c15031e3721bbe3cd6a7845ce5ec5f1b2854e3d0f14abfa494e64320ac1daa2ca859506f4cf22878a74f6708aabc4b7fa8cc648a543da3589ae2c88f74c1d226

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 5d990c052df8f87bc71b11e97b3061fa
SHA1 6125238c5a8f39dae8a314ddec36cc96ba810cd3
SHA256 8aaa6dee84a2eeabf6fe2425a1f54ddb16848ec90873fefecac0da477b3c1b4a
SHA512 44b0e8b47b1b93a575d814641c25b48fc55e0ca49a25e99c444cc4c84dcb6eac565019db05ba91e7143aad27594f9c94fc643b288b7673851931eedfdb82530c

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 b790242660fcffafe2bfbc5e9390ad74
SHA1 3331cfab2279ee6e008512ef859ff90c1ed8ac22
SHA256 6d4481b5697128eb5a3a5a0ee04488d9701c53312f73c52fb7e4612823892137
SHA512 02e972424e3804809d7b746b5ed1711c68fdd6f5bb701a0e21e19216235f2a2e11f46556488cc268291f26b2f1a68dca2e51af67cf4437439c90066ab324d09b

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 00b71375dd7ff863b268823075b1ee9c
SHA1 ccd7196c42a676f3ed80c9bf7b30fc9528e9a9bf
SHA256 3ce058759d22229f4772807f2c59bc0247582f07d87ee9ecb738370b5e91239f
SHA512 f3b02de03218c7212b0bb382fe83544b6ec7701f07e8fefea9034bfc05d619ebe0f0b7225ed51a1192d7cd55987936172782a88908840222107114de8a2b7b2e

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 cd131157042ca83538d5e935990bbdaa
SHA1 58a22cb9f5d15ec2033388eaa533ca57a0bf1af3
SHA256 263db27ec35b5bf7c1108d6e740d135960fd50a7f25f58a40d1f88040cdfb208
SHA512 7692276f59231bc938e0d18c6310f92bf60bb9a1919aadad671eb147842fef6bbc6a0d4adca9f0f1db7234bd1849646eada6182e3a181bc22a7c214df785084e

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:04

Reported

2024-04-07 19:07

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chphoh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efikji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Elccfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Capchmmb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffjdqg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jpojcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lilanioo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Iiibkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kilhgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mpmokb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dlegeemh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Denlnk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfkoeppq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqalmafo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fflaff32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfjmgdlf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijaida32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jkdnpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Laalifad.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldaeka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cidncj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dpacfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fqkocpod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jangmibi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Chphoh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dchbhn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gppekj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbanme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mjjmog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lknjmkdo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjqgff32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lgneampk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Clqnjf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dpcpkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dadlclim.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcfebonm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ffjdqg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fobiilai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpgqpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceibclgn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dabpnlkp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eckonn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jfdida32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dcalgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Domfgpca.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goiojk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfachc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dokjbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fjqgff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ibmmhdhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laopdgcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epmcab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mnocof32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Cccpfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceblbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chphoh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clldogdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpgqpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfmla32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cedihl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chbedh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clnadfbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Commqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cchiaqjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Cefemliq.exe N/A
N/A N/A C:\Windows\SysWOW64\Chebighd.exe N/A
N/A N/A C:\Windows\SysWOW64\Clqnjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Coojfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccjfgphj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceibclgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Cidncj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chgoogfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpofpdgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Coagla32.exe N/A
N/A N/A C:\Windows\SysWOW64\Capchmmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cekohk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Digkijmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjkdg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlegeemh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpacfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Doccaall.exe N/A
N/A N/A C:\Windows\SysWOW64\Dabpnlkp.exe N/A
N/A N/A C:\Windows\SysWOW64\Denlnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Diihojkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhlhjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlgdkeje.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpcpkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dofpgqji.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcalgo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dadlclim.exe N/A
N/A N/A C:\Windows\SysWOW64\Djlddi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhnepfpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dljqpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpemacql.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcdimopp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dagiil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Debeijoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnaji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dokjbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfebonm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfdbojmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Djpnohej.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhcnke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlojkddn.exe N/A
N/A N/A C:\Windows\SysWOW64\Domfgpca.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchbhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dakbckbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbkehcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehekqe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epmcab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoocmoao.exe N/A
N/A N/A C:\Windows\SysWOW64\Eckonn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebnoikqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Efikji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elccfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmlcmhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebploj32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Clnadfbp.exe C:\Windows\SysWOW64\Chbedh32.exe N/A
File created C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Dlojkddn.exe N/A
File created C:\Windows\SysWOW64\Ehjdldfl.exe C:\Windows\SysWOW64\Ebploj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffggkgmk.exe C:\Windows\SysWOW64\Fqkocpod.exe N/A
File created C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kilhgk32.exe N/A
File created C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Ncgkcl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpcpkc32.exe C:\Windows\SysWOW64\Dlgdkeje.exe N/A
File created C:\Windows\SysWOW64\Dadlclim.exe C:\Windows\SysWOW64\Dcalgo32.exe N/A
File created C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Imbaemhc.exe N/A
File created C:\Windows\SysWOW64\Jaedgjjd.exe C:\Windows\SysWOW64\Ijkljp32.exe N/A
File created C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Nggqoj32.exe N/A
File created C:\Windows\SysWOW64\Jbmfoa32.exe C:\Windows\SysWOW64\Jpojcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kinemkko.exe C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Fkindkmi.dll C:\Windows\SysWOW64\Dabpnlkp.exe N/A
File created C:\Windows\SysWOW64\Ogaodjbe.dll C:\Windows\SysWOW64\Ffbnph32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kajfig32.exe C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File created C:\Windows\SysWOW64\Jdmaid32.dll C:\Windows\SysWOW64\Ebbidj32.exe N/A
File created C:\Windows\SysWOW64\Ijaida32.exe C:\Windows\SysWOW64\Ibjqcd32.exe N/A
File created C:\Windows\SysWOW64\Ihaoimoh.dll C:\Windows\SysWOW64\Kdcijcke.exe N/A
File created C:\Windows\SysWOW64\Fneiph32.dll C:\Windows\SysWOW64\Maohkd32.exe N/A
File created C:\Windows\SysWOW64\Fibjjh32.dll C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Jepjeoec.dll C:\Windows\SysWOW64\Clqnjf32.exe N/A
File created C:\Windows\SysWOW64\Doccaall.exe C:\Windows\SysWOW64\Dpacfd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fobiilai.exe C:\Windows\SysWOW64\Fmclmabe.exe N/A
File created C:\Windows\SysWOW64\Fflaff32.exe C:\Windows\SysWOW64\Fobiilai.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmmocpjk.exe C:\Windows\SysWOW64\Gfcgge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Laopdgcg.exe N/A
File created C:\Windows\SysWOW64\Aodldljj.dll C:\Windows\SysWOW64\Commqb32.exe N/A
File created C:\Windows\SysWOW64\Diihojkb.exe C:\Windows\SysWOW64\Denlnk32.exe N/A
File created C:\Windows\SysWOW64\Jfjdddho.dll C:\Windows\SysWOW64\Dfdbojmq.exe N/A
File opened for modification C:\Windows\SysWOW64\Dchbhn32.exe C:\Windows\SysWOW64\Domfgpca.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File created C:\Windows\SysWOW64\Genjanmh.dll C:\Windows\SysWOW64\Djlddi32.exe N/A
File created C:\Windows\SysWOW64\Dpemacql.exe C:\Windows\SysWOW64\Dljqpd32.exe N/A
File created C:\Windows\SysWOW64\Efikji32.exe C:\Windows\SysWOW64\Ebnoikqb.exe N/A
File created C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Mdmegp32.exe N/A
File created C:\Windows\SysWOW64\Dhnepfpj.exe C:\Windows\SysWOW64\Djlddi32.exe N/A
File created C:\Windows\SysWOW64\Njcqqgjb.dll C:\Windows\SysWOW64\Mamleegg.exe N/A
File created C:\Windows\SysWOW64\Gbbkdl32.dll C:\Windows\SysWOW64\Mnfipekh.exe N/A
File created C:\Windows\SysWOW64\Ejlmkgkl.exe C:\Windows\SysWOW64\Elhmablc.exe N/A
File opened for modification C:\Windows\SysWOW64\Lilanioo.exe C:\Windows\SysWOW64\Lgneampk.exe N/A
File created C:\Windows\SysWOW64\Khehmdgi.dll C:\Windows\SysWOW64\Lilanioo.exe N/A
File created C:\Windows\SysWOW64\Bbgkjl32.dll C:\Windows\SysWOW64\Ldaeka32.exe N/A
File created C:\Windows\SysWOW64\Cnacjn32.dll C:\Windows\SysWOW64\Mdkhapfj.exe N/A
File created C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nnmopdep.exe N/A
File created C:\Windows\SysWOW64\Ccjfgphj.exe C:\Windows\SysWOW64\Coojfa32.exe N/A
File created C:\Windows\SysWOW64\Jfdida32.exe C:\Windows\SysWOW64\Jdemhe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kilhgk32.exe C:\Windows\SysWOW64\Kbapjafe.exe N/A
File created C:\Windows\SysWOW64\Dhjkdg32.exe C:\Windows\SysWOW64\Digkijmd.exe N/A
File created C:\Windows\SysWOW64\Gfqjafdq.exe C:\Windows\SysWOW64\Gogbdl32.exe N/A
File created C:\Windows\SysWOW64\Bpqnnk32.dll C:\Windows\SysWOW64\Iabgaklg.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbfpobpb.exe C:\Windows\SysWOW64\Jaedgjjd.exe N/A
File created C:\Windows\SysWOW64\Jeiooj32.dll C:\Windows\SysWOW64\Jpojcf32.exe N/A
File created C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mpkbebbf.exe N/A
File created C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cedihl32.exe C:\Windows\SysWOW64\Ccfmla32.exe N/A
File created C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Dpemacql.exe N/A
File created C:\Windows\SysWOW64\Fobiilai.exe C:\Windows\SysWOW64\Fmclmabe.exe N/A
File created C:\Windows\SysWOW64\Fopfdhej.dll C:\Windows\SysWOW64\Ccfmla32.exe N/A
File created C:\Windows\SysWOW64\Qonnknli.dll C:\Windows\SysWOW64\Capchmmb.exe N/A
File opened for modification C:\Windows\SysWOW64\Dofpgqji.exe C:\Windows\SysWOW64\Dpcpkc32.exe N/A
File created C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jbkjjblm.exe N/A
File created C:\Windows\SysWOW64\Qknpkqim.dll C:\Windows\SysWOW64\Jbmfoa32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jangmibi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll" C:\Windows\SysWOW64\Mglack32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Chgoogfa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dofpgqji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Epmcab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkindkmi.dll" C:\Windows\SysWOW64\Dabpnlkp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ejlmkgkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbldaffp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll" C:\Windows\SysWOW64\Laefdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll" C:\Windows\SysWOW64\Elhmablc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fokbim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgpagm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nggqoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Domfgpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll" C:\Windows\SysWOW64\Fqkocpod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffjdqg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jfdida32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kknafn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cedihl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll" C:\Windows\SysWOW64\Fmapha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbfpobpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kaemnhla.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll" C:\Windows\SysWOW64\Lpcmec32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ldaeka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Clnadfbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dchbhn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ebnoikqb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ifmcdblq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdffocib.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Chphoh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dhjkdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll" C:\Windows\SysWOW64\Gcggpj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll" C:\Windows\SysWOW64\Kdffocib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldaeka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djpnohej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmapha32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hbckbepg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Laefdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dlegeemh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jbkjjblm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lgneampk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nnmopdep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fqaeco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll" C:\Windows\SysWOW64\Jmpngk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dhnepfpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejlmkgkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll" C:\Windows\SysWOW64\Ijkljp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfifijhb.dll" C:\Windows\SysWOW64\Coagla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epmcab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll" C:\Windows\SysWOW64\Iiffen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll" C:\Windows\SysWOW64\Ifmcdblq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll" C:\Windows\SysWOW64\Dadlclim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ehjdldfl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe C:\Windows\SysWOW64\Cccpfa32.exe
PID 4464 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe C:\Windows\SysWOW64\Cccpfa32.exe
PID 4464 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe C:\Windows\SysWOW64\Cccpfa32.exe
PID 1596 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Cccpfa32.exe C:\Windows\SysWOW64\Ceblbm32.exe
PID 1596 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Cccpfa32.exe C:\Windows\SysWOW64\Ceblbm32.exe
PID 1596 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Cccpfa32.exe C:\Windows\SysWOW64\Ceblbm32.exe
PID 2104 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Ceblbm32.exe C:\Windows\SysWOW64\Chphoh32.exe
PID 2104 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Ceblbm32.exe C:\Windows\SysWOW64\Chphoh32.exe
PID 2104 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Ceblbm32.exe C:\Windows\SysWOW64\Chphoh32.exe
PID 3916 wrote to memory of 824 N/A C:\Windows\SysWOW64\Chphoh32.exe C:\Windows\SysWOW64\Clldogdc.exe
PID 3916 wrote to memory of 824 N/A C:\Windows\SysWOW64\Chphoh32.exe C:\Windows\SysWOW64\Clldogdc.exe
PID 3916 wrote to memory of 824 N/A C:\Windows\SysWOW64\Chphoh32.exe C:\Windows\SysWOW64\Clldogdc.exe
PID 824 wrote to memory of 3848 N/A C:\Windows\SysWOW64\Clldogdc.exe C:\Windows\SysWOW64\Cpgqpe32.exe
PID 824 wrote to memory of 3848 N/A C:\Windows\SysWOW64\Clldogdc.exe C:\Windows\SysWOW64\Cpgqpe32.exe
PID 824 wrote to memory of 3848 N/A C:\Windows\SysWOW64\Clldogdc.exe C:\Windows\SysWOW64\Cpgqpe32.exe
PID 3848 wrote to memory of 988 N/A C:\Windows\SysWOW64\Cpgqpe32.exe C:\Windows\SysWOW64\Ccfmla32.exe
PID 3848 wrote to memory of 988 N/A C:\Windows\SysWOW64\Cpgqpe32.exe C:\Windows\SysWOW64\Ccfmla32.exe
PID 3848 wrote to memory of 988 N/A C:\Windows\SysWOW64\Cpgqpe32.exe C:\Windows\SysWOW64\Ccfmla32.exe
PID 988 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Ccfmla32.exe C:\Windows\SysWOW64\Cedihl32.exe
PID 988 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Ccfmla32.exe C:\Windows\SysWOW64\Cedihl32.exe
PID 988 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Ccfmla32.exe C:\Windows\SysWOW64\Cedihl32.exe
PID 1648 wrote to memory of 4920 N/A C:\Windows\SysWOW64\Cedihl32.exe C:\Windows\SysWOW64\Chbedh32.exe
PID 1648 wrote to memory of 4920 N/A C:\Windows\SysWOW64\Cedihl32.exe C:\Windows\SysWOW64\Chbedh32.exe
PID 1648 wrote to memory of 4920 N/A C:\Windows\SysWOW64\Cedihl32.exe C:\Windows\SysWOW64\Chbedh32.exe
PID 4920 wrote to memory of 2092 N/A C:\Windows\SysWOW64\Chbedh32.exe C:\Windows\SysWOW64\Clnadfbp.exe
PID 4920 wrote to memory of 2092 N/A C:\Windows\SysWOW64\Chbedh32.exe C:\Windows\SysWOW64\Clnadfbp.exe
PID 4920 wrote to memory of 2092 N/A C:\Windows\SysWOW64\Chbedh32.exe C:\Windows\SysWOW64\Clnadfbp.exe
PID 2092 wrote to memory of 3624 N/A C:\Windows\SysWOW64\Clnadfbp.exe C:\Windows\SysWOW64\Commqb32.exe
PID 2092 wrote to memory of 3624 N/A C:\Windows\SysWOW64\Clnadfbp.exe C:\Windows\SysWOW64\Commqb32.exe
PID 2092 wrote to memory of 3624 N/A C:\Windows\SysWOW64\Clnadfbp.exe C:\Windows\SysWOW64\Commqb32.exe
PID 3624 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Cchiaqjm.exe
PID 3624 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Cchiaqjm.exe
PID 3624 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Cchiaqjm.exe
PID 1780 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Cchiaqjm.exe C:\Windows\SysWOW64\Cefemliq.exe
PID 1780 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Cchiaqjm.exe C:\Windows\SysWOW64\Cefemliq.exe
PID 1780 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Cchiaqjm.exe C:\Windows\SysWOW64\Cefemliq.exe
PID 5004 wrote to memory of 4292 N/A C:\Windows\SysWOW64\Cefemliq.exe C:\Windows\SysWOW64\Chebighd.exe
PID 5004 wrote to memory of 4292 N/A C:\Windows\SysWOW64\Cefemliq.exe C:\Windows\SysWOW64\Chebighd.exe
PID 5004 wrote to memory of 4292 N/A C:\Windows\SysWOW64\Cefemliq.exe C:\Windows\SysWOW64\Chebighd.exe
PID 4292 wrote to memory of 4564 N/A C:\Windows\SysWOW64\Chebighd.exe C:\Windows\SysWOW64\Clqnjf32.exe
PID 4292 wrote to memory of 4564 N/A C:\Windows\SysWOW64\Chebighd.exe C:\Windows\SysWOW64\Clqnjf32.exe
PID 4292 wrote to memory of 4564 N/A C:\Windows\SysWOW64\Chebighd.exe C:\Windows\SysWOW64\Clqnjf32.exe
PID 4564 wrote to memory of 1952 N/A C:\Windows\SysWOW64\Clqnjf32.exe C:\Windows\SysWOW64\Coojfa32.exe
PID 4564 wrote to memory of 1952 N/A C:\Windows\SysWOW64\Clqnjf32.exe C:\Windows\SysWOW64\Coojfa32.exe
PID 4564 wrote to memory of 1952 N/A C:\Windows\SysWOW64\Clqnjf32.exe C:\Windows\SysWOW64\Coojfa32.exe
PID 1952 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Coojfa32.exe C:\Windows\SysWOW64\Ccjfgphj.exe
PID 1952 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Coojfa32.exe C:\Windows\SysWOW64\Ccjfgphj.exe
PID 1952 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Coojfa32.exe C:\Windows\SysWOW64\Ccjfgphj.exe
PID 2592 wrote to memory of 4668 N/A C:\Windows\SysWOW64\Ccjfgphj.exe C:\Windows\SysWOW64\Ceibclgn.exe
PID 2592 wrote to memory of 4668 N/A C:\Windows\SysWOW64\Ccjfgphj.exe C:\Windows\SysWOW64\Ceibclgn.exe
PID 2592 wrote to memory of 4668 N/A C:\Windows\SysWOW64\Ccjfgphj.exe C:\Windows\SysWOW64\Ceibclgn.exe
PID 4668 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Ceibclgn.exe C:\Windows\SysWOW64\Cidncj32.exe
PID 4668 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Ceibclgn.exe C:\Windows\SysWOW64\Cidncj32.exe
PID 4668 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Ceibclgn.exe C:\Windows\SysWOW64\Cidncj32.exe
PID 1068 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Cidncj32.exe C:\Windows\SysWOW64\Chgoogfa.exe
PID 1068 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Cidncj32.exe C:\Windows\SysWOW64\Chgoogfa.exe
PID 1068 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Cidncj32.exe C:\Windows\SysWOW64\Chgoogfa.exe
PID 2356 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Chgoogfa.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 2356 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Chgoogfa.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 2356 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Chgoogfa.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 2392 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Coagla32.exe
PID 2392 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Coagla32.exe
PID 2392 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Coagla32.exe
PID 1692 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Coagla32.exe C:\Windows\SysWOW64\Capchmmb.exe
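The two tables above carry the whole story of this sample when read together: the `ShellServiceObjectDelayLoad` value (shown in the behavioral1 signatures) names a CLSID, the `Modifies registry class` rows point that CLSID's `InProcServer32` default value at one dropped DLL after another, and the `WriteProcessMemory` rows show each generation spawning the next under a new SysWOW64 file name. The following is an added example, not part of the report or of the sandbox's tooling, that parses rows in exactly this table format and correlates them into the persistence chain and the spawn chain. The input rows are constructed copies of a few rows from this report; the `File created` row for `Geegicjl.dll` is constructed so the DLL match is visible, since that row is not in the section shown here.

```python
"""Correlate rows from this report's signature tables into (a) the
SSODL -> CLSID -> InProcServer32 DLL persistence chain and (b) the
parent->child spawn chain. Added example, not part of the report."""
import re
from collections import OrderedDict

# Constructed input: copies of a few rows from this report. The 'File
# created' row for Geegicjl.dll is constructed so that the DLL match
# shows; the report section shown here does not include that row.
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fhffaj32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Chgoogfa.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jangmibi.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll" C:\Windows\SysWOW64\Mglack32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkindkmi.dll" C:\Windows\SysWOW64\Dabpnlkp.exe N/A',
]
FILE_ROWS = [
    r'File created C:\Windows\SysWOW64\Geegicjl.dll C:\Windows\SysWOW64\Mglack32.exe N/A',  # constructed
    r'File created C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Mdmegp32.exe N/A',
]
WPM_ROWS = [
    r'PID 4464 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe C:\Windows\SysWOW64\Cccpfa32.exe',
    r'PID 4464 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe C:\Windows\SysWOW64\Cccpfa32.exe',
    r'PID 1596 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Cccpfa32.exe C:\Windows\SysWOW64\Ceblbm32.exe',
    r'PID 1596 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Cccpfa32.exe C:\Windows\SysWOW64\Ceblbm32.exe',
    r'PID 2104 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Ceblbm32.exe C:\Windows\SysWOW64\Chphoh32.exe',
]

# Row shapes as they appear in the report's "Description Indicator Process Target" tables.
SET_VALUE = re.compile(
    r'^Set value \(str\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$')
FILE_ROW = re.compile(r'^File (?:created|opened for modification) (?P<path>\S+) (?P<proc>\S+) N/A$')
WPM_ROW = re.compile(r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<parent>\S+) (?P<child>\S+)$')
GUID = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')


def parse_set_values(rows):
    """Return (key, value_name, data, writing_process) for each 'Set value (str)' row.
    'Key created' rows carry no data and are skipped. The report escapes
    backslashes inside quoted data ("C:\\\\Windows"), so they are unescaped here."""
    out = []
    for row in rows:
        m = SET_VALUE.match(row)
        if not m:
            continue
        key, _, name = m.group('path').rpartition('\\')  # a trailing '\' means the default value
        out.append((key, name, m.group('data').replace('\\\\', '\\'), m.group('proc')))
    return out


def persistence_chain(registry_rows, file_rows):
    """Map each CLSID registered under ShellServiceObjectDelayLoad to every
    InProcServer32 DLL path it was pointed at, and record which of those DLLs
    also appear as files written by the sample. On a live host only the last
    InProcServer32 write survives, but every path is an indicator worth keeping."""
    values = parse_set_values(registry_rows)
    dropped = {m.group('path').lower() for m in map(FILE_ROW.match, file_rows) if m}
    chain = {}
    for key, name, data, _proc in values:
        if key.lower().endswith('\\shellserviceobjectdelayload') and GUID.match(data):
            chain.setdefault(data.upper(), {'entry_name': name, 'dlls': [], 'dropped': []})
    for key, name, data, _proc in values:
        if name != '' or not key.lower().endswith('\\inprocserver32'):
            continue  # only the default value of an InProcServer32 key names the server DLL
        clsid = key.rsplit('\\', 2)[-2].upper()
        info = chain.get(clsid)
        if info is None:
            continue  # server for a CLSID that was never wired into SSODL
        if data not in info['dlls']:
            info['dlls'].append(data)
        if data.lower() in dropped and data not in info['dropped']:
            info['dropped'].append(data)
    return chain


def process_chain(wpm_rows):
    """Rebuild the spawn order from 'wrote to memory' rows. The report lists
    the same (parent pid, child pid) pair several times; keep one edge per
    pair and walk from the root (the pid nobody wrote to) downwards."""
    edges = OrderedDict()
    for row in wpm_rows:
        m = WPM_ROW.match(row)
        if m and (m['ppid'], m['pid']) not in edges:
            edges[(m['ppid'], m['pid'])] = (m['parent'], m['child'])
    parent_of, image = {}, {}
    for (ppid, pid), (pimg, cimg) in edges.items():
        parent_of[pid] = ppid
        image.setdefault(ppid, pimg)
        image[pid] = cimg
    order = []

    def walk(pid):
        order.append((pid, image[pid]))
        for (pp, cc) in edges:
            if pp == pid:
                walk(cc)

    for root in [p for p in image if p not in parent_of]:
        walk(root)
    return order


if __name__ == '__main__':
    for clsid, info in persistence_chain(REGISTRY_ROWS, FILE_ROWS).items():
        print(clsid, info['entry_name'], '->', info['dlls'], 'dropped:', info['dropped'])
    for pid, img in process_chain(WPM_ROWS):
        print(pid, img)
```

Run stand-alone it prints the single CLSID with both DLL paths it was pointed at (only `Geegicjl.dll` confirmed as dropped from the constructed file rows) and the four-process chain `4464 -> 1596 -> 2104 -> 3916`. Path comparisons are case-insensitive because the report writes `SysWow64` in registry data and `SysWOW64` in file paths for the same directory.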

Processes

C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe

"C:\Users\Admin\AppData\Local\Temp\1b04f7fe5af009adc93f687f99d876e1f6f91e77261ef5e809f4d4b4f00fb25c.exe"

C:\Windows\SysWOW64\Cccpfa32.exe

C:\Windows\system32\Cccpfa32.exe

C:\Windows\SysWOW64\Ceblbm32.exe

C:\Windows\system32\Ceblbm32.exe

C:\Windows\SysWOW64\Chphoh32.exe

C:\Windows\system32\Chphoh32.exe

C:\Windows\SysWOW64\Clldogdc.exe

C:\Windows\system32\Clldogdc.exe

C:\Windows\SysWOW64\Cpgqpe32.exe

C:\Windows\system32\Cpgqpe32.exe

C:\Windows\SysWOW64\Ccfmla32.exe

C:\Windows\system32\Ccfmla32.exe

C:\Windows\SysWOW64\Cedihl32.exe

C:\Windows\system32\Cedihl32.exe

C:\Windows\SysWOW64\Chbedh32.exe

C:\Windows\system32\Chbedh32.exe

C:\Windows\SysWOW64\Clnadfbp.exe

C:\Windows\system32\Clnadfbp.exe

C:\Windows\SysWOW64\Commqb32.exe

C:\Windows\system32\Commqb32.exe

C:\Windows\SysWOW64\Cchiaqjm.exe

C:\Windows\system32\Cchiaqjm.exe

C:\Windows\SysWOW64\Cefemliq.exe

C:\Windows\system32\Cefemliq.exe

C:\Windows\SysWOW64\Chebighd.exe

C:\Windows\system32\Chebighd.exe

C:\Windows\SysWOW64\Clqnjf32.exe

C:\Windows\system32\Clqnjf32.exe

C:\Windows\SysWOW64\Coojfa32.exe

C:\Windows\system32\Coojfa32.exe

C:\Windows\SysWOW64\Ccjfgphj.exe

C:\Windows\system32\Ccjfgphj.exe

C:\Windows\SysWOW64\Ceibclgn.exe

C:\Windows\system32\Ceibclgn.exe

C:\Windows\SysWOW64\Cidncj32.exe

C:\Windows\system32\Cidncj32.exe

C:\Windows\SysWOW64\Chgoogfa.exe

C:\Windows\system32\Chgoogfa.exe

C:\Windows\SysWOW64\Cpofpdgd.exe

C:\Windows\system32\Cpofpdgd.exe

C:\Windows\SysWOW64\Coagla32.exe

C:\Windows\system32\Coagla32.exe

C:\Windows\SysWOW64\Capchmmb.exe

C:\Windows\system32\Capchmmb.exe

C:\Windows\SysWOW64\Cekohk32.exe

C:\Windows\system32\Cekohk32.exe

C:\Windows\SysWOW64\Digkijmd.exe

C:\Windows\system32\Digkijmd.exe

C:\Windows\SysWOW64\Dhjkdg32.exe

C:\Windows\system32\Dhjkdg32.exe

C:\Windows\SysWOW64\Dlegeemh.exe

C:\Windows\system32\Dlegeemh.exe

C:\Windows\SysWOW64\Dpacfd32.exe

C:\Windows\system32\Dpacfd32.exe

C:\Windows\SysWOW64\Doccaall.exe

C:\Windows\system32\Doccaall.exe

C:\Windows\SysWOW64\Dabpnlkp.exe

C:\Windows\system32\Dabpnlkp.exe

C:\Windows\SysWOW64\Denlnk32.exe

C:\Windows\system32\Denlnk32.exe

C:\Windows\SysWOW64\Diihojkb.exe

C:\Windows\system32\Diihojkb.exe

C:\Windows\SysWOW64\Dhlhjf32.exe

C:\Windows\system32\Dhlhjf32.exe

C:\Windows\SysWOW64\Dlgdkeje.exe

C:\Windows\system32\Dlgdkeje.exe

C:\Windows\SysWOW64\Dpcpkc32.exe

C:\Windows\system32\Dpcpkc32.exe

C:\Windows\SysWOW64\Dofpgqji.exe

C:\Windows\system32\Dofpgqji.exe

C:\Windows\SysWOW64\Dcalgo32.exe

C:\Windows\system32\Dcalgo32.exe

C:\Windows\SysWOW64\Dadlclim.exe

C:\Windows\system32\Dadlclim.exe

C:\Windows\SysWOW64\Djlddi32.exe

C:\Windows\system32\Djlddi32.exe

C:\Windows\SysWOW64\Dhnepfpj.exe

C:\Windows\system32\Dhnepfpj.exe

C:\Windows\SysWOW64\Dljqpd32.exe

C:\Windows\system32\Dljqpd32.exe

C:\Windows\SysWOW64\Dpemacql.exe

C:\Windows\system32\Dpemacql.exe

C:\Windows\SysWOW64\Dcdimopp.exe

C:\Windows\system32\Dcdimopp.exe

C:\Windows\SysWOW64\Dagiil32.exe

C:\Windows\system32\Dagiil32.exe

C:\Windows\SysWOW64\Debeijoc.exe

C:\Windows\system32\Debeijoc.exe

C:\Windows\SysWOW64\Djnaji32.exe

C:\Windows\system32\Djnaji32.exe

C:\Windows\SysWOW64\Dokjbp32.exe

C:\Windows\system32\Dokjbp32.exe

C:\Windows\SysWOW64\Dcfebonm.exe

C:\Windows\system32\Dcfebonm.exe

C:\Windows\SysWOW64\Dfdbojmq.exe

C:\Windows\system32\Dfdbojmq.exe

C:\Windows\SysWOW64\Djpnohej.exe

C:\Windows\system32\Djpnohej.exe

C:\Windows\SysWOW64\Dhcnke32.exe

C:\Windows\system32\Dhcnke32.exe

C:\Windows\SysWOW64\Dlojkddn.exe

C:\Windows\system32\Dlojkddn.exe

C:\Windows\SysWOW64\Domfgpca.exe

C:\Windows\system32\Domfgpca.exe

C:\Windows\SysWOW64\Dchbhn32.exe

C:\Windows\system32\Dchbhn32.exe

C:\Windows\SysWOW64\Dakbckbe.exe

C:\Windows\system32\Dakbckbe.exe

C:\Windows\SysWOW64\Ejbkehcg.exe

C:\Windows\system32\Ejbkehcg.exe

C:\Windows\SysWOW64\Ehekqe32.exe

C:\Windows\system32\Ehekqe32.exe

C:\Windows\SysWOW64\Epmcab32.exe

C:\Windows\system32\Epmcab32.exe

C:\Windows\SysWOW64\Eoocmoao.exe

C:\Windows\system32\Eoocmoao.exe

C:\Windows\SysWOW64\Eckonn32.exe

C:\Windows\system32\Eckonn32.exe

C:\Windows\SysWOW64\Ebnoikqb.exe

C:\Windows\system32\Ebnoikqb.exe

C:\Windows\SysWOW64\Efikji32.exe

C:\Windows\system32\Efikji32.exe

C:\Windows\SysWOW64\Elccfc32.exe

C:\Windows\system32\Elccfc32.exe

C:\Windows\SysWOW64\Ecmlcmhe.exe

C:\Windows\system32\Ecmlcmhe.exe

C:\Windows\SysWOW64\Ebploj32.exe

C:\Windows\system32\Ebploj32.exe

C:\Windows\SysWOW64\Ehjdldfl.exe

C:\Windows\system32\Ehjdldfl.exe

C:\Windows\SysWOW64\Eqalmafo.exe

C:\Windows\system32\Eqalmafo.exe

C:\Windows\SysWOW64\Ebbidj32.exe

C:\Windows\system32\Ebbidj32.exe

C:\Windows\SysWOW64\Elhmablc.exe

C:\Windows\system32\Elhmablc.exe

C:\Windows\SysWOW64\Ejlmkgkl.exe

C:\Windows\system32\Ejlmkgkl.exe

C:\Windows\SysWOW64\Ffbnph32.exe

C:\Windows\system32\Ffbnph32.exe

C:\Windows\SysWOW64\Fmmfmbhn.exe

C:\Windows\system32\Fmmfmbhn.exe

C:\Windows\SysWOW64\Fokbim32.exe

C:\Windows\system32\Fokbim32.exe

C:\Windows\SysWOW64\Fbioei32.exe

C:\Windows\system32\Fbioei32.exe

C:\Windows\SysWOW64\Fjqgff32.exe

C:\Windows\system32\Fjqgff32.exe

C:\Windows\SysWOW64\Fqkocpod.exe

C:\Windows\system32\Fqkocpod.exe

C:\Windows\SysWOW64\Ffggkgmk.exe

C:\Windows\system32\Ffggkgmk.exe

C:\Windows\SysWOW64\Fmapha32.exe

C:\Windows\system32\Fmapha32.exe

C:\Windows\SysWOW64\Fckhdk32.exe

C:\Windows\system32\Fckhdk32.exe

C:\Windows\SysWOW64\Ffjdqg32.exe

C:\Windows\system32\Ffjdqg32.exe

C:\Windows\SysWOW64\Fmclmabe.exe

C:\Windows\system32\Fmclmabe.exe

C:\Windows\SysWOW64\Fobiilai.exe

C:\Windows\system32\Fobiilai.exe

C:\Windows\SysWOW64\Fflaff32.exe

C:\Windows\system32\Fflaff32.exe

C:\Windows\SysWOW64\Fijmbb32.exe

C:\Windows\system32\Fijmbb32.exe

C:\Windows\SysWOW64\Fqaeco32.exe

C:\Windows\system32\Fqaeco32.exe

C:\Windows\SysWOW64\Gimjhafg.exe

C:\Windows\system32\Gimjhafg.exe

C:\Windows\SysWOW64\Gogbdl32.exe

C:\Windows\system32\Gogbdl32.exe

C:\Windows\SysWOW64\Gfqjafdq.exe

C:\Windows\system32\Gfqjafdq.exe

C:\Windows\SysWOW64\Giofnacd.exe

C:\Windows\system32\Giofnacd.exe

C:\Windows\SysWOW64\Goiojk32.exe

C:\Windows\system32\Goiojk32.exe

C:\Windows\SysWOW64\Gfcgge32.exe

C:\Windows\system32\Gfcgge32.exe

C:\Windows\SysWOW64\Gmmocpjk.exe

C:\Windows\system32\Gmmocpjk.exe

C:\Windows\SysWOW64\Gcggpj32.exe

C:\Windows\system32\Gcggpj32.exe

C:\Windows\SysWOW64\Gfedle32.exe

C:\Windows\system32\Gfedle32.exe

C:\Windows\SysWOW64\Gbldaffp.exe

C:\Windows\system32\Gbldaffp.exe

C:\Windows\SysWOW64\Gjclbc32.exe

C:\Windows\system32\Gjclbc32.exe

C:\Windows\SysWOW64\Gmaioo32.exe

C:\Windows\system32\Gmaioo32.exe

C:\Windows\SysWOW64\Gppekj32.exe

C:\Windows\system32\Gppekj32.exe

C:\Windows\SysWOW64\Hfjmgdlf.exe

C:\Windows\system32\Hfjmgdlf.exe

C:\Windows\SysWOW64\Hihicplj.exe

C:\Windows\system32\Hihicplj.exe

C:\Windows\SysWOW64\Hapaemll.exe

C:\Windows\system32\Hapaemll.exe

C:\Windows\SysWOW64\Hbanme32.exe

C:\Windows\system32\Hbanme32.exe

C:\Windows\SysWOW64\Hikfip32.exe

C:\Windows\system32\Hikfip32.exe

C:\Windows\SysWOW64\Hpenfjad.exe

C:\Windows\system32\Hpenfjad.exe

C:\Windows\SysWOW64\Hbckbepg.exe

C:\Windows\system32\Hbckbepg.exe

C:\Windows\SysWOW64\Hfofbd32.exe

C:\Windows\system32\Hfofbd32.exe

C:\Windows\SysWOW64\Hmioonpn.exe

C:\Windows\system32\Hmioonpn.exe

C:\Windows\SysWOW64\Hfachc32.exe

C:\Windows\system32\Hfachc32.exe

C:\Windows\SysWOW64\Haggelfd.exe

C:\Windows\system32\Haggelfd.exe

C:\Windows\SysWOW64\Hmmhjm32.exe

C:\Windows\system32\Hmmhjm32.exe

C:\Windows\SysWOW64\Ipldfi32.exe

C:\Windows\system32\Ipldfi32.exe

C:\Windows\SysWOW64\Ibjqcd32.exe

C:\Windows\system32\Ibjqcd32.exe

C:\Windows\SysWOW64\Ijaida32.exe

C:\Windows\system32\Ijaida32.exe

C:\Windows\SysWOW64\Ipnalhii.exe

C:\Windows\system32\Ipnalhii.exe

C:\Windows\SysWOW64\Ibmmhdhm.exe

C:\Windows\system32\Ibmmhdhm.exe

C:\Windows\SysWOW64\Iiffen32.exe

C:\Windows\system32\Iiffen32.exe

C:\Windows\SysWOW64\Imbaemhc.exe

C:\Windows\system32\Imbaemhc.exe

C:\Windows\SysWOW64\Icljbg32.exe

C:\Windows\system32\Icljbg32.exe

C:\Windows\SysWOW64\Ifjfnb32.exe

C:\Windows\system32\Ifjfnb32.exe

C:\Windows\SysWOW64\Iiibkn32.exe

C:\Windows\system32\Iiibkn32.exe

C:\Windows\SysWOW64\Idofhfmm.exe

C:\Windows\system32\Idofhfmm.exe

C:\Windows\SysWOW64\Ifmcdblq.exe

C:\Windows\system32\Ifmcdblq.exe

C:\Windows\SysWOW64\Iabgaklg.exe

C:\Windows\system32\Iabgaklg.exe

C:\Windows\SysWOW64\Idacmfkj.exe

C:\Windows\system32\Idacmfkj.exe

C:\Windows\SysWOW64\Ijkljp32.exe

C:\Windows\system32\Ijkljp32.exe

C:\Windows\SysWOW64\Jaedgjjd.exe

C:\Windows\system32\Jaedgjjd.exe

C:\Windows\SysWOW64\Jbfpobpb.exe

C:\Windows\system32\Jbfpobpb.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\system32\Jjmhppqd.exe

C:\Windows\SysWOW64\Jagqlj32.exe

C:\Windows\system32\Jagqlj32.exe

C:\Windows\SysWOW64\Jdemhe32.exe

C:\Windows\system32\Jdemhe32.exe

C:\Windows\SysWOW64\Jfdida32.exe

C:\Windows\system32\Jfdida32.exe

C:\Windows\SysWOW64\Jibeql32.exe

C:\Windows\system32\Jibeql32.exe

C:\Windows\SysWOW64\Jaimbj32.exe

C:\Windows\system32\Jaimbj32.exe

C:\Windows\SysWOW64\Jbkjjblm.exe

C:\Windows\system32\Jbkjjblm.exe

C:\Windows\SysWOW64\Jfffjqdf.exe

C:\Windows\system32\Jfffjqdf.exe

C:\Windows\SysWOW64\Jjbako32.exe

C:\Windows\system32\Jjbako32.exe

C:\Windows\SysWOW64\Jmpngk32.exe

C:\Windows\system32\Jmpngk32.exe

C:\Windows\SysWOW64\Jpojcf32.exe

C:\Windows\system32\Jpojcf32.exe

C:\Windows\SysWOW64\Jbmfoa32.exe

C:\Windows\system32\Jbmfoa32.exe

C:\Windows\SysWOW64\Jkdnpo32.exe

C:\Windows\system32\Jkdnpo32.exe

C:\Windows\SysWOW64\Jmbklj32.exe

C:\Windows\system32\Jmbklj32.exe

C:\Windows\SysWOW64\Jangmibi.exe

C:\Windows\system32\Jangmibi.exe

C:\Windows\SysWOW64\Jdmcidam.exe

C:\Windows\system32\Jdmcidam.exe

C:\Windows\SysWOW64\Jfkoeppq.exe

C:\Windows\system32\Jfkoeppq.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kpccnefa.exe

C:\Windows\system32\Kpccnefa.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\system32\Kbapjafe.exe

C:\Windows\SysWOW64\Kilhgk32.exe

C:\Windows\system32\Kilhgk32.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\system32\Kgphpo32.exe

C:\Windows\SysWOW64\Kinemkko.exe

C:\Windows\system32\Kinemkko.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kdcijcke.exe

C:\Windows\system32\Kdcijcke.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kagichjo.exe

C:\Windows\system32\Kagichjo.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\system32\Kdffocib.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\system32\Kajfig32.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Laopdgcg.exe

C:\Windows\system32\Laopdgcg.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lkgdml32.exe

C:\Windows\system32\Lkgdml32.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lgneampk.exe

C:\Windows\system32\Lgneampk.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Ljnnch32.exe

C:\Windows\system32\Ljnnch32.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mnlfigcc.exe

C:\Windows\system32\Mnlfigcc.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Mnocof32.exe

C:\Windows\system32\Mnocof32.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Ncgkcl32.exe

C:\Windows\system32\Ncgkcl32.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7152 -ip 7152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 420

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files
