Malware Analysis Report

2025-03-14 22:32

Sample ID 240407-xwtmdacc86
Target 1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c
SHA256 1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c

Threat Level: Known bad

The file 1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:12

Reported

2024-04-07 19:15

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhnmij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dpeekh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dookgcij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecqqpgli.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Echfaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dookgcij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecejkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfamcogo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnoomqbg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecejkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Echfaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpeekh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfamcogo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dknekeef.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enhacojl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eibbcm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dndlim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dndlim32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dggcffhg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqdajkkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dknekeef.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnoomqbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dggcffhg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecqqpgli.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhnmij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqdajkkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Enhacojl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eibbcm32.exe N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Dndlim32.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Dhnmij32.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Dpeekh32.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Dfamcogo.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Dknekeef.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Dlnbeh32.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Dnoomqbg.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Dggcffhg.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Dookgcij.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Ejhlgaeh.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Ecqqpgli.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Eqdajkkb.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Enhacojl.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Ecejkf32.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Eibbcm32.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Echfaf32.exe N/A 2
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A 4

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Dfamcogo.exe C:\Windows\SysWOW64\Dpeekh32.exe N/A
File created C:\Windows\SysWOW64\Ecqqpgli.exe C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecqqpgli.exe C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
File created C:\Windows\SysWOW64\Jhgnia32.dll C:\Windows\SysWOW64\Ecejkf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dlnbeh32.exe C:\Windows\SysWOW64\Dknekeef.exe N/A
File created C:\Windows\SysWOW64\Dnoomqbg.exe C:\Windows\SysWOW64\Dlnbeh32.exe N/A
File created C:\Windows\SysWOW64\Dggcffhg.exe C:\Windows\SysWOW64\Dnoomqbg.exe N/A
File opened for modification C:\Windows\SysWOW64\Dggcffhg.exe C:\Windows\SysWOW64\Dnoomqbg.exe N/A
File created C:\Windows\SysWOW64\Efhhaddp.dll C:\Windows\SysWOW64\Dhnmij32.exe N/A
File created C:\Windows\SysWOW64\Ecejkf32.exe C:\Windows\SysWOW64\Enhacojl.exe N/A
File created C:\Windows\SysWOW64\Dndlim32.exe C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
File opened for modification C:\Windows\SysWOW64\Dndlim32.exe C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
File created C:\Windows\SysWOW64\Ejhlgaeh.exe C:\Windows\SysWOW64\Dookgcij.exe N/A
File created C:\Windows\SysWOW64\Nnfbei32.dll C:\Windows\SysWOW64\Dknekeef.exe N/A
File created C:\Windows\SysWOW64\Jkhgfq32.dll C:\Windows\SysWOW64\Dggcffhg.exe N/A
File created C:\Windows\SysWOW64\Enhacojl.exe C:\Windows\SysWOW64\Eqdajkkb.exe N/A
File created C:\Windows\SysWOW64\Bdacap32.dll C:\Windows\SysWOW64\Enhacojl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhnmij32.exe C:\Windows\SysWOW64\Dndlim32.exe N/A
File created C:\Windows\SysWOW64\Mmnclh32.dll C:\Windows\SysWOW64\Dlnbeh32.exe N/A
File created C:\Windows\SysWOW64\Dlnbeh32.exe C:\Windows\SysWOW64\Dknekeef.exe N/A
File opened for modification C:\Windows\SysWOW64\Dookgcij.exe C:\Windows\SysWOW64\Dggcffhg.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqdajkkb.exe C:\Windows\SysWOW64\Ecqqpgli.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecejkf32.exe C:\Windows\SysWOW64\Enhacojl.exe N/A
File created C:\Windows\SysWOW64\Dpeekh32.exe C:\Windows\SysWOW64\Dhnmij32.exe N/A
File created C:\Windows\SysWOW64\Fkckeh32.exe C:\Windows\SysWOW64\Echfaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkckeh32.exe C:\Windows\SysWOW64\Echfaf32.exe N/A
File created C:\Windows\SysWOW64\Dhnmij32.exe C:\Windows\SysWOW64\Dndlim32.exe N/A
File created C:\Windows\SysWOW64\Dknekeef.exe C:\Windows\SysWOW64\Dfamcogo.exe N/A
File opened for modification C:\Windows\SysWOW64\Dknekeef.exe C:\Windows\SysWOW64\Dfamcogo.exe N/A
File opened for modification C:\Windows\SysWOW64\Echfaf32.exe C:\Windows\SysWOW64\Eibbcm32.exe N/A
File created C:\Windows\SysWOW64\Fileil32.dll C:\Windows\SysWOW64\Dndlim32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpeekh32.exe C:\Windows\SysWOW64\Dhnmij32.exe N/A
File created C:\Windows\SysWOW64\Blopagpd.dll C:\Windows\SysWOW64\Dpeekh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejhlgaeh.exe C:\Windows\SysWOW64\Dookgcij.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfamcogo.exe C:\Windows\SysWOW64\Dpeekh32.exe N/A
File created C:\Windows\SysWOW64\Ampehe32.dll C:\Windows\SysWOW64\Eqdajkkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Eibbcm32.exe C:\Windows\SysWOW64\Ecejkf32.exe N/A
File created C:\Windows\SysWOW64\Eqdajkkb.exe C:\Windows\SysWOW64\Ecqqpgli.exe N/A
File created C:\Windows\SysWOW64\Eibbcm32.exe C:\Windows\SysWOW64\Ecejkf32.exe N/A
File created C:\Windows\SysWOW64\Najgne32.dll C:\Windows\SysWOW64\Eibbcm32.exe N/A
File created C:\Windows\SysWOW64\Clkmne32.dll C:\Windows\SysWOW64\Echfaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnoomqbg.exe C:\Windows\SysWOW64\Dlnbeh32.exe N/A
File created C:\Windows\SysWOW64\Dookgcij.exe C:\Windows\SysWOW64\Dggcffhg.exe N/A
File created C:\Windows\SysWOW64\Dhhlgc32.dll C:\Windows\SysWOW64\Dookgcij.exe N/A
File created C:\Windows\SysWOW64\Echfaf32.exe C:\Windows\SysWOW64\Eibbcm32.exe N/A
File created C:\Windows\SysWOW64\Gjpmgg32.dll C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
File created C:\Windows\SysWOW64\Mhofcjea.dll C:\Windows\SysWOW64\Dnoomqbg.exe N/A
File created C:\Windows\SysWOW64\Qffmipmp.dll C:\Windows\SysWOW64\Ecqqpgli.exe N/A
File opened for modification C:\Windows\SysWOW64\Enhacojl.exe C:\Windows\SysWOW64\Eqdajkkb.exe N/A
File created C:\Windows\SysWOW64\Egqdeaqb.dll C:\Windows\SysWOW64\Dfamcogo.exe N/A
File created C:\Windows\SysWOW64\Dinhacjp.dll C:\Windows\SysWOW64\Ejhlgaeh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Fkckeh32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dookgcij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll" C:\Windows\SysWOW64\Ecejkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfamcogo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dookgcij.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecejkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll" C:\Windows\SysWOW64\Dpeekh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqdeaqb.dll" C:\Windows\SysWOW64\Dfamcogo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll" C:\Windows\SysWOW64\Dnoomqbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Echfaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll" C:\Windows\SysWOW64\Dndlim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll" C:\Windows\SysWOW64\Ecqqpgli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll" C:\Windows\SysWOW64\Dhnmij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmgg32.dll" C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dknekeef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnoomqbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll" C:\Windows\SysWOW64\Eqdajkkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfamcogo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enhacojl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dknekeef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" C:\Windows\SysWOW64\Dggcffhg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnclh32.dll" C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dpeekh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" C:\Windows\SysWOW64\Dknekeef.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Enhacojl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecqqpgli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecejkf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dndlim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnoomqbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dggcffhg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll" C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eibbcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll" C:\Windows\SysWOW64\Echfaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhnmij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dggcffhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll" C:\Windows\SysWOW64\Dookgcij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eqdajkkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll" C:\Windows\SysWOW64\Eibbcm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dndlim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dpeekh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" C:\Windows\SysWOW64\Enhacojl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eqdajkkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Echfaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhnmij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecqqpgli.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eibbcm32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 272 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe C:\Windows\SysWOW64\Dndlim32.exe 4
PID 2308 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Dndlim32.exe C:\Windows\SysWOW64\Dhnmij32.exe 4
PID 2828 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Dhnmij32.exe C:\Windows\SysWOW64\Dpeekh32.exe 4
PID 2144 wrote to memory of 2564 N/A C:\Windows\SysWOW64\Dpeekh32.exe C:\Windows\SysWOW64\Dfamcogo.exe 4
PID 2564 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Dfamcogo.exe C:\Windows\SysWOW64\Dknekeef.exe 4
PID 2692 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Dknekeef.exe C:\Windows\SysWOW64\Dlnbeh32.exe 4
PID 2968 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Dlnbeh32.exe C:\Windows\SysWOW64\Dnoomqbg.exe 4
PID 2432 wrote to memory of 1684 N/A C:\Windows\SysWOW64\Dnoomqbg.exe C:\Windows\SysWOW64\Dggcffhg.exe 4
PID 1684 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Dggcffhg.exe C:\Windows\SysWOW64\Dookgcij.exe 4
PID 1708 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Dookgcij.exe C:\Windows\SysWOW64\Ejhlgaeh.exe 4
PID 1692 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Ejhlgaeh.exe C:\Windows\SysWOW64\Ecqqpgli.exe 4
PID 1792 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Ecqqpgli.exe C:\Windows\SysWOW64\Eqdajkkb.exe 4
PID 2780 wrote to memory of 1528 N/A C:\Windows\SysWOW64\Eqdajkkb.exe C:\Windows\SysWOW64\Enhacojl.exe 4
PID 1528 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Enhacojl.exe C:\Windows\SysWOW64\Ecejkf32.exe 4
PID 1264 wrote to memory of 1980 N/A C:\Windows\SysWOW64\Ecejkf32.exe C:\Windows\SysWOW64\Eibbcm32.exe 4
PID 1980 wrote to memory of 1676 N/A C:\Windows\SysWOW64\Eibbcm32.exe C:\Windows\SysWOW64\Echfaf32.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe

"C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe"

C:\Windows\SysWOW64\Dndlim32.exe

C:\Windows\system32\Dndlim32.exe

C:\Windows\SysWOW64\Dhnmij32.exe

C:\Windows\system32\Dhnmij32.exe

C:\Windows\SysWOW64\Dpeekh32.exe

C:\Windows\system32\Dpeekh32.exe

C:\Windows\SysWOW64\Dfamcogo.exe

C:\Windows\system32\Dfamcogo.exe

C:\Windows\SysWOW64\Dknekeef.exe

C:\Windows\system32\Dknekeef.exe

C:\Windows\SysWOW64\Dlnbeh32.exe

C:\Windows\system32\Dlnbeh32.exe

C:\Windows\SysWOW64\Dnoomqbg.exe

C:\Windows\system32\Dnoomqbg.exe

C:\Windows\SysWOW64\Dggcffhg.exe

C:\Windows\system32\Dggcffhg.exe

C:\Windows\SysWOW64\Dookgcij.exe

C:\Windows\system32\Dookgcij.exe

C:\Windows\SysWOW64\Ejhlgaeh.exe

C:\Windows\system32\Ejhlgaeh.exe

C:\Windows\SysWOW64\Ecqqpgli.exe

C:\Windows\system32\Ecqqpgli.exe

C:\Windows\SysWOW64\Eqdajkkb.exe

C:\Windows\system32\Eqdajkkb.exe

C:\Windows\SysWOW64\Enhacojl.exe

C:\Windows\system32\Enhacojl.exe

C:\Windows\SysWOW64\Ecejkf32.exe

C:\Windows\system32\Ecejkf32.exe

C:\Windows\SysWOW64\Eibbcm32.exe

C:\Windows\system32\Eibbcm32.exe

C:\Windows\SysWOW64\Echfaf32.exe

C:\Windows\system32\Echfaf32.exe

C:\Windows\SysWOW64\Fkckeh32.exe

C:\Windows\system32\Fkckeh32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 140

Network

N/A

Files

memory/272-0-0x0000000000400000-0x000000000043A000-memory.dmp

\Windows\SysWOW64\Dndlim32.exe

MD5 c7a049f42b0adbdb8dd2fad26d66b4f1
SHA1 4dab035cd7aa70dfea64985e13fc7eac07f91e79
SHA256 34d06dd458acf41f4185ab452d69e5485efe7d0508d927bca4870b0880b498ae
SHA512 1b89f5a619a79391904d3938b243c933cdc4b2fe6f0b64f13524162f5dbe9446d764f42da8c49df8f953cac580a13543eb6730ba9d00d6e88c3a8fdff7c89128

memory/272-6-0x0000000000220000-0x000000000025A000-memory.dmp

memory/272-13-0x0000000000220000-0x000000000025A000-memory.dmp

\Windows\SysWOW64\Dhnmij32.exe

MD5 871be0ef3ea8c4c1a8226a2a0c0286d6
SHA1 4e1c2819c20418894662856e213229abd736a66e
SHA256 edd1608a241d72bb9325d0d0a1c5723ec40c1aef390b713eaad6de66affed515
SHA512 bc3413bf975af9f66cdf539134715ea1b23c5322c3186609fc94035342ed413dda758bb1887e4928e38d21a09591e1c8200bf764cc723bcf8e86e26407a92da0

memory/2308-19-0x0000000000400000-0x000000000043A000-memory.dmp

\Windows\SysWOW64\Dpeekh32.exe

MD5 81301cf884d31c6df519a7ce2954f13b
SHA1 895540c9ab8cfa2166448e51a5fe04d6c3785707
SHA256 c8a5bb69c785d5bad1d382a4fedbfce3ef5b627d767c69d7b368289eac8e6d3a
SHA512 50074c065a8e1f75d331161b8049c0144e5978da66bb2738ba7dad27dbfb848090a9419bdd0f98686933c508332e5f42bd76538752b560b8ed35d16fda3298dc

memory/2308-34-0x00000000003C0000-0x00000000003FA000-memory.dmp

memory/2828-40-0x0000000000400000-0x000000000043A000-memory.dmp

\Windows\SysWOW64\Dfamcogo.exe

MD5 4d514868561e09e7374c0f4563dc5632
SHA1 6cbf6fb07a7d51586d61ee4efb6ccf2c63387915
SHA256 1b7ea1f91c9ac49395b8364c109477d25e582ad1c982e5326f648220c204b127
SHA512 e250a27b87d911f6a7ff380b0ed6f0577ada11d4b09e4182e9cbe91c543f29a3473e198236ff6c29d9852e8ee1425dd321f686ee09016a9eee9de1641c470a9e

memory/2564-59-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Dknekeef.exe

MD5 d997df85b097e2092d7198fac8f6c01a
SHA1 95c2dbff570ba1bd008b5e163e0cfe89b1e09b13
SHA256 7814ebbd4c33b6c4a9399af4dc3b482d39739909104c318abb7f9204406657c5
SHA512 6942df85cbf3b70fe969a621f7da45570cc1abe66a185f513e31c6a37ff1d558fead1390a46de79b111704d688daeb8845bcb76e05155d2e2685cf3fb2f30339

memory/2144-53-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Dlnbeh32.exe

MD5 d6247d47e941a1852b76b9e36ed64853
SHA1 11c97ffe90b80c7529eb060f9b202c009817dbbf
SHA256 86d47d91e3d2db9ea525ab0e6d61a39a135d7458fdd68df9d40fd4ed69ee23c2
SHA512 b603c1f51cf3f16529e504c73923b4210620d5df858b674702724ed609fc08b4e18e013d589a10200f9202b011b051e30fcfc09f5dd6eb0b5e13a8f869f08d57

memory/2968-85-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Dnoomqbg.exe

MD5 c822d17ec38dd8f6dc1856aa80c2fc14
SHA1 3d29ebd808b5323dc5985c38666263ef7479ccd1
SHA256 09bc5bb8b217be633d918566a05ede0405fc5226e9a283aeedb94ec0df67f632
SHA512 280860e01e0e17ba5783813b1b218fdc6e2b9a5e74ea2d9e046a751d216a6b13e47cb7d6a74983d4b7f610fb4500808350d29a69fda83a089405e5d88563df7e

\Windows\SysWOW64\Dookgcij.exe

MD5 095ec8ab90aa706c46ad243da91c4dac
SHA1 6148fe1f2d8abab2b74e0015c1208c43fee6527a
SHA256 a1ea80db1c9e3eb32e97b6dae20c790935c34ca7facdcd91ea869718286a5a99
SHA512 c8d17bdc8564897ecafe327cb54e2d69e56b93bd4f7a19b7b6b128a86a3a5237256b4ee8cc9a4c984fa3d978cbe79ce062fa9da8b17a1108cbd2366bb2aac0de

C:\Windows\SysWOW64\Dggcffhg.exe

MD5 f1293d73d575169a692f6d0fd902fd67
SHA1 c6522940610d8fa738a0574494eb135b8be2a8e2
SHA256 3c074a204a053730a735b6d61a9271a9b3e88f929e29ff672575f3e4baccbe79
SHA512 1a1c186640cdd3ba28426e6b5cc6c044883f5be914cd5bbe676df14802a7121aba5e6d536106c66b823549b88805c15299be3e7b7ee0790050051c032e058f17

memory/1684-111-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2432-104-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1684-119-0x00000000001B0000-0x00000000001EA000-memory.dmp

memory/2692-73-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1708-125-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1692-133-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ejhlgaeh.exe

MD5 7103a5dd7ef5e6d0491a0fdc2b8e5365
SHA1 e9a0ccdaa405f0f2c2d97f1781b7b66b9eb8a853
SHA256 03351ce66b2b2220b27189d593149799d2ed6a747882fa7fcf59429f7b779c55
SHA512 8abafea816d3de0c57673fed0736d0e80846c78fccec74de1da7da0f8c9c08e444723f00e206a85546455697e7df444ecf2d8307b876c853420815677a3ffd39

\Windows\SysWOW64\Ecqqpgli.exe

MD5 ec30c13caa70cd93f3b47e5a1bbc93be
SHA1 ed51b477bd5bb39a44586dd106d86c95932cca06
SHA256 87629bdfcbc2566387c291345e3722b9bf06423e5a2edf80b4df57ecbe541b6d
SHA512 38f51c7678c12ee28f8992cfb5f9f803e6611c61edf54263b9e6d64a0c5e8e41f00562764a050b0906a4c514f81e4ba3567c11cdf7ef6c49cb05ac8e8a11e16f

memory/1792-146-0x0000000000400000-0x000000000043A000-memory.dmp

\Windows\SysWOW64\Eqdajkkb.exe

MD5 8921de21498dab71d511b14192c562b6
SHA1 adcc4b3c76003ba3cf888b3b6e8b78fba4314384
SHA256 f51abe00fe925efd4b4798fe5ccc53f2b89ac8e43848b404b7b5f06039e5aa69
SHA512 d032e96a90c94a8c2deeda391071c484a3cba9451047586d68b616f49bda889e6d88fe8c9f5ca290cfcb4e0de59d7ee860f1e2418f8fff7cfac145830ca4f96a

memory/272-159-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2780-165-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Enhacojl.exe

MD5 8d82c73b0e51392714c4150fd1c1ab5b
SHA1 092832ddfc83f6fdfc5a5adfcb06f82afc1e42b4
SHA256 5a4e9a243a2d259d10e58057c71e9ae9211a61c86a0f747d84a95cfc083ef335
SHA512 50a958d5057db08f17753b78cafbcbecc09d098ed2d6b6a109747a178d71dc1e7c97d9a116d7da2aceb1e54d97a62c074eb2ca0e8354269f1121bab17b898d54

C:\Windows\SysWOW64\Ecejkf32.exe

MD5 631eb50bd22de2544ecbcaf5cbc871ea
SHA1 439cdb95e720dee11c60eae855e05e142d954a62
SHA256 549d329eafe506e5c6efeeb11bad2c4fdb09812165414315c5434a84a529844b
SHA512 5e342b5c252428f783786967e32046470e1c114e521fdfac39a7151318069026a21ab274f8f737afaceff45545fefeda6dce05e87192d9c3eef4ca3d962d441d

memory/1528-192-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Eibbcm32.exe

MD5 1dbb096542c978f4e11c106be6c274b3
SHA1 0c76f754203aef32353f7783b3a4e8375053601e
SHA256 95e3a06be53779ad5a37b6ce8cea66726a33e1d9d818008a1e4c51e3fc0485b2
SHA512 d5f08529356af5c9029fd34f11daf96071774ea1e5a5fff5d579772d8a357dcbd60286107a6894b8910623e55a487a714a1c7261237bf6699de29b8c26604518

memory/1528-202-0x0000000000220000-0x000000000025A000-memory.dmp

memory/1528-199-0x0000000000220000-0x000000000025A000-memory.dmp

C:\Windows\SysWOW64\Echfaf32.exe

MD5 da51405c1e8f6a1f7fb85c0a21ed0085
SHA1 3cacf8e62464d623b5324d7c5c37e5a4a5a6cd66
SHA256 3a84fed68c78a0145f19ce3c4607e2768a13f4e1660cc30f8b8e86285a6a01f4
SHA512 b57f8598b328f16a6f8c096f28040e61929dfd89a608dba6e991957c3358966bce855feebc4b89f10ff6726be5e0705372ba25dd67bbf0095463726d4bd34f20

memory/2692-185-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2564-180-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1264-218-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1980-221-0x0000000000440000-0x000000000047A000-memory.dmp

memory/1980-223-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1676-222-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1980-224-0x0000000000440000-0x000000000047A000-memory.dmp

memory/1264-220-0x0000000000220000-0x000000000025A000-memory.dmp

C:\Windows\SysWOW64\Fkckeh32.exe

MD5 9eea0c91a4f35d79e91ccb559648dc93
SHA1 80c00c24a458bd33b665093766833f1947750d71
SHA256 2799f310c1f99a80fdce7e114dc5d1cb6250ebd7fca6ef80af33561ab2ecfdad
SHA512 ccf28e1268723c36ee43324c46b871cab48a30de7bd1154533814cc7b4c07a57f61b91cb5bcdcd904b7cc8db8afefa0189d044a58bbca7f722eb573f8d62989c

memory/1752-229-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1684-230-0x00000000001B0000-0x00000000001EA000-memory.dmp

memory/1692-231-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1792-232-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1264-233-0x0000000000220000-0x000000000025A000-memory.dmp

memory/1528-234-0x0000000000220000-0x000000000025A000-memory.dmp

memory/1676-235-0x0000000000220000-0x000000000025A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:12

Reported

2024-04-07 19:15

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekgbccni.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omqmop32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiacacpg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efblbbqd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npgmpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bahdob32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgcihgaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oodcdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofkgcobj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eemgplno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inpccihl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlghoa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlambk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjccdkki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Daollh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jeaiij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Khfkfedn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fggfnc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hoclopne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngndaccj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnkbkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hehdfdek.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdpaeehj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkhnjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jhnojl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gjcmngnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qcgffqei.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajpqnneo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnangaoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojomcopk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbebilli.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hloqml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgqfdnah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnhgjaml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jhhodg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jelonkph.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kcbfcigf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npgmpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qclmck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iagqgn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jejbhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boipmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fibhpbea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Knfeeimj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oikjkc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpjfgf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qcgffqei.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iplkpa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nfjola32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doojec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkdpbpih.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckdkhq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Laffpi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Elpkep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jnpjlajn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Caageq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hnphoj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkegbpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifihif32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhpiafnm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ploknb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcblpdgg.exe N/A
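The persistence mechanism recorded above is a ShellServiceObjectDelayLoad (SSODL) entry: Explorer instantiates every CLSID listed under that key at shell start, and the "Modifies registry class" signature further down shows the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, being given an InProcServer32 that points at a dropped DLL under SysWow64 (Ogfapnkp.dll, Aanpie32.dll and others, one per run). Two caveats matter when hunting for it. The sample is a 32-bit binary, so its writes land in the WOW6432Node view of HKLM\SOFTWARE, which is why every row above carries that path; the 64-bit Explorer on a 64-bit host reads the native key, so the entry must be searched for in both views. And the SSODL value itself only names a CLSID, so the CLSID has to be resolved through HKLM\SOFTWARE\Classes\...\CLSID\{...}\InProcServer32 to find the DLL. The script below is an added hunting example, not part of the sandbox report or any vendor tooling; the function names are mine, it assumes a 64-bit host and an elevated session, and the only values it takes from the report are the CLSID and the "Web Event Logger" value name.

```powershell
# Added hunting script (not part of the sandbox report): list ShellServiceObjectDelayLoad
# (SSODL) registrations from both the native and the WOW6432Node registry views, resolve
# each CLSID to its InProcServer32 DLL and flag anything that is orphaned, unsigned, or
# matches the CLSID / value name recorded in the report. Run from 64-bit, elevated
# PowerShell on the host being examined. Function names and thresholds are assumptions.

# Indicators copied from the report; everything below them is assumption.
$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
$KnownBadValue = 'Web Event Logger'

# Both views: a 32-bit dropper (SysWOW64) lands under WOW6432Node, a 64-bit one does not.
$SsodlKeys = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad';             Wow64 = $false },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'; Wow64 = $true  }
)

function Resolve-SsodlServer {
    # Returns the DLL registered as InProcServer32 for $Clsid in the requested view,
    # or $null when the CLSID has no in-process server (an orphaned SSODL entry).
    param([string]$Clsid, [bool]$Wow64)
    $base = if ($Wow64) { 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
    $key  = Join-Path $base "$Clsid\InProcServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = [string](Get-Item -LiteralPath $key).GetValue('')      # '' reads the (Default) value
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    # A 32-bit InProcServer32 that says system32 is redirected to SysWOW64 by the
    # 32-bit loader; mirror that so the file check looks where the DLL really is.
    if ($Wow64 -and [Environment]::Is64BitProcess) {
        $dll = $dll -replace '(?i)\\system32\\', '\SysWOW64\'
    }
    return $dll
}

function Get-SsodlFindings {
    # One object per SSODL value in either view, with the resolved DLL, its Authenticode
    # status (catalog-signed Microsoft DLLs report Valid) and the reasons it was flagged.
    foreach ($entry in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $entry.Path)) { continue }
        $key = Get-Item -LiteralPath $entry.Path
        foreach ($name in $key.GetValueNames()) {
            $clsid = [string]$key.GetValue($name)
            $dll   = Resolve-SsodlServer -Clsid $clsid -Wow64 $entry.Wow64
            $sigStatus = 'NoFile'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            }
            $reasons = @()
            if ($clsid -ieq $KnownBadClsid) { $reasons += 'known CLSID' }
            if ($name  -ieq $KnownBadValue) { $reasons += 'known value name' }
            if (-not $dll)                  { $reasons += 'no InProcServer32' }
            elseif ($sigStatus -ne 'Valid') { $reasons += "signature: $sigStatus" }
            [pscustomobject]@{
                View       = if ($entry.Wow64) { 'WOW6432Node' } else { 'Native' }
                ValueName  = $name
                CLSID      = $clsid
                DLL        = $dll
                Signature  = $sigStatus
                Suspicious = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

Get-SsodlFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Anything with Suspicious = True needs triage rather than automatic removal: a legitimate SSODL value whose DLL has since been removed from the image will show up as an orphan, and a Valid signature status on the resolved DLL is only meaningful if the path points into a Windows directory you trust. For this family the dropped DLL names are random eight-letter strings, so an unsigned DLL under SysWOW64 referenced from a freshly created CLSID is the combination to look for, and the same CLSID should be checked across the whole fleet because the report shows it is constant across runs while the file names change.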

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Pclgkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqijje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcgffqei.exe N/A
N/A N/A C:\Windows\SysWOW64\Anmjcieo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ageolo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anogiicl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmemac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Daqbip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekgbccni.exe N/A
N/A N/A C:\Windows\SysWOW64\Eemgplno.exe N/A
N/A N/A C:\Windows\SysWOW64\Egnchd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eachem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdbdah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Feapkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fojedapj.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdfmlhna.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkqeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fefjfked.exe N/A
N/A N/A C:\Windows\SysWOW64\Fggfnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnaokmco.exe N/A
N/A N/A C:\Windows\SysWOW64\Gekcaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghklce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhihdcbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hocqam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkjafn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbdjchgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkmnln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idebdcdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikokan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iickkbje.exe N/A
N/A N/A C:\Windows\SysWOW64\Inpccihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ighhln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifihif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikfabm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jilnqqbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlpfgbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Npchgdcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Neppokal.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlihle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhpiafnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nojanpej.exe N/A
N/A N/A C:\Windows\SysWOW64\Nipekiep.exe N/A
N/A N/A C:\Windows\SysWOW64\Nomncpcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocffempp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjpobg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ploknb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcicklnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfgogh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Poaqemao.exe N/A
N/A N/A C:\Windows\SysWOW64\Pflibgil.exe N/A
N/A N/A C:\Windows\SysWOW64\Phjenbhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Podmkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfnegggi.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgnbaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqffjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgpogili.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlmgopjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Agbkmijg.exe N/A
N/A N/A C:\Windows\SysWOW64\Amodep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdhbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amaqjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ackigjmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aihaoqlp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ipecicga.dll C:\Windows\SysWOW64\Bpedeiff.exe N/A
File created C:\Windows\SysWOW64\Cbkfbcpb.exe C:\Windows\SysWOW64\Cajjjk32.exe N/A
File created C:\Windows\SysWOW64\Pfnegggi.exe C:\Windows\SysWOW64\Podmkm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpmomo32.exe C:\Windows\SysWOW64\Gegkpf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnmmboed.exe C:\Windows\SysWOW64\Mcgiefen.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdhbpf32.exe C:\Windows\SysWOW64\Kkpnga32.exe N/A
File created C:\Windows\SysWOW64\Dlghoa32.exe C:\Windows\SysWOW64\Akhcfe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcegclgp.exe C:\Windows\SysWOW64\Pcbkml32.exe N/A
File created C:\Windows\SysWOW64\Abfdpfaj.exe C:\Windows\SysWOW64\Apggckbf.exe N/A
File opened for modification C:\Windows\SysWOW64\Fojedapj.exe C:\Windows\SysWOW64\Feapkk32.exe N/A
File created C:\Windows\SysWOW64\Cikglnkj.exe C:\Windows\SysWOW64\Cflkpblf.exe N/A
File created C:\Windows\SysWOW64\Hemikcpm.dll C:\Windows\SysWOW64\Kcbfcigf.exe N/A
File created C:\Windows\SysWOW64\Ddnobj32.exe C:\Windows\SysWOW64\Dndgfpbo.exe N/A
File opened for modification C:\Windows\SysWOW64\Egnchd32.exe C:\Windows\SysWOW64\Eemgplno.exe N/A
File created C:\Windows\SysWOW64\Pefhlaie.exe C:\Windows\SysWOW64\Polppg32.exe N/A
File created C:\Windows\SysWOW64\Dnonkq32.exe C:\Windows\SysWOW64\Dhbebj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecikjoep.exe C:\Windows\SysWOW64\Eahobg32.exe N/A
File created C:\Windows\SysWOW64\Bajqda32.exe C:\Windows\SysWOW64\Boldhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djjebh32.exe C:\Windows\SysWOW64\Dcpmen32.exe N/A
File created C:\Windows\SysWOW64\Kjccdkki.exe C:\Windows\SysWOW64\Igdnabjh.exe N/A
File created C:\Windows\SysWOW64\Lcggio32.exe C:\Windows\SysWOW64\Lqikmc32.exe N/A
File created C:\Windows\SysWOW64\Ejnnldhi.dll C:\Windows\SysWOW64\Cajjjk32.exe N/A
File created C:\Windows\SysWOW64\Policp32.dll C:\Windows\SysWOW64\Nipekiep.exe N/A
File created C:\Windows\SysWOW64\Hnbfbhoh.dll C:\Windows\SysWOW64\Amodep32.exe N/A
File created C:\Windows\SysWOW64\Mhibfmcl.dll C:\Windows\SysWOW64\Bclang32.exe N/A
File created C:\Windows\SysWOW64\Knfeeimj.exe C:\Windows\SysWOW64\Kcpahpmd.exe N/A
File created C:\Windows\SysWOW64\Dddjmo32.dll C:\Windows\SysWOW64\Pfiddm32.exe N/A
File created C:\Windows\SysWOW64\Edihdb32.exe C:\Windows\SysWOW64\Eajlhg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nomncpcg.exe C:\Windows\SysWOW64\Nipekiep.exe N/A
File created C:\Windows\SysWOW64\Aloccc32.dll C:\Windows\SysWOW64\Bpnihiio.exe N/A
File created C:\Windows\SysWOW64\Jocnlg32.exe C:\Windows\SysWOW64\Jlbejloe.exe N/A
File created C:\Windows\SysWOW64\Klgqabib.exe C:\Windows\SysWOW64\Kocphojh.exe N/A
File created C:\Windows\SysWOW64\Efbdhf32.dll C:\Windows\SysWOW64\Feapkk32.exe N/A
File created C:\Windows\SysWOW64\Hhhjoabm.dll C:\Windows\SysWOW64\Gkmdecbg.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmfhkf32.exe C:\Windows\SysWOW64\Kjhloj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmbiamhi.exe C:\Windows\SysWOW64\Bfhadc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Flqdlnde.exe C:\Windows\SysWOW64\Fibhpbea.exe N/A
File created C:\Windows\SysWOW64\Jlbejloe.exe C:\Windows\SysWOW64\Ibjqaf32.exe N/A
File created C:\Windows\SysWOW64\Igjbci32.exe C:\Windows\SysWOW64\Ielfgmnj.exe N/A
File created C:\Windows\SysWOW64\Laffpi32.exe C:\Windows\SysWOW64\Lklnconj.exe N/A
File created C:\Windows\SysWOW64\Gdcliikj.exe C:\Windows\SysWOW64\Gfokoelp.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnkbkk32.exe C:\Windows\SysWOW64\Phajna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Illfdc32.exe C:\Windows\SysWOW64\Ifomll32.exe N/A
File created C:\Windows\SysWOW64\Kghfphob.dll C:\Windows\SysWOW64\Iidphgcn.exe N/A
File opened for modification C:\Windows\SysWOW64\Nncccnol.exe C:\Windows\SysWOW64\Njhgbp32.exe N/A
File created C:\Windows\SysWOW64\Fggdpnkf.exe C:\Windows\SysWOW64\Edihdb32.exe N/A
File created C:\Windows\SysWOW64\Hahohdla.dll C:\Windows\SysWOW64\Nemmoe32.exe N/A
File created C:\Windows\SysWOW64\Hoclopne.exe C:\Windows\SysWOW64\Hfhgkmpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Affikdfn.exe C:\Windows\SysWOW64\Aibibp32.exe N/A
File created C:\Windows\SysWOW64\Deqcbpld.exe C:\Windows\SysWOW64\Dkhnjk32.exe N/A
File created C:\Windows\SysWOW64\Phajna32.exe C:\Windows\SysWOW64\Pagbaglh.exe N/A
File created C:\Windows\SysWOW64\Afgacokc.exe C:\Windows\SysWOW64\Ajpqnneo.exe N/A
File created C:\Windows\SysWOW64\Hbdmdpjg.dll C:\Windows\SysWOW64\Jpaekqhh.exe N/A
File created C:\Windows\SysWOW64\Lnldla32.exe C:\Windows\SysWOW64\Lgbloglj.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjlgdc32.exe C:\Windows\SysWOW64\Bcbohigp.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkcadhgm.exe C:\Windows\SysWOW64\Pefhlaie.exe N/A
File created C:\Windows\SysWOW64\Pofkjd32.dll C:\Windows\SysWOW64\Gjdaodja.exe N/A
File created C:\Windows\SysWOW64\Iefgbh32.exe C:\Windows\SysWOW64\Ipjoja32.exe N/A
File created C:\Windows\SysWOW64\Nceefd32.exe C:\Windows\SysWOW64\Ngndaccj.exe N/A
File created C:\Windows\SysWOW64\Flippejg.dll C:\Windows\SysWOW64\Qgnbaj32.exe N/A
File created C:\Windows\SysWOW64\Nlkgmh32.exe C:\Windows\SysWOW64\Lcggio32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbebilli.exe C:\Windows\SysWOW64\Lhpnlclc.exe N/A
File created C:\Windows\SysWOW64\Cggkemhh.dll C:\Windows\SysWOW64\Qjfmkk32.exe N/A
File created C:\Windows\SysWOW64\Indkpcdk.exe C:\Windows\SysWOW64\Igjbci32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ldikgdpe.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pakdbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfapnkp.dll" C:\Windows\SysWOW64\Boklbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bahdob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jemfhacc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kheekkjl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll" C:\Windows\SysWOW64\Aabkbono.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pcicklnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfnegggi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll" C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apjdikqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aggamk32.dll" C:\Windows\SysWOW64\Bfhadc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdlakbf.dll" C:\Windows\SysWOW64\Hlpfhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibajgf32.dll" C:\Windows\SysWOW64\Cflkpblf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkjdh32.dll" C:\Windows\SysWOW64\Ahqddk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qfmfefni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acqgojmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkegbpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll" C:\Windows\SysWOW64\Qcgffqei.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aihaoqlp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jhnojl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Omfekbdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnaokmco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhmbqm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll" C:\Windows\SysWOW64\Klgqabib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dleglm32.dll" C:\Windows\SysWOW64\Ocffempp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Enkdaepb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lqmmmmph.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll" C:\Windows\SysWOW64\Qdoacabq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ohnohn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbbdk32.dll" C:\Windows\SysWOW64\Hmbfbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apggckbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkhnjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahqddk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afgacokc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dahmfpap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lancko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghklce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dahmfpap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Omalpc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qclmck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdcdg32.dll" C:\Windows\SysWOW64\Aalmimfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fcbnpnme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkpnga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqffjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Phajna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpimcmab.dll" C:\Windows\SysWOW64\Ccchof32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdpmbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll" C:\Windows\SysWOW64\Ahmjjoig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ampaho32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnljkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popieg32.dll" C:\Windows\SysWOW64\Egnchd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cikglnkj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pefhlaie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lqmmmmph.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aalmimfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjjpbg32.dll" C:\Windows\SysWOW64\Ekgbccni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgpogili.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmbfbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdaleh32.dll" C:\Windows\SysWOW64\Epffbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbllbmg.dll" C:\Windows\SysWOW64\Phjenbhp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebjcajjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjpeo32.dll" C:\Windows\SysWOW64\Nmbjcljl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofkgcobj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oqklkbbi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe C:\Windows\SysWOW64\Pclgkb32.exe
PID 3244 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe C:\Windows\SysWOW64\Pclgkb32.exe
PID 3244 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe C:\Windows\SysWOW64\Pclgkb32.exe
PID 1540 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Pclgkb32.exe C:\Windows\SysWOW64\Qqijje32.exe
PID 1540 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Pclgkb32.exe C:\Windows\SysWOW64\Qqijje32.exe
PID 1540 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Pclgkb32.exe C:\Windows\SysWOW64\Qqijje32.exe
PID 2580 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Qqijje32.exe C:\Windows\SysWOW64\Qcgffqei.exe
PID 2580 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Qqijje32.exe C:\Windows\SysWOW64\Qcgffqei.exe
PID 2580 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Qqijje32.exe C:\Windows\SysWOW64\Qcgffqei.exe
PID 4884 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Anmjcieo.exe
PID 4884 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Anmjcieo.exe
PID 4884 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Anmjcieo.exe
PID 1728 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Anmjcieo.exe C:\Windows\SysWOW64\Ageolo32.exe
PID 1728 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Anmjcieo.exe C:\Windows\SysWOW64\Ageolo32.exe
PID 1728 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Anmjcieo.exe C:\Windows\SysWOW64\Ageolo32.exe
PID 4912 wrote to memory of 2056 N/A C:\Windows\SysWOW64\Ageolo32.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 4912 wrote to memory of 2056 N/A C:\Windows\SysWOW64\Ageolo32.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 4912 wrote to memory of 2056 N/A C:\Windows\SysWOW64\Ageolo32.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 2056 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 2056 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 2056 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 3068 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Bmemac32.exe
PID 3068 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Bmemac32.exe
PID 3068 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Bmemac32.exe
PID 1824 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Daqbip32.exe
PID 1824 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Daqbip32.exe
PID 1824 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Daqbip32.exe
PID 2320 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Daqbip32.exe C:\Windows\SysWOW64\Ekgbccni.exe
PID 2320 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Daqbip32.exe C:\Windows\SysWOW64\Ekgbccni.exe
PID 2320 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Daqbip32.exe C:\Windows\SysWOW64\Ekgbccni.exe
PID 2480 wrote to memory of 2276 N/A C:\Windows\SysWOW64\Ekgbccni.exe C:\Windows\SysWOW64\Eemgplno.exe
PID 2480 wrote to memory of 2276 N/A C:\Windows\SysWOW64\Ekgbccni.exe C:\Windows\SysWOW64\Eemgplno.exe
PID 2480 wrote to memory of 2276 N/A C:\Windows\SysWOW64\Ekgbccni.exe C:\Windows\SysWOW64\Eemgplno.exe
PID 2276 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Eemgplno.exe C:\Windows\SysWOW64\Egnchd32.exe
PID 2276 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Eemgplno.exe C:\Windows\SysWOW64\Egnchd32.exe
PID 2276 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Eemgplno.exe C:\Windows\SysWOW64\Egnchd32.exe
PID 1648 wrote to memory of 3232 N/A C:\Windows\SysWOW64\Egnchd32.exe C:\Windows\SysWOW64\Eachem32.exe
PID 1648 wrote to memory of 3232 N/A C:\Windows\SysWOW64\Egnchd32.exe C:\Windows\SysWOW64\Eachem32.exe
PID 1648 wrote to memory of 3232 N/A C:\Windows\SysWOW64\Egnchd32.exe C:\Windows\SysWOW64\Eachem32.exe
PID 3232 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Eachem32.exe C:\Windows\SysWOW64\Fdbdah32.exe
PID 3232 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Eachem32.exe C:\Windows\SysWOW64\Fdbdah32.exe
PID 3232 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Eachem32.exe C:\Windows\SysWOW64\Fdbdah32.exe
PID 2980 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Fdbdah32.exe C:\Windows\SysWOW64\Feapkk32.exe
PID 2980 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Fdbdah32.exe C:\Windows\SysWOW64\Feapkk32.exe
PID 2980 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Fdbdah32.exe C:\Windows\SysWOW64\Feapkk32.exe
PID 5044 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Feapkk32.exe C:\Windows\SysWOW64\Fojedapj.exe
PID 5044 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Feapkk32.exe C:\Windows\SysWOW64\Fojedapj.exe
PID 5044 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Feapkk32.exe C:\Windows\SysWOW64\Fojedapj.exe
PID 2608 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Fojedapj.exe C:\Windows\SysWOW64\Fdfmlhna.exe
PID 2608 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Fojedapj.exe C:\Windows\SysWOW64\Fdfmlhna.exe
PID 2608 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Fojedapj.exe C:\Windows\SysWOW64\Fdfmlhna.exe
PID 1800 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Fdfmlhna.exe C:\Windows\SysWOW64\Fkqeib32.exe
PID 1800 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Fdfmlhna.exe C:\Windows\SysWOW64\Fkqeib32.exe
PID 1800 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Fdfmlhna.exe C:\Windows\SysWOW64\Fkqeib32.exe
PID 1852 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Fkqeib32.exe C:\Windows\SysWOW64\Fefjfked.exe
PID 1852 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Fkqeib32.exe C:\Windows\SysWOW64\Fefjfked.exe
PID 1852 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Fkqeib32.exe C:\Windows\SysWOW64\Fefjfked.exe
PID 2348 wrote to memory of 936 N/A C:\Windows\SysWOW64\Fefjfked.exe C:\Windows\SysWOW64\Fggfnc32.exe
PID 2348 wrote to memory of 936 N/A C:\Windows\SysWOW64\Fefjfked.exe C:\Windows\SysWOW64\Fggfnc32.exe
PID 2348 wrote to memory of 936 N/A C:\Windows\SysWOW64\Fefjfked.exe C:\Windows\SysWOW64\Fggfnc32.exe
PID 936 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Fggfnc32.exe C:\Windows\SysWOW64\Fnaokmco.exe
PID 936 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Fggfnc32.exe C:\Windows\SysWOW64\Fnaokmco.exe
PID 936 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Fggfnc32.exe C:\Windows\SysWOW64\Fnaokmco.exe
PID 2124 wrote to memory of 1872 N/A C:\Windows\SysWOW64\Fnaokmco.exe C:\Windows\SysWOW64\Gekcaj32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe

"C:\Users\Admin\AppData\Local\Temp\1ed1006989b746e678e54f7a5e532ea7bef138b128331b36b1fd12d7ddc8093c.exe"

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Ekgbccni.exe

C:\Windows\system32\Ekgbccni.exe

C:\Windows\SysWOW64\Eemgplno.exe

C:\Windows\system32\Eemgplno.exe

C:\Windows\SysWOW64\Egnchd32.exe

C:\Windows\system32\Egnchd32.exe

C:\Windows\SysWOW64\Eachem32.exe

C:\Windows\system32\Eachem32.exe

C:\Windows\SysWOW64\Fdbdah32.exe

C:\Windows\system32\Fdbdah32.exe

C:\Windows\SysWOW64\Feapkk32.exe

C:\Windows\system32\Feapkk32.exe

C:\Windows\SysWOW64\Fojedapj.exe

C:\Windows\system32\Fojedapj.exe

C:\Windows\SysWOW64\Fdfmlhna.exe

C:\Windows\system32\Fdfmlhna.exe

C:\Windows\SysWOW64\Fkqeib32.exe

C:\Windows\system32\Fkqeib32.exe

C:\Windows\SysWOW64\Fefjfked.exe

C:\Windows\system32\Fefjfked.exe

C:\Windows\SysWOW64\Fggfnc32.exe

C:\Windows\system32\Fggfnc32.exe

C:\Windows\SysWOW64\Fnaokmco.exe

C:\Windows\system32\Fnaokmco.exe

C:\Windows\SysWOW64\Gekcaj32.exe

C:\Windows\system32\Gekcaj32.exe

C:\Windows\SysWOW64\Ghklce32.exe

C:\Windows\system32\Ghklce32.exe

C:\Windows\SysWOW64\Hhihdcbp.exe

C:\Windows\system32\Hhihdcbp.exe

C:\Windows\SysWOW64\Hocqam32.exe

C:\Windows\system32\Hocqam32.exe

C:\Windows\SysWOW64\Hkjafn32.exe

C:\Windows\system32\Hkjafn32.exe

C:\Windows\SysWOW64\Hbdjchgn.exe

C:\Windows\system32\Hbdjchgn.exe

C:\Windows\SysWOW64\Hkmnln32.exe

C:\Windows\system32\Hkmnln32.exe

C:\Windows\SysWOW64\Idebdcdo.exe

C:\Windows\system32\Idebdcdo.exe

C:\Windows\SysWOW64\Ikokan32.exe

C:\Windows\system32\Ikokan32.exe

C:\Windows\SysWOW64\Iickkbje.exe

C:\Windows\system32\Iickkbje.exe

C:\Windows\SysWOW64\Inpccihl.exe

C:\Windows\system32\Inpccihl.exe

C:\Windows\SysWOW64\Ighhln32.exe

C:\Windows\system32\Ighhln32.exe

C:\Windows\SysWOW64\Ifihif32.exe

C:\Windows\system32\Ifihif32.exe

C:\Windows\SysWOW64\Ikfabm32.exe

C:\Windows\system32\Ikfabm32.exe

C:\Windows\SysWOW64\Jilnqqbj.exe

C:\Windows\system32\Jilnqqbj.exe

C:\Windows\SysWOW64\Nhlpfgbb.exe

C:\Windows\system32\Nhlpfgbb.exe

C:\Windows\SysWOW64\Npchgdcd.exe

C:\Windows\system32\Npchgdcd.exe

C:\Windows\SysWOW64\Neppokal.exe

C:\Windows\system32\Neppokal.exe

C:\Windows\SysWOW64\Nlihle32.exe

C:\Windows\system32\Nlihle32.exe

C:\Windows\SysWOW64\Nhpiafnm.exe

C:\Windows\system32\Nhpiafnm.exe

C:\Windows\SysWOW64\Nojanpej.exe

C:\Windows\system32\Nojanpej.exe

C:\Windows\SysWOW64\Nipekiep.exe

C:\Windows\system32\Nipekiep.exe

C:\Windows\SysWOW64\Nomncpcg.exe

C:\Windows\system32\Nomncpcg.exe

C:\Windows\SysWOW64\Ocffempp.exe

C:\Windows\system32\Ocffempp.exe

C:\Windows\SysWOW64\Pjpobg32.exe

C:\Windows\system32\Pjpobg32.exe

C:\Windows\SysWOW64\Ploknb32.exe

C:\Windows\system32\Ploknb32.exe

C:\Windows\SysWOW64\Pcicklnn.exe

C:\Windows\system32\Pcicklnn.exe

C:\Windows\SysWOW64\Pfgogh32.exe

C:\Windows\system32\Pfgogh32.exe

C:\Windows\SysWOW64\Poaqemao.exe

C:\Windows\system32\Poaqemao.exe

C:\Windows\SysWOW64\Pflibgil.exe

C:\Windows\system32\Pflibgil.exe

C:\Windows\SysWOW64\Phjenbhp.exe

C:\Windows\system32\Phjenbhp.exe

C:\Windows\SysWOW64\Podmkm32.exe

C:\Windows\system32\Podmkm32.exe

C:\Windows\SysWOW64\Pfnegggi.exe

C:\Windows\system32\Pfnegggi.exe

C:\Windows\SysWOW64\Qgnbaj32.exe

C:\Windows\system32\Qgnbaj32.exe

C:\Windows\SysWOW64\Qqffjo32.exe

C:\Windows\system32\Qqffjo32.exe

C:\Windows\SysWOW64\Qgpogili.exe

C:\Windows\system32\Qgpogili.exe

C:\Windows\SysWOW64\Qlmgopjq.exe

C:\Windows\system32\Qlmgopjq.exe

C:\Windows\SysWOW64\Agbkmijg.exe

C:\Windows\system32\Agbkmijg.exe

C:\Windows\SysWOW64\Amodep32.exe

C:\Windows\system32\Amodep32.exe

C:\Windows\SysWOW64\Agdhbi32.exe

C:\Windows\system32\Agdhbi32.exe

C:\Windows\SysWOW64\Amaqjp32.exe

C:\Windows\system32\Amaqjp32.exe

C:\Windows\SysWOW64\Ackigjmh.exe

C:\Windows\system32\Ackigjmh.exe

C:\Windows\SysWOW64\Aihaoqlp.exe

C:\Windows\system32\Aihaoqlp.exe

C:\Windows\SysWOW64\Aqaffn32.exe

C:\Windows\system32\Aqaffn32.exe

C:\Windows\SysWOW64\Afnnnd32.exe

C:\Windows\system32\Afnnnd32.exe

C:\Windows\SysWOW64\Bqdblmhl.exe

C:\Windows\system32\Bqdblmhl.exe

C:\Windows\SysWOW64\Bcbohigp.exe

C:\Windows\system32\Bcbohigp.exe

C:\Windows\SysWOW64\Bjlgdc32.exe

C:\Windows\system32\Bjlgdc32.exe

C:\Windows\SysWOW64\Boipmj32.exe

C:\Windows\system32\Boipmj32.exe

C:\Windows\SysWOW64\Bjodjb32.exe

C:\Windows\system32\Bjodjb32.exe

C:\Windows\SysWOW64\Boklbi32.exe

C:\Windows\system32\Boklbi32.exe

C:\Windows\SysWOW64\Bfedoc32.exe

C:\Windows\system32\Bfedoc32.exe

C:\Windows\SysWOW64\Bidqko32.exe

C:\Windows\system32\Bidqko32.exe

C:\Windows\SysWOW64\Bpnihiio.exe

C:\Windows\system32\Bpnihiio.exe

C:\Windows\SysWOW64\Bfhadc32.exe

C:\Windows\system32\Bfhadc32.exe

C:\Windows\SysWOW64\Bmbiamhi.exe

C:\Windows\system32\Bmbiamhi.exe

C:\Windows\SysWOW64\Bclang32.exe

C:\Windows\system32\Bclang32.exe

C:\Windows\SysWOW64\Bfjnjcni.exe

C:\Windows\system32\Bfjnjcni.exe

C:\Windows\SysWOW64\Cmdfgm32.exe

C:\Windows\system32\Cmdfgm32.exe

C:\Windows\SysWOW64\Cpbbch32.exe

C:\Windows\system32\Cpbbch32.exe

C:\Windows\SysWOW64\Cflkpblf.exe

C:\Windows\system32\Cflkpblf.exe

C:\Windows\SysWOW64\Cikglnkj.exe

C:\Windows\system32\Cikglnkj.exe

C:\Windows\SysWOW64\Cpeohh32.exe

C:\Windows\system32\Cpeohh32.exe

C:\Windows\SysWOW64\Cglgjeci.exe

C:\Windows\system32\Cglgjeci.exe

C:\Windows\SysWOW64\Cjjcfabm.exe

C:\Windows\system32\Cjjcfabm.exe

C:\Windows\SysWOW64\Ccchof32.exe

C:\Windows\system32\Ccchof32.exe

C:\Windows\SysWOW64\Cfadkb32.exe

C:\Windows\system32\Cfadkb32.exe

C:\Windows\SysWOW64\Cippgm32.exe

C:\Windows\system32\Cippgm32.exe

C:\Windows\SysWOW64\Caghhk32.exe

C:\Windows\system32\Caghhk32.exe

C:\Windows\SysWOW64\Cgqqdeod.exe

C:\Windows\system32\Cgqqdeod.exe

C:\Windows\SysWOW64\Cibmlmeb.exe

C:\Windows\system32\Cibmlmeb.exe

C:\Windows\SysWOW64\Caienjfd.exe

C:\Windows\system32\Caienjfd.exe

C:\Windows\SysWOW64\Cjaifp32.exe

C:\Windows\system32\Cjaifp32.exe

C:\Windows\SysWOW64\Nemmoe32.exe

C:\Windows\system32\Nemmoe32.exe

C:\Windows\SysWOW64\Nhbolp32.exe

C:\Windows\system32\Nhbolp32.exe

C:\Windows\SysWOW64\Oadfkdgd.exe

C:\Windows\system32\Oadfkdgd.exe

C:\Windows\SysWOW64\Ohnohn32.exe

C:\Windows\system32\Ohnohn32.exe

C:\Windows\SysWOW64\Oohgdhfn.exe

C:\Windows\system32\Oohgdhfn.exe

C:\Windows\SysWOW64\Oeaoab32.exe

C:\Windows\system32\Oeaoab32.exe

C:\Windows\SysWOW64\Polppg32.exe

C:\Windows\system32\Polppg32.exe

C:\Windows\SysWOW64\Pefhlaie.exe

C:\Windows\system32\Pefhlaie.exe

C:\Windows\SysWOW64\Pkcadhgm.exe

C:\Windows\system32\Pkcadhgm.exe

C:\Windows\SysWOW64\Phganm32.exe

C:\Windows\system32\Phganm32.exe

C:\Windows\SysWOW64\Pcmeke32.exe

C:\Windows\system32\Pcmeke32.exe

C:\Windows\SysWOW64\Phincl32.exe

C:\Windows\system32\Phincl32.exe

C:\Windows\SysWOW64\Pkhjph32.exe

C:\Windows\system32\Pkhjph32.exe

C:\Windows\SysWOW64\Qepkbpak.exe

C:\Windows\system32\Qepkbpak.exe

C:\Windows\SysWOW64\Ajndioga.exe

C:\Windows\system32\Ajndioga.exe

C:\Windows\SysWOW64\Ahqddk32.exe

C:\Windows\system32\Ahqddk32.exe

C:\Windows\SysWOW64\Akoqpg32.exe

C:\Windows\system32\Akoqpg32.exe

C:\Windows\SysWOW64\Acfhad32.exe

C:\Windows\system32\Acfhad32.exe

C:\Windows\SysWOW64\Ajpqnneo.exe

C:\Windows\system32\Ajpqnneo.exe

C:\Windows\SysWOW64\Afgacokc.exe

C:\Windows\system32\Afgacokc.exe

C:\Windows\SysWOW64\Ahenokjf.exe

C:\Windows\system32\Ahenokjf.exe

C:\Windows\SysWOW64\Ackbmcjl.exe

C:\Windows\system32\Ackbmcjl.exe

C:\Windows\SysWOW64\Akhcfe32.exe

C:\Windows\system32\Akhcfe32.exe

C:\Windows\SysWOW64\Dlghoa32.exe

C:\Windows\system32\Dlghoa32.exe

C:\Windows\SysWOW64\Dbqqkkbo.exe

C:\Windows\system32\Dbqqkkbo.exe

C:\Windows\SysWOW64\Dlieda32.exe

C:\Windows\system32\Dlieda32.exe

C:\Windows\SysWOW64\Dcpmen32.exe

C:\Windows\system32\Dcpmen32.exe

C:\Windows\SysWOW64\Djjebh32.exe

C:\Windows\system32\Djjebh32.exe

C:\Windows\SysWOW64\Dpgnjo32.exe

C:\Windows\system32\Dpgnjo32.exe

C:\Windows\SysWOW64\Efafgifc.exe

C:\Windows\system32\Efafgifc.exe

C:\Windows\SysWOW64\Eiobceef.exe

C:\Windows\system32\Eiobceef.exe

C:\Windows\SysWOW64\Efccmidp.exe

C:\Windows\system32\Efccmidp.exe

C:\Windows\SysWOW64\Ejoomhmi.exe

C:\Windows\system32\Ejoomhmi.exe

C:\Windows\SysWOW64\Elpkep32.exe

C:\Windows\system32\Elpkep32.exe

C:\Windows\SysWOW64\Ebjcajjd.exe

C:\Windows\system32\Ebjcajjd.exe

C:\Windows\SysWOW64\Ffclcgfn.exe

C:\Windows\system32\Ffclcgfn.exe

C:\Windows\SysWOW64\Fibhpbea.exe

C:\Windows\system32\Fibhpbea.exe

C:\Windows\SysWOW64\Flqdlnde.exe

C:\Windows\system32\Flqdlnde.exe

C:\Windows\SysWOW64\Fdglmkeg.exe

C:\Windows\system32\Fdglmkeg.exe

C:\Windows\SysWOW64\Fmpqfq32.exe

C:\Windows\system32\Fmpqfq32.exe

C:\Windows\SysWOW64\Gjdaodja.exe

C:\Windows\system32\Gjdaodja.exe

C:\Windows\SysWOW64\Giinpa32.exe

C:\Windows\system32\Giinpa32.exe

C:\Windows\SysWOW64\Gpcfmkff.exe

C:\Windows\system32\Gpcfmkff.exe

C:\Windows\SysWOW64\Gfmojenc.exe

C:\Windows\system32\Gfmojenc.exe

C:\Windows\SysWOW64\Gfokoelp.exe

C:\Windows\system32\Gfokoelp.exe

C:\Windows\SysWOW64\Gdcliikj.exe

C:\Windows\system32\Gdcliikj.exe

C:\Windows\SysWOW64\Gkmdecbg.exe

C:\Windows\system32\Gkmdecbg.exe

C:\Windows\SysWOW64\Hloqml32.exe

C:\Windows\system32\Hloqml32.exe

C:\Windows\SysWOW64\Hlambk32.exe

C:\Windows\system32\Hlambk32.exe

C:\Windows\SysWOW64\Hckeoeno.exe

C:\Windows\system32\Hckeoeno.exe

C:\Windows\SysWOW64\Hmpjmn32.exe

C:\Windows\system32\Hmpjmn32.exe

C:\Windows\SysWOW64\Hcmbee32.exe

C:\Windows\system32\Hcmbee32.exe

C:\Windows\SysWOW64\Hkdjfb32.exe

C:\Windows\system32\Hkdjfb32.exe

C:\Windows\SysWOW64\Hmbfbn32.exe

C:\Windows\system32\Hmbfbn32.exe

C:\Windows\SysWOW64\Hdmoohbo.exe

C:\Windows\system32\Hdmoohbo.exe

C:\Windows\SysWOW64\Hkfglb32.exe

C:\Windows\system32\Hkfglb32.exe

C:\Windows\SysWOW64\Hmechmip.exe

C:\Windows\system32\Hmechmip.exe

C:\Windows\SysWOW64\Hcblpdgg.exe

C:\Windows\system32\Hcblpdgg.exe

C:\Windows\SysWOW64\Iphioh32.exe

C:\Windows\system32\Iphioh32.exe

C:\Windows\SysWOW64\Idcepgmg.exe

C:\Windows\system32\Idcepgmg.exe

C:\Windows\SysWOW64\Ijqmhnko.exe

C:\Windows\system32\Ijqmhnko.exe

C:\Windows\SysWOW64\Igdnabjh.exe

C:\Windows\system32\Igdnabjh.exe

C:\Windows\SysWOW64\Kjccdkki.exe

C:\Windows\system32\Kjccdkki.exe

C:\Windows\SysWOW64\Kdigadjo.exe

C:\Windows\system32\Kdigadjo.exe

C:\Windows\SysWOW64\Kjepjkhf.exe

C:\Windows\system32\Kjepjkhf.exe

C:\Windows\SysWOW64\Kqphfe32.exe

C:\Windows\system32\Kqphfe32.exe

C:\Windows\SysWOW64\Kcndbp32.exe

C:\Windows\system32\Kcndbp32.exe

C:\Windows\SysWOW64\Kjhloj32.exe

C:\Windows\system32\Kjhloj32.exe

C:\Windows\SysWOW64\Kmfhkf32.exe

C:\Windows\system32\Kmfhkf32.exe

C:\Windows\SysWOW64\Kcpahpmd.exe

C:\Windows\system32\Kcpahpmd.exe

C:\Windows\SysWOW64\Knfeeimj.exe

C:\Windows\system32\Knfeeimj.exe

C:\Windows\SysWOW64\Kdpmbc32.exe

C:\Windows\system32\Kdpmbc32.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Knhakh32.exe

C:\Windows\system32\Knhakh32.exe

C:\Windows\SysWOW64\Kqfngd32.exe

C:\Windows\system32\Kqfngd32.exe

C:\Windows\SysWOW64\Lgqfdnah.exe

C:\Windows\system32\Lgqfdnah.exe

C:\Windows\SysWOW64\Lnjnqh32.exe

C:\Windows\system32\Lnjnqh32.exe

C:\Windows\SysWOW64\Lqikmc32.exe

C:\Windows\system32\Lqikmc32.exe

C:\Windows\SysWOW64\Lcggio32.exe

C:\Windows\system32\Lcggio32.exe

C:\Windows\SysWOW64\Nlkgmh32.exe

C:\Windows\system32\Nlkgmh32.exe

C:\Windows\SysWOW64\Ohcegi32.exe

C:\Windows\system32\Ohcegi32.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Oodcdb32.exe

C:\Windows\system32\Oodcdb32.exe

C:\Windows\SysWOW64\Pknqoc32.exe

C:\Windows\system32\Pknqoc32.exe

C:\Windows\SysWOW64\Pdhbmh32.exe

C:\Windows\system32\Pdhbmh32.exe

C:\Windows\SysWOW64\Qklmpalf.exe

C:\Windows\system32\Qklmpalf.exe

C:\Windows\SysWOW64\Baadiiif.exe

C:\Windows\system32\Baadiiif.exe

C:\Windows\SysWOW64\Bdpaeehj.exe

C:\Windows\system32\Bdpaeehj.exe

C:\Windows\SysWOW64\Blgifbil.exe

C:\Windows\system32\Blgifbil.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Bdbnjdfg.exe

C:\Windows\system32\Bdbnjdfg.exe

C:\Windows\SysWOW64\Bohbhmfm.exe

C:\Windows\system32\Bohbhmfm.exe

C:\Windows\SysWOW64\Bffcpg32.exe

C:\Windows\system32\Bffcpg32.exe

C:\Windows\SysWOW64\Cljobphg.exe

C:\Windows\system32\Cljobphg.exe

C:\Windows\SysWOW64\Dkhnjk32.exe

C:\Windows\system32\Dkhnjk32.exe

C:\Windows\SysWOW64\Deqcbpld.exe

C:\Windows\system32\Deqcbpld.exe

C:\Windows\SysWOW64\Enkdaepb.exe

C:\Windows\system32\Enkdaepb.exe

C:\Windows\SysWOW64\Efblbbqd.exe

C:\Windows\system32\Efblbbqd.exe

C:\Windows\SysWOW64\Emmdom32.exe

C:\Windows\system32\Emmdom32.exe

C:\Windows\SysWOW64\Epmmqheb.exe

C:\Windows\system32\Epmmqheb.exe

C:\Windows\SysWOW64\Glkmmefl.exe

C:\Windows\system32\Glkmmefl.exe

C:\Windows\SysWOW64\Hlpfhe32.exe

C:\Windows\system32\Hlpfhe32.exe

C:\Windows\SysWOW64\Hmpcbhji.exe

C:\Windows\system32\Hmpcbhji.exe

C:\Windows\SysWOW64\Hfhgkmpj.exe

C:\Windows\system32\Hfhgkmpj.exe

C:\Windows\SysWOW64\Hoclopne.exe

C:\Windows\system32\Hoclopne.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Hlglidlo.exe

C:\Windows\system32\Hlglidlo.exe

C:\Windows\SysWOW64\Iikmbh32.exe

C:\Windows\system32\Iikmbh32.exe

C:\Windows\SysWOW64\Ifomll32.exe

C:\Windows\system32\Ifomll32.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Iedjmioj.exe

C:\Windows\system32\Iedjmioj.exe

C:\Windows\SysWOW64\Ipjoja32.exe

C:\Windows\system32\Ipjoja32.exe

C:\Windows\SysWOW64\Iefgbh32.exe

C:\Windows\system32\Iefgbh32.exe

C:\Windows\SysWOW64\Iplkpa32.exe

C:\Windows\system32\Iplkpa32.exe

C:\Windows\SysWOW64\Iidphgcn.exe

C:\Windows\system32\Iidphgcn.exe

C:\Windows\SysWOW64\Jcmdaljn.exe

C:\Windows\system32\Jcmdaljn.exe

C:\Windows\SysWOW64\Jekqmhia.exe

C:\Windows\system32\Jekqmhia.exe

C:\Windows\SysWOW64\Jpaekqhh.exe

C:\Windows\system32\Jpaekqhh.exe

C:\Windows\SysWOW64\Jebfng32.exe

C:\Windows\system32\Jebfng32.exe

C:\Windows\SysWOW64\Jnlkedai.exe

C:\Windows\system32\Jnlkedai.exe

C:\Windows\SysWOW64\Kpmdfonj.exe

C:\Windows\system32\Kpmdfonj.exe

C:\Windows\SysWOW64\Koodbl32.exe

C:\Windows\system32\Koodbl32.exe

C:\Windows\SysWOW64\Klcekpdo.exe

C:\Windows\system32\Klcekpdo.exe

C:\Windows\SysWOW64\Koaagkcb.exe

C:\Windows\system32\Koaagkcb.exe

C:\Windows\SysWOW64\Kcpjnjii.exe

C:\Windows\system32\Kcpjnjii.exe

C:\Windows\SysWOW64\Kpcjgnhb.exe

C:\Windows\system32\Kpcjgnhb.exe

C:\Windows\SysWOW64\Kcbfcigf.exe

C:\Windows\system32\Kcbfcigf.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Loighj32.exe

C:\Windows\system32\Loighj32.exe

C:\Windows\SysWOW64\Ljnlecmp.exe

C:\Windows\system32\Ljnlecmp.exe

C:\Windows\SysWOW64\Llmhaold.exe

C:\Windows\system32\Llmhaold.exe

C:\Windows\SysWOW64\Lgbloglj.exe

C:\Windows\system32\Lgbloglj.exe

C:\Windows\SysWOW64\Lnldla32.exe

C:\Windows\system32\Lnldla32.exe

C:\Windows\SysWOW64\Ljceqb32.exe

C:\Windows\system32\Ljceqb32.exe

C:\Windows\SysWOW64\Lqmmmmph.exe

C:\Windows\system32\Lqmmmmph.exe

C:\Windows\SysWOW64\Lggejg32.exe

C:\Windows\system32\Lggejg32.exe

C:\Windows\SysWOW64\Lnangaoa.exe

C:\Windows\system32\Lnangaoa.exe

C:\Windows\SysWOW64\Lobjni32.exe

C:\Windows\system32\Lobjni32.exe

C:\Windows\SysWOW64\Ljhnlb32.exe

C:\Windows\system32\Ljhnlb32.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mnjqmpgg.exe

C:\Windows\system32\Mnjqmpgg.exe

C:\Windows\SysWOW64\Mcgiefen.exe

C:\Windows\system32\Mcgiefen.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Mcifkf32.exe

C:\Windows\system32\Mcifkf32.exe

C:\Windows\SysWOW64\Nmbjcljl.exe

C:\Windows\system32\Nmbjcljl.exe

C:\Windows\SysWOW64\Nclbpf32.exe

C:\Windows\system32\Nclbpf32.exe

C:\Windows\SysWOW64\Nfjola32.exe

C:\Windows\system32\Nfjola32.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Njhgbp32.exe

C:\Windows\system32\Njhgbp32.exe

C:\Windows\SysWOW64\Nncccnol.exe

C:\Windows\system32\Nncccnol.exe

C:\Windows\SysWOW64\Npepkf32.exe

C:\Windows\system32\Npepkf32.exe

C:\Windows\SysWOW64\Nfohgqlg.exe

C:\Windows\system32\Nfohgqlg.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Npgmpf32.exe

C:\Windows\system32\Npgmpf32.exe

C:\Windows\SysWOW64\Ngndaccj.exe

C:\Windows\system32\Ngndaccj.exe

C:\Windows\SysWOW64\Nceefd32.exe

C:\Windows\system32\Nceefd32.exe

C:\Windows\SysWOW64\Ojomcopk.exe

C:\Windows\system32\Ojomcopk.exe

C:\Windows\SysWOW64\Omnjojpo.exe

C:\Windows\system32\Omnjojpo.exe

C:\Windows\SysWOW64\Ocgbld32.exe

C:\Windows\system32\Ocgbld32.exe

C:\Windows\SysWOW64\Onmfimga.exe

C:\Windows\system32\Onmfimga.exe

C:\Windows\SysWOW64\Opnbae32.exe

C:\Windows\system32\Opnbae32.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Ofkgcobj.exe

C:\Windows\system32\Ofkgcobj.exe

C:\Windows\SysWOW64\Omdppiif.exe

C:\Windows\system32\Omdppiif.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Pagbaglh.exe

C:\Windows\system32\Pagbaglh.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Pjbcplpe.exe

C:\Windows\system32\Pjbcplpe.exe

C:\Windows\SysWOW64\Pmpolgoi.exe

C:\Windows\system32\Pmpolgoi.exe

C:\Windows\SysWOW64\Pdjgha32.exe

C:\Windows\system32\Pdjgha32.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Pdmdnadc.exe

C:\Windows\system32\Pdmdnadc.exe

C:\Windows\SysWOW64\Qjfmkk32.exe

C:\Windows\system32\Qjfmkk32.exe

C:\Windows\SysWOW64\Qpcecb32.exe

C:\Windows\system32\Qpcecb32.exe

C:\Windows\SysWOW64\Qdoacabq.exe

C:\Windows\system32\Qdoacabq.exe

C:\Windows\SysWOW64\Qfmmplad.exe

C:\Windows\system32\Qfmmplad.exe

C:\Windows\SysWOW64\Qmgelf32.exe

C:\Windows\system32\Qmgelf32.exe

C:\Windows\SysWOW64\Ahmjjoig.exe

C:\Windows\system32\Ahmjjoig.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Amnlme32.exe

C:\Windows\system32\Amnlme32.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Amqhbe32.exe

C:\Windows\system32\Amqhbe32.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Baannc32.exe

C:\Windows\system32\Baannc32.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Bmhocd32.exe

C:\Windows\system32\Bmhocd32.exe

C:\Windows\SysWOW64\Bhmbqm32.exe

C:\Windows\system32\Bhmbqm32.exe

C:\Windows\SysWOW64\Bklomh32.exe

C:\Windows\system32\Bklomh32.exe

C:\Windows\SysWOW64\Bgbpaipl.exe

C:\Windows\system32\Bgbpaipl.exe

C:\Windows\SysWOW64\Bahdob32.exe

C:\Windows\system32\Bahdob32.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Boldhf32.exe

C:\Windows\system32\Boldhf32.exe

C:\Windows\SysWOW64\Bajqda32.exe

C:\Windows\system32\Bajqda32.exe

C:\Windows\SysWOW64\Cggimh32.exe

C:\Windows\system32\Cggimh32.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Cnfkdb32.exe

C:\Windows\system32\Cnfkdb32.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Chkobkod.exe

C:\Windows\system32\Chkobkod.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cnhgjaml.exe

C:\Windows\system32\Cnhgjaml.exe

C:\Windows\SysWOW64\Dgcihgaj.exe

C:\Windows\system32\Dgcihgaj.exe

C:\Windows\SysWOW64\Dojqjdbl.exe

C:\Windows\system32\Dojqjdbl.exe

C:\Windows\SysWOW64\Dahmfpap.exe

C:\Windows\system32\Dahmfpap.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Dhbebj32.exe

C:\Windows\system32\Dhbebj32.exe

C:\Windows\SysWOW64\Dnonkq32.exe

C:\Windows\system32\Dnonkq32.exe

C:\Windows\SysWOW64\Dggbcf32.exe

C:\Windows\system32\Dggbcf32.exe

C:\Windows\SysWOW64\Doojec32.exe

C:\Windows\system32\Doojec32.exe

C:\Windows\SysWOW64\Dnajppda.exe

C:\Windows\system32\Dnajppda.exe

C:\Windows\SysWOW64\Ddkbmj32.exe

C:\Windows\system32\Ddkbmj32.exe

C:\Windows\SysWOW64\Dndgfpbo.exe

C:\Windows\system32\Dndgfpbo.exe

C:\Windows\SysWOW64\Ddnobj32.exe

C:\Windows\system32\Ddnobj32.exe

C:\Windows\SysWOW64\Eqgmmk32.exe

C:\Windows\system32\Eqgmmk32.exe

C:\Windows\SysWOW64\Edbiniff.exe

C:\Windows\system32\Edbiniff.exe

C:\Windows\SysWOW64\Ehpadhll.exe

C:\Windows\system32\Ehpadhll.exe

C:\Windows\SysWOW64\Ekonpckp.exe

C:\Windows\system32\Ekonpckp.exe

C:\Windows\SysWOW64\Eqlfhjig.exe

C:\Windows\system32\Eqlfhjig.exe

C:\Windows\SysWOW64\Ekcgkb32.exe

C:\Windows\system32\Ekcgkb32.exe

C:\Windows\SysWOW64\Fijdjfdb.exe

C:\Windows\system32\Fijdjfdb.exe

C:\Windows\SysWOW64\Fbbicl32.exe

C:\Windows\system32\Fbbicl32.exe

C:\Windows\SysWOW64\Fniihmpf.exe

C:\Windows\system32\Fniihmpf.exe

C:\Windows\SysWOW64\Fecadghc.exe

C:\Windows\system32\Fecadghc.exe

C:\Windows\SysWOW64\Fkmjaa32.exe

C:\Windows\system32\Fkmjaa32.exe

C:\Windows\SysWOW64\Fgcjfbed.exe

C:\Windows\system32\Fgcjfbed.exe

C:\Windows\SysWOW64\Gbiockdj.exe

C:\Windows\system32\Gbiockdj.exe

C:\Windows\SysWOW64\Gegkpf32.exe

C:\Windows\system32\Gegkpf32.exe

C:\Windows\SysWOW64\Gpmomo32.exe

C:\Windows\system32\Gpmomo32.exe

C:\Windows\SysWOW64\Gkdpbpih.exe

C:\Windows\system32\Gkdpbpih.exe

C:\Windows\SysWOW64\Gbnhoj32.exe

C:\Windows\system32\Gbnhoj32.exe

C:\Windows\SysWOW64\Ggkqgaol.exe

C:\Windows\system32\Ggkqgaol.exe

C:\Windows\SysWOW64\Gbpedjnb.exe

C:\Windows\system32\Gbpedjnb.exe

C:\Windows\SysWOW64\Gpdennml.exe

C:\Windows\system32\Gpdennml.exe

C:\Windows\SysWOW64\Hnibokbd.exe

C:\Windows\system32\Hnibokbd.exe

C:\Windows\SysWOW64\Hbenoi32.exe

C:\Windows\system32\Hbenoi32.exe

C:\Windows\SysWOW64\Hlmchoan.exe

C:\Windows\system32\Hlmchoan.exe

C:\Windows\SysWOW64\Hiacacpg.exe

C:\Windows\system32\Hiacacpg.exe

C:\Windows\SysWOW64\Hnnljj32.exe

C:\Windows\system32\Hnnljj32.exe

C:\Windows\SysWOW64\Hehdfdek.exe

C:\Windows\system32\Hehdfdek.exe

C:\Windows\SysWOW64\Hlblcn32.exe

C:\Windows\system32\Hlblcn32.exe

C:\Windows\SysWOW64\Hnphoj32.exe

C:\Windows\system32\Hnphoj32.exe

C:\Windows\SysWOW64\Hejqldci.exe

C:\Windows\system32\Hejqldci.exe

C:\Windows\SysWOW64\Haaaaeim.exe

C:\Windows\system32\Haaaaeim.exe

C:\Windows\SysWOW64\Ihkjno32.exe

C:\Windows\system32\Ihkjno32.exe

C:\Windows\SysWOW64\Ibqnkh32.exe

C:\Windows\system32\Ibqnkh32.exe

C:\Windows\SysWOW64\Iacngdgj.exe

C:\Windows\system32\Iacngdgj.exe

C:\Windows\SysWOW64\Ipdndloi.exe

C:\Windows\system32\Ipdndloi.exe

C:\Windows\SysWOW64\Ibcjqgnm.exe

C:\Windows\system32\Ibcjqgnm.exe

C:\Windows\SysWOW64\Iimcma32.exe

C:\Windows\system32\Iimcma32.exe

C:\Windows\SysWOW64\Ipgkjlmg.exe

C:\Windows\system32\Ipgkjlmg.exe

C:\Windows\SysWOW64\Ieccbbkn.exe

C:\Windows\system32\Ieccbbkn.exe

C:\Windows\SysWOW64\Ilnlom32.exe

C:\Windows\system32\Ilnlom32.exe

C:\Windows\SysWOW64\Ibjqaf32.exe

C:\Windows\system32\Ibjqaf32.exe

C:\Windows\SysWOW64\Jlbejloe.exe

C:\Windows\system32\Jlbejloe.exe

C:\Windows\SysWOW64\Jocnlg32.exe

C:\Windows\system32\Jocnlg32.exe

C:\Windows\SysWOW64\Jemfhacc.exe

C:\Windows\system32\Jemfhacc.exe

C:\Windows\SysWOW64\Jpbjfjci.exe

C:\Windows\system32\Jpbjfjci.exe

C:\Windows\SysWOW64\Jhnojl32.exe

C:\Windows\system32\Jhnojl32.exe

C:\Windows\SysWOW64\Jbccge32.exe

C:\Windows\system32\Jbccge32.exe

C:\Windows\SysWOW64\Jllhpkfk.exe

C:\Windows\system32\Jllhpkfk.exe

C:\Windows\SysWOW64\Jbepme32.exe

C:\Windows\system32\Jbepme32.exe

C:\Windows\SysWOW64\Khbiello.exe

C:\Windows\system32\Khbiello.exe

C:\Windows\SysWOW64\Kheekkjl.exe

C:\Windows\system32\Kheekkjl.exe

C:\Windows\SysWOW64\Kcjjhdjb.exe

C:\Windows\system32\Kcjjhdjb.exe

C:\Windows\SysWOW64\Klbnajqc.exe

C:\Windows\system32\Klbnajqc.exe

C:\Windows\SysWOW64\Kekbjo32.exe

C:\Windows\system32\Kekbjo32.exe

C:\Windows\SysWOW64\Klekfinp.exe

C:\Windows\system32\Klekfinp.exe

C:\Windows\SysWOW64\Kemooo32.exe

C:\Windows\system32\Kemooo32.exe

C:\Windows\SysWOW64\Kofdhd32.exe

C:\Windows\system32\Kofdhd32.exe

C:\Windows\SysWOW64\Lhnhajba.exe

C:\Windows\system32\Lhnhajba.exe

C:\Windows\SysWOW64\Lohqnd32.exe

C:\Windows\system32\Lohqnd32.exe

C:\Windows\SysWOW64\Lebijnak.exe

C:\Windows\system32\Lebijnak.exe

C:\Windows\SysWOW64\Lojmcdgl.exe

C:\Windows\system32\Lojmcdgl.exe

C:\Windows\SysWOW64\Ledepn32.exe

C:\Windows\system32\Ledepn32.exe

C:\Windows\SysWOW64\Lhcali32.exe

C:\Windows\system32\Lhcali32.exe

C:\Windows\SysWOW64\Lhenai32.exe

C:\Windows\system32\Lhenai32.exe

C:\Windows\SysWOW64\Loofnccf.exe

C:\Windows\system32\Loofnccf.exe

C:\Windows\SysWOW64\Lancko32.exe

C:\Windows\system32\Lancko32.exe

C:\Windows\SysWOW64\Llcghg32.exe

C:\Windows\system32\Llcghg32.exe

C:\Windows\SysWOW64\Lcmodajm.exe

C:\Windows\system32\Lcmodajm.exe

C:\Windows\SysWOW64\Mfkkqmiq.exe

C:\Windows\system32\Mfkkqmiq.exe

C:\Windows\SysWOW64\Mpapnfhg.exe

C:\Windows\system32\Mpapnfhg.exe

C:\Windows\SysWOW64\Mfnhfm32.exe

C:\Windows\system32\Mfnhfm32.exe

C:\Windows\SysWOW64\Mljmhflh.exe

C:\Windows\system32\Mljmhflh.exe

C:\Windows\SysWOW64\Mcdeeq32.exe

C:\Windows\system32\Mcdeeq32.exe

C:\Windows\SysWOW64\Mhanngbl.exe

C:\Windows\system32\Mhanngbl.exe

C:\Windows\SysWOW64\Mbibfm32.exe

C:\Windows\system32\Mbibfm32.exe

C:\Windows\SysWOW64\Mqjbddpl.exe

C:\Windows\system32\Mqjbddpl.exe

C:\Windows\SysWOW64\Nblolm32.exe

C:\Windows\system32\Nblolm32.exe

C:\Windows\SysWOW64\Nckkfp32.exe

C:\Windows\system32\Nckkfp32.exe

C:\Windows\SysWOW64\Nbnlaldg.exe

C:\Windows\system32\Nbnlaldg.exe

C:\Windows\SysWOW64\Nqoloc32.exe

C:\Windows\system32\Nqoloc32.exe

C:\Windows\SysWOW64\Nijqcf32.exe

C:\Windows\system32\Nijqcf32.exe

C:\Windows\SysWOW64\Nqcejcha.exe

C:\Windows\system32\Nqcejcha.exe

C:\Windows\SysWOW64\Nbebbk32.exe

C:\Windows\system32\Nbebbk32.exe

C:\Windows\SysWOW64\Njljch32.exe

C:\Windows\system32\Njljch32.exe

C:\Windows\SysWOW64\Nmjfodne.exe

C:\Windows\system32\Nmjfodne.exe

C:\Windows\SysWOW64\Ofckhj32.exe

C:\Windows\system32\Ofckhj32.exe

C:\Windows\SysWOW64\Ofegni32.exe

C:\Windows\system32\Ofegni32.exe

C:\Windows\SysWOW64\Oqklkbbi.exe

C:\Windows\system32\Oqklkbbi.exe

C:\Windows\SysWOW64\Ocihgnam.exe

C:\Windows\system32\Ocihgnam.exe

C:\Windows\SysWOW64\Ofgdcipq.exe

C:\Windows\system32\Ofgdcipq.exe

C:\Windows\SysWOW64\Omalpc32.exe

C:\Windows\system32\Omalpc32.exe

C:\Windows\SysWOW64\Ofjqihnn.exe

C:\Windows\system32\Ofjqihnn.exe

C:\Windows\SysWOW64\Ojemig32.exe

C:\Windows\system32\Ojemig32.exe

C:\Windows\SysWOW64\Omdieb32.exe

C:\Windows\system32\Omdieb32.exe

C:\Windows\SysWOW64\Obqanjdb.exe

C:\Windows\system32\Obqanjdb.exe

C:\Windows\SysWOW64\Oikjkc32.exe

C:\Windows\system32\Oikjkc32.exe

C:\Windows\SysWOW64\Omfekbdh.exe

C:\Windows\system32\Omfekbdh.exe

C:\Windows\SysWOW64\Pbcncibp.exe

C:\Windows\system32\Pbcncibp.exe

C:\Windows\SysWOW64\Pjjfdfbb.exe

C:\Windows\system32\Pjjfdfbb.exe

C:\Windows\SysWOW64\Pcbkml32.exe

C:\Windows\system32\Pcbkml32.exe

C:\Windows\SysWOW64\Pcegclgp.exe

C:\Windows\system32\Pcegclgp.exe

C:\Windows\SysWOW64\Pjoppf32.exe

C:\Windows\system32\Pjoppf32.exe

C:\Windows\SysWOW64\Pmmlla32.exe

C:\Windows\system32\Pmmlla32.exe

C:\Windows\SysWOW64\Pplhhm32.exe

C:\Windows\system32\Pplhhm32.exe

C:\Windows\SysWOW64\Pmphaaln.exe

C:\Windows\system32\Pmphaaln.exe

C:\Windows\SysWOW64\Pakdbp32.exe

C:\Windows\system32\Pakdbp32.exe

C:\Windows\SysWOW64\Qamago32.exe

C:\Windows\system32\Qamago32.exe

C:\Windows\SysWOW64\Qclmck32.exe

C:\Windows\system32\Qclmck32.exe

C:\Windows\SysWOW64\Qjffpe32.exe

C:\Windows\system32\Qjffpe32.exe

C:\Windows\SysWOW64\Qapnmopa.exe

C:\Windows\system32\Qapnmopa.exe

C:\Windows\SysWOW64\Qcnjijoe.exe

C:\Windows\system32\Qcnjijoe.exe

C:\Windows\SysWOW64\Qfmfefni.exe

C:\Windows\system32\Qfmfefni.exe

C:\Windows\SysWOW64\Qjhbfd32.exe

C:\Windows\system32\Qjhbfd32.exe

C:\Windows\SysWOW64\Aabkbono.exe

C:\Windows\system32\Aabkbono.exe

C:\Windows\SysWOW64\Acqgojmb.exe

C:\Windows\system32\Acqgojmb.exe

C:\Windows\SysWOW64\Ajjokd32.exe

C:\Windows\system32\Ajjokd32.exe

C:\Windows\SysWOW64\Amikgpcc.exe

C:\Windows\system32\Amikgpcc.exe

C:\Windows\SysWOW64\Apggckbf.exe

C:\Windows\system32\Apggckbf.exe

C:\Windows\SysWOW64\Abfdpfaj.exe

C:\Windows\system32\Abfdpfaj.exe

C:\Windows\SysWOW64\Ajmladbl.exe

C:\Windows\system32\Ajmladbl.exe

C:\Windows\SysWOW64\Apjdikqd.exe

C:\Windows\system32\Apjdikqd.exe

C:\Windows\SysWOW64\Aibibp32.exe

C:\Windows\system32\Aibibp32.exe

C:\Windows\SysWOW64\Affikdfn.exe

C:\Windows\system32\Affikdfn.exe

C:\Windows\SysWOW64\Ampaho32.exe

C:\Windows\system32\Ampaho32.exe

C:\Windows\SysWOW64\Aalmimfd.exe

C:\Windows\system32\Aalmimfd.exe

C:\Windows\SysWOW64\Afhfaddk.exe

C:\Windows\system32\Afhfaddk.exe

C:\Windows\SysWOW64\Bfkbfd32.exe

C:\Windows\system32\Bfkbfd32.exe

C:\Windows\SysWOW64\Biiobo32.exe

C:\Windows\system32\Biiobo32.exe

C:\Windows\SysWOW64\Bdocph32.exe

C:\Windows\system32\Bdocph32.exe

C:\Windows\SysWOW64\Bpedeiff.exe

C:\Windows\system32\Bpedeiff.exe

C:\Windows\SysWOW64\Binhnomg.exe

C:\Windows\system32\Binhnomg.exe

C:\Windows\SysWOW64\Baepolni.exe

C:\Windows\system32\Baepolni.exe

C:\Windows\SysWOW64\Bphqji32.exe

C:\Windows\system32\Bphqji32.exe

C:\Windows\SysWOW64\Cajjjk32.exe

C:\Windows\system32\Cajjjk32.exe

C:\Windows\SysWOW64\Cbkfbcpb.exe

C:\Windows\system32\Cbkfbcpb.exe

C:\Windows\SysWOW64\Cmpjoloh.exe

C:\Windows\system32\Cmpjoloh.exe

C:\Windows\SysWOW64\Ckdkhq32.exe

C:\Windows\system32\Ckdkhq32.exe

C:\Windows\SysWOW64\Cpacqg32.exe

C:\Windows\system32\Cpacqg32.exe

C:\Windows\SysWOW64\Cdaile32.exe

C:\Windows\system32\Cdaile32.exe

C:\Windows\SysWOW64\Dnljkk32.exe

C:\Windows\system32\Dnljkk32.exe

C:\Windows\SysWOW64\Dpjfgf32.exe

C:\Windows\system32\Dpjfgf32.exe

C:\Windows\SysWOW64\Daollh32.exe

C:\Windows\system32\Daollh32.exe

C:\Windows\SysWOW64\Ddmhhd32.exe

C:\Windows\system32\Ddmhhd32.exe

C:\Windows\SysWOW64\Ekgqennl.exe

C:\Windows\system32\Ekgqennl.exe

C:\Windows\SysWOW64\Eaaiahei.exe

C:\Windows\system32\Eaaiahei.exe

C:\Windows\SysWOW64\Ecbeip32.exe

C:\Windows\system32\Ecbeip32.exe

C:\Windows\SysWOW64\Enhifi32.exe

C:\Windows\system32\Enhifi32.exe

C:\Windows\SysWOW64\Epffbd32.exe

C:\Windows\system32\Epffbd32.exe

C:\Windows\SysWOW64\Ecdbop32.exe

C:\Windows\system32\Ecdbop32.exe

C:\Windows\SysWOW64\Ekljpm32.exe

C:\Windows\system32\Ekljpm32.exe

C:\Windows\SysWOW64\Enjfli32.exe

C:\Windows\system32\Enjfli32.exe

C:\Windows\SysWOW64\Egbken32.exe

C:\Windows\system32\Egbken32.exe

C:\Windows\SysWOW64\Eahobg32.exe

C:\Windows\system32\Eahobg32.exe

C:\Windows\SysWOW64\Ecikjoep.exe

C:\Windows\system32\Ecikjoep.exe

C:\Windows\SysWOW64\Ekqckmfb.exe

C:\Windows\system32\Ekqckmfb.exe

C:\Windows\SysWOW64\Eajlhg32.exe

C:\Windows\system32\Eajlhg32.exe

C:\Windows\SysWOW64\Edihdb32.exe

C:\Windows\system32\Edihdb32.exe

C:\Windows\SysWOW64\Fggdpnkf.exe

C:\Windows\system32\Fggdpnkf.exe

C:\Windows\SysWOW64\Fjeplijj.exe

C:\Windows\system32\Fjeplijj.exe

C:\Windows\SysWOW64\Fnalmh32.exe

C:\Windows\system32\Fnalmh32.exe

C:\Windows\SysWOW64\Fqphic32.exe

C:\Windows\system32\Fqphic32.exe

C:\Windows\SysWOW64\Fgiaemic.exe

C:\Windows\system32\Fgiaemic.exe

C:\Windows\SysWOW64\Fcpakn32.exe

C:\Windows\system32\Fcpakn32.exe

C:\Windows\SysWOW64\Fbaahf32.exe

C:\Windows\system32\Fbaahf32.exe

C:\Windows\SysWOW64\Fqdbdbna.exe

C:\Windows\system32\Fqdbdbna.exe

C:\Windows\SysWOW64\Fcbnpnme.exe

C:\Windows\system32\Fcbnpnme.exe

C:\Windows\SysWOW64\Fkjfakng.exe

C:\Windows\system32\Fkjfakng.exe

C:\Windows\SysWOW64\Fnhbmgmk.exe

C:\Windows\system32\Fnhbmgmk.exe

C:\Windows\SysWOW64\Gcghkm32.exe

C:\Windows\system32\Gcghkm32.exe

C:\Windows\SysWOW64\Gjaphgpl.exe

C:\Windows\system32\Gjaphgpl.exe

C:\Windows\SysWOW64\Gjcmngnj.exe

C:\Windows\system32\Gjcmngnj.exe

C:\Windows\SysWOW64\Gqnejaff.exe

C:\Windows\system32\Gqnejaff.exe

C:\Windows\SysWOW64\Gggmgk32.exe

C:\Windows\system32\Gggmgk32.exe

C:\Windows\SysWOW64\Gnaecedp.exe

C:\Windows\system32\Gnaecedp.exe

C:\Windows\SysWOW64\Gdknpp32.exe

C:\Windows\system32\Gdknpp32.exe

C:\Windows\SysWOW64\Gndbie32.exe

C:\Windows\system32\Gndbie32.exe

C:\Windows\SysWOW64\Gglfbkin.exe

C:\Windows\system32\Gglfbkin.exe

C:\Windows\SysWOW64\Gnfooe32.exe

C:\Windows\system32\Gnfooe32.exe

C:\Windows\SysWOW64\Hccggl32.exe

C:\Windows\system32\Hccggl32.exe

C:\Windows\SysWOW64\Hjmodffo.exe

C:\Windows\system32\Hjmodffo.exe

C:\Windows\SysWOW64\Hbdgec32.exe

C:\Windows\system32\Hbdgec32.exe

C:\Windows\SysWOW64\Hebcao32.exe

C:\Windows\system32\Hebcao32.exe

C:\Windows\SysWOW64\Hkmlnimb.exe

C:\Windows\system32\Hkmlnimb.exe

C:\Windows\SysWOW64\Hbfdjc32.exe

C:\Windows\system32\Hbfdjc32.exe

C:\Windows\SysWOW64\Hgcmbj32.exe

C:\Windows\system32\Hgcmbj32.exe

C:\Windows\SysWOW64\Hbiapb32.exe

C:\Windows\system32\Hbiapb32.exe

C:\Windows\SysWOW64\Hcjmhk32.exe

C:\Windows\system32\Hcjmhk32.exe

C:\Windows\SysWOW64\Hjdedepg.exe

C:\Windows\system32\Hjdedepg.exe

C:\Windows\SysWOW64\Hannao32.exe

C:\Windows\system32\Hannao32.exe

C:\Windows\SysWOW64\Hcljmj32.exe

C:\Windows\system32\Hcljmj32.exe

C:\Windows\SysWOW64\Hkcbnh32.exe

C:\Windows\system32\Hkcbnh32.exe

C:\Windows\SysWOW64\Iapjgo32.exe

C:\Windows\system32\Iapjgo32.exe

C:\Windows\SysWOW64\Ielfgmnj.exe

C:\Windows\system32\Ielfgmnj.exe

C:\Windows\SysWOW64\Igjbci32.exe

C:\Windows\system32\Igjbci32.exe

C:\Windows\SysWOW64\Indkpcdk.exe

C:\Windows\system32\Indkpcdk.exe

C:\Windows\SysWOW64\Igmoih32.exe

C:\Windows\system32\Igmoih32.exe

C:\Windows\SysWOW64\Iaedanal.exe

C:\Windows\system32\Iaedanal.exe

C:\Windows\SysWOW64\Iccpniqp.exe

C:\Windows\system32\Iccpniqp.exe

C:\Windows\SysWOW64\Ijmhkchl.exe

C:\Windows\system32\Ijmhkchl.exe

C:\Windows\SysWOW64\Iagqgn32.exe

C:\Windows\system32\Iagqgn32.exe

C:\Windows\SysWOW64\Ijbbfc32.exe

C:\Windows\system32\Ijbbfc32.exe

C:\Windows\SysWOW64\Jbijgp32.exe

C:\Windows\system32\Jbijgp32.exe

C:\Windows\SysWOW64\Jnpjlajn.exe

C:\Windows\system32\Jnpjlajn.exe

C:\Windows\SysWOW64\Jblflp32.exe

C:\Windows\system32\Jblflp32.exe

C:\Windows\SysWOW64\Jejbhk32.exe

C:\Windows\system32\Jejbhk32.exe

C:\Windows\SysWOW64\Jhhodg32.exe

C:\Windows\system32\Jhhodg32.exe

C:\Windows\SysWOW64\Jnbgaa32.exe

C:\Windows\system32\Jnbgaa32.exe

C:\Windows\SysWOW64\Jelonkph.exe

C:\Windows\system32\Jelonkph.exe

C:\Windows\SysWOW64\Jbppgona.exe

C:\Windows\system32\Jbppgona.exe

C:\Windows\SysWOW64\Jdalog32.exe

C:\Windows\system32\Jdalog32.exe

C:\Windows\SysWOW64\Jeaiij32.exe

C:\Windows\system32\Jeaiij32.exe

C:\Windows\SysWOW64\Kkpnga32.exe

C:\Windows\system32\Kkpnga32.exe

C:\Windows\SysWOW64\Kdhbpf32.exe

C:\Windows\system32\Kdhbpf32.exe

C:\Windows\SysWOW64\Khdoqefq.exe

C:\Windows\system32\Khdoqefq.exe

C:\Windows\SysWOW64\Kbjbnnfg.exe

C:\Windows\system32\Kbjbnnfg.exe

C:\Windows\SysWOW64\Khfkfedn.exe

C:\Windows\system32\Khfkfedn.exe

C:\Windows\SysWOW64\Kkegbpca.exe

C:\Windows\system32\Kkegbpca.exe

C:\Windows\SysWOW64\Kaopoj32.exe

C:\Windows\system32\Kaopoj32.exe

C:\Windows\SysWOW64\Kocphojh.exe

C:\Windows\system32\Kocphojh.exe

C:\Windows\SysWOW64\Klgqabib.exe

C:\Windows\system32\Klgqabib.exe

C:\Windows\SysWOW64\Lacijjgi.exe

C:\Windows\system32\Lacijjgi.exe

C:\Windows\SysWOW64\Ldbefe32.exe

C:\Windows\system32\Ldbefe32.exe

C:\Windows\SysWOW64\Lklnconj.exe

C:\Windows\system32\Lklnconj.exe

C:\Windows\SysWOW64\Laffpi32.exe

C:\Windows\system32\Laffpi32.exe

C:\Windows\SysWOW64\Lhpnlclc.exe

C:\Windows\system32\Lhpnlclc.exe

C:\Windows\SysWOW64\Lbebilli.exe

C:\Windows\system32\Lbebilli.exe

C:\Windows\SysWOW64\Ledoegkm.exe

C:\Windows\system32\Ledoegkm.exe

C:\Windows\SysWOW64\Lhbkac32.exe

C:\Windows\system32\Lhbkac32.exe

C:\Windows\SysWOW64\Lkqgno32.exe

C:\Windows\system32\Lkqgno32.exe

C:\Windows\SysWOW64\Lajokiaa.exe

C:\Windows\system32\Lajokiaa.exe

C:\Windows\SysWOW64\Ldikgdpe.exe

C:\Windows\system32\Ldikgdpe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7164 -ip 7164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 400

WerFault.exe is the Windows Error Reporting host. Both invocations above were started by Windows to report the crash of process 7164 (the -p argument); they are not components dropped by the sample.

Network

Every row below is a reverse-DNS (PTR) query for an in-addr.arpa name, sent over UDP to the public resolver 8.8.8.8 on port 53; the table records no connection to a named external host. The looked-up address is read by reversing the first four labels, e.g. 228.249.119.40.in-addr.arpa is the PTR name for 40.119.249.228.

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
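The following is an added example, not part of the sandbox report or its tooling. It parses rows in the shape of the Network table above, decodes each in-addr.arpa name back to the IPv4 address that was looked up, and returns any row that is not a reverse lookup so an analyst can review forward queries separately. SAMPLE_ROWS is a constructed input copied from four rows of the table; the ip6.arpa branch goes beyond what this report shows and is included only so the decoder handles IPv6 PTR names as well.

```python
"""Decode reverse-DNS (PTR) queries from a sandbox network table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four rows copied from the report's Network table
# (country, destination, domain, proto).
SAMPLE_ROWS = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
"""


@dataclass
class DnsRow:
    country: str
    resolver: str
    port: int
    name: str
    proto: str
    ptr_target: Optional[str]  # decoded address if this was a reverse lookup, else None


def decode_ptr(name: str) -> Optional[str]:
    """Turn 'd.c.b.a.in-addr.arpa' into 'a.b.c.d' (or an ip6.arpa name into an
    IPv6 address). Returns None for anything that is not a well-formed PTR name."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        octets = labels[:4][::-1]  # PTR names list the octets least-significant first
        try:
            return str(ipaddress.IPv4Address(".".join(octets)))
        except ipaddress.AddressValueError:
            return None
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(labels[:32][::-1])  # 32 hex nibbles, reversed
        groups = ":".join(nibbles[i:i + 4] for i in range(0, 32, 4))
        try:
            return str(ipaddress.IPv6Address(groups))
        except ipaddress.AddressValueError:
            return None
    return None


def parse_rows(text: str) -> List[DnsRow]:
    """Parse 'country dest:port domain proto' rows into DnsRow records."""
    rows: List[DnsRow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers and blank lines
        country, dest, name, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append(DnsRow(country, host, int(port), name, proto, decode_ptr(name)))
    return rows


def forward_lookups(rows: List[DnsRow]) -> List[str]:
    """Names that are not reverse lookups; in a report like this one, these
    are the rows that deserve a closer look."""
    return [r.name for r in rows if r.ptr_target is None]


def looked_up_addresses(rows: List[DnsRow]) -> List[str]:
    """Decoded IPs from all PTR rows, in table order."""
    return [r.ptr_target for r in rows if r.ptr_target is not None]


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for ip in looked_up_addresses(parsed):
        print(ip)
    print("non-PTR names:", forward_lookups(parsed))
```

The decoded addresses are what you would pivot on (ownership, ASN, prior sightings); the PTR names themselves say nothing about the sample beyond the fact that something on the guest asked who owned those addresses.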

Files

memory/3244-0-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3244-1-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Pclgkb32.exe

MD5 c6648f386edf9cd04fb8995761bf6ab0
SHA1 7736c2e4d4f00707703e2dbf40bb804c2cc0939a
SHA256 37f60e240cbab7dc7e2944f5cc5574ada0bca32b005682aa8c67315512e4d4f4
SHA512 2a2a05423e81e39c8bf0dc184391fc4f57f8715243f2d71ecb2f539f16883c7dc9218807f831feac911bfb406d627ef97de44a952ac76b3bb9c732eeebe56f88

memory/1540-8-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Qqijje32.exe

MD5 4231d66c652035aa0854e7a70254c867
SHA1 214ce8d995906f39b0daf49374a2312b66499ac0
SHA256 1e2594d66f89af743cfaf9e2ccdc274e1e3704caa204ceda983025fba4cab446
SHA512 f2628220050ef5b7a4b992ed5b5f3fcc616a40b9ef618987f8d157cd352b6cf77f6a1f633eb11682ca7fa8093589c5804e3256e3a2036ddd491864ff7e5c4fdf

memory/2580-17-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Qcgffqei.exe

MD5 3603bd3df21b40a781b354ca4a1c2271
SHA1 1948aa2a7513aa3baf2a897f7d841c175154b224
SHA256 47e73ee1787e4828b3fb56150b583df8239a821ea796358cb2e13d8657b07f5a
SHA512 f8fdd3e31317e42f91cc94879042b71c0e760359ded460ee0b7ff218052eaaffdb877ebe3beaeb7cb8a7d9f4578e00a8e021fd6373223a50e2dbba35b5c18c26

memory/4884-24-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Anmjcieo.exe

MD5 a02ce1688ed1979100b90a3db27af539
SHA1 6d66b32f6d862e2607ac7c79ac8e2854f75bede3
SHA256 145e3e7f2035fd6deaa8023fa3b6a586b9a8a37488f555a4e2aff876b144face
SHA512 74313df64867cc4f9f36f309cf4bd1a657b9e62750df88dd7425e159d96a7b72f34e34d449c8d00767f89fa7d9c034baa877a95df0e87badec7c848d71a11b39

memory/1728-32-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ageolo32.exe

MD5 b31da74eecba3e7bf14dfc2a2e06f0c9
SHA1 6926a32914447e098c0688aae2dcb6a3b1bf4690
SHA256 a14aa454a6c103fa1a7fd185dd0d0298d1607a41dcffb2a3853936ebc4998658
SHA512 5817d90115ae163995333f4d8de06888bdf85b33fd0991f1f7b73e7ea94ce04010e331bffa2898aa7b4622bbdda8c3f88d3a94c0e75a8422f43c5ae73e15cce0

memory/4912-40-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Anogiicl.exe

MD5 273387097ebea620401f0fcb996b7e19
SHA1 d0225827ea8b10474e78d50f19e318f8e0f9e0bc
SHA256 06077215f1354f5214de78b744e0910121571881dd96cde39f7c51b6e6bb5548
SHA512 69fe6fbe84e34f90f557d75347323a73d0fd4d45ad061422cf8faeedd7a610e9c6db795e515c003c327ec6886ae19bf88b8acf93f30b666fdb18fbc15ff143b0

memory/2056-48-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ajfhnjhq.exe

MD5 f415682d844454b2427b7295e6d86664
SHA1 9fc11071ec33ae27624cfa4b3a034ca90e8cdf9d
SHA256 6bc434eae81b0add1ebaebc719920fe68d86651e80c1f8bd57f07aefdd6f9e01
SHA512 1c2d5b62c46cfac157fe24cd4231cf0849222964f52494f43c2915ff0bd5c656a5fcfab4a74ea68b52a3a37273c8e790134ff48922aafd00ccd9dd2d1fb24828

memory/3068-56-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Bmemac32.exe

MD5 7e980a02680acbbc1268c80de5d943e7
SHA1 b30306d6882bac2de757c54cd4764a311c0dbe28
SHA256 05081576a5e85dca85d20602a4b7427f6233912d7b90a4812525e9be1d18b17e
SHA512 aca0a6af6cdec431c8bc457134185fa354acd07ed3c1b3501ce5f74c615bd9322f1756d7ebde051c98cd2446a59d09790cb27f0319fdc1f603717856ab6e91a1

memory/1824-65-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Daqbip32.exe

MD5 223456bd5817ce64080490127fb4e17e
SHA1 e772cd86eb457632f5ef26ecc98a21a51ae0f341
SHA256 3bd1b8cba96fd18501be52ad5c6f0cbaf65461f369bc13687c46da003a67c6ed
SHA512 1ed8bd34d197fa8ea0a22d94cee833c94846a6b10c6a84a6412bb9b0e24be162b4c568bc5017b48a38e062734e31419f303e9582d4dc2f7448d748eb589894b2

memory/3244-73-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2320-79-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2480-85-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1540-90-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Eemgplno.exe

MD5 42aad4a8400ac0297e4681bd7e42066d
SHA1 15c9c947dbff0f35a13a982698461778ae9a57a3
SHA256 830d31b077e34bd8a2f61b4ea505827eae56b7924ffc7e15f2127bb8f4ea84ab
SHA512 194358f3ac6e83f21c692da9670df86cad1a2e7fb889579c62a909256ff74b30b4d8d1943789b021c960eee9eff70665792f25d4151fc9a5b0a6f0526dda87e3

C:\Windows\SysWOW64\Egnchd32.exe

MD5 fb470ec6cccbf4a5aeb83588118ec0f2
SHA1 402d6d79993c4d4136cf8d69559f99427005a848
SHA256 89be227e44d5f4ee842337dc47725a182f20b014a8cb6fffbc5edc0841a9cbb5
SHA512 c93a1a12edbee26dc421d9876d057e6530774bff1fbbc28df028a584f5a29b2102deb00308d5c316cfccf2269960192134feadc91b17530f4c8b79343226a0b0

memory/2580-99-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Eachem32.exe

MD5 4434df56fd7f5f205af683dda7345e2d
SHA1 5c54a3b896931cca28276f8e1e0d01c3652afb7c
SHA256 0ecec252f26a9eadb91a338f6cb16bebbeb97c6a9da385b380449b6f82807900
SHA512 1f97e4864fc1caa0c55a28006266f6dbec87243c6607bbe0c3b656d6d199f38d434a973a64cf2d0e143495a4098e8a4507541ee4aead976d64b41eb0ff386d06

memory/1648-111-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Fdbdah32.exe

MD5 ec50b4d415a537c77d115cec73c96139
SHA1 84e532c223ec8c438379198bbf9a2b9459ad085d
SHA256 15ba22b1b3c61aac147aa02d82b5fe7effa1b0343c9e93a9d3fe739037361be0
SHA512 aeb15ee988c9cf658c2ab4f2a0c8ff06b476c13c30e4e02efcba3369fd61b94ecefd1d3db5c64d10f35e708aee199929e1bd72326804fbd164d292b22651850d

memory/3232-113-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2276-95-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ekgbccni.exe

MD5 0ea8c05528911c1e212b0a7edee0b12d
SHA1 28ce38347a0e35eb92022d32b73577452fd98fc3
SHA256 987a1c843e22dda7c4f529a4a67275b1adddb7595efcc5246796900826b3b772
SHA512 783d26b40cedc331c26d019c36dfc49d29fce3ab7b06a0a8302718e3ca45dd72fe70fd58801e16393d97304a353c2faede57267194a49858e479d7528c50215e

memory/4884-116-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2980-121-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Feapkk32.exe

MD5 cfef55b25f78d5c8859813a5dacbd608
SHA1 0e4eb762edbb266d96d5d74ee032cb3bf956cbb2
SHA256 c4198954a4f70342343794be953f92b84e1fda89487d3bd03228b8c74780b920
SHA512 c8b14902426fcb3015a049a84687614e179b023f34ec32463dba38624e639e42bc145d72974e248a37007ed59dfc78d8dab7c5d6d7bdb514fa8d269fd84c26f3

C:\Windows\SysWOW64\Fdfmlhna.exe

MD5 7b22c1f0988730540ed1e70de42693e5
SHA1 ee270c52879c5fc071a0f3213d5e77880c0e8da4
SHA256 1197e5fd1bf0eb6f7302a2ad477f8cedfae71257af220549380238559ea4d596
SHA512 451d5ea3b15b269f7850d8fb686734b1132c417cbbf6f1420f648aaac042d12c0b916fa61e6c11c9f3d87c6f048e4f6b935eea55261f665aa7198ed604da8440

C:\Windows\SysWOW64\Fojedapj.exe

MD5 8a3124e56f3174629fc381a23dc521cb
SHA1 384c2b34c30e25fa039a0fe6455e400a07f920ac
SHA256 07a14a861ac6f92438394d0d22c1b87b021ef080fa648d44d257d213c648c24a
SHA512 81a4d0768f089f19d9a75e20c68302cf2ab201ab3ed138c6fbc86d6a4855ace49853a3f8bbb762f8ecb16554bedfea3ddb36fb62c58b0c07da4b798c89c57fa9

memory/4912-131-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1728-124-0x0000000000400000-0x000000000043A000-memory.dmp

memory/5044-130-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2608-135-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2056-143-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1800-151-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Fkqeib32.exe

MD5 3042dba8a8376f14331fc8190f75abf8
SHA1 b05414137e242e96bccfc6ede149fe4ce3d927cc
SHA256 1e22bdbca2443f37856b6643598af5c791aeda936a776200b6f47d31ef055039
SHA512 ee38a24a184312ddef4a373930f409331ce72e7aa019cfcc64c2666a90c04ee26a130c98f84834030eba4c312942f656801eaf2972b0a2af0d1683e9322ad15a

memory/1852-163-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Fggfnc32.exe

MD5 4f833b558b5b651fcd246f709bb5dc74
SHA1 476ee30a5e9685b67cb1e0d5a29bbf7bb4b80dbf
SHA256 5b2568c9422a88f6caa117aa7fd9a022041500ad5fa369fce787678e9164c59b
SHA512 99c982c06dd13c3b65fa3ac1ead9dd1ea3094ef5bdc85c5de899b61f0d780aa21bc3ce3ef67d59bd5cd43e5504b0fdfeecce10938587d8f78a7fe90b0cad3a64

C:\Windows\SysWOW64\Fnaokmco.exe

MD5 bb55e702b81c37e508935e23eab178e0
SHA1 5bc7d980f946bfc628b26de1dcbe5fb2e2dd136b
SHA256 02750fc68638be101c03d5714d3ed65cb2e16368ba6e0baf9b261cfee63d26f9
SHA512 955f600c1d2d4c16c53bcfdf55a8b81d6d498efea22a067b81b49931deea154c9787010732ca7b09cce2cb7e40aab98d9dedfa307af5e485d3b471b4e7b32c8c

memory/2348-172-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3068-164-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Fefjfked.exe

MD5 43e9876642b42cf082bfd85f31030d72
SHA1 65f4aa0e17c6444ed53fdedb1124ce5c6d4dca61
SHA256 57ebbba09f0312cb98e93accc81b6331ca1382bd4d485dafae66557fecb4347c
SHA512 9e80051aa8b3d7989b911c65e1d3496e7b7a12f47f0e9d7290d31c85ce3d13a66d954c6926dfaad03a7d256e2db5ae0ad6bcb03fd21f688034a42cf05bbef4ad

memory/1824-176-0x0000000000400000-0x000000000043A000-memory.dmp

memory/936-174-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2124-177-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2480-179-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Gekcaj32.exe

MD5 10ad8da8f20d90a7b93492510338e423
SHA1 dc85331098ff85730a337e9f8faf3f98477f887e
SHA256 691125f4841519b7973db82ccc66d9dc36727693703e888680a3ea31219b5ef2
SHA512 b36d65168547a9b90272003363a49c4d6f37fcd99fd34e35b88b1f780daf5f0246e75613215fc4ce304a3b62d8fee6f30257c6446a61e4f9e29cd55b53333b51

memory/1872-186-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4440-195-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ghklce32.exe

MD5 37e25189efc0aa62ceeec49bd59f24b3
SHA1 0a07f18e648aa0d81e31c4f3480fb9917e519f3e
SHA256 aa425c8c3f31eb04f87d0e55c5b1d18681c5cee3f0e911785e32a93d45a8adb8
SHA512 906b88f71eb27c88e9de71e588c8eaae8f346e679d89f25acd45e01bb60e7fca8c7c25e9771eea620a0e6374154a71ef606a6a3ff941e3c325d5f363e720d85a

C:\Windows\SysWOW64\Hhihdcbp.exe

MD5 24d3b98eeb1c71033d875152240c6b57
SHA1 30bd3cf19fb6e93b3f962629c473fe5ff07b92ee
SHA256 c32e539416608647f9f4172c660964eeb0ed5ebda8858c75deecc49a74509198
SHA512 9cda4aa71589e1f3e93b4127f94d10d767638c8b872fd13537b4667dd230c9b92d15bf27e5b81ec69fc9b73a146a05f401578f805fe1f7c44a7a91f2b7bb23ff

memory/456-203-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Hocqam32.exe

MD5 bb75924c50a9903c3cb4511ac972d04b
SHA1 2d576430e9b1646cdd0140f95ad4f3269965636b
SHA256 c00e2a2e0913e07831a0f4c41ffa91a813c0832e0dbde1e68c14bbd2d3f130a9
SHA512 1097e562c1ef1af10ab31370d24b0d2edcdab8258b8503fb34a2bde7eeba36e2a174e1f18588ba6aea854a0271bc72afbda15d863038fa644e171d310861d370

memory/2980-214-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Hkjafn32.exe

MD5 17a444fd0b600fbb480b3ddeae2389f0
SHA1 d4173a232ababe6c4b38758ff20dbaae29ef4a34
SHA256 0569d061646f6fd971d02a83dfb5080b440062c8ce592a55bc856adc2f69d676
SHA512 5eafea87df27dd73aacb6d521bcd0768d701d6e218f5419808d84a3a058f951f580f0d9d88f8f1ea47f924267ac7c5fa1d197aebab61dd7e7f986188c55d3b56

memory/4872-216-0x0000000000400000-0x000000000043A000-memory.dmp

memory/5004-224-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Hbdjchgn.exe

MD5 73fd21a59cf8a409d816308c074f7fae
SHA1 7f8215cbe33f15ba0e02feccfb351748f954d9b6
SHA256 6150de87363484f99b55796899588251637b9237f471caea5f826ef7997a8c6f
SHA512 2f225574dd9f882e980f22fe1414661dc29b9febc7e2b75963169d7d401fd85141489f420592d1ee6b0179e1b3d8e53e849255464fdb98c5094e475e7d42176d

memory/2608-232-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Hkmnln32.exe

MD5 dc625c25622ac34ab6601dbc9f1c6bf6
SHA1 84834e83ba998d5c954004f1356f80002779212d
SHA256 c8a3e0827009c880043d0f9d79b106f69780472bb3bdc977398e9bfcb0da1fd4
SHA512 2dbef573abf7591ff1d20c2b614022af084f9095162cb1ee0dc828521afe15b35dc2de36c995361ff06d16a47f8774217bfd3474b717ac6e23926cebcb6126b1

memory/2828-234-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4572-237-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Idebdcdo.exe

MD5 b759e6123ecfdf4dc8351da5a7b1d4c1
SHA1 4963346f302442bca7fed61af64167bc7b3c56f2
SHA256 3bc2edfc7d560191ec3d2b28a6a1f0f520ec146ca1ab2b08e4f7fa4349c8f7f1
SHA512 7edeb39c77ee93798eaebfd15f4b3e9a7cda34fc23a5c837fd9077103a2553bf48a15e173b085170b8a27f53a1b7201393e0227f9cc74920b72783c9c54ccddc

memory/2080-249-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ikokan32.exe

MD5 98ec0637096f2d605fb078e9719d07b2
SHA1 d0d97885b7ee7c22c9e7756416c047231e742232
SHA256 cb64461b9abcbc1189270516f5655f18db8f2fb7d7e7facdd847c72ff9689021
SHA512 f9c99ab26e446b9296fda4f9e7bc9270ffb116fc1bd3b77817958f061a1c50969257d592160d9adc5d53ed748c8b24656fd632bc307d0b518065052b96e36a4a

memory/1504-252-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2124-261-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2344-266-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Iickkbje.exe

MD5 84ed2bfa7349e6aaa2efaa8fac7815f8
SHA1 7c378ac2dee98575cedf422a112c2c4a12f3752e
SHA256 fdefd653b60ffe5e2107b1ac89e29e47766aa41fc04bfdca1887876ff92b6391
SHA512 911fd373a5912b6d46846ca5e550a8a21bf76db9fd4c183fcf780989d1c985d85de2071606a82ce57a482c40e90e8576424c84567a67fc956dde24d7a4ae6d58

C:\Windows\SysWOW64\Inpccihl.exe

MD5 17643a8fd83125c02335ff10056bc926
SHA1 4afb360eb2d6c8ab0326c865b25c5a6894602a37
SHA256 acee4bdec0348bc356d05f4c55183488ecdb6dca5a089cdf46b5293cfa813ba4
SHA512 e4e4f408080fb865020c177a13c17043cc71828b2cda1048add5ae2e31b9c47949ca1a919494c92a8930926a724a1b76c2cd343b98683a33fd7e85d6938d13a1

memory/1872-270-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4072-277-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3256-276-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4440-282-0x0000000000400000-0x000000000043A000-memory.dmp

memory/456-286-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3412-290-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1404-291-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1868-297-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4784-308-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4572-307-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1012-310-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1504-320-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2596-322-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3436-323-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4820-329-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4072-335-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4816-340-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1164-342-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Oeaoab32.exe

MD5 60118daa0f6a6588add6a4b4950656cd
SHA1 af4bbb5e36a294ef61983c908d359c6b0ef1d2c9
SHA256 7df704bac0783577b7b2945e164d34d46f306f10777f635599df9d8a8bd61a4b
SHA512 93b681beeabb678a9a7f67f5654d57752a987524e39f9030024c11205b9d62308532bfbf6f21451e2643ead4baf3c61791da70c5807c310214de5333b6beba7c

C:\Windows\SysWOW64\Phganm32.exe

MD5 ffdfa7a82935e34eaa9659db6a7ca8aa
SHA1 ce3bce41eb676ddce732424d0ce4063d2332d257
SHA256 4de6bf71c346d11d04125d5c6db7617ae586fb2a00ea191e3326019705ddf8a2
SHA512 8985a4639f31b8217953e82fd13c50880c16c2bebb506aeeb292a284a6c1e1db0b3d5b5563f4a8515048ce0ef558805b1c0a994bc17705853b6922cdd6957619

C:\Windows\SysWOW64\Qepkbpak.exe

MD5 cb325c57dd8f76ec67d7121c919f7868
SHA1 8f898aaaa09ede68ef8e96f074454a50cbb6e64f
SHA256 89c408b0dda31684cfeda55c8111408d3c04ee0ff6536e9752737101dcc181d6
SHA512 b3303c567d704078ac75946edf9aab70b641dea962f71ae1320b8d403c3fc88ffdfef798a6e05be9b9f8c658bc4f42668c79af0300bdbbdb0229ed2461676f50

C:\Windows\SysWOW64\Akhcfe32.exe

MD5 f88e79c01e1e078a26debac941bdcac2
SHA1 ec77c3bd3144c8d3b87e90a70b4cb915772caa3b
SHA256 01132f45ed8574c91dc2149bb858e8e5396efd075f43933f8caf5d465603e77c
SHA512 ad78967776461b686d2f0df4c9aafbc884911e022a54ae4fc907efda61b5ee76fe1c681ee8f73ef4f0218856ec724577bf79e3bbe9ff1d79c3c3fdd80bc858fc

C:\Windows\SysWOW64\Gfokoelp.exe

MD5 bd867f9de5cdca8fe53fad1778f693c8
SHA1 a302f62010e1cf4d32737a9ccf40a3e75186e58d
SHA256 a799fb3c55292604ffe3b83b277389616d1733b253c6d04dfa7c6d2b51d80e05
SHA512 32c7fced1f5da088170d727cb8e59fdded1dbe388b6f790c049372f26d42358417e746790d956e2d571d4b987335c0b75116d9a277686183f0a7619ad7f84762

C:\Windows\SysWOW64\Hloqml32.exe

MD5 a726ab66229e93e7337db7ee105bee90
SHA1 a2e9f7c58616124358e0708dc80a0caf61597719
SHA256 a5ae2ca064c38e9e43d73624c5cdd0ea59e503ede448476d83979aae63727887
SHA512 39642d6bd6d30c99aeeca1d7476236962229392a3a15e1ea7d55fe289daefeee8775af6337af447e5300d9830cbf837e84065bdb3035321dbb29c6d4ddfe34bd

C:\Windows\SysWOW64\Hckeoeno.exe

MD5 ddbec64bf7003a5a39ed933a13343639
SHA1 40db53544ceedb70239fbdaf8a60018766659372
SHA256 75312fcd769773b73a2d373a6534e51b434576b280343ec0fdcdbe21e3c73228
SHA512 1ee72f4e8d0d007750893d4f82e3c4cfe0c82e5e165d4b1b3e9411fec0c61d83011c865dfc495610f5374b71bae2738a9fbaf8b462e41e6b45786e8817f6daab

C:\Windows\SysWOW64\Kgninn32.exe

MD5 143711a6aace7908181bfe40d487dc92
SHA1 a5fcdf159554ef66ce984eddb692439ea2a181cf
SHA256 564b22251866e6d82b0b5bbd29f0b32efc5332acb48b0f117ee6a697cba67dba
SHA512 76f23e94556e203c4eba6cb92a5c2fcddb902b32c74eccf1e17e860bcd574f7925dace325f7f97ee635d90e43848528ae3ecee7dbcbf77c03cb6c5a823402692

C:\Windows\SysWOW64\Omqmop32.exe

MD5 c76a00f1ddfd15beef73ecf51a84ba90
SHA1 d2049401210bc7cbbe53c4b386f9da2d1d7906bf
SHA256 f5ce0e0ad793f77f48133e910feab68f7ed41ad874717c16c8bee8b020280420
SHA512 53fe866244337e8eed1870a7446b0a805a86833383ea6f98d16744918d227701fba7ca7d9db7409354fe10fe0f02c6e2c98a56e40c39745f9455a4cec2685917

C:\Windows\SysWOW64\Pdhbmh32.exe

MD5 aaaa9326ea8803274b3121c50e017c43
SHA1 5d00cbbdbb5e93797ffb813a0dd72a0a991d5d21
SHA256 9a3c5929144619d3d67d19b49aac8a5132315637d5b3fde0963c2c2301ad4677
SHA512 61a9bb9bbd62375373297e64c8e9e96e5536b6ec3ab2e0dcb4b071ecd4a7106c7e4dd1d07a385a84d8176902640b2ae55423a31dd6d2daefb6e7e6decbdda37b

C:\Windows\SysWOW64\Efblbbqd.exe

MD5 f51db206c9ec029e47a80ea1b8d9ca04
SHA1 05c72388a752a97cf73e361461a821d9c7f628d4
SHA256 265f6de4eaf22bf744d5f8fbbb556daf60611c9ba00e0caf1f623e0fd3a7789e
SHA512 8418abf552355d40bbbec89c07a93141b5bad033d1ec181372007da52fa79e802d62eba552388141507888910c9c40bae24b55109bca75f0d1a3361046c2ba47

C:\Windows\SysWOW64\Emmdom32.exe

MD5 b92b71e322a2a099b46d3738f56c72cd
SHA1 6264f0be5543f1493b42849958a41d2796bf0ca9
SHA256 c99fe0c56767c926c8ba2d4edca679c17437cbaa5aea79f08208825fa315a5c7
SHA512 da21328ace2cb456fc56ab058cea9f38e3a949ce94741fffcc820a6a8c849db7100ad427ebd4dee78d3239bbd69636a0968c388b6269ae8deea16e1dd2ce033f

C:\Windows\SysWOW64\Hfhgkmpj.exe

MD5 cdae4a7331dcbe93c49ca4c3bef3da4d
SHA1 394c2f87e6b9d9e0e2a2c59c75c17ddf4ba90cec
SHA256 a193214e796added805e56d2b270896f38988e5965a425572fea6563361cd320
SHA512 5013af7fd11b3386c7abe2486919e455e66f08ca7df523dbdb6911c631a1f002ea5b1041b9572d2b0f2c152080dfb666a740641d69eeb933c84eb906b4a3aa56

C:\Windows\SysWOW64\Kpcjgnhb.exe

MD5 30e814d328e0c2bac882083d78848ccc
SHA1 3e59a9dcf8f1be67f85fe2fed73f605f463131eb
SHA256 2ce997faa069c6f2c79e69bbd79a32b6f786cf2282f59d21a618576d7f9b1a33
SHA512 d699e9bda822fad3b2dd4dfa7322a8c44dc8e220941d5c48d3ac44f1dbd9617c5d28eeb8cf3411a46a4c4726dddb9cfa84ed51d98bcc937b775e6499fee104d7

C:\Windows\SysWOW64\Lobjni32.exe

MD5 1b3abde4d22ad0c4eefcfbac2fb61005
SHA1 b4f9845198332cf563bb9b5d733cc2c0915e0a6f
SHA256 d739e7add960f1497e959c637b9e7274abe3ecc41dc5755e8b6157bd7d071116
SHA512 01d09bed9b7c8e1403497ff81e3a3bb4f2e3e2a72e2bd842771d1e159d0dd29f8d3d91d826edcc649af0d68873262177f4d7d0578a3e1e461068300cecb0388a

C:\Windows\SysWOW64\Moipoh32.exe

MD5 ca653fcfa6822468f5c4da5f038c2148
SHA1 277ef5a30b99924aad5313e6b7422b6a1c10d7cc
SHA256 be12f12944b19c658c4c074a71bab9f512713a3a125a733154e25f310047f8ff
SHA512 e0722d5e9f7cd489324cea68cf44e3cdde03870a5af015fd8137b83c4c4185dc430598a933c7811ea57f3305757935f5b3ab42856f93be11465ef9fcf6a13119

C:\Windows\SysWOW64\Mnmmboed.exe

MD5 22aeb59e6f83dbd25ebe17a633cb6c7f
SHA1 67208defafdae433d4d3168172a41db5a4c4eddc
SHA256 554f0d49b3a027e19caa54f6cdcab165608b4545672cdf9640668f159230e6e6
SHA512 6ba2e604507252073ef0974325fc2c47f68185d957ff355024fa224dcc2aa0e9552fee672794bdbc6ced1fbd76370780c9908e7ab0e86f86092c0400e119ccdc

C:\Windows\SysWOW64\Opnbae32.exe

MD5 61fbb3d86300aa22086a49fca3999ef0
SHA1 907ac4376d399603e19a473ab99952b1c000d1c4
SHA256 4d6ec044a0956e8f7f3a7019d99f0487f9e6dcc8f56647ff1536be09d21fcfde
SHA512 98d84ec1a2b8b9bb9f3e0abb12cd24a4c29f8bf11924d085d9a986b88be413f507a871ef6836bf86b63509affb10d369e67a1ae21df47260097837f8e7dbfbe7

C:\Windows\SysWOW64\Omdppiif.exe

MD5 66ed50161644a2857f4408bc32c9673e
SHA1 21084bf90e90d04653acda39da617517c40d55c9
SHA256 9b07ec41d756ba064149a8d9326afde759c445ec3fb9fc7a8b2bc430e457a753
SHA512 5741df02c40bb8d17900412a15b38db6dbe723c573782dfdf77ad6dcc4e579b6f54c3988eb1fa6e75176c104bdd1a860c621035da464bc70ef3e5658b1710048

C:\Windows\SysWOW64\Aagkhd32.exe

MD5 ec63f5cf3803d8875410a20b5eb46520
SHA1 f40e93c217f7d411266055df3bf5e37ac538033a
SHA256 54bee4642688cb88dc726c0ad4868563eb7b717dfc57163aa33e35c1f8e96e11
SHA512 cea35bb978b774a8ced1a481d523ebfd861e7d0721549217c213f33f13d913206e227051c37ffd3169e516824bfe38298acc493b8aa2719ffcb811427baa9b8b

C:\Windows\SysWOW64\Apodoq32.exe

MD5 76aedbd81c7d06ed2c3ced70f3806fd0
SHA1 fe00db8dc15302587a0e03e7ba1b0d87e6b5da54
SHA256 8f1a664f58e99138b8223a2e79bff7c9dac93b121209f3f70a37653399cf08f4
SHA512 9d50d134804bbdb388a82686451323c8ca6728e05801620d72e21d8c9e1cf06c6fb44e815b2963d1bc3129c1f0c736db54a1ae9bd0f9bfc2e6a01917c69e83d6

C:\Windows\SysWOW64\Ihkjno32.exe

MD5 da1202f9b3ac149f7f2d5ab2ec66393c
SHA1 ff4ad6ebaa83568b24a110268c92037c9d6d7602
SHA256 0341093c328ab92034d238182d1b533e700f743d633fc70182fd72957c3b0e4e
SHA512 d5ab3cf045bfc357a0253f3be25336ce2c49b26398db07af2e4dbc52ad2ed9fbcd29ef005da45dfa7cc880f2cae5dc03e6debc745d13d20e5226578bc2508ed3

C:\Windows\SysWOW64\Iacngdgj.exe

MD5 15aebbd5dd4bcc6460834b8cd944a187
SHA1 63e6c95ef7f77595405bb2f9b433d5abd5eb4120
SHA256 8289aff947ecd75c1760132f250540866b0a3ffcfebed4ca896f8cd45d77d2a0
SHA512 bcc9f0306ce7a70667f74a34d198df108ec53ba12d628a841315cd2261f2750a4f3ebaa107fa06eb6f846bda9910d06adba5e1eb07e10f6c97fde67e8c526ea3

C:\Windows\SysWOW64\Jlbejloe.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Jhnojl32.exe

MD5 236a15952b4e87812452ba17243d1700
SHA1 b5427d8a1c5420e7b8468e51d26decba62f58197
SHA256 228c631febb97e125476261450500717a97ae0e14fb5bb7f96e58c9358047f68
SHA512 b691fb9bb7c1326295e7116af03b198a5d35f3fb9c51207e268045f5247015605d67e204978e2fd9b8b4dcc24b2b414bc8f9944dfc52bbb90394c51a9aa92bee

C:\Windows\SysWOW64\Kheekkjl.exe

MD5 934430facfb1650f28cdee2c07aead25
SHA1 e3e25ccdd432a417ded4da8e7d7ad9f417ea0718
SHA256 c3397045d2cb114af58f82b67a45fcfa92ca8472a9871ad65dff2b4062dfc3f2
SHA512 028dd547573f12215c89db2cbb640a51a059bf51a1b1859264560e8d25ef74220f09f7fedc6319ed78afad3dac847ac9a7a608373e2d813885c5fba52a7ddd08

C:\Windows\SysWOW64\Kekbjo32.exe

MD5 09bd1f338bb2a2cbebe263fa35ee6b68
SHA1 627cec8ee468f4788f9930380679c3e962b82725
SHA256 3567ae43091da999f5014ad757c3970a4bdaf1dcb6f02c8a5ffe3467c3b2d3c0
SHA512 d66d0b4c662f500615ed9b2496449e7df396c2a3646a2e41604ba7d1a11b992c95185c52bc6e874e89ec8b81b404087c625f32e7f8e13626b5c0bea38c096189

C:\Windows\SysWOW64\Kofdhd32.exe

MD5 a44c072d59e092f670f6784302cb3ed3
SHA1 9b44f8bb5306b8349d4ee22c1f6e6df9099b6764
SHA256 ef8a3caf3115f4ff1b8350706113cee35a2caef4a1d9e8b385620493efbfd4f2
SHA512 de8c23e717eaa1d2fc1d9b31d0ab5537e3982a6e530821979c4b21df7a49792f0305ebbda6109075702cb58434fa04cf65d32d335f23769431ebcefe344da232

C:\Windows\SysWOW64\Lojmcdgl.exe

MD5 5c4e26390f429295d3aa1a51b3027fc0
SHA1 8fee9cc1f787ada7fbd3bdcf46eea0e51d7771d2
SHA256 94f9537a54a09db7e2dfe1097873116d6fc2deada757b8c3624cc65a94af95c3
SHA512 d21e5506e69fcdce4a90b6ed5291c06b1e8e397abc4af24814a532e8ef686c3f6f6811acfa05513b182f82d16c02dead738d4535baf1b2ad9ebf308b2f24af8f

C:\Windows\SysWOW64\Lhenai32.exe

MD5 918f6600a8133b03c5cf2e2798d4a1a2
SHA1 9995039b853ecdd3c98dff0aab3548d4fef254ff
SHA256 b51ea259c1dff63c89ae979a762d859ba3e269bc2293aea6f087e9e266dbaa56
SHA512 8e53ac868e234ae6fad561ed6e20d5bda485fc7b28d25fbe70bae1a03892a5c96ad8ce472f3f70ca003e215288d08e035b94de95a01285ff899233e53f7ce33e

C:\Windows\SysWOW64\Pcegclgp.exe

MD5 e191ae8ea06ed25e1067ed27daf5a561
SHA1 bcc31ac33d72ba139cd6c8137c660688315386b2
SHA256 52d2dde7055ec58fa457922a2e7dee5a076c9b6e41d5d4e9e688d62d4dccfe78
SHA512 29771d45f3e0f456e34142f8de505968983d4dbea890a15541a3683d98dfcafcf9ff6412cb48929d1be4e44b3fcfdf511f91a32d567f6b1eb13c60b2d24e2c09

C:\Windows\SysWOW64\Aibibp32.exe

MD5 9e299056ad3afd8a12a764771ffd993f
SHA1 1ada25c18d110efcd6e7ecd90861e01e275ed4af
SHA256 a0e4d4304bf941d609d61b042c1667d0b253e91129f396b0aa6f8f847d4b42bd
SHA512 239fee898e02ec4558fdf5ea3226912fe27bb648c29f2c8eb1b554ce8faebc607b94da3f932d1403d5e55f43b51b4931e528805496a48b82eee325d566286e16

C:\Windows\SysWOW64\Afhfaddk.exe

MD5 6faed607094e92e9dcad9e03604a3a78
SHA1 8f50d4f0303d9aee8f2e5185bf54caa2a92fdb6b
SHA256 4d82a6460c2e652c82d218565d9db77a82b0fa2782ac6d6a6978cded9d280e1e
SHA512 82f72f23827b8b007b0c7a540d6578a8a0d3e1d60488a02b3f131fefaf787f6445a0f6320904707f97add79e7870429c8e92060052b6e09faa7fe6a4141e90bc

C:\Windows\SysWOW64\Bpedeiff.exe

MD5 78424e12b53a5d12bd59b6d47bb38264
SHA1 351134b19a0ef3ada3fe609fb1e47960dd21461a
SHA256 b7782555d156d14839c57838fe78463a33e74b48a3913a6914e67cd9fc9c0705
SHA512 3eaebcf62d13463e3a9e716a777852b5582d8bd9c624fff5b95f4256302f2cb62860caccc5b3bd358294b7d125624b7000e9d9e9b2d72a589b87c464a6ed8226

C:\Windows\SysWOW64\Cmpjoloh.exe

MD5 0fdc28f7cba701287b0df5ff1373cfeb
SHA1 f6f88477dcb829d6a2e7ca0711d2d243d4e125b0
SHA256 3f6c168e6957b10e220b5b56c2aaebbb1b40e8e80a7f1aeb142b588b8acc2541
SHA512 635eb13094704e91d86cf73e4c602a7130dc3ca29a0a5e12544190ea7fb083a1944372ca6e3ed874687059cbb4a1d9cff35de185557d899180b53ce73123c8de

C:\Windows\SysWOW64\Egbken32.exe

MD5 8d6c3aa7731e5c5b4ca4f0100fc8df8d
SHA1 61e13d7c2a5b34e9d547ce00b07c0fd90bb403b5
SHA256 a6793626af820907ca6040b3d310d8ef4f7d9c4a14c9d4c2a70a95e171746e54
SHA512 dfe5527acfc53afd120183b039d7770b592039256183f83c2b847e1d8e051e9eecf4833f11b040cb7f758042f9029db720528c62e411bdf9c3642064d508364a

C:\Windows\SysWOW64\Gcghkm32.exe

MD5 bd0fac215eea03c7af78f36c4e5717d5
SHA1 b7172a314ba243941d6dff75555f45b5fd3625f9
SHA256 9f455ef2c047cb8c310ee877858f7ef2e59c2fc82bf2d46a4e0caf9d19e61382
SHA512 79f1b73f877973e3a9120c311e3b6ca5ba9c456f30aa3e62322b067493e8745d2ffb2b79dd9e7f30ca3373e6baaf813ffcbe915a54acbc76b85217f6fa297717

C:\Windows\SysWOW64\Hkcbnh32.exe

MD5 88af49ad5a6b2b30d869a5ca6b9a0c1e
SHA1 6e3fc81f4f37b4ca802421fe478c4a39f74e5d07
SHA256 84cdaca2f2673df5aa5f719f6ec6262e18c0168eb9751a95a77b26f7d368a520
SHA512 9b8d699a3e8ba5b70c1083246e250e39790cf14534ec550df9199c39cab8a26922afe43875ab55145d44983eb2dfa0fee89a54153e0ecfc94027e8104c859b2a