Malware Analysis Report

2025-01-18 15:32

Sample ID 240614-d4w8paxepq
Target bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928
SHA256 bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928
Tags
persistence
score
10/10

Analysis Overview

score
10/10

SHA256

bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928

Threat Level: Known bad

The file bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928 was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:34

Reported

2024-06-14 03:36

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaepqjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkgqfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogpmjb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qbgqio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojjolnaq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aclpap32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqkdcn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbpjhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alkdnboj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hmjdjgjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Menjdbgj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cenahpha.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Deagdn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cogmkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cehkhecb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iblfnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jblpek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nlmllkja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fkopnh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcfhof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nepgjaeg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baocghgi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cliaoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nepgjaeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abpcon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bahmfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfoiokfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpjlklok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oflgep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iemppiab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jlpkba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Anmjcieo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekjfcipa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghopckpi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Llcpoo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lingibiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djdmffnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ambgef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Peimil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbllbibl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fchddejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kikame32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndhmhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dboigi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmhale32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kboljk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chpada32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iblfnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aelcfilb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Oqkdcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkaiqf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Peimil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjffbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Peljol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhbgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbpjhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pengdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgmcqggf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pagdol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbgqio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeemej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnnanphk.exe N/A
N/A N/A C:\Windows\SysWOW64\Acjjfggb.exe N/A
N/A N/A C:\Windows\SysWOW64\Agffge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdbcano.exe N/A
N/A N/A C:\Windows\SysWOW64\Aldomc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anbkio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aelcfilb.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpcon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeopki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alhhhcal.exe N/A
N/A N/A C:\Windows\SysWOW64\Angddopp.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbpem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaepqjpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Alkdnboj.exe N/A
N/A N/A C:\Windows\SysWOW64\Abemjmgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bahmfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhaebcen.exe N/A
N/A N/A C:\Windows\SysWOW64\Blmacb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjpaooda.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbgipldd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bajjli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beeflhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhdbhcck.exe N/A
N/A N/A C:\Windows\SysWOW64\Baocghgi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bejogg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhikcb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bldgdago.exe N/A
N/A N/A C:\Windows\SysWOW64\Bobcpmfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Baaplhef.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdolhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhkhibmc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbqlfkmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceoibflm.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdainc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cliaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cogmkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chpada32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cknnpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cahfmgoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckpjfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbgbgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckcgkldl.exe N/A
N/A N/A C:\Windows\SysWOW64\Conclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cehkhecb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbllbibl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dekhneap.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhidjpqc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkgqfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dboigi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Demecd32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Jifhaenk.exe C:\Windows\SysWOW64\Jblpek32.exe N/A
File created C:\Windows\SysWOW64\Deimfpda.dll C:\Windows\SysWOW64\Lljfpnjg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cfmajipb.exe N/A
File opened for modification C:\Windows\SysWOW64\Accfbokl.exe C:\Windows\SysWOW64\Aminee32.exe N/A
File created C:\Windows\SysWOW64\Keajjc32.dll C:\Windows\SysWOW64\Hmjdjgjo.exe N/A
File opened for modification C:\Windows\SysWOW64\Jblpek32.exe C:\Windows\SysWOW64\Jlbgha32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nggjdc32.exe C:\Windows\SysWOW64\Ndhmhh32.exe N/A
File created C:\Windows\SysWOW64\Ckpjfm32.exe C:\Windows\SysWOW64\Cahfmgoo.exe N/A
File created C:\Windows\SysWOW64\Fhjfhl32.exe C:\Windows\SysWOW64\Fdnjgmle.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieolehop.exe C:\Windows\SysWOW64\Icnpmp32.exe N/A
File created C:\Windows\SysWOW64\Memcpg32.dll C:\Windows\SysWOW64\Jfeopj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpablkhc.exe C:\Windows\SysWOW64\Mmbfpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aminee32.exe C:\Windows\SysWOW64\Aglemn32.exe N/A
File created C:\Windows\SysWOW64\Ejmcmk32.dll C:\Windows\SysWOW64\Alkdnboj.exe N/A
File opened for modification C:\Windows\SysWOW64\Edbklofb.exe C:\Windows\SysWOW64\Ekjfcipa.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbiaapdf.exe C:\Windows\SysWOW64\Gkoiefmj.exe N/A
File created C:\Windows\SysWOW64\Icnpmp32.exe C:\Windows\SysWOW64\Imdgqfbd.exe N/A
File created C:\Windows\SysWOW64\Abpcon32.exe C:\Windows\SysWOW64\Aelcfilb.exe N/A
File created C:\Windows\SysWOW64\Dccbbhld.exe C:\Windows\SysWOW64\Dlijfneg.exe N/A
File created C:\Windows\SysWOW64\Gfgjgo32.exe C:\Windows\SysWOW64\Gomakdcp.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnonbk32.exe C:\Windows\SysWOW64\Pfhfan32.exe N/A
File created C:\Windows\SysWOW64\Alkdnboj.exe C:\Windows\SysWOW64\Aaepqjpd.exe N/A
File created C:\Windows\SysWOW64\Febgea32.exe C:\Windows\SysWOW64\Fohoigfh.exe N/A
File created C:\Windows\SysWOW64\Ogkcpbam.exe C:\Windows\SysWOW64\Opakbi32.exe N/A
File created C:\Windows\SysWOW64\Dejpjp32.dll C:\Windows\SysWOW64\Foabofnn.exe N/A
File created C:\Windows\SysWOW64\Gfbploob.exe C:\Windows\SysWOW64\Gohhpe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfbkeh32.exe C:\Windows\SysWOW64\Cdcoim32.exe N/A
File created C:\Windows\SysWOW64\Dekhneap.exe C:\Windows\SysWOW64\Dbllbibl.exe N/A
File opened for modification C:\Windows\SysWOW64\Eaklidoi.exe C:\Windows\SysWOW64\Dlncan32.exe N/A
File created C:\Windows\SysWOW64\Eifbkgjd.dll C:\Windows\SysWOW64\Jfoiokfb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Caebma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Ambgef32.exe N/A
File created C:\Windows\SysWOW64\Jfihel32.dll C:\Windows\SysWOW64\Belebq32.exe N/A
File created C:\Windows\SysWOW64\Flfelggh.dll C:\Windows\SysWOW64\Mdhdajea.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndaggimg.exe C:\Windows\SysWOW64\Npfkgjdn.exe N/A
File created C:\Windows\SysWOW64\Olhlhjpd.exe C:\Windows\SysWOW64\Ojjolnaq.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgmcqggf.exe C:\Windows\SysWOW64\Pengdk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aldomc32.exe C:\Windows\SysWOW64\Ajdbcano.exe N/A
File opened for modification C:\Windows\SysWOW64\Imoneg32.exe C:\Windows\SysWOW64\Ibjjhn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpjlklok.exe C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
File created C:\Windows\SysWOW64\Aeopki32.exe C:\Windows\SysWOW64\Abpcon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmcibama.exe C:\Windows\SysWOW64\Djdmffnn.exe N/A
File created C:\Windows\SysWOW64\Ffddka32.exe C:\Windows\SysWOW64\Fcfhof32.exe N/A
File created C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Accfbokl.exe N/A
File created C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bfabnjjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Abpcon32.exe C:\Windows\SysWOW64\Aelcfilb.exe N/A
File created C:\Windows\SysWOW64\Fdlnbm32.exe C:\Windows\SysWOW64\Fooeif32.exe N/A
File created C:\Windows\SysWOW64\Fdnjgmle.exe C:\Windows\SysWOW64\Fbpnkama.exe N/A
File created C:\Windows\SysWOW64\Jlingkpe.dll C:\Windows\SysWOW64\Njnpppkn.exe N/A
File created C:\Windows\SysWOW64\Jbeidl32.exe C:\Windows\SysWOW64\Jpgmha32.exe N/A
File created C:\Windows\SysWOW64\Mlhbal32.exe C:\Windows\SysWOW64\Menjdbgj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Ocdqjceo.exe N/A
File created C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Cagobalc.exe N/A
File opened for modification C:\Windows\SysWOW64\Pqpgdfnp.exe C:\Windows\SysWOW64\Pjeoglgc.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Deagdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhaebcen.exe C:\Windows\SysWOW64\Bahmfj32.exe N/A
File created C:\Windows\SysWOW64\Dlgmpogj.exe C:\Windows\SysWOW64\Demecd32.exe N/A
File created C:\Windows\SysWOW64\Mgfqmfde.exe C:\Windows\SysWOW64\Mdhdajea.exe N/A
File created C:\Windows\SysWOW64\Pnonbk32.exe C:\Windows\SysWOW64\Pfhfan32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncbknfed.exe C:\Windows\SysWOW64\Mlhbal32.exe N/A
File created C:\Windows\SysWOW64\Nlaqpipg.dll C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
File created C:\Windows\SysWOW64\Qciaajej.dll C:\Windows\SysWOW64\Qqfmde32.exe N/A
File created C:\Windows\SysWOW64\Cahfmgoo.exe C:\Windows\SysWOW64\Cknnpm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ildkgc32.exe C:\Windows\SysWOW64\Iifokh32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll" C:\Windows\SysWOW64\Jlbgha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdgcbkb.dll" C:\Windows\SysWOW64\Bajjli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ainpbi32.dll" C:\Windows\SysWOW64\Gicinj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjgecbe.dll" C:\Windows\SysWOW64\Pgmcqggf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bejogg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbgipldd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gcagkdba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojjolnaq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfana32.dll" C:\Windows\SysWOW64\Aaepqjpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lmiciaaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncbknfed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmhale32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll" C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcdmga32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cbgbgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pengdk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dccbbhld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iifokh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdeld32.dll" C:\Windows\SysWOW64\Kdqejn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll" C:\Windows\SysWOW64\Anogiicl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll" C:\Windows\SysWOW64\Djdmffnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pengdk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" C:\Windows\SysWOW64\Liimncmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll" C:\Windows\SysWOW64\Beglgani.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdqejn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjmehkqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cenahpha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mlhbal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" C:\Windows\SysWOW64\Aglemn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lingibiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll" C:\Windows\SysWOW64\Lljfpnjg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flceckoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcdak32.dll" C:\Windows\SysWOW64\Gfgjgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jinpgcmg.dll" C:\Windows\SysWOW64\Dbllbibl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoogcin.dll" C:\Windows\SysWOW64\Hodgkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll" C:\Windows\SysWOW64\Lpcfkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pjhlml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bagflcje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll" C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aelcfilb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mchhggno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Likjcbkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qeemej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnnanphk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Beeflhdh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhkhibmc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dadeieea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll" C:\Windows\SysWOW64\Qffbbldm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Peimil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkhqd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll" C:\Windows\SysWOW64\Mmnldp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bejogg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abbpem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abpcon32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abbpem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmfhig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll" C:\Windows\SysWOW64\Bfdodjhm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe C:\Windows\SysWOW64\Oqkdcn32.exe
PID 2944 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe C:\Windows\SysWOW64\Oqkdcn32.exe
PID 2944 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe C:\Windows\SysWOW64\Oqkdcn32.exe
PID 4848 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Oqkdcn32.exe C:\Windows\SysWOW64\Pkaiqf32.exe
PID 4848 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Oqkdcn32.exe C:\Windows\SysWOW64\Pkaiqf32.exe
PID 4848 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Oqkdcn32.exe C:\Windows\SysWOW64\Pkaiqf32.exe
PID 4356 wrote to memory of 916 N/A C:\Windows\SysWOW64\Pkaiqf32.exe C:\Windows\SysWOW64\Peimil32.exe
PID 4356 wrote to memory of 916 N/A C:\Windows\SysWOW64\Pkaiqf32.exe C:\Windows\SysWOW64\Peimil32.exe
PID 4356 wrote to memory of 916 N/A C:\Windows\SysWOW64\Pkaiqf32.exe C:\Windows\SysWOW64\Peimil32.exe
PID 916 wrote to memory of 3472 N/A C:\Windows\SysWOW64\Peimil32.exe C:\Windows\SysWOW64\Pjffbc32.exe
PID 916 wrote to memory of 3472 N/A C:\Windows\SysWOW64\Peimil32.exe C:\Windows\SysWOW64\Pjffbc32.exe
PID 916 wrote to memory of 3472 N/A C:\Windows\SysWOW64\Peimil32.exe C:\Windows\SysWOW64\Pjffbc32.exe
PID 3472 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Pjffbc32.exe C:\Windows\SysWOW64\Peljol32.exe
PID 3472 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Pjffbc32.exe C:\Windows\SysWOW64\Peljol32.exe
PID 3472 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Pjffbc32.exe C:\Windows\SysWOW64\Peljol32.exe
PID 1560 wrote to memory of 4748 N/A C:\Windows\SysWOW64\Peljol32.exe C:\Windows\SysWOW64\Pjhbgb32.exe
PID 1560 wrote to memory of 4748 N/A C:\Windows\SysWOW64\Peljol32.exe C:\Windows\SysWOW64\Pjhbgb32.exe
PID 1560 wrote to memory of 4748 N/A C:\Windows\SysWOW64\Peljol32.exe C:\Windows\SysWOW64\Pjhbgb32.exe
PID 4748 wrote to memory of 4556 N/A C:\Windows\SysWOW64\Pjhbgb32.exe C:\Windows\SysWOW64\Pbpjhp32.exe
PID 4748 wrote to memory of 4556 N/A C:\Windows\SysWOW64\Pjhbgb32.exe C:\Windows\SysWOW64\Pbpjhp32.exe
PID 4748 wrote to memory of 4556 N/A C:\Windows\SysWOW64\Pjhbgb32.exe C:\Windows\SysWOW64\Pbpjhp32.exe
PID 4556 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Pbpjhp32.exe C:\Windows\SysWOW64\Pengdk32.exe
PID 4556 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Pbpjhp32.exe C:\Windows\SysWOW64\Pengdk32.exe
PID 4556 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Pbpjhp32.exe C:\Windows\SysWOW64\Pengdk32.exe
PID 2692 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Pengdk32.exe C:\Windows\SysWOW64\Pgmcqggf.exe
PID 2692 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Pengdk32.exe C:\Windows\SysWOW64\Pgmcqggf.exe
PID 2692 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Pengdk32.exe C:\Windows\SysWOW64\Pgmcqggf.exe
PID 2732 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Pgmcqggf.exe C:\Windows\SysWOW64\Pcccfh32.exe
PID 2732 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Pgmcqggf.exe C:\Windows\SysWOW64\Pcccfh32.exe
PID 2732 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Pgmcqggf.exe C:\Windows\SysWOW64\Pcccfh32.exe
PID 2560 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Pcccfh32.exe C:\Windows\SysWOW64\Pjmlbbdg.exe
PID 2560 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Pcccfh32.exe C:\Windows\SysWOW64\Pjmlbbdg.exe
PID 2560 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Pcccfh32.exe C:\Windows\SysWOW64\Pjmlbbdg.exe
PID 2528 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Pagdol32.exe
PID 2528 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Pagdol32.exe
PID 2528 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Pagdol32.exe
PID 1468 wrote to memory of 4788 N/A C:\Windows\SysWOW64\Pagdol32.exe C:\Windows\SysWOW64\Qbgqio32.exe
PID 1468 wrote to memory of 4788 N/A C:\Windows\SysWOW64\Pagdol32.exe C:\Windows\SysWOW64\Qbgqio32.exe
PID 1468 wrote to memory of 4788 N/A C:\Windows\SysWOW64\Pagdol32.exe C:\Windows\SysWOW64\Qbgqio32.exe
PID 4788 wrote to memory of 3852 N/A C:\Windows\SysWOW64\Qbgqio32.exe C:\Windows\SysWOW64\Qeemej32.exe
PID 4788 wrote to memory of 3852 N/A C:\Windows\SysWOW64\Qbgqio32.exe C:\Windows\SysWOW64\Qeemej32.exe
PID 4788 wrote to memory of 3852 N/A C:\Windows\SysWOW64\Qbgqio32.exe C:\Windows\SysWOW64\Qeemej32.exe
PID 3852 wrote to memory of 3496 N/A C:\Windows\SysWOW64\Qeemej32.exe C:\Windows\SysWOW64\Qnnanphk.exe
PID 3852 wrote to memory of 3496 N/A C:\Windows\SysWOW64\Qeemej32.exe C:\Windows\SysWOW64\Qnnanphk.exe
PID 3852 wrote to memory of 3496 N/A C:\Windows\SysWOW64\Qeemej32.exe C:\Windows\SysWOW64\Qnnanphk.exe
PID 3496 wrote to memory of 3604 N/A C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Acjjfggb.exe
PID 3496 wrote to memory of 3604 N/A C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Acjjfggb.exe
PID 3496 wrote to memory of 3604 N/A C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Acjjfggb.exe
PID 3604 wrote to memory of 216 N/A C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Agffge32.exe
PID 3604 wrote to memory of 216 N/A C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Agffge32.exe
PID 3604 wrote to memory of 216 N/A C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Agffge32.exe
PID 216 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Agffge32.exe C:\Windows\SysWOW64\Ajdbcano.exe
PID 216 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Agffge32.exe C:\Windows\SysWOW64\Ajdbcano.exe
PID 216 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Agffge32.exe C:\Windows\SysWOW64\Ajdbcano.exe
PID 1848 wrote to memory of 4156 N/A C:\Windows\SysWOW64\Ajdbcano.exe C:\Windows\SysWOW64\Aldomc32.exe
PID 1848 wrote to memory of 4156 N/A C:\Windows\SysWOW64\Ajdbcano.exe C:\Windows\SysWOW64\Aldomc32.exe
PID 1848 wrote to memory of 4156 N/A C:\Windows\SysWOW64\Ajdbcano.exe C:\Windows\SysWOW64\Aldomc32.exe
PID 4156 wrote to memory of 3704 N/A C:\Windows\SysWOW64\Aldomc32.exe C:\Windows\SysWOW64\Anbkio32.exe
PID 4156 wrote to memory of 3704 N/A C:\Windows\SysWOW64\Aldomc32.exe C:\Windows\SysWOW64\Anbkio32.exe
PID 4156 wrote to memory of 3704 N/A C:\Windows\SysWOW64\Aldomc32.exe C:\Windows\SysWOW64\Anbkio32.exe
PID 3704 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Anbkio32.exe C:\Windows\SysWOW64\Aelcfilb.exe
PID 3704 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Anbkio32.exe C:\Windows\SysWOW64\Aelcfilb.exe
PID 3704 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Anbkio32.exe C:\Windows\SysWOW64\Aelcfilb.exe
PID 2580 wrote to memory of 912 N/A C:\Windows\SysWOW64\Aelcfilb.exe C:\Windows\SysWOW64\Abpcon32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe

"C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe"

C:\Windows\SysWOW64\Oqkdcn32.exe

C:\Windows\system32\Oqkdcn32.exe

C:\Windows\SysWOW64\Pkaiqf32.exe

C:\Windows\system32\Pkaiqf32.exe

C:\Windows\SysWOW64\Peimil32.exe

C:\Windows\system32\Peimil32.exe

C:\Windows\SysWOW64\Pjffbc32.exe

C:\Windows\system32\Pjffbc32.exe

C:\Windows\SysWOW64\Peljol32.exe

C:\Windows\system32\Peljol32.exe

C:\Windows\SysWOW64\Pjhbgb32.exe

C:\Windows\system32\Pjhbgb32.exe

C:\Windows\SysWOW64\Pbpjhp32.exe

C:\Windows\system32\Pbpjhp32.exe

C:\Windows\SysWOW64\Pengdk32.exe

C:\Windows\system32\Pengdk32.exe

C:\Windows\SysWOW64\Pgmcqggf.exe

C:\Windows\system32\Pgmcqggf.exe

C:\Windows\SysWOW64\Pcccfh32.exe

C:\Windows\system32\Pcccfh32.exe

C:\Windows\SysWOW64\Pjmlbbdg.exe

C:\Windows\system32\Pjmlbbdg.exe

C:\Windows\SysWOW64\Pagdol32.exe

C:\Windows\system32\Pagdol32.exe

C:\Windows\SysWOW64\Qbgqio32.exe

C:\Windows\system32\Qbgqio32.exe

C:\Windows\SysWOW64\Qeemej32.exe

C:\Windows\system32\Qeemej32.exe

C:\Windows\SysWOW64\Qnnanphk.exe

C:\Windows\system32\Qnnanphk.exe

C:\Windows\SysWOW64\Acjjfggb.exe

C:\Windows\system32\Acjjfggb.exe

C:\Windows\SysWOW64\Agffge32.exe

C:\Windows\system32\Agffge32.exe

C:\Windows\SysWOW64\Ajdbcano.exe

C:\Windows\system32\Ajdbcano.exe

C:\Windows\SysWOW64\Aldomc32.exe

C:\Windows\system32\Aldomc32.exe

C:\Windows\SysWOW64\Anbkio32.exe

C:\Windows\system32\Anbkio32.exe

C:\Windows\SysWOW64\Aelcfilb.exe

C:\Windows\system32\Aelcfilb.exe

C:\Windows\SysWOW64\Abpcon32.exe

C:\Windows\system32\Abpcon32.exe

C:\Windows\SysWOW64\Aeopki32.exe

C:\Windows\system32\Aeopki32.exe

C:\Windows\SysWOW64\Alhhhcal.exe

C:\Windows\system32\Alhhhcal.exe

C:\Windows\SysWOW64\Angddopp.exe

C:\Windows\system32\Angddopp.exe

C:\Windows\SysWOW64\Abbpem32.exe

C:\Windows\system32\Abbpem32.exe

C:\Windows\SysWOW64\Aaepqjpd.exe

C:\Windows\system32\Aaepqjpd.exe

C:\Windows\SysWOW64\Alkdnboj.exe

C:\Windows\system32\Alkdnboj.exe

C:\Windows\SysWOW64\Abemjmgg.exe

C:\Windows\system32\Abemjmgg.exe

C:\Windows\SysWOW64\Bahmfj32.exe

C:\Windows\system32\Bahmfj32.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Blmacb32.exe

C:\Windows\system32\Blmacb32.exe

C:\Windows\SysWOW64\Bjpaooda.exe

C:\Windows\system32\Bjpaooda.exe

C:\Windows\SysWOW64\Bbgipldd.exe

C:\Windows\system32\Bbgipldd.exe

C:\Windows\SysWOW64\Bajjli32.exe

C:\Windows\system32\Bajjli32.exe

C:\Windows\SysWOW64\Beeflhdh.exe

C:\Windows\system32\Beeflhdh.exe

C:\Windows\SysWOW64\Bhdbhcck.exe

C:\Windows\system32\Bhdbhcck.exe

C:\Windows\SysWOW64\Baocghgi.exe

C:\Windows\system32\Baocghgi.exe

C:\Windows\SysWOW64\Bejogg32.exe

C:\Windows\system32\Bejogg32.exe

C:\Windows\SysWOW64\Bhikcb32.exe

C:\Windows\system32\Bhikcb32.exe

C:\Windows\SysWOW64\Bldgdago.exe

C:\Windows\system32\Bldgdago.exe

C:\Windows\SysWOW64\Bobcpmfc.exe

C:\Windows\system32\Bobcpmfc.exe

C:\Windows\SysWOW64\Baaplhef.exe

C:\Windows\system32\Baaplhef.exe

C:\Windows\SysWOW64\Bdolhc32.exe

C:\Windows\system32\Bdolhc32.exe

C:\Windows\SysWOW64\Bhkhibmc.exe

C:\Windows\system32\Bhkhibmc.exe

C:\Windows\SysWOW64\Cbqlfkmi.exe

C:\Windows\system32\Cbqlfkmi.exe

C:\Windows\SysWOW64\Ceoibflm.exe

C:\Windows\system32\Ceoibflm.exe

C:\Windows\SysWOW64\Cdainc32.exe

C:\Windows\system32\Cdainc32.exe

C:\Windows\SysWOW64\Cliaoq32.exe

C:\Windows\system32\Cliaoq32.exe

C:\Windows\SysWOW64\Cogmkl32.exe

C:\Windows\system32\Cogmkl32.exe

C:\Windows\SysWOW64\Chpada32.exe

C:\Windows\system32\Chpada32.exe

C:\Windows\SysWOW64\Cknnpm32.exe

C:\Windows\system32\Cknnpm32.exe

C:\Windows\SysWOW64\Cahfmgoo.exe

C:\Windows\system32\Cahfmgoo.exe

C:\Windows\SysWOW64\Ckpjfm32.exe

C:\Windows\system32\Ckpjfm32.exe

C:\Windows\SysWOW64\Cbgbgj32.exe

C:\Windows\system32\Cbgbgj32.exe

C:\Windows\SysWOW64\Ckcgkldl.exe

C:\Windows\system32\Ckcgkldl.exe

C:\Windows\SysWOW64\Conclk32.exe

C:\Windows\system32\Conclk32.exe

C:\Windows\SysWOW64\Cehkhecb.exe

C:\Windows\system32\Cehkhecb.exe

C:\Windows\SysWOW64\Dbllbibl.exe

C:\Windows\system32\Dbllbibl.exe

C:\Windows\SysWOW64\Dekhneap.exe

C:\Windows\system32\Dekhneap.exe

C:\Windows\SysWOW64\Dhidjpqc.exe

C:\Windows\system32\Dhidjpqc.exe

C:\Windows\SysWOW64\Dkgqfl32.exe

C:\Windows\system32\Dkgqfl32.exe

C:\Windows\SysWOW64\Dboigi32.exe

C:\Windows\system32\Dboigi32.exe

C:\Windows\SysWOW64\Demecd32.exe

C:\Windows\system32\Demecd32.exe

C:\Windows\SysWOW64\Dlgmpogj.exe

C:\Windows\system32\Dlgmpogj.exe

C:\Windows\SysWOW64\Dadeieea.exe

C:\Windows\system32\Dadeieea.exe

C:\Windows\SysWOW64\Dlijfneg.exe

C:\Windows\system32\Dlijfneg.exe

C:\Windows\SysWOW64\Dccbbhld.exe

C:\Windows\system32\Dccbbhld.exe

C:\Windows\SysWOW64\Deanodkh.exe

C:\Windows\system32\Deanodkh.exe

C:\Windows\SysWOW64\Dceohhja.exe

C:\Windows\system32\Dceohhja.exe

C:\Windows\SysWOW64\Dlncan32.exe

C:\Windows\system32\Dlncan32.exe

C:\Windows\SysWOW64\Eaklidoi.exe

C:\Windows\system32\Eaklidoi.exe

C:\Windows\SysWOW64\Ehedfo32.exe

C:\Windows\system32\Ehedfo32.exe

C:\Windows\SysWOW64\Eoolbinc.exe

C:\Windows\system32\Eoolbinc.exe

C:\Windows\SysWOW64\Elbmlmml.exe

C:\Windows\system32\Elbmlmml.exe

C:\Windows\SysWOW64\Ecmeig32.exe

C:\Windows\system32\Ecmeig32.exe

C:\Windows\SysWOW64\Ednaqo32.exe

C:\Windows\system32\Ednaqo32.exe

C:\Windows\SysWOW64\Ekhjmiad.exe

C:\Windows\system32\Ekhjmiad.exe

C:\Windows\SysWOW64\Eabbjc32.exe

C:\Windows\system32\Eabbjc32.exe

C:\Windows\SysWOW64\Edpnfo32.exe

C:\Windows\system32\Edpnfo32.exe

C:\Windows\SysWOW64\Ekjfcipa.exe

C:\Windows\system32\Ekjfcipa.exe

C:\Windows\SysWOW64\Edbklofb.exe

C:\Windows\system32\Edbklofb.exe

C:\Windows\SysWOW64\Fohoigfh.exe

C:\Windows\system32\Fohoigfh.exe

C:\Windows\SysWOW64\Febgea32.exe

C:\Windows\system32\Febgea32.exe

C:\Windows\SysWOW64\Fkopnh32.exe

C:\Windows\system32\Fkopnh32.exe

C:\Windows\SysWOW64\Fcfhof32.exe

C:\Windows\system32\Fcfhof32.exe

C:\Windows\SysWOW64\Ffddka32.exe

C:\Windows\system32\Ffddka32.exe

C:\Windows\SysWOW64\Fkalchij.exe

C:\Windows\system32\Fkalchij.exe

C:\Windows\SysWOW64\Fchddejl.exe

C:\Windows\system32\Fchddejl.exe

C:\Windows\SysWOW64\Fhemmlhc.exe

C:\Windows\system32\Fhemmlhc.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Fdlnbm32.exe

C:\Windows\system32\Fdlnbm32.exe

C:\Windows\SysWOW64\Flceckoj.exe

C:\Windows\system32\Flceckoj.exe

C:\Windows\SysWOW64\Foabofnn.exe

C:\Windows\system32\Foabofnn.exe

C:\Windows\SysWOW64\Fbpnkama.exe

C:\Windows\system32\Fbpnkama.exe

C:\Windows\SysWOW64\Fdnjgmle.exe

C:\Windows\system32\Fdnjgmle.exe

C:\Windows\SysWOW64\Fhjfhl32.exe

C:\Windows\system32\Fhjfhl32.exe

C:\Windows\SysWOW64\Gcojed32.exe

C:\Windows\system32\Gcojed32.exe

C:\Windows\SysWOW64\Gdqgmmjb.exe

C:\Windows\system32\Gdqgmmjb.exe

C:\Windows\SysWOW64\Gcagkdba.exe

C:\Windows\system32\Gcagkdba.exe

C:\Windows\SysWOW64\Ghopckpi.exe

C:\Windows\system32\Ghopckpi.exe

C:\Windows\SysWOW64\Gohhpe32.exe

C:\Windows\system32\Gohhpe32.exe

C:\Windows\SysWOW64\Gfbploob.exe

C:\Windows\system32\Gfbploob.exe

C:\Windows\SysWOW64\Gkoiefmj.exe

C:\Windows\system32\Gkoiefmj.exe

C:\Windows\SysWOW64\Gbiaapdf.exe

C:\Windows\system32\Gbiaapdf.exe

C:\Windows\SysWOW64\Gicinj32.exe

C:\Windows\system32\Gicinj32.exe

C:\Windows\SysWOW64\Gomakdcp.exe

C:\Windows\system32\Gomakdcp.exe

C:\Windows\SysWOW64\Gfgjgo32.exe

C:\Windows\system32\Gfgjgo32.exe

C:\Windows\SysWOW64\Hopnqdan.exe

C:\Windows\system32\Hopnqdan.exe

C:\Windows\SysWOW64\Helfik32.exe

C:\Windows\system32\Helfik32.exe

C:\Windows\SysWOW64\Hmcojh32.exe

C:\Windows\system32\Hmcojh32.exe

C:\Windows\SysWOW64\Hbpgbo32.exe

C:\Windows\system32\Hbpgbo32.exe

C:\Windows\SysWOW64\Hijooifk.exe

C:\Windows\system32\Hijooifk.exe

C:\Windows\SysWOW64\Hodgkc32.exe

C:\Windows\system32\Hodgkc32.exe

C:\Windows\SysWOW64\Hfnphn32.exe

C:\Windows\system32\Hfnphn32.exe

C:\Windows\SysWOW64\Hkkhqd32.exe

C:\Windows\system32\Hkkhqd32.exe

C:\Windows\SysWOW64\Hfqlnm32.exe

C:\Windows\system32\Hfqlnm32.exe

C:\Windows\SysWOW64\Hmjdjgjo.exe

C:\Windows\system32\Hmjdjgjo.exe

C:\Windows\SysWOW64\Hcdmga32.exe

C:\Windows\system32\Hcdmga32.exe

C:\Windows\SysWOW64\Iiaephpc.exe

C:\Windows\system32\Iiaephpc.exe

C:\Windows\SysWOW64\Ibjjhn32.exe

C:\Windows\system32\Ibjjhn32.exe

C:\Windows\SysWOW64\Imoneg32.exe

C:\Windows\system32\Imoneg32.exe

C:\Windows\SysWOW64\Iblfnn32.exe

C:\Windows\system32\Iblfnn32.exe

C:\Windows\SysWOW64\Iifokh32.exe

C:\Windows\system32\Iifokh32.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Iemppiab.exe

C:\Windows\system32\Iemppiab.exe

C:\Windows\SysWOW64\Imdgqfbd.exe

C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Icnpmp32.exe

C:\Windows\system32\Icnpmp32.exe

C:\Windows\SysWOW64\Ieolehop.exe

C:\Windows\system32\Ieolehop.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jbeidl32.exe

C:\Windows\system32\Jbeidl32.exe

C:\Windows\SysWOW64\Jlnnmb32.exe

C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jcefno32.exe

C:\Windows\system32\Jcefno32.exe

C:\Windows\SysWOW64\Jianff32.exe

C:\Windows\system32\Jianff32.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jfeopj32.exe

C:\Windows\system32\Jfeopj32.exe

C:\Windows\SysWOW64\Jlbgha32.exe

C:\Windows\system32\Jlbgha32.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Jifhaenk.exe

C:\Windows\system32\Jifhaenk.exe

C:\Windows\SysWOW64\Kboljk32.exe

C:\Windows\system32\Kboljk32.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kikame32.exe

C:\Windows\system32\Kikame32.exe

C:\Windows\SysWOW64\Kdqejn32.exe

C:\Windows\system32\Kdqejn32.exe

C:\Windows\SysWOW64\Klljnp32.exe

C:\Windows\system32\Klljnp32.exe

C:\Windows\SysWOW64\Kbfbkj32.exe

C:\Windows\system32\Kbfbkj32.exe

C:\Windows\SysWOW64\Klngdpdd.exe

C:\Windows\system32\Klngdpdd.exe

C:\Windows\SysWOW64\Kdeoemeg.exe

C:\Windows\system32\Kdeoemeg.exe

C:\Windows\SysWOW64\Kfckahdj.exe

C:\Windows\system32\Kfckahdj.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Leihbeib.exe

C:\Windows\system32\Leihbeib.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Lfhdlh32.exe

C:\Windows\system32\Lfhdlh32.exe

C:\Windows\SysWOW64\Lmbmibhb.exe

C:\Windows\system32\Lmbmibhb.exe

C:\Windows\SysWOW64\Ldleel32.exe

C:\Windows\system32\Ldleel32.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Liimncmf.exe

C:\Windows\system32\Liimncmf.exe

C:\Windows\SysWOW64\Lpcfkm32.exe

C:\Windows\system32\Lpcfkm32.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lmiciaaj.exe

C:\Windows\system32\Lmiciaaj.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mmlpoqpg.exe

C:\Windows\system32\Mmlpoqpg.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mchhggno.exe

C:\Windows\system32\Mchhggno.exe

C:\Windows\SysWOW64\Megdccmb.exe

C:\Windows\system32\Megdccmb.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Mmpijp32.exe

C:\Windows\system32\Mmpijp32.exe

C:\Windows\SysWOW64\Mpoefk32.exe

C:\Windows\system32\Mpoefk32.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mcpnhfhf.exe

C:\Windows\system32\Mcpnhfhf.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Nepgjaeg.exe

C:\Windows\system32\Nepgjaeg.exe

C:\Windows\SysWOW64\Nngokoej.exe

C:\Windows\system32\Nngokoej.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Ndaggimg.exe

C:\Windows\system32\Ndaggimg.exe

C:\Windows\SysWOW64\Njnpppkn.exe

C:\Windows\system32\Njnpppkn.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Ncfdie32.exe

C:\Windows\system32\Ncfdie32.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Ncianepl.exe

C:\Windows\system32\Ncianepl.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Ocbddc32.exe

C:\Windows\system32\Ocbddc32.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe

C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pqknig32.exe

C:\Windows\system32\Pqknig32.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pdifoehl.exe

C:\Windows\system32\Pdifoehl.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pqpgdfnp.exe

C:\Windows\system32\Pqpgdfnp.exe

C:\Windows\SysWOW64\Pjhlml32.exe

C:\Windows\system32\Pjhlml32.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pcppfaka.exe

C:\Windows\system32\Pcppfaka.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Pjmehkqk.exe

C:\Windows\system32\Pjmehkqk.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bfdodjhm.exe

C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bmbplc32.exe

C:\Windows\system32\Bmbplc32.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cfbkeh32.exe

C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8532 -ip 8532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8532 -s 404

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:34

Reported

2024-06-14 03:36

Platform

win7-20240611-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chhjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djefobmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebbgid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnbkddem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chhjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fehjeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbehoa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eijcpoac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dngoibmo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilknfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebbgid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Egdilkbf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hellne32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Idceea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfefiemq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hahjpbad.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gonnhhln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fnbkddem.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hellne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhjgal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dngoibmo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hckcmjep.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmcoja32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fehjeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Flmefm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gonnhhln.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlakpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmoipopd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Facdeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjdbnf32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chhjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egdilkbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gonnhhln.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfefiemq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gopkmhjk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gieojq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gelppaof.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpkjko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hicodd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlcgeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcnpbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hellne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlfdkoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcplhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Henidd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhmepp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icbimi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieqeidnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Idceea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilknfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioijbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagfoe32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chhjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chhjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egdilkbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Egdilkbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gonnhhln.exe N/A
N/A N/A C:\Windows\SysWOW64\Gonnhhln.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Pdpfph32.dll C:\Windows\SysWOW64\Idceea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Ckdjbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebbgid32.exe C:\Windows\SysWOW64\Eijcpoac.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlakpp32.exe C:\Windows\SysWOW64\Hicodd32.exe N/A
File created C:\Windows\SysWOW64\Ejdmpb32.dll C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File created C:\Windows\SysWOW64\Gpmjak32.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpmjak32.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Cbolpc32.dll C:\Windows\SysWOW64\Dhjgal32.exe N/A
File created C:\Windows\SysWOW64\Lkcmiimi.dll C:\Windows\SysWOW64\Dgodbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Filldb32.exe N/A
File created C:\Windows\SysWOW64\Bfekgp32.dll C:\Windows\SysWOW64\Flmefm32.exe N/A
File created C:\Windows\SysWOW64\Bcqgok32.dll C:\Windows\SysWOW64\Fbgmbg32.exe N/A
File created C:\Windows\SysWOW64\Hlcgeo32.exe C:\Windows\SysWOW64\Hiekid32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Chhpdp32.dll C:\Windows\SysWOW64\Gieojq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gelppaof.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File created C:\Windows\SysWOW64\Keledb32.dll C:\Windows\SysWOW64\Ckdjbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dmoipopd.exe N/A
File created C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Djbiicon.exe N/A
File created C:\Windows\SysWOW64\Lghegkoc.dll C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Flmefm32.exe C:\Windows\SysWOW64\Fbdqmghm.exe N/A
File opened for modification C:\Windows\SysWOW64\Hellne32.exe C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File created C:\Windows\SysWOW64\Dgnijonn.dll C:\Windows\SysWOW64\Ilknfn32.exe N/A
File created C:\Windows\SysWOW64\Fncann32.dll C:\Windows\SysWOW64\Dngoibmo.exe N/A
File created C:\Windows\SysWOW64\Jamfqeie.dll C:\Windows\SysWOW64\Eijcpoac.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Fnbkddem.exe N/A
File created C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File opened for modification C:\Windows\SysWOW64\Hicodd32.exe C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\SysWOW64\Icbimi32.exe N/A
File created C:\Windows\SysWOW64\Pqiqnfej.dll C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File created C:\Windows\SysWOW64\Hfbenjka.dll C:\Windows\SysWOW64\Chhjkl32.exe N/A
File created C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Fnbkddem.exe N/A
File opened for modification C:\Windows\SysWOW64\Fbgmbg32.exe C:\Windows\SysWOW64\Flmefm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gopkmhjk.exe C:\Windows\SysWOW64\Gpmjak32.exe N/A
File created C:\Windows\SysWOW64\Hicodd32.exe C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Hgmhlp32.dll C:\Windows\SysWOW64\Dbehoa32.exe N/A
File created C:\Windows\SysWOW64\Hghmjpap.dll C:\Windows\SysWOW64\Gonnhhln.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A
File created C:\Windows\SysWOW64\Hgdbhi32.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Gknfklng.dll C:\Windows\SysWOW64\Hggomh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hckcmjep.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dbehoa32.exe N/A
File created C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Dgaqgh32.exe N/A
File created C:\Windows\SysWOW64\Fmcoja32.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Kdanej32.dll C:\Windows\SysWOW64\Fmcoja32.exe N/A
File created C:\Windows\SysWOW64\Cnkajfop.dll C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dhjgal32.exe N/A
File created C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Ioijbj32.exe C:\Windows\SysWOW64\Ilknfn32.exe N/A
File created C:\Windows\SysWOW64\Dhggeddb.dll C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File created C:\Windows\SysWOW64\Febhomkh.dll C:\Windows\SysWOW64\Goddhg32.exe N/A
File created C:\Windows\SysWOW64\Bdhaablp.dll C:\Windows\SysWOW64\Henidd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Chcphm32.dll C:\Windows\SysWOW64\Ebbgid32.exe N/A
File created C:\Windows\SysWOW64\Hellne32.exe C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File created C:\Windows\SysWOW64\Ecmkgokh.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Pljpdpao.dll C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File created C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\SysWOW64\Icbimi32.exe N/A
File created C:\Windows\SysWOW64\Flcnijgi.dll C:\Windows\SysWOW64\Dmoipopd.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll" C:\Windows\SysWOW64\Flmefm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gelppaof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dngoibmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" C:\Windows\SysWOW64\Ealnephf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfefiemq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll" C:\Windows\SysWOW64\Dhjgal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" C:\Windows\SysWOW64\Djefobmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Egdilkbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpkjko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ebbgid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbenjka.dll" C:\Windows\SysWOW64\Chhjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll" C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" C:\Windows\SysWOW64\Ebbgid32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhjgal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" C:\Windows\SysWOW64\Epfhbign.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fehjeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Henidd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midahn32.dll" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djbiicon.exe N/A
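
The rows above only make sense when read together with the ShellServiceObjectDelayLoad row from the signature table: the SSODL value named "Web Event Logger" holds CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and the CLSID's InProcServer32 (Default) value is set, by one dropped stage after another, to a freshly written DLL under SysWOW64. Explorer loads every SSODL CLSID at logon, so whichever DLL holds the (Default) value last is the live persistence; every DLL name written along the way is still an indicator. The script below is an added example (not part of the report and not tooling from the sandbox vendor): it parses a handful of rows copied from the page, joins the SSODL value to the CLSID registration, and flags the pair. The KNOWN_REGISTRARS allow-list is an assumed site baseline, not something the report states.

```python
import re
from collections import defaultdict

# Constructed input: one ShellServiceObjectDelayLoad row from the behavioral2
# signature table and four 'Modifies registry class' rows from the list above,
# copied in the report's flattened "Description Indicator Process Target" form.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaepqjpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
'''

SET_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<val>[^"]*)" (?P<proc>\S+) N/A$')
KEY_RE = re.compile(r'^Key created (?P<key>.+) (?P<proc>\S+) N/A$')
CLSID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)
SSODL = '\\ShellServiceObjectDelayLoad\\'
# Assumption: processes a site baseline accepts as legitimate COM registrars.
KNOWN_REGISTRARS = {'msiexec.exe', 'regsvr32.exe', 'tiworker.exe', 'trustedinstaller.exe'}


def parse_rows(text):
    """Turn the flattened report rows into (op, key, value, writing process) events."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            # The report doubles backslashes inside quoted string values.
            events.append({'op': 'set', 'key': m['key'],
                           'value': m['val'].replace('\\\\', '\\'), 'proc': m['proc']})
            continue
        m = KEY_RE.match(line)
        if m:
            events.append({'op': 'create', 'key': m['key'], 'value': None, 'proc': m['proc']})
    return events


def build_persistence(events):
    """Join SSODL values to the CLSID registrations they point at, keyed by CLSID."""
    clsids = defaultdict(lambda: {'ssodl_names': set(), 'dlls': set(),
                                  'threading': set(), 'writers': set()})
    for ev in events:
        key = ev['key']
        if SSODL in key and ev['op'] == 'set':
            # Value name is the SSODL entry; its data is the CLSID Explorer will load.
            entry = clsids[ev['value'].upper()]
            entry['ssodl_names'].add(key.rsplit('\\', 1)[1])
            entry['writers'].add(ev['proc'])
            continue
        m = CLSID_RE.search(key)
        if not m or '\\CLSID\\' not in key:
            continue
        entry = clsids[m.group(0).upper()]
        entry['writers'].add(ev['proc'])
        if ev['op'] != 'set':
            continue
        if key.endswith('\\InProcServer32\\'):        # trailing '\' = (Default) value
            entry['dlls'].add(ev['value'])
        elif key.endswith('\\InProcServer32\\ThreadingModel'):
            entry['threading'].add(ev['value'])
    return dict(clsids)


def flag_ssodl_hijack(persistence):
    """One finding per (CLSID, in-proc DLL) pair that Explorer would auto-load."""
    findings = []
    for clsid, e in persistence.items():
        if not e['ssodl_names'] or not e['dlls']:
            continue
        registrars = {w.rsplit('\\', 1)[-1].lower() for w in e['writers']}
        for dll in sorted(e['dlls']):
            reasons = ['SSODL value %s points at this CLSID' % ', '.join(sorted(e['ssodl_names']))]
            if not registrars & KNOWN_REGISTRARS:
                reasons.append('InProcServer32 written by non-installer process(es)')
            if len(e['dlls']) > 1:
                reasons.append('(Default) rewritten to %d different DLLs' % len(e['dlls']))
            findings.append({'clsid': clsid, 'dll': dll, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in flag_ssodl_hijack(build_persistence(parse_rows(SAMPLE_ROWS))):
        print(f['clsid'], f['dll'], '; '.join(f['reasons']))
```

Two practitioner notes. The value name "Web Event Logger" is the name of a legitimate SSODL entry (the WebCheck object) on stock Windows, so the name alone is not the indicator; the CLSID it holds and the DLL behind that CLSID are. And the DLL paths are written as `C:\Windows\SysWow64\...` (mixed case) while the report renders the writing processes as `SysWOW64`: NTFS does not care, but the literal casing in the registry value is the sample's own string and can be used as a pivot when hunting across hosts.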

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe C:\Windows\SysWOW64\Ckdjbh32.exe
PID 1176 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe C:\Windows\SysWOW64\Ckdjbh32.exe
PID 1176 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe C:\Windows\SysWOW64\Ckdjbh32.exe
PID 1176 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe C:\Windows\SysWOW64\Ckdjbh32.exe
PID 2652 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Chhjkl32.exe
PID 2652 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Chhjkl32.exe
PID 2652 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Chhjkl32.exe
PID 2652 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Chhjkl32.exe
PID 2612 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2612 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2612 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2612 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2712 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2712 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2712 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2712 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2488 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2488 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2488 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2488 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2504 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dbehoa32.exe
PID 2504 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dbehoa32.exe
PID 2504 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dbehoa32.exe
PID 2504 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dbehoa32.exe
PID 2584 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Dbehoa32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2584 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Dbehoa32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2584 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Dbehoa32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2584 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Dbehoa32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2176 wrote to memory of 1556 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 2176 wrote to memory of 1556 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 2176 wrote to memory of 1556 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 2176 wrote to memory of 1556 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 1556 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 1556 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 1556 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 1556 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 1732 wrote to memory of 324 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 1732 wrote to memory of 324 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 1732 wrote to memory of 324 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 1732 wrote to memory of 324 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 324 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 324 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 324 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 324 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 1852 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Eijcpoac.exe
PID 1852 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Eijcpoac.exe
PID 1852 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Eijcpoac.exe
PID 1852 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Eijcpoac.exe
PID 2344 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Ebbgid32.exe
PID 2344 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Ebbgid32.exe
PID 2344 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Ebbgid32.exe
PID 2344 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Ebbgid32.exe
PID 1444 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Ebbgid32.exe C:\Windows\SysWOW64\Epfhbign.exe
PID 1444 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Ebbgid32.exe C:\Windows\SysWOW64\Epfhbign.exe
PID 1444 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Ebbgid32.exe C:\Windows\SysWOW64\Epfhbign.exe
PID 1444 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Ebbgid32.exe C:\Windows\SysWOW64\Epfhbign.exe
PID 2560 wrote to memory of 968 N/A C:\Windows\SysWOW64\Epfhbign.exe C:\Windows\SysWOW64\Eiomkn32.exe
PID 2560 wrote to memory of 968 N/A C:\Windows\SysWOW64\Epfhbign.exe C:\Windows\SysWOW64\Eiomkn32.exe
PID 2560 wrote to memory of 968 N/A C:\Windows\SysWOW64\Epfhbign.exe C:\Windows\SysWOW64\Eiomkn32.exe
PID 2560 wrote to memory of 968 N/A C:\Windows\SysWOW64\Epfhbign.exe C:\Windows\SysWOW64\Eiomkn32.exe
PID 968 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Eajaoq32.exe
PID 968 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Eajaoq32.exe
PID 968 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Eajaoq32.exe
PID 968 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Eajaoq32.exe
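
Read as a graph, the WriteProcessMemory rows above describe one strictly linear chain: the submitted sample (PID 1176) writes into Ckdjbh32.exe, which writes into Chhjkl32.exe, and so on, each stage spawning and writing into exactly one successor, with every hop logged the same number of times. Reconstructing that chain is what tells you which dropped file is the parent of which, and in what order to pull their memory dumps. The script below is an added example (not part of the report and not sandbox-vendor tooling); the hop list is copied from the table above, and report_rows() re-emits it in the report's own row format so the parser works on the real layout.

```python
import re
from collections import Counter, defaultdict

WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$')

SAMPLE_EXE = r'C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe'
# Constructed input: the sixteen (parent PID, child PID, child image) hops of
# the table above; report_rows() re-emits them in the report's row format.
HOPS = [(1176, 2652, 'Ckdjbh32.exe'), (2652, 2612, 'Chhjkl32.exe'),
        (2612, 2712, 'Dhjgal32.exe'), (2712, 2488, 'Dngoibmo.exe'),
        (2488, 2504, 'Dgodbh32.exe'), (2504, 2584, 'Dbehoa32.exe'),
        (2584, 2176, 'Dgaqgh32.exe'), (2176, 1556, 'Dmoipopd.exe'),
        (1556, 1732, 'Djbiicon.exe'), (1732, 324, 'Dgfjbgmh.exe'),
        (324, 1852, 'Djefobmk.exe'), (1852, 2344, 'Eijcpoac.exe'),
        (2344, 1444, 'Ebbgid32.exe'), (1444, 2560, 'Epfhbign.exe'),
        (2560, 968, 'Eiomkn32.exe'), (968, 2872, 'Eajaoq32.exe')]


def report_rows(hops=HOPS, root_image=SAMPLE_EXE, repeats=4):
    """Emit rows as the report lists them: every hop appears `repeats` times."""
    image = {hops[0][0]: root_image}
    rows = []
    for src, dst, name in hops:
        image[dst] = 'C:\\Windows\\SysWOW64\\' + name
        rows += [f'PID {src} wrote to memory of {dst} N/A {image[src]} {image[dst]}'] * repeats
    return '\n'.join(rows)


def parse_writes(text):
    """(src pid, dst pid, src image, dst image) per row; unrelated lines are skipped."""
    writes = []
    for line in text.splitlines():
        m = WRITE_RE.match(line)
        if m:
            writes.append((int(m['src']), int(m['dst']), m['src_img'], m['dst_img']))
    return writes


def build_graph(writes):
    """Collapse repeated rows: edge -> write count, pid -> image, parent -> children."""
    edge_writes = Counter((s, d) for s, d, _, _ in writes)
    image, children = {}, defaultdict(list)
    for s, d, si, di in writes:
        image[s], image[d] = si, di
    for s, d in edge_writes:
        children[s].append(d)
    return edge_writes, image, children


def injection_chain(writes):
    """Walk root -> leaf; refuse anything that is not a single linear chain."""
    edge_writes, image, children = build_graph(writes)
    targets = {d for _, d in edge_writes}
    roots = [s for s in children if s not in targets]
    if len(roots) != 1:
        raise ValueError(f'expected one root process, found {roots}')
    chain, pid, seen = [], roots[0], set()
    while pid not in seen:
        seen.add(pid)
        chain.append((pid, image[pid]))
        kids = children.get(pid, [])
        if not kids:
            return chain
        if len(kids) > 1:
            raise ValueError(f'PID {pid} wrote into several children: {kids}')
        pid = kids[0]
    raise ValueError(f'cycle at PID {pid}')


def writes_per_hop(writes):
    """Distinct per-edge write counts; a single value means every stage behaves alike."""
    return set(Counter((s, d) for s, d, _, _ in writes).values())


def dropped_images(chain):
    """Basenames of every stage except the submitted sample (IoC list)."""
    return [img.rsplit('\\', 1)[-1] for _, img in chain[1:]]


if __name__ == '__main__':
    chain = injection_chain(parse_writes(report_rows()))
    for depth, (pid, img) in enumerate(chain):
        print(f'{depth:2d} {pid:5d} {img}')
```

One caveat when matching these PIDs against the Processes list that follows: the command lines there read `C:\Windows\system32\Ckdjbh32.exe` while the image path is `C:\Windows\SysWOW64\Ckdjbh32.exe`. That is WOW64 file-system redirection, not two files: a 32-bit process that opens `system32` is silently redirected to `SysWOW64`, which is also why every registry write in this report lands under `WOW6432Node`. Detections keyed on the command-line path alone will look in the wrong directory.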

Processes

C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe

"C:\Users\Admin\AppData\Local\Temp\bf9db0b4b85785c1e59e24ffbe99609a9e8a9a7906fdff6f93bd2ff840565928.exe"

C:\Windows\SysWOW64\Ckdjbh32.exe

C:\Windows\system32\Ckdjbh32.exe

C:\Windows\SysWOW64\Chhjkl32.exe

C:\Windows\system32\Chhjkl32.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Dbehoa32.exe

C:\Windows\system32\Dbehoa32.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Dgfjbgmh.exe

C:\Windows\system32\Dgfjbgmh.exe

C:\Windows\SysWOW64\Djefobmk.exe

C:\Windows\system32\Djefobmk.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Ebbgid32.exe

C:\Windows\system32\Ebbgid32.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Egdilkbf.exe

C:\Windows\system32\Egdilkbf.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Ffkcbgek.exe

C:\Windows\system32\Ffkcbgek.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gopkmhjk.exe

C:\Windows\system32\Gopkmhjk.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hellne32.exe

C:\Windows\system32\Hellne32.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 140

Network

N/A

Files

memory/1176-4-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Ckdjbh32.exe

MD5 d448a8d9af890c103aaf5a20115e3f65
SHA1 4906cdec78242d75d4aee3f159948add2bd2a222
SHA256 3739ed2035913dcce983aff1f6cf06ff10b7d04c617d4c19237303cc9e0f62b7
SHA512 b109b4adf27c12863c0fdebf1e25f94465cd681006c2d341477b9111a27074854fff6763709a8c7e391818f2d39bc582fb96d2ca0928a60fb4386d3081963e4b

memory/2652-13-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1176-11-0x0000000000290000-0x00000000002D4000-memory.dmp

\Windows\SysWOW64\Chhjkl32.exe

MD5 dc48ba604641c3a0a7129265b5e5cd4f
SHA1 32cafd284165948850a3505ab0618a28e5dcefd4
SHA256 e917ed8b90fe39ee14d383e893c84d2ad6d82191632a69edcabdac8183390889
SHA512 acb6943581459728715bfcda81e09cbc32408300a1537d9c2bfd07ab1c0e9f498ca1af4279b1bf1e9bbee923e743e4e7175f4795175ebd967fe2109ebc8f4d5b

memory/2612-28-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2652-26-0x0000000001F50000-0x0000000001F94000-memory.dmp

memory/2652-22-0x0000000001F50000-0x0000000001F94000-memory.dmp

memory/2712-41-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Dhjgal32.exe

MD5 e8dc61f5784242e405296ca7e75a2d08
SHA1 7441faeb8bd6c796849d7e69a104c19adc0dffb5
SHA256 1f4800853bfb9e7de3d557e636521c5a0331c9c7f80149b08abe813b71965986
SHA512 ed2facb2600da3a6dff19095c6b2d1a5aed591cd1a8f6fee1e378147b1604a94a4f219d606172aa5993979c5c3579a93ed8a8ed1c77bcdd92a04eca3d34a16e7

\Windows\SysWOW64\Dngoibmo.exe

MD5 6ede9774e6b447b472d3138d26492d1e
SHA1 e4b3b466573e80d48227ebc49b7616ff41c3d8fb
SHA256 296930f4185f950ec54afe486f895a1cd173347da881f091bab7218d4e20e6b7
SHA512 e7fe76c28f51c7d472cd97ea25c6d2e551b0c1df469c02a2cbaf61c6f9eeab2f14693a7967498cae76dbd60de6ab5446ce41afc40d3d07355e831fa9c2e0699d

memory/2712-53-0x0000000000300000-0x0000000000344000-memory.dmp

memory/2488-55-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Dgodbh32.exe

MD5 3b715529286134b1255b54232fb3956d
SHA1 fd2baf5d6af5f8cbbfd6ab8871c8c443a66f2d8e
SHA256 18aa41927fb7d5265d05b351ee740204384cad377aa44b43017fd0a16d91db11
SHA512 09508a24ab3417bc2bdc1d4946e7181d0d73c07545719cc9779506100644c3226b7d6e898aab747694bb1a8da0c698a2520515efa14e0c20354dde7e6dc69354

memory/2504-68-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Dbehoa32.exe

MD5 b8fcb77ef96401eb0368414458122366
SHA1 04c9e904bebb863e59c3166dd0dddb08453482c0
SHA256 d68e005452a1260be83a347632ecc346786a2cba922616cf1e473389a5d334ad
SHA512 c7491d8ff47ace36fbeba227066db1ac76ce44f286b950103d69103cd367000e5959340a17f410cb628f731c82af0e2aa6760e7378c6f970e8a26c68411142c4

memory/2584-81-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Dgaqgh32.exe

MD5 36fba565f4b824d80576bfaf632111ad
SHA1 74f45f9748eb8b7b90613d7acc0a8be507e2b0e1
SHA256 77bf9d12c19114f34c3cda07677fbd17a55d75aadb83fad9ab9f55f42ca00f52
SHA512 92d74a9afdabdc9a60c81ef8ae1075a72a015032e82873ed66c1bb07824019fe8ffccdc9c0ae095262f2309c9634f59e7a377bef04fde44ba0f038b8aa70421d

memory/2176-99-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2584-94-0x0000000001F70000-0x0000000001FB4000-memory.dmp

\Windows\SysWOW64\Dmoipopd.exe

MD5 27175fc83a47d45e92005fda6fc1ad4d
SHA1 47765677dcdc8c9595e3f5a6ea096b2ae222f693
SHA256 9f5a91c0ed3a3a5130fb26d60e07ba618a8705abef48b961e5b282c211eb252e
SHA512 2e2c9ae9c2c16d753cb553fc358c88200279b7ba0163397b1ee5c28789911dd18d47f2d13d402f1d8f1d43f0880470942564a27fffd5d6cf88bb1b581d70b5a0

memory/2176-103-0x00000000002E0000-0x0000000000324000-memory.dmp

memory/1556-114-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Djbiicon.exe

MD5 f46cfd909a3b2338da5d28adde7a501e
SHA1 85c113badc14de032d0fc324b8cfd6e59b4a143c
SHA256 5b6ca5a6cc7844165896e86f1abb1fa3ae6a086cbc0b463d8c4dd4aac90aecc9
SHA512 4cbf0b725372f22565fc18ee938c7126cfdeaa02555ef135df232200bfb89b407fe2966f1b5ea0d8c010e1c64119d3ff226bf00097aaa930faa9c946e8f69079

memory/1732-122-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Dgfjbgmh.exe

MD5 01ab9550a67c6e64bfc9f689bb6f7a73
SHA1 c6dfd453d1ef82e703455223da827f6dad27962a
SHA256 d8f6b6261bc2068d3f7da76540093c43edb217150194744f9f107e35a8b70432
SHA512 c428a6a8b8b97311cd20878ff52b06a695916540de54e898e5507830d9440c235f4fc0075c62f2fee271e55de624ef47e09842b621e0f28b8d7ca49471ce8e3a

memory/1852-148-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Djefobmk.exe

MD5 5cba129259337da3eced02d242769b69
SHA1 76acc4c93201b36c55ec5a39ffa1eb4b762d47b2
SHA256 fbe2310a365e7ecadec29197e97fcac1df85eaed7288110225ed8e8395de161b
SHA512 bfd8116935da5a187542e4bbd7e8e1467b1c35f754e18019471fa325e92a605338106ec69ce83797224dc0afa0af4b7d4830ead0087bbd937b3dc95bb7b057b4

memory/324-139-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Eijcpoac.exe

MD5 580cae8a33edafc268084f632d2577b3
SHA1 e76dec23439df128390fd3d89b7db581fdde4e02
SHA256 228fb20883671a1430ce98a4ede9c65f60c1ed3cf898a4dca72c22bca181534e
SHA512 1462f17e673fbc0c66161210575646e79348de33a03a9202a328fe4ca2e4cf77ede4ab707451d7505acf0ccbc6970b288d8da84bf28bf0542ca59f9b0e4dd270

memory/1852-160-0x00000000002E0000-0x0000000000324000-memory.dmp

\Windows\SysWOW64\Ebbgid32.exe

MD5 94d07c74e855160b711773559f1b2e0f
SHA1 8ce8d47f6a5d2d7be27ab51eb6e6f952df3a44c3
SHA256 6f40d707458e0ec5b8cca502cd92329064bc1b37098a84e1d6c97a141464b188
SHA512 3a0c42c821ebb4ab9fba837143a53a3d5925273ef5f32a9cb64de0b20cf8292cee58e68b5666bc962acab6af0c7fd5b772fc8851fb367fdf0e7fef6c1a67c65c

memory/1444-174-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Epfhbign.exe

MD5 a1985a0f79a2a0214beff5dfd7084e22
SHA1 bafa59ec63bf8793f25e45a6521a97dfea2a623d
SHA256 de2d3ca54895c37322456139d0839400fc2baa49386525c9d2ff94747fdea1dd
SHA512 80b8081f69c4431f7ca0a17353a215dd5111f4d8dedeac2fa827e91d2b71e5f844d17507152a9aa6180d4e4c3622a3408bcf0e93bbe8c669f0be70e173815d7d

memory/1444-182-0x0000000000450000-0x0000000000494000-memory.dmp

memory/2560-193-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Eiomkn32.exe

MD5 5e8570a328771dcba4114d754ede1f6e
SHA1 e393da65302c8f04e7f9706e387683c0442a55fe
SHA256 1374cbc7d2080352ed5c1e2bf547009b099d5231976e5ec97946798e7430d19d
SHA512 6bec68ddb05d0d65390533d86199cd68f8686fad16b7485d5654fb776439a92e04a88f69bdbe0d8e43ae87ee8f603ecd1d5403180b11ec95eb29cb65e03a07fe

memory/968-201-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Eajaoq32.exe

MD5 90d2aadaa276e33ba2c2e8db945b5e23
SHA1 c050c7b96e4bcb10360a40681e7ab33111324f0c
SHA256 f60efc194209f410d9c576193b781164bc1de6b1e46a70b857d1046dbfba61a1
SHA512 0827516db1d06605703ed2d1092651a97ca65fad88ad72333d0137679fe5357e7718aad5894ce1069905a0296aed7f12c6051ba771c18000353268f56eeed9d6

memory/2872-219-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Egdilkbf.exe

MD5 287f20d35141d1ca0ccd695ce7a2ef3d
SHA1 802776dc33b79fe95ca14a67404e3e2f31893608
SHA256 047e2d09fdf0d42d291d5092d735aa9f7d0dac37b5e0e795c755ed5e637e44bf
SHA512 3e50a6d653fa8e29dca158fd9e6be4239f00f43201d90808cd7f8f38c4f10ce9449e73c3a6e579ee8c0001ebf51f1efccf11755aeaa91185dec0abbd30e974b6

memory/2148-224-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Ealnephf.exe

MD5 05823622e60c6d3053f2cefb22af6456
SHA1 a5a1c2a7df94f82b59d9f7f7fe7f209898594576
SHA256 1815c61617ac0469ba08a857ae4923f741d6e1b24b1392029fd76a0d82017845
SHA512 e52d5b5a7567b6f75a1c83987e34a9d8eb93dadbb056c1d9cd8fb3a0f6323eee13afe45e57702e338fc578db2e008c02d289ade0ece3f034a37c89129c3dd7ef

memory/3000-238-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2148-237-0x0000000000250000-0x0000000000294000-memory.dmp

memory/3000-240-0x0000000000280000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Fehjeo32.exe

MD5 70205ec837268433ccc72c61962fe7e6
SHA1 68a847114d3d3090db760e96a8db33e999b970e2
SHA256 d7b314ef492f80fb7a11ac8d81189a0466ce0d3091665d9393f76287425ae9f3
SHA512 e0f7ab191b50d8da494dd76669d3fc7bfe48dc788fc1f3b461b6802e708fbfcd0431485525caf3b6f4dfae23d8fd0ce9b5b5b15982896e7d2dc90086df4753bf

memory/3000-248-0x0000000000280000-0x00000000002C4000-memory.dmp

memory/3060-249-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 897bde7776fcc0761a25f65a96e10f14
SHA1 4040efeff3b2e5dcbbbe044589e236eec2b1d6ea
SHA256 a051353a07fd9f07d4177b2d89f0bc382416d97d865db53657b6578d8ecc9910
SHA512 490222712456442f88aa8c0edcca25039f7ba22eb3e4ac6f2ba036176c4a7f863de513ad9352458942fe05c23f71e804e1e6e772111e7e8d16cfc6caf8e5ea26

memory/2156-260-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3060-259-0x0000000000250000-0x0000000000294000-memory.dmp

memory/3060-258-0x0000000000250000-0x0000000000294000-memory.dmp

C:\Windows\SysWOW64\Fmcoja32.exe

MD5 5d646ffacda25d613c007504fc2aac56
SHA1 ea581df1c49006dfe74bbb56b658f8da2b47d0b0
SHA256 bc4b65bc57460f4d3aee9b34b9807b84e10e71de4e5cf9396b039c090cb38bcf
SHA512 e7d028306fab0205147a675f6aaae2f23ca5b92d81b035d6b94d29b6f46fbfac4c75dd6a975c1f02659a47e7add0da98e76e4edddfa6385cc1de8ed868768028

memory/2276-267-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2156-266-0x00000000002F0000-0x0000000000334000-memory.dmp

memory/2156-265-0x00000000002F0000-0x0000000000334000-memory.dmp

C:\Windows\SysWOW64\Ffkcbgek.exe

MD5 77d84d14e1cb2fea03ab47c17b2f7d92
SHA1 7acad161d0f60b0b8ecea8ce2d2195d565d179af
SHA256 e6cb3d3958dd62107fb27e3bab01e4870265819e2a5bf91894bd7c8b019a9501
SHA512 8e9f72b7d423f5208e555b09c555bbf0965505957fa9ce73d1a7fae7f412ba1aa8be8c318d8ee6b39d45e65b6d9a52a591befc1b88eece219ed96027df08cb90

memory/952-282-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2276-281-0x0000000000250000-0x0000000000294000-memory.dmp

memory/2276-280-0x0000000000250000-0x0000000000294000-memory.dmp

memory/952-288-0x00000000002F0000-0x0000000000334000-memory.dmp

memory/848-289-0x0000000000400000-0x0000000000444000-memory.dmp

memory/952-287-0x00000000002F0000-0x0000000000334000-memory.dmp

C:\Windows\SysWOW64\Fnbkddem.exe

MD5 bcff2e838c03d1d48441326f74c5957e
SHA1 a0d0340e74bc547093b97b340a41eb6e7027d29f
SHA256 f2cfa21c78bc8a058219a5bcef785d01a77ee4f115cf3948e93c6ccbb6a8bb7c
SHA512 d6bdee1f48d58e868c8fda61cf3799f9b639841c53d06a2fc0d2767f360e765ab6b5fd725bd179ef1bddfddbe457de52e41ec1dc5c5b7dbb2c7c280021a04943

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 21fc3aef5dc3f96a5d8cc5b8dc8d6100
SHA1 b69d3a7fb041f56de9c3d4ce6c8d703d70d2a835
SHA256 c927d5a22f35037c007ef758061a77f98c0fa10b807c4dcd0d1a28add4d4feab
SHA512 3618b707ed71c5edc15bd1034c4129b44463d2e2b486b49e6f8575b0649895310e63d3deb0befbcecf8f3b2c54e8015ccb907aa42ec58d9ab03399ca6d8b4ee4

memory/568-304-0x0000000000400000-0x0000000000444000-memory.dmp

memory/848-303-0x0000000000450000-0x0000000000494000-memory.dmp

memory/848-302-0x0000000000450000-0x0000000000494000-memory.dmp

memory/568-310-0x0000000000450000-0x0000000000494000-memory.dmp

memory/1636-315-0x0000000000400000-0x0000000000444000-memory.dmp

memory/568-309-0x0000000000450000-0x0000000000494000-memory.dmp

C:\Windows\SysWOW64\Filldb32.exe

MD5 be83e714ca5242af086006382534c144
SHA1 0732aab3e73b8b00b2341b3822502d31950774e9
SHA256 2de6b0a9a3d159782ea384b54d57cd22c7000448611a2e8653ce2bbffa0fd5c6
SHA512 b0cecb8d36bec1a6ed9ba613ecbeb5236e32a97ddb1888e7bbea51bde173a93ace26e63c3f489813f94e9907b3646da8c8ad55da4f884ce83a8f738f59c7f853

C:\Windows\SysWOW64\Facdeo32.exe

MD5 264a85f1de07042bd59836de2da4a152
SHA1 a467bac3a8186f4c88e68188217eae888427e6e4
SHA256 ee95e0187e602a1d301c8196fe149d936a39b821151b99102418a734c28557ee
SHA512 2a9f12948ba11043e02a49000cab55489837f3352af0822ee91119c7d51e1fa508db8dfb8b399be8b5c66ee60f8aaf5a96321df5dcab66c9629da61e221596d4

memory/2916-326-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Fbdqmghm.exe

MD5 9cd1da054ba3ed50fd3eb4bb197ae372
SHA1 f4bae3ad507d9eb9e85592bfc7c8f767b76d253a
SHA256 521301d12bc449c5a3dd1b953d93ebb83b5e670549bb33dd66248728705e3450
SHA512 4b082a696b2746baa8dc47985f5314f8dba08d72e6d626977da9738a2fa669d7ac9c5afaca52fba4a241977236d96a23a7e7ce5db291d6316fce457fd1b75f6b

memory/1524-333-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2916-332-0x0000000000450000-0x0000000000494000-memory.dmp

memory/2916-331-0x0000000000450000-0x0000000000494000-memory.dmp

memory/1636-325-0x00000000005E0000-0x0000000000624000-memory.dmp

memory/1636-324-0x00000000005E0000-0x0000000000624000-memory.dmp

memory/1524-343-0x00000000002E0000-0x0000000000324000-memory.dmp

memory/1524-342-0x00000000002E0000-0x0000000000324000-memory.dmp

C:\Windows\SysWOW64\Flmefm32.exe

MD5 2042d7b4688b0f2cd64961d37131eeff
SHA1 2fa8064b292bea7f6cf8d7b13d774f559160534b
SHA256 0de5dd3de82bbd3a0e31f40b812ea04174f182d4a65cb56877b66fff847fda95
SHA512 71fa32e327d05611022a29a35534d94de5f1c877940d7e584757f1a9492c2321e3a535cb5d4d3bbf2d5037d078bbf61309d7d11468f82dbc475e1b34bc2d3235

memory/2328-348-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 c531bb146bd702610b096f7f94b37b6b
SHA1 d0543aaef29ea6b7d5db7ead5d42f4a073aede06
SHA256 e1b9966833acc41c5e43a34cf672ffc97028d97ed3f171ba23fc311224e5b125
SHA512 b80b28038475bc335d81da09582c61f75b3c35140c5f6602bb3d1e171a6018e92c4c9c6d166e49814062a8e72467dad9b596070a9d303be744c895a8c3e8632e

memory/2692-355-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2328-354-0x0000000000310000-0x0000000000354000-memory.dmp

memory/2328-353-0x0000000000310000-0x0000000000354000-memory.dmp

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 4fd7f8b1f8be28d4b756ff3fa6cde569
SHA1 e22f3a36fd61fc057fc1e133c5de14741d571862
SHA256 8b7c1186662c98662b5f37f3d7125a301fe4028858bf32e6be392668b19d8928
SHA512 77a8e3dd7a02cd39c9e4dcf4c0819de26c3ff9de6a8d9bf03a475ca3f156047074f11b6e34deb96092bbd510568e72b89b7cc3651d04df6d6bdacc26c0826a21

memory/2580-370-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2692-369-0x0000000000450000-0x0000000000494000-memory.dmp

memory/2692-368-0x0000000000450000-0x0000000000494000-memory.dmp

memory/2580-376-0x0000000000450000-0x0000000000494000-memory.dmp

memory/2816-377-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2580-375-0x0000000000450000-0x0000000000494000-memory.dmp

C:\Windows\SysWOW64\Gonnhhln.exe

MD5 ecb63f191c54485921d341f3725ccd93
SHA1 3eaf58d2b7285b125350622bbe64efed3f4cd666
SHA256 3abc710273f02a6f8769bc7deb8b394c678fa2048e461be54078045d42b32d97
SHA512 3b4e10b87477c0eeeff2c368725d84c020e7b3f6a0f7909f2d5f180943350b1450138e9608be64e44c9a5335a32149537f13b55aa3b6632ffe1ef1e29073320a

C:\Windows\SysWOW64\Gfefiemq.exe

MD5 766184dda570bb291a5ff2d44bf720c2
SHA1 c049380eff1678a213b241b8a76d7a21759d7284
SHA256 fe0883a32e8e8de9e244cf5aeea3968f1af11bcfd03ac636ae8f41c747a26b10
SHA512 dee6d7e5d6619802709a90dffc8b23446d9d67abc5afe909f8e351e602a7e62b0db74637e137fb1e2bf7649a42e6c9416174bd49c5c09ee6dec773468e801b28

memory/2816-390-0x0000000000280000-0x00000000002C4000-memory.dmp

memory/2708-393-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2708-399-0x0000000000310000-0x0000000000354000-memory.dmp

memory/2480-398-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2708-397-0x0000000000310000-0x0000000000354000-memory.dmp

memory/2816-392-0x0000000000280000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 44f46c01821e02e450f1c2283ca14156
SHA1 ffdd178ad8a847df8a6c5b012e92a0c5bbacc700
SHA256 1fb1decced1b40bd7bd897233cd8f3082eeb95024d5a246a58e3806d29a89e8b
SHA512 12323e7f445f3fd018830ec7294f662f8c317af93c9ffb9924f9b575816fed07e6a2d4e067940dd1935bbab6c180b88cbc6899c31106a126a57cafaad16ce709

C:\Windows\SysWOW64\Gopkmhjk.exe

MD5 a4e34e50341867e138c020f171b1e6ab
SHA1 c2588bdb9b19e90d38996be51deb2998064b12e4
SHA256 c5bfaed7e35b2d05456fe541d9f474404ea293ee90eb06d47272f671da4b7ec1
SHA512 6f7938879a90fc39e0e7025c9ad1f10dc42b8ced846891bb947c734be8d917a4837eeb12a5ed8647efed50a812e99f33e94f4b1684a1cff1070664a1c0d93205

memory/1668-414-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2480-413-0x0000000001F40000-0x0000000001F84000-memory.dmp

memory/2480-412-0x0000000001F40000-0x0000000001F84000-memory.dmp

memory/1220-421-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1668-420-0x0000000000290000-0x00000000002D4000-memory.dmp

memory/1668-419-0x0000000000290000-0x00000000002D4000-memory.dmp

C:\Windows\SysWOW64\Gieojq32.exe

MD5 73df316974d445c4eb14cea352f10f16
SHA1 ea7ea4bd0aacfd0d2bbe61778e83abe72c78c3b5
SHA256 8fa00de23f7e29eb596b75138956aa58e71ab7de32bbb77389104804fe146b71
SHA512 3d2cf18ebd4b10911c51d8c30144b6612542ce76a9b8d9514595381b9e6869adcca99278adeafcae29db7311e0de473ae6ca26fff923aaac349430cf09e0d952

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 c1faf2e55b93976eb928efe0c6af5eec
SHA1 31efb5ec4993f401aaae3d742291cc02918ad0dc
SHA256 1fde0103a2e2f92f190baea7e27c06a1ebe62dc2f1a73cc070f3acbacdd1ccdd
SHA512 07807ce7c4cd94e8ac90dd361bb334c82e4bfb48c6be321afa498ddc5500a7fa4a69608fcc4cfd115ed8d501790acdbd6683b11d4ae4d9d4ac1b4eae3da591c7

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 db1e21a6548ca14e0e00ec58f47ec7ee
SHA1 bba97eb1fc62b17c6a11263f8d07f5129b8ce580
SHA256 467a8385c0487e9e0443b03854e590604a42768723b35c4570b8cdf581d3a2fe
SHA512 679e6b3c3d0adc9bb1737cf50a51c1970c7a20beaead6b53212a7e9ab68a958ca280708359d26659e9086248d29c918d44c8f85afac155a7494733ef35fd6201

memory/1260-447-0x0000000000250000-0x0000000000294000-memory.dmp

memory/768-442-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1260-441-0x0000000000250000-0x0000000000294000-memory.dmp

memory/1260-440-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1220-439-0x0000000000250000-0x0000000000294000-memory.dmp

memory/1220-438-0x0000000000250000-0x0000000000294000-memory.dmp

C:\Windows\SysWOW64\Gelppaof.exe

MD5 46af3cdcda117691ceabb1cfe57a8685
SHA1 c9eb6defaa097ca9a1d46bd4f5254897dbd4c44c
SHA256 d29f2582c9c99aa235265bc615e18a3790eb63d0ab4e080a91b3c82e33cc6fba
SHA512 637c2bd04940a553f90b66400f9c3055173a84895657f152e763f89175ec2d3560c4e03bc052e31e34e846856d80cc81b385565ec314c4d9d2a45f720e409b12

memory/2388-463-0x00000000002F0000-0x0000000000334000-memory.dmp

memory/2188-464-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2388-462-0x0000000000400000-0x0000000000444000-memory.dmp

memory/768-461-0x0000000000450000-0x0000000000494000-memory.dmp

C:\Windows\SysWOW64\Goddhg32.exe

MD5 6cd995922be20fd776614c5f2808cfcc
SHA1 7c9d5e870dfe514a03b034ba84e378c977d347ea
SHA256 3868fe659647587bed736e7e9a2c089f060597b2fd7f3bd31321a008ec12dff8
SHA512 38b146af1714460c015617b8f93d64c6bbc24c5b931ed22da0e14d785f857632dbcd75c0ab821b56c61b5929b87f759836df4227b3fcce6d34ab79bb956c1aae

memory/768-460-0x0000000000450000-0x0000000000494000-memory.dmp

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 0ccaa7734456c28bfd0a3dcc6e0bf645
SHA1 15f53a31659f4cbf0076c32f3b396c71b7a15231
SHA256 3f7ab7751e824e3072df1207226aff1ee0af2cd0d9eaaef8d2a39b52a29e6df4
SHA512 ba634f3087629c1e162d9e8b11f7adbd0e1f629d9a4ebc78c201d3c8439315916426ebe72f45718caed74b0c8a9c365e92167967813a5bb2a796575fbb63c067

memory/2780-486-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1188-485-0x0000000000300000-0x0000000000344000-memory.dmp

memory/1188-484-0x0000000000300000-0x0000000000344000-memory.dmp

memory/1188-483-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2188-482-0x0000000000280000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 a44e12131f41934a2f46314b77590c44
SHA1 c4a73e7f6d2f5695e9ad2acad366b470057efa25
SHA256 577b0677ec89cb99a738571e338fa33d61070d06fe29cc4d2430f05bc6a0a1d0
SHA512 d3ffc8d99ca95c8038e9b9b1a67ebe32b746717c7917e8ad9a376e4ac34c4c01fe8ea7db76fe4e1de55a5ab0db5718dd7fdd36107630dbb83a9a26de8f03a99d

memory/2188-477-0x0000000000280000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 e732e6c223096f26ec054afafaba3bcf
SHA1 26a6d5cd8e2054555dd8ab6d4eddf00a7dfc990c
SHA256 d25d86b4cac734588ee533daa15464c07fe4f6276af9c0940e593ebb4f0f18cd
SHA512 52783c8173e3ac574029ec192d5a0a008575a44657606c6bdab0117ed439cafabc75691f64e6eda83938cd6c4a02d5f067f8eebe73a26c64b9626d47d6cb3374

memory/2780-498-0x0000000000260000-0x00000000002A4000-memory.dmp

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 4c2ee5007b5088cd0c9b8c11002a46b7
SHA1 8f67b9b75338901921eb0c2da505ddd36cf53977
SHA256 e83c46222d08542ff7f921ab4b67bacc8a1b462da142b731f99966ce270a6c80
SHA512 121f2048e1e209f6fa54578c11628eb2d5d76007c669292d9ab8caceedbf1e501f2214d955c837e044298c0778e3245684163a1011050eab6ded9092f4d7c2fe

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 0c122080e6a684714e6df8d76e847b25
SHA1 70c35b5555343f984a52141f78e3d4a92d990df3
SHA256 f510433d2acca756e5f25c8250a8c3f70ae1dfeec01fafc2763f05ff36a9499f
SHA512 c5a349f8f941112fc8ce117dbb9704ed6c2c664b63cac98df5974a58161c24f70363707197637cef6ac4ed00384720d25409013632aa9f221b117ffd6d11a4c7

C:\Windows\SysWOW64\Hicodd32.exe

MD5 8084067ff8c27bb514c56dd8a20acb56
SHA1 50c6ddae9c626d558ee9d3fefe09512e6ad2d183
SHA256 0b441500e715239449ec0b3281b0fb04a47ce1536c8a871647d6ff038de35f7a
SHA512 87ed8a5a43f7938975e8642d52995f09a8d8bf29f26dbf89d70f6753a63aee7109b4d579ae3e0065c8665b7349e0ceea8fe9f91cac47302394d1d56c96294b02

C:\Windows\SysWOW64\Hlakpp32.exe

MD5 edd714395ddbafe88ba62eb55ca18732
SHA1 a7d0171e873c81ce77d1725f605e403ab25b662d
SHA256 e5890e4be3a76fe1d65f5bbbe17a55be674cefadad92976e25ff62b0b6ebd573
SHA512 b2cdc097aa5fd4e4472c3e25e718db76d9c79d1a3d4c1a7a6709cf9efe778fda2352d114b749530b0cc0f9d2b96a82070adcecdd71b4213d17dcdc0c86f2bca2

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 8c8ca5efaca80d0d2011118891eb0732
SHA1 fc9635d9dd4856a73c4a9d9b86571c5a327d0d2c
SHA256 a88e7337baac3586e369d3afbfcf400ee21e10e0fce7dfa6df15a505fb010ab4
SHA512 b1fca8220220465fc8743cbdfee3ef2614ec692f5e626fdfb23ed5f2a26459d3dfe91301cd22c4a56d3e84d9789ed99c469e980a017a914b79100b9dde706786

C:\Windows\SysWOW64\Hggomh32.exe

MD5 087e0c2465dbf40737a50adff5c447d9
SHA1 0ec5c5c85058368a3891790f74a3e593f1f6beff
SHA256 f924a9a6bd1acdb3b86aef4d2bc723aeb050db2ab4010d6abc956e85839c3cf1
SHA512 f6fb5ed8aef81d3828fcf276751c612fb5229c0b7b122893b4273e48d4399ddd19d760b00fae1fc67835396066a793840995f5f2314d0f6842a48f836d61b2f7

C:\Windows\SysWOW64\Hiekid32.exe

MD5 1ca824008ed8b678ae107cf999b2dd05
SHA1 e11db7645fdfacb5a0d108a28677d646c7a7c335
SHA256 abfb2a186cb9b78a60acd0942e59cc3b794f1f8f7d32e285917d72b1c216addb
SHA512 9ad6264d5d0cd4e92e94777e030f9c79b7dc7da2fde296afcca500a1b394d5fb131f0d143f498e0256f7e7004a7913eba964d9cbd7e8de35ce2e3bcd3af4e2e4

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 86a16b05025a9b1e43ff40af77b2c332
SHA1 e6bf61ebf2f2b1adbbccb4bd64fbc66f833883d1
SHA256 51bffa59123bc2f44901475ae47edf1e6be162842b067015e6457d0bf49cb621
SHA512 f269b18b5de1519b8c31e4c93a486097976e1a89fa4eba40ac2ce48972813fcbe8c82b93ad860dd11414d6a3ff5a52833b763a2bb7991260c01307cef86600c8

C:\Windows\SysWOW64\Hcnpbi32.exe

MD5 c3192eeb80807766b1ecb41d26935490
SHA1 1217ffd84b319bb785d82cf9e5834a8d228c19f1
SHA256 482909775c48f96a715465a1f4cf6f15a062ace91cc0ef2239d9db19c90dff63
SHA512 862b7a9bb12ced56bd4e74af526a57b497927af066ce5de658bcfd51421e319fc6f825752162030d3952f2f8197e1524233e0e4775d9c75ccce5cda9a39f20bb

C:\Windows\SysWOW64\Hellne32.exe

MD5 98b7c084f4e022911b5cbf75707a5a67
SHA1 2ef3810723151ee98b0db08fc43a142ba1fd1f35
SHA256 16f5f413e949514f4e4d26b1ca4634ab3c8781cde9ec2039225ff83e581fcc8f
SHA512 47613cc4d7cbc9af1f617134dd16bbdc1f09b57b2cea93d8244642876ac6d638f0e4531f60bd2ad62ca8118d09b3b60b9c28971aca96201a4d1845c9fb8e464a

C:\Windows\SysWOW64\Hlfdkoin.exe

MD5 6918b79ed3a3dec87fc87ebe49247a07
SHA1 8ae75568eea403ec0902bce9bbc0e0ca2122bb36
SHA256 573b1ad0b73beeaed7e42f06f673450de7b4493958cdf1a6e682aafa5b49a98b
SHA512 23291f068ac13bde10658a715872a153b397b541326a18cd3c45d983215957f42ae929c57ff12c6963bcc10f8309847b8a26274314d5080be952b47453e61814

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 ef4a0e0ddc0856b1e9b6eb6e4f5af826
SHA1 d5c94b540e4ced69cafcfb531df24282d194b3ef
SHA256 01a1f22879a9a83100622d838e5c63f7022d65622e28f04c9c4e169f24811bc4
SHA512 ace042e6ab5dc7d59ff320512cefd8c84c2508c42991e535cb2cd8b6d9f9e0cc6364c6bf0cf597067c016f83368e325f2f3184d45488acdce8d81c7e334e7c61

C:\Windows\SysWOW64\Henidd32.exe

MD5 08db45544a0f530efc0facb3b1ef62cc
SHA1 0972653506417edbb98df72e96dc5fa73b44c1bc
SHA256 a5609419e7a5d60e80d1da3ac3195f14990f9c7242928aefeeaee3ee283aa13b
SHA512 f7cd3deb8e0812b08a7e72982bb17e18fb15a04fb846902f230f9eeeb32a4494529bfadfec54ef52daf61627f52c0b2063c0253072f8475972d51fb5ca4752ed

C:\Windows\SysWOW64\Hhmepp32.exe

MD5 b9fefc2f4e43b3e6499b99ee100544a6
SHA1 e97a26f7b34e017925a57be43c14871012dc909c
SHA256 1b8ca8e6903ca27d9eda8af271bd72fcbf57e981164b2af45fdac3850b50ec79
SHA512 8c2ca49a6b2021ddfec721f8eccd916279abfff475b4e006a0657dd0d224aece771d4e86feceb6a77c40d78b096f9e80b80c0f8146582839badc389be0e000c8

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 a6021c633473ac0ce447466e2b5a64eb
SHA1 296cd74dd3f28199ecb9ab82c1ad9f7c3f1aef23
SHA256 87d29fe6c4c2b855472869b5414b7cb6afee8b4494a6b6147776cab066eb9076
SHA512 f51822a1356af377b8fe77af4c92602c0528e6b7c937c67f78953e23e9b54797f418297d29774a9baae92ead90d8ae7ddbad41300e116ca5c347551dbd5b339d

C:\Windows\SysWOW64\Icbimi32.exe

MD5 73e384c184947be0d4f1093b57f3404a
SHA1 7d85f39940ce58a0b0eac0f943e62a6bd3211bd4
SHA256 f40af4d8866235ebea642d4b52c7f5288ecbff28b9bf5ff0e998b4ea80090587
SHA512 16264041a89a7417219c4f8fc2d84cd44306015e556ae40c24ada9e36ac9220d3fd952e30287a3b78b48019c8024fd4e2b6d151865d1505333bc361feb0fa681

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 e319526da5a616007d9363c3ba52d7bb
SHA1 66921ba6cd89c0c7b32022d0b0e5e4e802cc167b
SHA256 469bb9408a18450adcfd0269398c67229c8a292a2cc5fcdc887b446b31da6f0d
SHA512 3fd402b77cc8b1d9f3ecc1fb7791df78ccec56dd8a67d96c576b392de1aec8fb988bbf11b20b0772359bae17fe76e50fba920d32be8b0179739a1eb620e06679

C:\Windows\SysWOW64\Idceea32.exe

MD5 ecaf9e618b8dd8bdd24fd2dcdd353c13
SHA1 0d03bbb31bdab0b5ce2219c3262ac46e6500b528
SHA256 9d3fc1bef8c5123a03834fc2e50d8f783007547fb014dedc54c22f53b2f20ddb
SHA512 8674b88bfb8ebc77c7b2c9a643cefe81b7588909f3be85d70795d800f4b0ad253e38198f2a1c50098a72ade9e173d314cd5da8c81a59db602af2e0f229232e8f

C:\Windows\SysWOW64\Ilknfn32.exe

MD5 b61e82e6532cac5fd8b5a46e813b4b3f
SHA1 9cf7d0287d17a935ce4f3a2a732716a374b8be8e
SHA256 319111f451712fc6cf68ea6ca97154e08c7167ea80a49b92907a7bab0598b13e
SHA512 69e5eab04fdab0efe5f854d7932afcb178583bf2dea4e7e96417136bd6e4b109c3d06dc3231c3bca2ffe4fda05daade6eb176aa28e9ae57b17539745703fdfc6

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 4c6a0d887bfa5e3cec445265d7c2b8c7
SHA1 712654ae34bee9922b73b1544e2588682eac590b
SHA256 65beb40cdf015be453eff34bbd8db814144140e95681c9addad47e98ab3006b9
SHA512 d51b92e87878432062aded112045399efa4c3fff69907e2e7e2cfcd57ac2b16f93665bd20a661da5f9d2a6fc3dbbbc56ab1dcd217bfcc5df63a04a9df3f0dece

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 99f2ad85010af4a41442ea20c62ecded
SHA1 a6fe43467a3f92965ae98c9a675a28635a6738c9
SHA256 1e175d64b9f240a718b0eddedf9ac990bc1dbf4772608bbe4a88716ffc778fed
SHA512 036990c6f8cb061e4ea4cb5a19c550d3af9144359a138b75ce6aea134959824b7e90f8056b0d147c28ee44351af431c1946b0141a89aeb65f940c30794ee0f9b