Malware Analysis Report

2025-03-14 23:01

Sample ID: 240406-3xz4faef51
Target: a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19
SHA256: a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19

Threat Level: Known bad

The file a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19 was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 23:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 23:54

Reported: 2024-04-06 23:56

Platform: win7-20240221-en

Max time kernel: 122s

Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pndpajgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaloddnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Beejng32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aigchgkh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abphal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bilmcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cddjebgb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beejng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cddjebgb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmclhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aigchgkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amelne32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bphbeplm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bphbeplm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbikgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbikgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pndpajgd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abphal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amelne32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmclhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Baadng32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndpajgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndpajgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkhpkoen.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkhpkoen.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbbhgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbbhgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjnmlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjnmlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdjkogm.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdjkogm.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaloddnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaloddnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aigchgkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aigchgkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Abphal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abphal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amelne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amelne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bilmcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bilmcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bphbeplm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bphbeplm.exe N/A
N/A N/A C:\Windows\SysWOW64\Beejng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beejng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbikgk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbikgk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmclhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmclhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baadng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baadng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cddjebgb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cddjebgb.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Qkhpkoen.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbikgk32.exe C:\Windows\SysWOW64\Beejng32.exe N/A
File created C:\Windows\SysWOW64\Aoogfhfp.dll C:\Windows\SysWOW64\Cddjebgb.exe N/A
File opened for modification C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\SysWOW64\Acfaeq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Agdjkogm.exe N/A
File created C:\Windows\SysWOW64\Cddjebgb.exe C:\Windows\SysWOW64\Baadng32.exe N/A
File created C:\Windows\SysWOW64\Bhdmagqq.dll C:\Windows\SysWOW64\Baadng32.exe N/A
File created C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cddjebgb.exe N/A
File created C:\Windows\SysWOW64\Pndpajgd.exe C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
File created C:\Windows\SysWOW64\Aobcmana.dll C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
File created C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Bmclhi32.exe N/A
File created C:\Windows\SysWOW64\Bmclhi32.exe C:\Windows\SysWOW64\Bbikgk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmclhi32.exe C:\Windows\SysWOW64\Bbikgk32.exe N/A
File created C:\Windows\SysWOW64\Gcnmkd32.dll C:\Windows\SysWOW64\Qkhpkoen.exe N/A
File created C:\Windows\SysWOW64\Hpggbq32.dll C:\Windows\SysWOW64\Aaloddnn.exe N/A
File created C:\Windows\SysWOW64\Bphbeplm.exe C:\Windows\SysWOW64\Bilmcf32.exe N/A
File created C:\Windows\SysWOW64\Lgahjhop.dll C:\Windows\SysWOW64\Amelne32.exe N/A
File created C:\Windows\SysWOW64\Eoqbnm32.dll C:\Windows\SysWOW64\Bphbeplm.exe N/A
File opened for modification C:\Windows\SysWOW64\Pndpajgd.exe C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
File created C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Qkhpkoen.exe N/A
File created C:\Windows\SysWOW64\Ljhcccai.dll C:\Windows\SysWOW64\Qjnmlk32.exe N/A
File created C:\Windows\SysWOW64\Beejng32.exe C:\Windows\SysWOW64\Bphbeplm.exe N/A
File created C:\Windows\SysWOW64\Ljacemio.dll C:\Windows\SysWOW64\Bmclhi32.exe N/A
File created C:\Windows\SysWOW64\Qhiphb32.dll C:\Windows\SysWOW64\Pndpajgd.exe N/A
File created C:\Windows\SysWOW64\Kganqf32.dll C:\Windows\SysWOW64\Qbbhgi32.exe N/A
File created C:\Windows\SysWOW64\Bilmcf32.exe C:\Windows\SysWOW64\Amelne32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bilmcf32.exe C:\Windows\SysWOW64\Amelne32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bphbeplm.exe C:\Windows\SysWOW64\Bilmcf32.exe N/A
File created C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Qjnmlk32.exe N/A
File created C:\Windows\SysWOW64\Napoohch.dll C:\Windows\SysWOW64\Acfaeq32.exe N/A
File created C:\Windows\SysWOW64\Aigchgkh.exe C:\Windows\SysWOW64\Aaloddnn.exe N/A
File created C:\Windows\SysWOW64\Mhpeoj32.dll C:\Windows\SysWOW64\Agdjkogm.exe N/A
File opened for modification C:\Windows\SysWOW64\Beejng32.exe C:\Windows\SysWOW64\Bphbeplm.exe N/A
File created C:\Windows\SysWOW64\Opacnnhp.dll C:\Windows\SysWOW64\Bbikgk32.exe N/A
File created C:\Windows\SysWOW64\Qkhpkoen.exe C:\Windows\SysWOW64\Pndpajgd.exe N/A
File opened for modification C:\Windows\SysWOW64\Qkhpkoen.exe C:\Windows\SysWOW64\Pndpajgd.exe N/A
File created C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Agdjkogm.exe N/A
File created C:\Windows\SysWOW64\Ebjnie32.dll C:\Windows\SysWOW64\Abphal32.exe N/A
File created C:\Windows\SysWOW64\Qjnmlk32.exe C:\Windows\SysWOW64\Qbbhgi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qjnmlk32.exe C:\Windows\SysWOW64\Qbbhgi32.exe N/A
File created C:\Windows\SysWOW64\Abacpl32.dll C:\Windows\SysWOW64\Beejng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cddjebgb.exe N/A
File opened for modification C:\Windows\SysWOW64\Aigchgkh.exe C:\Windows\SysWOW64\Aaloddnn.exe N/A
File created C:\Windows\SysWOW64\Abphal32.exe C:\Windows\SysWOW64\Aigchgkh.exe N/A
File opened for modification C:\Windows\SysWOW64\Amelne32.exe C:\Windows\SysWOW64\Abphal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abphal32.exe C:\Windows\SysWOW64\Aigchgkh.exe N/A
File opened for modification C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Bmclhi32.exe N/A
File created C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\SysWOW64\Acfaeq32.exe N/A
File created C:\Windows\SysWOW64\Ldhfglad.dll C:\Windows\SysWOW64\Bilmcf32.exe N/A
File created C:\Windows\SysWOW64\Bbikgk32.exe C:\Windows\SysWOW64\Beejng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cddjebgb.exe C:\Windows\SysWOW64\Baadng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Qjnmlk32.exe N/A
File created C:\Windows\SysWOW64\Lfobiqka.dll C:\Windows\SysWOW64\Aigchgkh.exe N/A
File created C:\Windows\SysWOW64\Amelne32.exe C:\Windows\SysWOW64\Abphal32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ceegmj32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pndpajgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aigchgkh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll" C:\Windows\SysWOW64\Baadng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agdjkogm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll" C:\Windows\SysWOW64\Aigchgkh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abphal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbikgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll" C:\Windows\SysWOW64\Pndpajgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" C:\Windows\SysWOW64\Agdjkogm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll" C:\Windows\SysWOW64\Bphbeplm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beejng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cddjebgb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll" C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cddjebgb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amelne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baadng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bphbeplm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmclhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abphal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aigchgkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" C:\Windows\SysWOW64\Bbikgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbikgk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll" C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll" C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bilmcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmclhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Beejng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bphbeplm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" C:\Windows\SysWOW64\Bmclhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" C:\Windows\SysWOW64\Cddjebgb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" C:\Windows\SysWOW64\Amelne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll" C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Agdjkogm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll" C:\Windows\SysWOW64\Beejng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amelne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pndpajgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" C:\Windows\SysWOW64\Abphal32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe C:\Windows\SysWOW64\Pndpajgd.exe
PID 2208 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe C:\Windows\SysWOW64\Pndpajgd.exe
PID 2208 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe C:\Windows\SysWOW64\Pndpajgd.exe
PID 2208 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe C:\Windows\SysWOW64\Pndpajgd.exe
PID 2720 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Qkhpkoen.exe
PID 2720 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Qkhpkoen.exe
PID 2720 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Qkhpkoen.exe
PID 2720 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Qkhpkoen.exe
PID 2968 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Qkhpkoen.exe C:\Windows\SysWOW64\Qbbhgi32.exe
PID 2968 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Qkhpkoen.exe C:\Windows\SysWOW64\Qbbhgi32.exe
PID 2968 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Qkhpkoen.exe C:\Windows\SysWOW64\Qbbhgi32.exe
PID 2968 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Qkhpkoen.exe C:\Windows\SysWOW64\Qbbhgi32.exe
PID 2556 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Qjnmlk32.exe
PID 2556 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Qjnmlk32.exe
PID 2556 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Qjnmlk32.exe
PID 2556 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Qjnmlk32.exe
PID 2596 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Qjnmlk32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 2596 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Qjnmlk32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 2596 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Qjnmlk32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 2596 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Qjnmlk32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 2740 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Agdjkogm.exe
PID 2740 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Agdjkogm.exe
PID 2740 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Agdjkogm.exe
PID 2740 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Agdjkogm.exe
PID 2396 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\SysWOW64\Aaloddnn.exe
PID 2396 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\SysWOW64\Aaloddnn.exe
PID 2396 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\SysWOW64\Aaloddnn.exe
PID 2396 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\SysWOW64\Aaloddnn.exe
PID 2452 wrote to memory of 580 N/A C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Aigchgkh.exe
PID 2452 wrote to memory of 580 N/A C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Aigchgkh.exe
PID 2452 wrote to memory of 580 N/A C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Aigchgkh.exe
PID 2452 wrote to memory of 580 N/A C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Aigchgkh.exe
PID 580 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Aigchgkh.exe C:\Windows\SysWOW64\Abphal32.exe
PID 580 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Aigchgkh.exe C:\Windows\SysWOW64\Abphal32.exe
PID 580 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Aigchgkh.exe C:\Windows\SysWOW64\Abphal32.exe
PID 1480 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Abphal32.exe C:\Windows\SysWOW64\Amelne32.exe
PID 2592 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Amelne32.exe C:\Windows\SysWOW64\Bilmcf32.exe
PID 2308 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Bilmcf32.exe C:\Windows\SysWOW64\Bphbeplm.exe
PID 1948 wrote to memory of 788 N/A C:\Windows\SysWOW64\Bphbeplm.exe C:\Windows\SysWOW64\Beejng32.exe
PID 788 wrote to memory of 916 N/A C:\Windows\SysWOW64\Beejng32.exe C:\Windows\SysWOW64\Bbikgk32.exe
PID 916 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Bbikgk32.exe C:\Windows\SysWOW64\Bmclhi32.exe
PID 1696 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Bmclhi32.exe C:\Windows\SysWOW64\Baadng32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe

"C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe"

C:\Windows\SysWOW64\Pndpajgd.exe

C:\Windows\system32\Pndpajgd.exe

C:\Windows\SysWOW64\Qkhpkoen.exe

C:\Windows\system32\Qkhpkoen.exe

C:\Windows\SysWOW64\Qbbhgi32.exe

C:\Windows\system32\Qbbhgi32.exe

C:\Windows\SysWOW64\Qjnmlk32.exe

C:\Windows\system32\Qjnmlk32.exe

C:\Windows\SysWOW64\Acfaeq32.exe

C:\Windows\system32\Acfaeq32.exe

C:\Windows\SysWOW64\Agdjkogm.exe

C:\Windows\system32\Agdjkogm.exe

C:\Windows\SysWOW64\Aaloddnn.exe

C:\Windows\system32\Aaloddnn.exe

C:\Windows\SysWOW64\Aigchgkh.exe

C:\Windows\system32\Aigchgkh.exe

C:\Windows\SysWOW64\Abphal32.exe

C:\Windows\system32\Abphal32.exe

C:\Windows\SysWOW64\Amelne32.exe

C:\Windows\system32\Amelne32.exe

C:\Windows\SysWOW64\Bilmcf32.exe

C:\Windows\system32\Bilmcf32.exe

C:\Windows\SysWOW64\Bphbeplm.exe

C:\Windows\system32\Bphbeplm.exe

C:\Windows\SysWOW64\Beejng32.exe

C:\Windows\system32\Beejng32.exe

C:\Windows\SysWOW64\Bbikgk32.exe

C:\Windows\system32\Bbikgk32.exe

C:\Windows\SysWOW64\Bmclhi32.exe

C:\Windows\system32\Bmclhi32.exe

C:\Windows\SysWOW64\Baadng32.exe

C:\Windows\system32\Baadng32.exe

C:\Windows\SysWOW64\Cddjebgb.exe

C:\Windows\system32\Cddjebgb.exe

C:\Windows\SysWOW64\Ceegmj32.exe

C:\Windows\system32\Ceegmj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 140

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:54

Reported

2024-04-06 23:56

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kagichjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdmegp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jigollag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nceonl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpcmec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkpgck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpolqa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgidml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbapjafe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmccchkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljnnch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maohkd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgpagm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdmegp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkkdan32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lpcmec32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mahbje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Majopeii.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbocea32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdaldd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lpocjdld.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jidbflcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jidbflcj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkihknfg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpfijcfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lmccchkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nacbfdao.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbocea32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jiikak32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpjjod32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldaeka32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcgblncm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jigollag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljnnch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldaeka32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkgmcjld.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jibeql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jplmmfmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfffjqdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Jidbflcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdjfcecp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfhbppbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Jigollag.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpaghf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbocea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jiikak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmegbjgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbapjafe.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkihknfg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kacphh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdaldd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkkdan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kphmie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgbefoji.exe N/A
N/A N/A C:\Windows\SysWOW64\Kagichjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpjjod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpmfddnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kckbqpnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpocjdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcmofolg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmccchkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpappc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijdhiaa.exe N/A
N/A N/A C:\Windows\SysWOW64\Laalifad.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpcmec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcbiao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkiqbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpfijcfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldaeka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgpagm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljnnch32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laefdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcgblncm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjqjih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mahbje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mciobn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkpgck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Majopeii.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcklgm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgghhlhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpolqa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgidml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjhqjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Maohkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmegp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkgmcjld.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpdelajl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcbahlip.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkjjij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nacbfdao.exe N/A
N/A N/A C:\Windows\SysWOW64\Nceonl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njogjfoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nddkgonp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnmopdep.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndghmo32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ofdhdf32.dll C:\Windows\SysWOW64\Kckbqpnj.exe N/A
File created C:\Windows\SysWOW64\Pbcfgejn.dll C:\Windows\SysWOW64\Mjhqjg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kpmfddnf.exe N/A
File created C:\Windows\SysWOW64\Gefncbmc.dll C:\Windows\SysWOW64\Lgpagm32.exe N/A
File created C:\Windows\SysWOW64\Odegmceb.dll C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File created C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\SysWOW64\Mgidml32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jfffjqdf.exe N/A
File created C:\Windows\SysWOW64\Milgab32.dll C:\Windows\SysWOW64\Kphmie32.exe N/A
File created C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcklgm32.exe C:\Windows\SysWOW64\Majopeii.exe N/A
File created C:\Windows\SysWOW64\Kgbefoji.exe C:\Windows\SysWOW64\Kphmie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kbapjafe.exe N/A
File created C:\Windows\SysWOW64\Baefid32.dll C:\Windows\SysWOW64\Laalifad.exe N/A
File created C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Mpdelajl.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File opened for modification C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kkihknfg.exe N/A
File created C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kkkdan32.exe N/A
File created C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jplmmfmi.exe N/A
File created C:\Windows\SysWOW64\Nnmopdep.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Bnjdmn32.dll C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jfhbppbc.exe N/A
File created C:\Windows\SysWOW64\Lgkhlnbn.exe C:\Windows\SysWOW64\Lpappc32.exe N/A
File created C:\Windows\SysWOW64\Fneiph32.dll C:\Windows\SysWOW64\Maohkd32.exe N/A
File created C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\SysWOW64\Mdmegp32.exe N/A
File created C:\Windows\SysWOW64\Jibeql32.exe C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
File opened for modification C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mjqjih32.exe N/A
File created C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mahbje32.exe N/A
File created C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Jplifcqp.dll C:\Windows\SysWOW64\Kpmfddnf.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Lpocjdld.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\SysWOW64\Mdmegp32.exe N/A
File created C:\Windows\SysWOW64\Lmqgnhmp.exe C:\Windows\SysWOW64\Kckbqpnj.exe N/A
File created C:\Windows\SysWOW64\Mbaohn32.dll C:\Windows\SysWOW64\Lkiqbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgpagm32.exe C:\Windows\SysWOW64\Ldaeka32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcgblncm.exe C:\Windows\SysWOW64\Laefdf32.exe N/A
File created C:\Windows\SysWOW64\Lifenaok.dll C:\Windows\SysWOW64\Mahbje32.exe N/A
File created C:\Windows\SysWOW64\Kkkdan32.exe C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
File created C:\Windows\SysWOW64\Bbgkjl32.dll C:\Windows\SysWOW64\Ldaeka32.exe N/A
File created C:\Windows\SysWOW64\Ljnnch32.exe C:\Windows\SysWOW64\Lgpagm32.exe N/A
File created C:\Windows\SysWOW64\Kagichjo.exe C:\Windows\SysWOW64\Kgbefoji.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbdmpqcb.exe C:\Windows\SysWOW64\Kdaldd32.exe N/A
File created C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kpjjod32.exe N/A
File created C:\Windows\SysWOW64\Mcklgm32.exe C:\Windows\SysWOW64\Majopeii.exe N/A
File created C:\Windows\SysWOW64\Lfcbokki.dll C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Ggpfjejo.dll C:\Windows\SysWOW64\Jfhbppbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Laefdf32.exe C:\Windows\SysWOW64\Ljnnch32.exe N/A
File created C:\Windows\SysWOW64\Ogndib32.dll C:\Windows\SysWOW64\Lmccchkn.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jdjfcecp.exe N/A
File created C:\Windows\SysWOW64\Lmmcfa32.dll C:\Windows\SysWOW64\Kmegbjgn.exe N/A
File created C:\Windows\SysWOW64\Lidmdfdo.dll C:\Windows\SysWOW64\Lpcmec32.exe N/A
File created C:\Windows\SysWOW64\Epmjjbbj.dll C:\Windows\SysWOW64\Majopeii.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jplmmfmi.exe N/A
File created C:\Windows\SysWOW64\Jjblgaie.dll C:\Windows\SysWOW64\Kkihknfg.exe N/A
File created C:\Windows\SysWOW64\Hefffnbk.dll C:\Windows\SysWOW64\Kgbefoji.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Mcbahlip.exe N/A
File created C:\Windows\SysWOW64\Bdknoa32.dll C:\Windows\SysWOW64\Nnmopdep.exe N/A
File created C:\Windows\SysWOW64\Gmlgol32.dll C:\Windows\SysWOW64\Jpaghf32.exe N/A
File created C:\Windows\SysWOW64\Kbdmpqcb.exe C:\Windows\SysWOW64\Kdaldd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Lcgblncm.exe N/A
File created C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Mkgmcjld.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lpfijcfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lcbiao32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll" C:\Windows\SysWOW64\Jigollag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdmegp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll" C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mkpgck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jiikak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jibeql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgpagm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Laefdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll" C:\Windows\SysWOW64\Kbapjafe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" C:\Windows\SysWOW64\Mgidml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jplmmfmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdaldd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpjjod32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll" C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll" C:\Windows\SysWOW64\Kkihknfg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lpocjdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll" C:\Windows\SysWOW64\Ljnnch32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkihknfg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll" C:\Windows\SysWOW64\Laalifad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll" C:\Windows\SysWOW64\Lgpagm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll" C:\Windows\SysWOW64\Lcgblncm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpjjod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll" C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kagichjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll" C:\Windows\SysWOW64\Jbocea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgbefoji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jidbflcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" C:\Windows\SysWOW64\Kphmie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll" C:\Windows\SysWOW64\Lmccchkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lgpagm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ljnnch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpaghf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll" C:\Windows\SysWOW64\Lpocjdld.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 968 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe C:\Windows\SysWOW64\Jibeql32.exe
PID 968 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe C:\Windows\SysWOW64\Jibeql32.exe
PID 968 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe C:\Windows\SysWOW64\Jibeql32.exe
PID 2568 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Jibeql32.exe C:\Windows\SysWOW64\Jplmmfmi.exe
PID 2568 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Jibeql32.exe C:\Windows\SysWOW64\Jplmmfmi.exe
PID 2568 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Jibeql32.exe C:\Windows\SysWOW64\Jplmmfmi.exe
PID 2752 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Jplmmfmi.exe C:\Windows\SysWOW64\Jfffjqdf.exe
PID 2752 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Jplmmfmi.exe C:\Windows\SysWOW64\Jfffjqdf.exe
PID 2752 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Jplmmfmi.exe C:\Windows\SysWOW64\Jfffjqdf.exe
PID 2284 wrote to memory of 3808 N/A C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jidbflcj.exe
PID 2284 wrote to memory of 3808 N/A C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jidbflcj.exe
PID 2284 wrote to memory of 3808 N/A C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jidbflcj.exe
PID 3808 wrote to memory of 3092 N/A C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jdjfcecp.exe
PID 3808 wrote to memory of 3092 N/A C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jdjfcecp.exe
PID 3808 wrote to memory of 3092 N/A C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jdjfcecp.exe
PID 3092 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jfhbppbc.exe
PID 3092 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jfhbppbc.exe
PID 3092 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jfhbppbc.exe
PID 4784 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jigollag.exe
PID 4784 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jigollag.exe
PID 4784 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jigollag.exe
PID 5104 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jpaghf32.exe
PID 5104 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jpaghf32.exe
PID 5104 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jpaghf32.exe
PID 3756 wrote to memory of 4168 N/A C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jbocea32.exe
PID 3756 wrote to memory of 4168 N/A C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jbocea32.exe
PID 3756 wrote to memory of 4168 N/A C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jbocea32.exe
PID 4168 wrote to memory of 4524 N/A C:\Windows\SysWOW64\Jbocea32.exe C:\Windows\SysWOW64\Jiikak32.exe
PID 4168 wrote to memory of 4524 N/A C:\Windows\SysWOW64\Jbocea32.exe C:\Windows\SysWOW64\Jiikak32.exe
PID 4168 wrote to memory of 4524 N/A C:\Windows\SysWOW64\Jbocea32.exe C:\Windows\SysWOW64\Jiikak32.exe
PID 4524 wrote to memory of 3212 N/A C:\Windows\SysWOW64\Jiikak32.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 4524 wrote to memory of 3212 N/A C:\Windows\SysWOW64\Jiikak32.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 4524 wrote to memory of 3212 N/A C:\Windows\SysWOW64\Jiikak32.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 3212 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 3212 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 3212 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 4996 wrote to memory of 3800 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kkihknfg.exe
PID 4996 wrote to memory of 3800 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kkihknfg.exe
PID 4996 wrote to memory of 3800 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kkihknfg.exe
PID 3800 wrote to memory of 692 N/A C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 3800 wrote to memory of 692 N/A C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 3800 wrote to memory of 692 N/A C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 692 wrote to memory of 1620 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kdaldd32.exe
PID 692 wrote to memory of 1620 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kdaldd32.exe
PID 692 wrote to memory of 1620 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kdaldd32.exe
PID 1620 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Kdaldd32.exe C:\Windows\SysWOW64\Kbdmpqcb.exe
PID 1620 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Kdaldd32.exe C:\Windows\SysWOW64\Kbdmpqcb.exe
PID 1620 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Kdaldd32.exe C:\Windows\SysWOW64\Kbdmpqcb.exe
PID 5092 wrote to memory of 652 N/A C:\Windows\SysWOW64\Kbdmpqcb.exe C:\Windows\SysWOW64\Kkkdan32.exe
PID 5092 wrote to memory of 652 N/A C:\Windows\SysWOW64\Kbdmpqcb.exe C:\Windows\SysWOW64\Kkkdan32.exe
PID 5092 wrote to memory of 652 N/A C:\Windows\SysWOW64\Kbdmpqcb.exe C:\Windows\SysWOW64\Kkkdan32.exe
PID 652 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Kkkdan32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 652 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Kkkdan32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 652 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Kkkdan32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 2220 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kgbefoji.exe
PID 2220 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kgbefoji.exe
PID 2220 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kgbefoji.exe
PID 1708 wrote to memory of 4976 N/A C:\Windows\SysWOW64\Kgbefoji.exe C:\Windows\SysWOW64\Kagichjo.exe
PID 1708 wrote to memory of 4976 N/A C:\Windows\SysWOW64\Kgbefoji.exe C:\Windows\SysWOW64\Kagichjo.exe
PID 1708 wrote to memory of 4976 N/A C:\Windows\SysWOW64\Kgbefoji.exe C:\Windows\SysWOW64\Kagichjo.exe
PID 4976 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Kagichjo.exe C:\Windows\SysWOW64\Kpjjod32.exe
PID 4976 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Kagichjo.exe C:\Windows\SysWOW64\Kpjjod32.exe
PID 4976 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Kagichjo.exe C:\Windows\SysWOW64\Kpjjod32.exe
PID 1936 wrote to memory of 4700 N/A C:\Windows\SysWOW64\Kpjjod32.exe C:\Windows\SysWOW64\Kibnhjgj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe

"C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe"

C:\Windows\SysWOW64\Jibeql32.exe

C:\Windows\system32\Jibeql32.exe

C:\Windows\SysWOW64\Jplmmfmi.exe

C:\Windows\system32\Jplmmfmi.exe

C:\Windows\SysWOW64\Jfffjqdf.exe

C:\Windows\system32\Jfffjqdf.exe

C:\Windows\SysWOW64\Jidbflcj.exe

C:\Windows\system32\Jidbflcj.exe

C:\Windows\SysWOW64\Jdjfcecp.exe

C:\Windows\system32\Jdjfcecp.exe

C:\Windows\SysWOW64\Jfhbppbc.exe

C:\Windows\system32\Jfhbppbc.exe

C:\Windows\SysWOW64\Jigollag.exe

C:\Windows\system32\Jigollag.exe

C:\Windows\SysWOW64\Jpaghf32.exe

C:\Windows\system32\Jpaghf32.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jiikak32.exe

C:\Windows\system32\Jiikak32.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\system32\Kbapjafe.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kdaldd32.exe

C:\Windows\system32\Kdaldd32.exe

C:\Windows\SysWOW64\Kbdmpqcb.exe

C:\Windows\system32\Kbdmpqcb.exe

C:\Windows\SysWOW64\Kkkdan32.exe

C:\Windows\system32\Kkkdan32.exe

C:\Windows\SysWOW64\Kphmie32.exe

C:\Windows\system32\Kphmie32.exe

C:\Windows\SysWOW64\Kgbefoji.exe

C:\Windows\system32\Kgbefoji.exe

C:\Windows\SysWOW64\Kagichjo.exe

C:\Windows\system32\Kagichjo.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Lpappc32.exe

C:\Windows\system32\Lpappc32.exe

C:\Windows\SysWOW64\Lgkhlnbn.exe

C:\Windows\system32\Lgkhlnbn.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lpfijcfl.exe

C:\Windows\system32\Lpfijcfl.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Ljnnch32.exe

C:\Windows\system32\Ljnnch32.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mcklgm32.exe

C:\Windows\system32\Mcklgm32.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mpolqa32.exe

C:\Windows\system32\Mpolqa32.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 408

Network


Files

SHA512 04e65c0af64fa3473b8897b0b6f914ebc35ef4a9c2db652de1255e72a69bf38967816ce4d382c6465227474b511a09fb4f542da294740d53f2d8ea0cacb1fbfc

memory/2232-216-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lmccchkn.exe

MD5 5f9a85ca589d57ca26258467cfdcbd0e
SHA1 64ddaa22f744883f156493b72dea147c56668a7c
SHA256 46a803d03eba3881a82073739e573d434a3eab6498554ee97052d6171d9a6484
SHA512 62564981a435d74352906f1e9930d6c6340291e3c09cb17d8994b60a8d00946c276d65b245064706adcdde006ab264d798be5129d1e7ad3c95fd80b0ea3035c8

memory/1436-229-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lpappc32.exe

MD5 dcc67305691473599b8806520dc5ce6a
SHA1 7a74a13005018eb58a23b997bd3dd00e6d5a1e14
SHA256 6231334a0f6a6aed559fa9ce8e71941d1d3336c384bea8010929c1a529ff08b5
SHA512 01a7fc94c5118dbe31f0828397b8e9add6cf5ace79101aa8a54422ace1e46741fc0aa1fd56804ad23e6f4090c1d2904d95bbdcd5a8901712424ae76097cb2664

memory/716-233-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lgkhlnbn.exe

MD5 2c038442a610ff7553884d0e4c0f2d74
SHA1 1daedbc5b4736fb0a5d1f6e47359eca368da7512
SHA256 1f05e49e8947fdc900157614108ae7ec21adaf255fbb48923896e97ee15e5720
SHA512 becf7c8219fda0310756ea79ff3ecf830e7820753618fcfc1b49d444bfb3fe40418f01045b7c4a6e1ad6a2629aee6b622efa4778c02ec7306d28371337c14623

memory/1176-241-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lijdhiaa.exe

MD5 29a1399c47b2bb8a1c4fdbc570cea086
SHA1 44e1a17158ce34ca494228fb4283e6f69203ef14
SHA256 c77672afbba87acc2cc0d994857cc9f00630edb2f2eb47c472cc38b246a04836
SHA512 6efe4d8f0d8d9173e44ab45e26ad69ab38094b9d210047f449427a52643bbe13a10af28d857bb97d5f7109efa67b308772ea344f5da9ada1be5ab5bee1178ed1

memory/4400-249-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Laalifad.exe

MD5 0c1f25d9d557418e50da79ec0226a953
SHA1 feffb4a1165c5c11cda37986a78a16eaa591cab2
SHA256 925e220b1bb7ffbc23a2a57ae44abc447fa2a291590bf3125243e9375b1bba33
SHA512 a967d02e257782e881d4dc9c0ccf4f3b4489f3b47426597abd387807c4f1c5063a88e876e70f0abd8426f0996b4fe1611c005a938fd9bbf6542a0ef939d37c3c

memory/3044-262-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1200-268-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3164-269-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3128-279-0x0000000000400000-0x0000000000440000-memory.dmp

memory/780-286-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3880-287-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3840-297-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4468-299-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1684-305-0x0000000000400000-0x0000000000440000-memory.dmp

memory/864-311-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4636-321-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4408-323-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4872-329-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1904-335-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2908-352-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2040-357-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3588-351-0x0000000000400000-0x0000000000440000-memory.dmp

memory/396-359-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1108-369-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4024-371-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4980-377-0x0000000000400000-0x0000000000440000-memory.dmp

memory/916-387-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1576-389-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2144-395-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1484-406-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4268-407-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1808-417-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4412-419-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3440-425-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2216-431-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4772-441-0x0000000000400000-0x0000000000440000-memory.dmp