Malware Analysis Report

2025-03-14 22:31

Sample ID 240407-xtltrabg9w
Target 1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b
SHA256 1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b

Threat Level: Known bad

The file 1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:08

Reported

2024-04-07 19:11

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Efppoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Epfhbign.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Inljnfkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hknach32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emeopn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faagpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fdoclk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eqonkmdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Faagpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Efncicpm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnbkddem.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efppoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fnbkddem.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Elmigj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fioija32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gegfdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggpimica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gddifnbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhffaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Doobajme.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efncicpm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fioija32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glaoalkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbnccfpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdopkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggpimica.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gphmeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddifnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hknach32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hicodd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnagjbdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hobcak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhjhkq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpapln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcplhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Henidd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlhaqogk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icbimi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieqeidnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihoafpmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Iknnbklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Inljnfkg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fioija32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fioija32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glaoalkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Glaoalkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbnccfpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbnccfpb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Lbidmekh.dll C:\Windows\SysWOW64\Elmigj32.exe N/A
File created C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Fdoclk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gogangdc.exe N/A
File created C:\Windows\SysWOW64\Njmekj32.dll C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File created C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File created C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Inljnfkg.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Inljnfkg.exe N/A
File created C:\Windows\SysWOW64\Iaeldika.dll C:\Windows\SysWOW64\Fhhcgj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Ggpimica.exe N/A
File opened for modification C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
File created C:\Windows\SysWOW64\Epfhbign.exe C:\Windows\SysWOW64\Eilpeooq.exe N/A
File created C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Eiaiqn32.exe N/A
File created C:\Windows\SysWOW64\Jeccgbbh.dll C:\Windows\SysWOW64\Fdoclk32.exe N/A
File created C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Hknach32.exe N/A
File created C:\Windows\SysWOW64\Jjcpjl32.dll C:\Windows\SysWOW64\Gddifnbk.exe N/A
File created C:\Windows\SysWOW64\Cnkajfop.dll C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File opened for modification C:\Windows\SysWOW64\Enkece32.exe C:\Windows\SysWOW64\Elmigj32.exe N/A
File created C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Efncicpm.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Inljnfkg.exe N/A
File created C:\Windows\SysWOW64\Hobcak32.exe C:\Windows\SysWOW64\Hnagjbdf.exe N/A
File created C:\Windows\SysWOW64\Nfmjcmjd.dll C:\Windows\SysWOW64\Icbimi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hknach32.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File created C:\Windows\SysWOW64\Flmefm32.exe C:\Windows\SysWOW64\Fioija32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gogangdc.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
File created C:\Windows\SysWOW64\Dchfknpg.dll C:\Windows\SysWOW64\Fhffaj32.exe N/A
File created C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fhhcgj32.exe N/A
File created C:\Windows\SysWOW64\Gogangdc.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Hllopfgo.dll C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Doobajme.exe C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hlhaqogk.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Egadpgfp.dll C:\Windows\SysWOW64\Faokjpfd.exe N/A
File created C:\Windows\SysWOW64\Anllbdkl.dll C:\Windows\SysWOW64\Hicodd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Henidd32.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Icbimi32.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Efppoc32.exe N/A
File created C:\Windows\SysWOW64\Lnnhje32.dll C:\Windows\SysWOW64\Fmlapp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Fmhheqje.exe N/A
File created C:\Windows\SysWOW64\Glaoalkh.exe C:\Windows\SysWOW64\Gegfdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Faokjpfd.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Fmlapp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fnbkddem.exe N/A
File created C:\Windows\SysWOW64\Jdnaob32.dll C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Gphmeo32.exe C:\Windows\SysWOW64\Gmjaic32.exe N/A
File created C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Doobajme.exe N/A
File created C:\Windows\SysWOW64\Aloeodfi.dll C:\Windows\SysWOW64\Fmhheqje.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe C:\Windows\SysWOW64\Gbnccfpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Fdoclk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Flmefm32.exe C:\Windows\SysWOW64\Fioija32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fbgmbg32.exe C:\Windows\SysWOW64\Flmefm32.exe N/A
File created C:\Windows\SysWOW64\Ggpimica.exe C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File created C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
File created C:\Windows\SysWOW64\Hknach32.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File created C:\Windows\SysWOW64\Omabcb32.dll C:\Windows\SysWOW64\Hknach32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpapln32.exe C:\Windows\SysWOW64\Hhjhkq32.exe N/A
File created C:\Windows\SysWOW64\Ejdmpb32.dll C:\Windows\SysWOW64\Hlhaqogk.exe N/A
File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File created C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Emeopn32.exe N/A
File created C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Faokjpfd.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbidmekh.dll" C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll" C:\Windows\SysWOW64\Epfhbign.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" C:\Windows\SysWOW64\Emeopn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" C:\Windows\SysWOW64\Eilpeooq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" C:\Windows\SysWOW64\Fnbkddem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" C:\Windows\SysWOW64\Gddifnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" C:\Windows\SysWOW64\Gegfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gegfdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gdopkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enkece32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hlakpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fjlhneio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Glaoalkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Inljnfkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" C:\Windows\SysWOW64\Ggpimica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fhffaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" C:\Windows\SysWOW64\Gdopkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Emeopn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fhffaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Efppoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmlapp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eiaiqn32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe C:\Windows\SysWOW64\Doobajme.exe
PID 2684 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Eqonkmdh.exe
PID 2536 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2672 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 2548 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Emeopn32.exe C:\Windows\SysWOW64\Efncicpm.exe
PID 2432 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Eilpeooq.exe
PID 2508 wrote to memory of 1868 N/A C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Epfhbign.exe
PID 1868 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Epfhbign.exe C:\Windows\SysWOW64\Efppoc32.exe
PID 2724 wrote to memory of 1512 N/A C:\Windows\SysWOW64\Efppoc32.exe C:\Windows\SysWOW64\Elmigj32.exe
PID 1512 wrote to memory of 792 N/A C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Enkece32.exe
PID 792 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Enkece32.exe C:\Windows\SysWOW64\Eiaiqn32.exe
PID 2456 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe
PID 2692 wrote to memory of 1416 N/A C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Ealnephf.exe
PID 1416 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Fhffaj32.exe
PID 2064 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Fhffaj32.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 2220 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Faokjpfd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe

"C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe"

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Eilpeooq.exe

C:\Windows\system32\Eilpeooq.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Efppoc32.exe

C:\Windows\system32\Efppoc32.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fioija32.exe

C:\Windows\system32\Fioija32.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gegfdb32.exe

C:\Windows\system32\Gegfdb32.exe

C:\Windows\SysWOW64\Glaoalkh.exe

C:\Windows\system32\Glaoalkh.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Gdopkn32.exe

C:\Windows\system32\Gdopkn32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Inljnfkg.exe

C:\Windows\system32\Inljnfkg.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 140

Network

N/A

Files


C:\Windows\SysWOW64\Hgbebiao.exe

MD5 206a42faa2cf9ef2f5cc293f748deaa4
SHA1 7262effad0f10ff618be696fb18f43dda58b90db
SHA256 1002b4d33dcb62929ade7c0bb23cc63a84e8d166c1a6d3d3418cea11dd4a53d8
SHA512 b542192ef4efaa3af05d13dbd9049b1f2169d56afe23d02b2997f14980e4e51b523426f491695615945bf13770efbb6d062082ec8b61231404c07bf34750d1fa

C:\Windows\SysWOW64\Hknach32.exe

MD5 54020b57427609b59c36607ca1c440e8
SHA1 6b17f05ae8c5c7851dce9e210befc8b4e52bd72c
SHA256 10536fd6582695111a42c37b1ac673157ca4014a370dbb7202eb368258cf27ff
SHA512 b8c421cc3c796fdb560603f0a18cf242d246d1a0f9b408655b0f76a466e9588a123ef998f649db3326effe2bcc297737369e4384b17f79497ab6e58f1851c87e

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 317ef215e8909052d3d9f4901826de3e
SHA1 9b994825d3b336deddad88fbc09c6dc630cbb339
SHA256 cff404a3043044c6e4cb0ba5ede35dbde29afdefb7dd87df31fbc9ceccfab8e2
SHA512 ace2c55c512b60aec3182d484209addd31babb322c29bc7b53594e3e06c30c528cddbb4d5235ba1e4364b5dbdd354a48ac0924d6f6563cc9af94d1e64d88e9d9

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 4553adfc42a94eaca3aba2a2c1f6cdc2
SHA1 e6986ec290b94b8f00bf7b4b8a18766902970723
SHA256 690282e3c0994b18b802cbef7de75365d3d9b718ccd3b67168882e577e0b06cb
SHA512 dd26a919db6346b4ec6e21c3708e1f7f282c70176e148cb2e1e9fda72bef4123d8d3d26250764b8b97c81cf087e3bbbed425f34e52c7708ca40f4c19f1aaae4a

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 09f43d9e1d0c96d7c4b3b43799d5afc0
SHA1 f73d196ff5f1ab272fa2fe51b14c45928a846baa
SHA256 b2d8ed983b805c0ee9748c5506d61aaf451bde19086ff089d3f2d947d9d529aa
SHA512 4b65dc6dd552098709a0f5cf83c786f0a2eae3eba8956f0235a0e44413a2dd12760416b2d1de86dd65f0cfd721d7b1cd0d9cffac6042058549b864227685e63b

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 2a85041cea4329d7886207c5ddf4f1ad
SHA1 0120f9029a34b27182d6e518afb8a15f3a4b2dc6
SHA256 2121f6deb99263ee11748ed3bf9350e60e111372f811733e692ef8a12ebf7e36
SHA512 ebe9b6bcbb9f4fa1fb43282ec24093c740d14e8840ce2307a896d1d0ca192d2b1ce5020812ef4d46db64e28fe9d778eb686244d8376fb70be03e6b007ed19353

C:\Windows\SysWOW64\Hicodd32.exe

MD5 15133fac8e4b794516ac083e30edca2a
SHA1 553ffd1d51b8aefd354f3f55736f0351a78726ac
SHA256 b6ae181bd9234bfb7d08717fd99c9a2a9ac02b275bddca09dd2e8227085f79d0
SHA512 e83dfee7171937cdb29817a3ac76c1cd4b03d9f2abe2618d92b13e5e0f3dc47998d41c781611d9d0ccc2a711011b8d5b2071056806e1206eb07d2638bf1fb17c

C:\Windows\SysWOW64\Hlakpp32.exe

MD5 4244d1fb4e0c01a07831aaf3680a9fa8
SHA1 3d5a9d6c4eb2128f766f96a6dc7c2b89034cc039
SHA256 fa45207a42d9911cee9c5966d2613222ff97602a9679dc7c503f683431165c7f
SHA512 9f4d37868b23ffb0359e1c75a671ca2a4c29692c159828ab578de69460d828795c5a7fadc7b9c90a8014942d8158a038c3d216a416cb05a6220c4aa1be3a995c

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 9a17a64cedbaba354198f5e98a6ab3d0
SHA1 101e2d4cf6609c080006c0d2322cec0f097d74c0
SHA256 2b7bbad62a263c78fef3e116aac5acbe4faf44bc052e63f03f8b88530e24ebd0
SHA512 695715779619c9ff0775f9db1925abd211ab3bb279b33718b15660ad54df3f656b76d1e10e1ac15ff154d6fe0e50f8d6a5b73e81d69f3440c8c63490728d1e92

C:\Windows\SysWOW64\Hggomh32.exe

MD5 901ea0bc38f58a9dd99661ac22c0a4cb
SHA1 ea5a1ed1f19ba4040300e974e26b14a0b8eb66d2
SHA256 836c67b830541d3cd30bb6a1cb5e11fef6eb46d8864e068246de014fc073f172
SHA512 0f9bd25487af6ac58aa0431990e95555ecba663eabc9432cb5c6f017b11b3c994c362211cebdf1feecd5156dea50c2dcd27f2a1797dc032c13739328ed0cedbf

C:\Windows\SysWOW64\Hiekid32.exe

MD5 5c5b36cd1be0def94478ebdfaf98190d
SHA1 4eebf1dc0acd861c7b3fda5b86755b33f17eb7d8
SHA256 02b0ffa2780685a548b1a6298ec77b2178c13c4dd1157b5255532c005ee130df
SHA512 4ee2106ad8ccc4a56466a8837e613d6171131b74c81e880ff4f98046c52821f5fb6f07a4e0439c72b4a52a1bbd73dafff8ca17e84a543f1a47b26db0743904bc

C:\Windows\SysWOW64\Hnagjbdf.exe

MD5 baa9d6f4eff8dadc2562029064bfd53d
SHA1 de8d15b2b2fcde090d399d469088b14f35b60ed6
SHA256 5faf0a0b1f960c200b3712b9ff3ccbe4f933ee70d855d5776611d0e6112b0c47
SHA512 9c6f4a6d531f6c3f8d6712cacd0d3ab6f6e8c1c18a0fd002ef775b76fb90999d24f40636d42e94971a0ac8bb8566ca0080f0d0c7a2121585d4bc0b5f19c829ce

C:\Windows\SysWOW64\Hobcak32.exe

MD5 17010802b6bac06bbadd34cabbdca7f6
SHA1 a638fd99e7525e7b6a8fa97d326e2be1e800050e
SHA256 b583adf2ea16b2d92dd7c21094742cb195b1ea74ef4780fa224d0bd1957eb6ab
SHA512 04c0447587dbb459a09dc2f6df29e8cfc064b7d46684ef357ea4cf24c31338fd4158afce02acf44d61e1de7fb0999e588e2c6ac55a4c4953482f029d2f0de956

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 87a2eef8f697c4b221022d6323061bab
SHA1 b7497a75b585c803d3d8c183e2b24b24353255dd
SHA256 7877fc1cde059367b9d261b147f057bda76790d4bd4465c9aa62e34dcbf76fe0
SHA512 f74ec1f41c0c391997a925a7c32c876c2409d8e40ccc1b446e1ae48334b3fe07e68dc69abdfbca484df69d2b0828a2a3c0a0cf7bb879916b7904b584ca8c4115

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 49010e47809f5a4dd38861434fba1b23
SHA1 f3acb8a663b85355e24eb9db0b14f286ee6a8f48
SHA256 4fffb768b9dcfc6402b508094bb8f2e9a17c2f517de746777b44ef65e4cf3ced
SHA512 71c6935b5a726c76412a649c823e71d8623a8684bc29ac5528e7fbc73698ae4b45d650864442b28d1891d5db38900beccfdb5563657757337952165996dbf87f

C:\Windows\SysWOW64\Hpapln32.exe

MD5 54e45eade8ddfae75c6a4adc691f33ff
SHA1 892ff3a5ec6d0558444592457a061a20f904021d
SHA256 244d18bd1738b10bbcd402368044e03e5536858198b0871db1bfb45111f97f81
SHA512 4024afbb7a187b039ccfb38fc43bb80de98ce55c94d50dfbdc656200e70bb1f5e84d4a457659cb712b50638bea4d7812de080a5c35c03de9d7c82d469f3e7fee

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 24b1b522b829b747922129a7e97b4244
SHA1 4ecbbc4b9b9e7ff8bf0a8f41cc33bad2870150c9
SHA256 778452c1e7e66adf8d534ba694e36c71ae4bc33c13d961313fbfdca9fa08cc09
SHA512 885d32660c873078fdd7965c894375509d8c7e1c9c74bf0e7ee5853eccbe33ec8335de8b96ae00e03cab8752f9052cf6019cd374705ad13afcd9b52766409701

C:\Windows\SysWOW64\Henidd32.exe

MD5 4528f7094655519d371e9a4b7576356a
SHA1 38e03d9b8480820b33ec9520ffd3e7d41157dd45
SHA256 7d7303d4a39c6046cb405b84136f35f976b30b8a643268139f473d0607359346
SHA512 10f99ee0f54aa46104f9420c6c8f6855d73895cc0f46709dd4ba3634e2cbf7697ff04bd231ed9e6d75e8a5429daefe1e0e3ea574486292b37418161d87e3c410

C:\Windows\SysWOW64\Hlhaqogk.exe

MD5 2075f361bd39f3464b2cda94cb93aafe
SHA1 9af78dd4bb1130174121eeebef115e6ed86f831c
SHA256 824dc34eb54af7a007d8fd9e0bb9ed5aa3722d6e284463a72b2ef02005ff300d
SHA512 ef513adf21004c23c883a2b078ec7f79b3c303118ec73a9480d1369410da23e7dda3930cfa4b53401b274d048b91fedb0af847de6ce5f102616c50f93540d2ea

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 589d2dc0104eb877ddf7a26ad88e59e4
SHA1 578af4a26ad38d6f324d64ae17095c53de0b4882
SHA256 747ba87fec0843e1ea33726eeaf2575300aa8ff8a66540168be47cd9a35aa8d4
SHA512 41971f1b19fdb5798d2da5917f30c3012b7893f779c122c9f59d6a6c359347c8b73df8baa956780a06271f904940d86e95cd1fac9e404973434b587f97f08ddb

C:\Windows\SysWOW64\Icbimi32.exe

MD5 fcc3ae02efebe034eb76e8e8e8967e86
SHA1 c44f4549923f816e3301e99da9824ca91df02b96
SHA256 05153ce685545c8c4d878354e090ab19e4e1c8aae6fc7c102721892624f113df
SHA512 10f1f15ed87da9e8dda67ab9a4750beac34115105e5132a712a997ea443fe4f98556e2995faba9e305458b6253766afc3280d8f45709c07e0881f461a5a48363

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 4a7c1ed4bba0caaff4aa87e5058b2d55
SHA1 184332ca69b0918c45fd31be38a1ac46f55ab6f5
SHA256 a73e848172ef836ce02a0dfbc89f003cc7417fb3031ec679b89314691577d92b
SHA512 f24cc012b14773cd2bd0b0bde4a0e3143a5ca409c7a9b4cb4e3b32c3c43b04a10995fee477cadaabfeb3779c30e25db320762886ffd214db9f8d270eced4e33c

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 6ee97456b297e6383dd1ec7a59bc5fcd
SHA1 0e51a57da8c6e25bb13cdda7fcc27dd610b176c9
SHA256 9fd2ff6d4796498bf8873a48d2aa0ed510a2e8ddf65a0899ec56781a80761981
SHA512 4b630018b765b75da449fb71938fa5193e3944159badef980bdb33c89e362e7dca4fcacd32000fec83a95f790a393a190a794f46fa6732873536de02bbb3ba04

C:\Windows\SysWOW64\Iknnbklc.exe

MD5 40f5471991cd1b3a0d64a39471fe35a7
SHA1 5af2e5da2771060744c9dcf48b3240f06e48705a
SHA256 7bf2c3a04bfb1461ba1a004b073e6c18a952c41fa67d50c0ad975ef4ae7f7d07
SHA512 d76770a25cec83df1c4d61e6a663d1fa9faa5d6c9b7ddcde61410e89ce52468ed0d278a103c3384b1d5a6159f5dd36811e5199d328b435dcf3b2f7f70f64119b

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 ffb7a64202dc2bcf9c16405065672d0f
SHA1 62e0d4dbde95d7b9798debdf5e8e533eb9f26d50
SHA256 169624444ba036b03322d2c80cc6f5152def53a3d78abf0eb489d25fa4595465
SHA512 71238c888395db744c8c331d840e99edf3cbcd4a2da5259ccad5365305a34e498fa0a3652af375dbaf504f09defe4169ca460d4adfd40ff432db0e4da36326a0

C:\Windows\SysWOW64\Inljnfkg.exe

MD5 bf8e97a28938ccc8039af1aeb135efb4
SHA1 24db93c81da3404f13391fff025652847423c561
SHA256 43f7b1cccb85aaf18e68908f330fdbb71770f0d7c1ca3016e37da22ba9374eee
SHA512 fb05721b2446e5d2f172bfa37dcb5d10cf2a144e7dc2cee3a0dedff82f5ed41dc106f4a5d9e4484115fd0c5f20858f1c8b9ca2abfdee75fd5de33f4474ed6db3

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:08

Reported

2024-04-07 19:11

Platform

win10v2004-20231215-en

Max time kernel

4s

Max time network

23s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jaimbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgphpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kacphh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lcpllo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjjmog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ijfboafl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iikopmkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jiphkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jkdnpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Maaepd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibccic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lnepih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mpmokb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mamleegg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iapjlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpaghf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ldohebqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iapjlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jdemhe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmjqmi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kbfiep32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdmegp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdpalp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncihikcg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijkljp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jkdnpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjcgohig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mncmjfmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njacpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iakaql32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laciofpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lddbqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbocea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kmjqmi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgikfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Laciofpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iiffen32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imihfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfaloa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jjpeepnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ldaeka32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnmopdep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iakaql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jpaghf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jdcpcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lcdegnep.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ijaida32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iidipnal.exe N/A
N/A N/A C:\Windows\SysWOW64\Iakaql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipnalhii.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiffen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icljbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijfboafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iapjlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipckgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iikopmkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Iabgaklg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibccic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijkljp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imihfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdcpcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfaloa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jiphkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdemhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjpeepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaimbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjbako32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmpngk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdjfcecp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkdnpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpaghf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbocea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkfkfohj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaqcbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdopod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkihknfg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmgdgjek.exe N/A
N/A N/A C:\Windows\SysWOW64\Kacphh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgphpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmjqmi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfiep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kagichjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdffocib.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgdbkohf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpmfddnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kckbqpnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldkojb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgikfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmccchkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcpllo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnepih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldohebqh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcbiao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lilanioo.exe N/A
N/A N/A C:\Windows\SysWOW64\Laciofpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldaeka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcdegnep.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjjdgee.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddbqa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgbnmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mahbje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdfofakp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcgohig.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmokb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgghhlhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Mamleegg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdkhapfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkepnjng.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Lgikfn32.exe C:\Windows\SysWOW64\Ldkojb32.exe N/A
File created C:\Windows\SysWOW64\Lmbnpm32.dll C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\SysWOW64\Kmjqmi32.exe N/A
File created C:\Windows\SysWOW64\Jifkeoll.dll C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpaifalo.exe C:\Windows\SysWOW64\Mncmjfmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdpalp32.exe C:\Windows\SysWOW64\Maaepd32.exe N/A
File created C:\Windows\SysWOW64\Fhpdhp32.dll C:\Windows\SysWOW64\Maaepd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jmpngk32.exe N/A
File created C:\Windows\SysWOW64\Kdopod32.exe C:\Windows\SysWOW64\Kaqcbi32.exe N/A
File created C:\Windows\SysWOW64\Jjblgaie.dll C:\Windows\SysWOW64\Kmgdgjek.exe N/A
File created C:\Windows\SysWOW64\Kmjqmi32.exe C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lcdegnep.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgghhlhq.exe C:\Windows\SysWOW64\Mpmokb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File created C:\Windows\SysWOW64\Jcoegc32.dll C:\Windows\SysWOW64\Njogjfoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jjbako32.exe N/A
File created C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jmpngk32.exe N/A
File created C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kdffocib.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lcdegnep.exe N/A
File created C:\Windows\SysWOW64\Agbnmibj.dll C:\Windows\SysWOW64\Mpmokb32.exe N/A
File created C:\Windows\SysWOW64\Mgblmpji.dll C:\Windows\SysWOW64\Ijaida32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Iikopmkd.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\SysWOW64\Kmjqmi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mglack32.exe N/A
File created C:\Windows\SysWOW64\Njacpf32.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Egoqlckf.dll C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
File created C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kdopod32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jaimbj32.exe C:\Windows\SysWOW64\Jjpeepnb.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jaimbj32.exe N/A
File created C:\Windows\SysWOW64\Lmqgnhmp.exe C:\Windows\SysWOW64\Kckbqpnj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Njogjfoj.exe N/A
File created C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ncihikcg.exe N/A
File created C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Iikopmkd.exe N/A
File created C:\Windows\SysWOW64\Jfaloa32.exe C:\Windows\SysWOW64\Jdcpcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmjqmi32.exe C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Ocbakl32.dll C:\Windows\SysWOW64\Mdfofakp.exe N/A
File created C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File created C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mglack32.exe N/A
File created C:\Windows\SysWOW64\Mdpalp32.exe C:\Windows\SysWOW64\Maaepd32.exe N/A
File created C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jaimbj32.exe N/A
File created C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jkdnpo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpmokb32.exe C:\Windows\SysWOW64\Mjcgohig.exe N/A
File created C:\Windows\SysWOW64\Lfcbokki.dll C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File created C:\Windows\SysWOW64\Phogofep.dll C:\Windows\SysWOW64\Icljbg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfaloa32.exe C:\Windows\SysWOW64\Jdcpcf32.exe N/A
File created C:\Windows\SysWOW64\Ddpfgd32.dll C:\Windows\SysWOW64\Ncihikcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Kagichjo.exe C:\Windows\SysWOW64\Kbfiep32.exe N/A
File created C:\Windows\SysWOW64\Jgengpmj.dll C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File created C:\Windows\SysWOW64\Kgkocp32.dll C:\Windows\SysWOW64\Lcbiao32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Lgbnmm32.exe N/A
File created C:\Windows\SysWOW64\Ibhblqpo.dll C:\Windows\SysWOW64\Lgbnmm32.exe N/A
File created C:\Windows\SysWOW64\Mncmjfmk.exe C:\Windows\SysWOW64\Mkepnjng.exe N/A
File opened for modification C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Mdmegp32.exe N/A
File created C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File created C:\Windows\SysWOW64\Ofdhdf32.dll C:\Windows\SysWOW64\Kckbqpnj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldohebqh.exe C:\Windows\SysWOW64\Lnepih32.exe N/A
File created C:\Windows\SysWOW64\Jkfkfohj.exe C:\Windows\SysWOW64\Jbocea32.exe N/A
File created C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kmgdgjek.exe N/A
File created C:\Windows\SysWOW64\Kdffocib.exe C:\Windows\SysWOW64\Kagichjo.exe N/A
File created C:\Windows\SysWOW64\Fogjfmfe.dll C:\Windows\SysWOW64\Kdffocib.exe N/A
File created C:\Windows\SysWOW64\Bnjdmn32.dll C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File created C:\Windows\SysWOW64\Laciofpa.exe C:\Windows\SysWOW64\Lilanioo.exe N/A
File created C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Ipnalhii.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdmegp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll" C:\Windows\SysWOW64\Ldaeka32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nafokcol.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ijkljp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll" C:\Windows\SysWOW64\Jmpngk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kaqcbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mncmjfmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll" C:\Windows\SysWOW64\Ijfboafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kagichjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mkepnjng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ijaida32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kbfiep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll" C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mpmokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldkojb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdpalp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll" C:\Windows\SysWOW64\Iakaql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iakaql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll" C:\Windows\SysWOW64\Ibccic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll" C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgbnmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ijfboafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipckgh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kagichjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll" C:\Windows\SysWOW64\Lgbnmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgikfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldohebqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll" C:\Windows\SysWOW64\Laciofpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpaifalo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfaloa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll" C:\Windows\SysWOW64\Ldkojb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll" C:\Windows\SysWOW64\Lnepih32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Njacpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iiffen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kaqcbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Imihfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" C:\Windows\SysWOW64\Lgikfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lilanioo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mpaifalo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kgphpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll" C:\Windows\SysWOW64\Lcpllo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Maaepd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jfaloa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mncmjfmk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ncihikcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ldohebqh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ndbnboqb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe C:\Windows\SysWOW64\Ijaida32.exe
PID 4492 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe C:\Windows\SysWOW64\Ijaida32.exe
PID 4492 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe C:\Windows\SysWOW64\Ijaida32.exe
PID 3260 wrote to memory of 3160 N/A C:\Windows\SysWOW64\Ijaida32.exe C:\Windows\SysWOW64\Iidipnal.exe
PID 3260 wrote to memory of 3160 N/A C:\Windows\SysWOW64\Ijaida32.exe C:\Windows\SysWOW64\Iidipnal.exe
PID 3260 wrote to memory of 3160 N/A C:\Windows\SysWOW64\Ijaida32.exe C:\Windows\SysWOW64\Iidipnal.exe
PID 3160 wrote to memory of 3860 N/A C:\Windows\SysWOW64\Iidipnal.exe C:\Windows\SysWOW64\Iakaql32.exe
PID 3160 wrote to memory of 3860 N/A C:\Windows\SysWOW64\Iidipnal.exe C:\Windows\SysWOW64\Iakaql32.exe
PID 3160 wrote to memory of 3860 N/A C:\Windows\SysWOW64\Iidipnal.exe C:\Windows\SysWOW64\Iakaql32.exe
PID 3860 wrote to memory of 668 N/A C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Ipnalhii.exe
PID 3860 wrote to memory of 668 N/A C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Ipnalhii.exe
PID 3860 wrote to memory of 668 N/A C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Ipnalhii.exe
PID 668 wrote to memory of 3428 N/A C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Iiffen32.exe
PID 668 wrote to memory of 3428 N/A C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Iiffen32.exe
PID 668 wrote to memory of 3428 N/A C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Iiffen32.exe
PID 3428 wrote to memory of 916 N/A C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Icljbg32.exe
PID 3428 wrote to memory of 916 N/A C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Icljbg32.exe
PID 3428 wrote to memory of 916 N/A C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Icljbg32.exe
PID 916 wrote to memory of 4624 N/A C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 916 wrote to memory of 4624 N/A C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 916 wrote to memory of 4624 N/A C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 4624 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Iapjlk32.exe
PID 4624 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Iapjlk32.exe
PID 4624 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Iapjlk32.exe
PID 2144 wrote to memory of 4168 N/A C:\Windows\SysWOW64\Iapjlk32.exe C:\Windows\SysWOW64\Ipckgh32.exe
PID 2144 wrote to memory of 4168 N/A C:\Windows\SysWOW64\Iapjlk32.exe C:\Windows\SysWOW64\Ipckgh32.exe
PID 2144 wrote to memory of 4168 N/A C:\Windows\SysWOW64\Iapjlk32.exe C:\Windows\SysWOW64\Ipckgh32.exe
PID 4168 wrote to memory of 4200 N/A C:\Windows\SysWOW64\Ipckgh32.exe C:\Windows\SysWOW64\Iikopmkd.exe
PID 4168 wrote to memory of 4200 N/A C:\Windows\SysWOW64\Ipckgh32.exe C:\Windows\SysWOW64\Iikopmkd.exe
PID 4168 wrote to memory of 4200 N/A C:\Windows\SysWOW64\Ipckgh32.exe C:\Windows\SysWOW64\Iikopmkd.exe
PID 4200 wrote to memory of 540 N/A C:\Windows\SysWOW64\Iikopmkd.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 4200 wrote to memory of 540 N/A C:\Windows\SysWOW64\Iikopmkd.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 4200 wrote to memory of 540 N/A C:\Windows\SysWOW64\Iikopmkd.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 540 wrote to memory of 4688 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ibccic32.exe
PID 540 wrote to memory of 4688 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ibccic32.exe
PID 540 wrote to memory of 4688 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ibccic32.exe
PID 4688 wrote to memory of 4216 N/A C:\Windows\SysWOW64\Ibccic32.exe C:\Windows\SysWOW64\Ijkljp32.exe
PID 4688 wrote to memory of 4216 N/A C:\Windows\SysWOW64\Ibccic32.exe C:\Windows\SysWOW64\Ijkljp32.exe
PID 4688 wrote to memory of 4216 N/A C:\Windows\SysWOW64\Ibccic32.exe C:\Windows\SysWOW64\Ijkljp32.exe
PID 4216 wrote to memory of 4888 N/A C:\Windows\SysWOW64\Ijkljp32.exe C:\Windows\SysWOW64\Imihfl32.exe
PID 4216 wrote to memory of 4888 N/A C:\Windows\SysWOW64\Ijkljp32.exe C:\Windows\SysWOW64\Imihfl32.exe
PID 4216 wrote to memory of 4888 N/A C:\Windows\SysWOW64\Ijkljp32.exe C:\Windows\SysWOW64\Imihfl32.exe
PID 4888 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Imihfl32.exe C:\Windows\SysWOW64\Jdcpcf32.exe
PID 4888 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Imihfl32.exe C:\Windows\SysWOW64\Jdcpcf32.exe
PID 4888 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Imihfl32.exe C:\Windows\SysWOW64\Jdcpcf32.exe
PID 2280 wrote to memory of 528 N/A C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\SysWOW64\Jfaloa32.exe
PID 2280 wrote to memory of 528 N/A C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\SysWOW64\Jfaloa32.exe
PID 2280 wrote to memory of 528 N/A C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\SysWOW64\Jfaloa32.exe
PID 528 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Jfaloa32.exe C:\Windows\SysWOW64\Jiphkm32.exe
PID 528 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Jfaloa32.exe C:\Windows\SysWOW64\Jiphkm32.exe
PID 528 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Jfaloa32.exe C:\Windows\SysWOW64\Jiphkm32.exe
PID 4576 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\SysWOW64\Jdemhe32.exe
PID 4576 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\SysWOW64\Jdemhe32.exe
PID 4576 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\SysWOW64\Jdemhe32.exe
PID 2468 wrote to memory of 3652 N/A C:\Windows\SysWOW64\Jdemhe32.exe C:\Windows\SysWOW64\Jjpeepnb.exe
PID 2468 wrote to memory of 3652 N/A C:\Windows\SysWOW64\Jdemhe32.exe C:\Windows\SysWOW64\Jjpeepnb.exe
PID 2468 wrote to memory of 3652 N/A C:\Windows\SysWOW64\Jdemhe32.exe C:\Windows\SysWOW64\Jjpeepnb.exe
PID 3652 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Jjpeepnb.exe C:\Windows\SysWOW64\Jaimbj32.exe
PID 3652 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Jjpeepnb.exe C:\Windows\SysWOW64\Jaimbj32.exe
PID 3652 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Jjpeepnb.exe C:\Windows\SysWOW64\Jaimbj32.exe
PID 5116 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Jaimbj32.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 5116 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Jaimbj32.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 5116 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Jaimbj32.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 2852 wrote to memory of 408 N/A C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jmpngk32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe

"C:\Users\Admin\AppData\Local\Temp\1ccf0b602eb08515efeacc06f98b133a33ae28a61ff16df0376f6dfe27231a6b.exe"

C:\Windows\SysWOW64\Ijaida32.exe

C:\Windows\system32\Ijaida32.exe

C:\Windows\SysWOW64\Iidipnal.exe

C:\Windows\system32\Iidipnal.exe

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Ipnalhii.exe

C:\Windows\system32\Ipnalhii.exe

C:\Windows\SysWOW64\Iiffen32.exe

C:\Windows\system32\Iiffen32.exe

C:\Windows\SysWOW64\Icljbg32.exe

C:\Windows\system32\Icljbg32.exe

C:\Windows\SysWOW64\Ijfboafl.exe

C:\Windows\system32\Ijfboafl.exe

C:\Windows\SysWOW64\Iapjlk32.exe

C:\Windows\system32\Iapjlk32.exe

C:\Windows\SysWOW64\Ipckgh32.exe

C:\Windows\system32\Ipckgh32.exe

C:\Windows\SysWOW64\Iikopmkd.exe

C:\Windows\system32\Iikopmkd.exe

C:\Windows\SysWOW64\Iabgaklg.exe

C:\Windows\system32\Iabgaklg.exe

C:\Windows\SysWOW64\Ibccic32.exe

C:\Windows\system32\Ibccic32.exe

C:\Windows\SysWOW64\Ijkljp32.exe

C:\Windows\system32\Ijkljp32.exe

C:\Windows\SysWOW64\Imihfl32.exe

C:\Windows\system32\Imihfl32.exe

C:\Windows\SysWOW64\Jdcpcf32.exe

C:\Windows\system32\Jdcpcf32.exe

C:\Windows\SysWOW64\Jfaloa32.exe

C:\Windows\system32\Jfaloa32.exe

C:\Windows\SysWOW64\Jiphkm32.exe

C:\Windows\system32\Jiphkm32.exe

C:\Windows\SysWOW64\Jdemhe32.exe

C:\Windows\system32\Jdemhe32.exe

C:\Windows\SysWOW64\Jjpeepnb.exe

C:\Windows\system32\Jjpeepnb.exe

C:\Windows\SysWOW64\Jaimbj32.exe

C:\Windows\system32\Jaimbj32.exe

C:\Windows\SysWOW64\Jjbako32.exe

C:\Windows\system32\Jjbako32.exe

C:\Windows\SysWOW64\Jmpngk32.exe

C:\Windows\system32\Jmpngk32.exe

C:\Windows\SysWOW64\Jdjfcecp.exe

C:\Windows\system32\Jdjfcecp.exe

C:\Windows\SysWOW64\Jkdnpo32.exe

C:\Windows\system32\Jkdnpo32.exe

C:\Windows\SysWOW64\Jpaghf32.exe

C:\Windows\system32\Jpaghf32.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kaqcbi32.exe

C:\Windows\system32\Kaqcbi32.exe

C:\Windows\SysWOW64\Kdopod32.exe

C:\Windows\system32\Kdopod32.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kmgdgjek.exe

C:\Windows\system32\Kmgdgjek.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\system32\Kgphpo32.exe

C:\Windows\SysWOW64\Kmjqmi32.exe

C:\Windows\system32\Kmjqmi32.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kagichjo.exe

C:\Windows\system32\Kagichjo.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\system32\Kdffocib.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Ldkojb32.exe

C:\Windows\system32\Ldkojb32.exe

C:\Windows\SysWOW64\Lgikfn32.exe

C:\Windows\system32\Lgikfn32.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Lcpllo32.exe

C:\Windows\system32\Lcpllo32.exe

C:\Windows\SysWOW64\Lnepih32.exe

C:\Windows\system32\Lnepih32.exe

C:\Windows\SysWOW64\Ldohebqh.exe

C:\Windows\system32\Ldohebqh.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lcdegnep.exe

C:\Windows\system32\Lcdegnep.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Lddbqa32.exe

C:\Windows\system32\Lddbqa32.exe

C:\Windows\SysWOW64\Lgbnmm32.exe

C:\Windows\system32\Lgbnmm32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Mncmjfmk.exe

C:\Windows\system32\Mncmjfmk.exe

C:\Windows\SysWOW64\Mpaifalo.exe

C:\Windows\system32\Mpaifalo.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/4492-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ijaida32.exe

memory/3260-11-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Iakaql32.exe

memory/3160-16-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Iidipnal.exe

memory/3860-24-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ipnalhii.exe

memory/668-31-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gkillp32.dll

C:\Windows\SysWOW64\Iiffen32.exe

memory/3428-39-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Icljbg32.exe

memory/916-52-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ijfboafl.exe

memory/4624-56-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Iapjlk32.exe

memory/2144-64-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4168-71-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ipckgh32.exe

C:\Windows\SysWOW64\Iikopmkd.exe

memory/4200-84-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Iabgaklg.exe

memory/540-88-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ibccic32.exe

memory/4688-96-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ijkljp32.exe

memory/4216-104-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Imihfl32.exe

memory/4888-112-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jdcpcf32.exe

memory/2280-120-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jfaloa32.exe

memory/528-128-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jiphkm32.exe

memory/4576-136-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jdemhe32.exe

memory/2468-143-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jjpeepnb.exe

MD5 fea10ebd40c2ae2b92a065165d8da913
SHA1 6c0071c2a6bf0ea4a2afa2c9a68b1c06b2af4667
SHA256 a4f03ac691cfb4ade18d2c7aff5bb020bc916b4df9fde0644b1d13a7d0ab42ae
SHA512 d73cf04996077c34eb225f6a598edb6b441469f6d6a74d2e2fcb3ad1bf1b25bb7a9707874d60c1a3f0b6df15373d3926ff58181747195a0768991c4fa316f099

memory/3652-152-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jaimbj32.exe

MD5 933ff644d41cdaf6afd6704a0030ca6b
SHA1 48ef0b42cbe4d7602a1457b89acf6166b8d9a323
SHA256 1cc3bd56de35eb7e80d3fa4c4f63f04e3a4b071f16d8e4b4a7881673bd651f1c
SHA512 f852b8c863272aa86a337e44dc09805a19c449573a44f6890b48e0dfec0d4f59254fb7f74bb7f58e74a61ca1a2b6a54bf203b0d97dd6f1629d1b658849a589af

memory/5116-159-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jjbako32.exe

MD5 d8bc3f3afb77de39c0d77dc0d9a386f0
SHA1 a8e838475687c798331689a0b25c4f7fd7f7a33c
SHA256 365631c33d3ef0fc1fc932e6ad4cbc6181d4791f3dbe5eb25f2a82a41917cb40
SHA512 4f3270d965afaf6368c637feba4c0acab07863475a8f349d56a3ec0619b426844546c45818675d8df20125e33c5272707324485284e1b9a224055db97d1c50d6

memory/2852-168-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jmpngk32.exe

MD5 9c670651797121075423b3d051611b8c
SHA1 b9816961002cae2efbe082c045f718f61018443d
SHA256 db0ec09aeabefdea266e08d2ffd53f70b50d4fecee8a378153aad0e80df66707
SHA512 5b1cacaa15c2f61718e1a749dd7ab0baa496cca5ae332fcac4173d74bffd24d88cf50c8b574fecb5e2b624e1b996131ec4ece73d4757955081ddd09376bb323c

memory/408-180-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jdjfcecp.exe

MD5 bcf37d520827586f4514794bba8e4768
SHA1 d50bfe7c3a8605e07769ec7caca3a54f8a8e092e
SHA256 c07d4fd3245cc7a67c74598d70b68a48e1e603318867dfa5426f6a51110f106c
SHA512 b2bad6d1e5704c09a9fce56d8b59ee6909a8aabc1df7fb1ba59ec192c636bb1d659f11bc927f0c9441c9fe1609f830d3699edb97ff6d8c5f5527e27d12129460

memory/836-183-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jkdnpo32.exe

MD5 2968ac0dee4babaaa221898a66aebd35
SHA1 674f6d4e0caabb14326c92e0aeeebb4b2148fd01
SHA256 302e58a6ba9b0239c4dedb54baf53fa913fe096b259f4bf4a20991b9d5607401
SHA512 26e1ed154b829ccbc16cc44ac6f5a23a092d771adedabfbb15c3d8abda7b4998b08ff79d47689962cb8ecfb9f7139ebf24925dcca34966108f320ab743b0cfa2

memory/4040-192-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jpaghf32.exe

MD5 c8587019474846ddd9db9c4ae6e6f560
SHA1 01ec52c1ec036e53946f0526d1971cefc3efd19a
SHA256 2d7d28b93cb5cb18f5760fdd392a3e48f25a5715ad566292c584dcb8700b65b7
SHA512 aed32f3771c100e955aa24badcaaf071d031674a98cf329e253eb50b82218fb75808054de02ee5e917b5caaeb87ccb6523911fc73119e787016560497c77787c

memory/1896-199-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jbocea32.exe

MD5 cef40942aa932b7419fe09e0308f7d98
SHA1 a4d427dd03d525f8adbce8c8f2b35c6373acf886
SHA256 237fbd833be2ac25615cf728c24454bd6337101b5e6833732ca453b90140a671
SHA512 4d1c9126d3cf34d456beccf368197b0a5f12c80d1c9fed5cc5280a42f7f9bdaa45391ae144d5330db88093ebd2959386d3348a6ee2eca63c36c31d104653b7e7

memory/3952-208-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jkfkfohj.exe

MD5 6f0706df5a2095ebda12a77c2b2dbb6f
SHA1 537f039055f5ccc1458ee23647b157b0ad23b1ca
SHA256 e25a01342e657f02c0246f9539dad295b00094441ba7ef8c33e3d25ea64d8a6e
SHA512 9641ddf695d890afde6929403c440c1c184099d478a61839adc0122a5f3262fbaf8ea88957665ba069c88f9b59f02c93759a189a1a1ae2f2ffdde7e91b0b1df5

memory/4208-220-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Kaqcbi32.exe

MD5 310ff7861c59020d829244510e2f9c2a
SHA1 b52903163dfb0a2b27b6ae0f1f56d9bb5d932bdb
SHA256 aa360a1c2dc7eb82f3349090ce83007f74ebbb16f47abaff2a8c76ef69b909f6
SHA512 f2d5d5818e66a74624bd6b14068b8a9b7675c8cf27dfb7fa1b024197cd3e082d2521ee722f6194d8b909b414188333f6cbbe8da4fe80344ac6b1931b8317b8e7

memory/1084-228-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Kdopod32.exe

MD5 883fb399adc6e308885a39d1728fa831
SHA1 0929952bf3bf6d0948ddf3db1e2b415b6ef8e14d
SHA256 81f5dddf6280647a9f20cbd0eca9819926cc340d0dda93e9bf279b12d5dc63fc
SHA512 a635c656c4342db34c8557d5f40367d1a5dfc645598d6f5da2c0cb934a3eb15073c8cd1cc1588f19ab2266fa5fb942a576e77497d61e76b667372c6b5048564a

memory/3648-234-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Kkihknfg.exe

MD5 91387a285e6f7e16c1a0bd4ce656474d
SHA1 95ade02e0294e6d0f2b169d3600ddacbbeb43c72
SHA256 c5db6be7c7aa9a23d7814dc84a16ec07f989d6459049ac693fa4491fbae291de
SHA512 ecba0cde4121a6252f253b782564502b369317f3c7655b649882bfd27141bcf1b36ccfd0eeeb57e89ba19528b3c4b7e8c06e360558627ffc0ee03033bde708c2

memory/2336-244-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Kmgdgjek.exe

MD5 31128b04aa8bedf331c7a0745be39334
SHA1 f69cf5ff58574cf43fc4365b87bce076ee6e6600
SHA256 29666df4fb6dae4abca80699b5d907b672379bb63be8dea1a8818cd2fa4aab7f
SHA512 56f02221154b53c71c768a1b0712ab591d9a0d40e522ce8598fbd3b98324e82924ed8b4556382c48ade99cd6a0362d6e1554325a745c10f3b10c4d220e151742

memory/428-252-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Kacphh32.exe

MD5 3b84b8db432b70897abb7949cad5cb0f
SHA1 2393b4604004c20eae161031cde1fa13ad4f520f
SHA256 7077d7473698078f91df7d595273c5409f4e949035c12b1c2681acafb97d07c1
SHA512 04777a4fd06ab5108b1fcae03212126eb3d70ef59092cbaba6736c3c173bf1b89c31f393d6733eb43fa716997a89faf55f945f2ddebdd7f7d8fe431ee071938f

memory/3840-255-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3692-267-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2508-272-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1528-274-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4448-284-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4892-288-0x0000000000400000-0x0000000000442000-memory.dmp

memory/216-296-0x0000000000400000-0x0000000000442000-memory.dmp

memory/936-298-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3904-304-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5072-310-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lmqgnhmp.exe

MD5 29b6ac995911129dc985e84b0d490b3f
SHA1 f038397910744074b4de4e52b006b8fc7d231e37
SHA256 e645b3eba1bd256be57f065b41abb81b848bf2cc76a247548ce2e0a33048d6d4
SHA512 3f66c752aebfc48e8a084739fc29548f9c2978d5db54bf99049d6d6ecd4a10db5178e8e3f299034ff1e82c46527b285017fe7d2809d6d4bd891fef9e38d93daf

memory/4756-316-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4056-322-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lgikfn32.exe

MD5 ce906ee8277cb95dc9c704aca266a342
SHA1 a5c48026e8414d7229c517ecb829bc50c4ddc81b
SHA256 c8eb4c756ce403b4b925b102d93913fb21add6769edc4bf6c20689eadd2d930d
SHA512 8388d6d8bfa499f828b2d27bb1b521cd3df2b8a4408a004417f65f0ece0d22212418f042c94d6da86284b55a715cf38a17b9fd50a01ad1bdf1c426701f001a53

memory/4848-328-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4856-334-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2060-340-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4764-346-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1072-352-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4544-358-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3588-364-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3424-375-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1328-380-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1316-382-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lnjjdgee.exe

MD5 54280b310f7d7ddff172dedc99772ef7
SHA1 ba8617f51acb47d257c455ef4966802f1415bb5a
SHA256 5855d832e48a90ccf5735c670584a1a6a7d5cf373c4d5e84a207784173d142a3
SHA512 9fc58c0208d974e4373c2c8a38918b8853b195d2b46e67dfb2e7c5a79431be1376cb63e07f0bbec311bb9fecfee33cb1c28461fe2c2c723c0cd8d2176e801c77

memory/1228-388-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1620-394-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1720-400-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5036-406-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mdfofakp.exe

MD5 4ca6db6522f9e88f06ff221c0c98304a
SHA1 a21adf9607c21326d30599cf6382e51fadc2b18f
SHA256 ff96a302aa98ed5aa4505fc79360326757ea1c438d4d0b3297ae45a7eef9e88e
SHA512 646d4fc8fae8693166fc09facea0b35b6d99f841565e1157aeb4f8756351b14772b1812a228d56bccee948f2afbce43bfbb04ca6975c1d937cf6cd3aa8e52ac6

memory/4572-412-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2372-418-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4368-424-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mgghhlhq.exe

MD5 a9af47dc428ae0782907b2632d9d3cf8
SHA1 ac560a3097135d2461114d76e2757334c226a1b3
SHA256 e956bf885c93acda8bbc0517e4d139ac5113e099a32017681cad567db4b8214a
SHA512 b85447f190e2644529a21eb197b18a1b8ab31b82c49ccd0175a997e70abcdedecc2c30852a07f3b7ee3e262e25fd450d9ab95499377aff55734b78e1837e7a64

memory/4528-430-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1472-436-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3768-442-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mjjmog32.exe

MD5 87dcf92e1a51d76103afd600c602dee3
SHA1 11000cdff5104d21d65ee9c6110d9e79697b0046
SHA256 e1f033513024321a56245b971baf1ad1ff245fcb3855b72f554ee3bef0266ae5
SHA512 48dbebf8050fd514056b618ce5a2d6cd8ad1781b14c86f4d3922d21b640812636931dd88ec052c7018babe63304146469b8d0fc07bb0f94ad4667807bafd8586