Malware Analysis Report

2025-03-15 00:11

Sample ID: 240603-2a7dkacb26
Target: 642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9
SHA256: 642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9
Tags: persistence
Score: 10/10


Analysis Overview


Threat Level: Known bad

The file 642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9 was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 22:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 22:23

Reported: 2024-06-03 22:26

Platform: win7-20240508-en

Max time kernel: 121s

Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekklaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gegfdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hacmcfge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eflgccbp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebedndfa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghmiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Henidd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flabbihl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inljnfkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdapak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efncicpm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpocfncj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ioijbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekklaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghoegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eijcpoac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gddifnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gegfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghoegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fdapak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gldkfl32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdapak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gldkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmiam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddifnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghoegl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdfflm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdhbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpocfncj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hobcak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjhhocjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhjhkq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlfdkoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpapln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hacmcfge.exe N/A
N/A N/A C:\Windows\SysWOW64\Henidd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhmepp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icbimi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieqeidnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilknfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioijbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inljnfkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagfoe32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdapak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdapak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gldkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gldkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmiam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmiam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddifnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddifnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghoegl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghoegl32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Gegfdb32.exe C:\Windows\SysWOW64\Gbijhg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Glfhll32.exe C:\Windows\SysWOW64\Ghkllmoi.exe N/A
File created C:\Windows\SysWOW64\Hciofb32.dll C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Ejdmpb32.dll C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Icbimi32.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fbdqmghm.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fbdqmghm.exe N/A
File opened for modification C:\Windows\SysWOW64\Gldkfl32.exe C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File opened for modification C:\Windows\SysWOW64\Gddifnbk.exe C:\Windows\SysWOW64\Ghmiam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Cfeoofge.dll C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
File created C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Eqonkmdh.exe C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
File opened for modification C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Eqonkmdh.exe N/A
File created C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Ecpgmhai.exe N/A
File created C:\Windows\SysWOW64\Hkabadei.dll C:\Windows\SysWOW64\Ekklaj32.exe N/A
File created C:\Windows\SysWOW64\Qahefm32.dll C:\Windows\SysWOW64\Gpmjak32.exe N/A
File created C:\Windows\SysWOW64\Lkojpojq.dll C:\Windows\SysWOW64\Ecpgmhai.exe N/A
File created C:\Windows\SysWOW64\Pfabenjd.dll C:\Windows\SysWOW64\Ghmiam32.exe N/A
File created C:\Windows\SysWOW64\Hdfflm32.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File created C:\Windows\SysWOW64\Fealjk32.dll C:\Windows\SysWOW64\Hdfflm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Pdpfph32.dll C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Eiaiqn32.exe N/A
File created C:\Windows\SysWOW64\Hmhfjo32.dll C:\Windows\SysWOW64\Gegfdb32.exe N/A
File created C:\Windows\SysWOW64\Gbkgnfbd.exe C:\Windows\SysWOW64\Gpmjak32.exe N/A
File created C:\Windows\SysWOW64\Nokeef32.dll C:\Windows\SysWOW64\Hpocfncj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Hpapln32.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Hacmcfge.exe C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Odbhmo32.dll C:\Windows\SysWOW64\Eqonkmdh.exe N/A
File created C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Flabbihl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gldkfl32.exe N/A
File created C:\Windows\SysWOW64\Ghoegl32.exe C:\Windows\SysWOW64\Gddifnbk.exe N/A
File created C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hhjhkq32.exe N/A
File created C:\Windows\SysWOW64\Polebcgg.dll C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Nfmjcmjd.dll C:\Windows\SysWOW64\Icbimi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
File created C:\Windows\SysWOW64\Lnnhje32.dll C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hdfflm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File created C:\Windows\SysWOW64\Hojopmqk.dll C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File created C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hhmepp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File created C:\Windows\SysWOW64\Jdnaob32.dll C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Fdapak32.exe C:\Windows\SysWOW64\Fdoclk32.exe N/A
File created C:\Windows\SysWOW64\Gpekfank.dll C:\Windows\SysWOW64\Gddifnbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Hpocfncj.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Hhmepp32.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Inljnfkg.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Glqllcbf.dll C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Nbniiffi.dll C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Eflgccbp.exe N/A
File created C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File created C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File created C:\Windows\SysWOW64\Bdhaablp.dll C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Inljnfkg.exe N/A
File created C:\Windows\SysWOW64\Lpdhmlbj.dll C:\Windows\SysWOW64\Egamfkdh.exe N/A
File opened for modification C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" C:\Windows\SysWOW64\Fdapak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Faagpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hobcak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gegfdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebedndfa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eqonkmdh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmjejphb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghmiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epieghdk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Faokjpfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fdoclk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Goddhg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Egamfkdh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Inljnfkg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" C:\Windows\SysWOW64\Faokjpfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gddifnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll" C:\Windows\SysWOW64\Ghoegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" C:\Windows\SysWOW64\Hdfflm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" C:\Windows\SysWOW64\Ilknfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" C:\Windows\SysWOW64\Ekklaj32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe C:\Windows\SysWOW64\Eqonkmdh.exe
PID 620 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe C:\Windows\SysWOW64\Eqonkmdh.exe
PID 620 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe C:\Windows\SysWOW64\Eqonkmdh.exe
PID 620 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe C:\Windows\SysWOW64\Eqonkmdh.exe
PID 2980 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2980 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2980 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2980 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2676 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Eijcpoac.exe
PID 2676 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Eijcpoac.exe
PID 2676 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Eijcpoac.exe
PID 2676 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Eijcpoac.exe
PID 2688 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Ecpgmhai.exe
PID 2688 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Ecpgmhai.exe
PID 2688 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Ecpgmhai.exe
PID 2688 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Ecpgmhai.exe
PID 2052 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Efncicpm.exe
PID 2052 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Efncicpm.exe
PID 2052 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Efncicpm.exe
PID 2052 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Efncicpm.exe
PID 2656 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Ekklaj32.exe
PID 2656 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Ekklaj32.exe
PID 2656 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Ekklaj32.exe
PID 2656 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Ekklaj32.exe
PID 1352 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Ekklaj32.exe C:\Windows\SysWOW64\Ebedndfa.exe
PID 1352 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Ekklaj32.exe C:\Windows\SysWOW64\Ebedndfa.exe
PID 1352 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Ekklaj32.exe C:\Windows\SysWOW64\Ebedndfa.exe
PID 1352 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Ekklaj32.exe C:\Windows\SysWOW64\Ebedndfa.exe
PID 1440 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Ebedndfa.exe C:\Windows\SysWOW64\Egamfkdh.exe
PID 1440 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Ebedndfa.exe C:\Windows\SysWOW64\Egamfkdh.exe
PID 1440 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Ebedndfa.exe C:\Windows\SysWOW64\Egamfkdh.exe
PID 1440 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Ebedndfa.exe C:\Windows\SysWOW64\Egamfkdh.exe
PID 2760 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Epieghdk.exe
PID 2760 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Epieghdk.exe
PID 2760 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Epieghdk.exe
PID 2760 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Epieghdk.exe
PID 1548 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Eiaiqn32.exe
PID 1548 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Eiaiqn32.exe
PID 1548 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Eiaiqn32.exe
PID 1548 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Eiaiqn32.exe
PID 1568 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe
PID 1568 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe
PID 1568 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe
PID 1568 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe
PID 2116 wrote to memory of 332 N/A C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Flabbihl.exe
PID 2116 wrote to memory of 332 N/A C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Flabbihl.exe
PID 2116 wrote to memory of 332 N/A C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Flabbihl.exe
PID 2116 wrote to memory of 332 N/A C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Flabbihl.exe
PID 332 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Faokjpfd.exe
PID 332 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Faokjpfd.exe
PID 332 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Faokjpfd.exe
PID 332 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Faokjpfd.exe
PID 2820 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Faagpp32.exe
PID 2820 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Faagpp32.exe
PID 2820 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Faagpp32.exe
PID 2820 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Faagpp32.exe
PID 2920 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fdoclk32.exe
PID 2920 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fdoclk32.exe
PID 2920 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fdoclk32.exe
PID 2920 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fdoclk32.exe
PID 2220 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Fdapak32.exe
PID 2220 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Fdapak32.exe
PID 2220 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Fdapak32.exe
PID 2220 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Fdapak32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe

"C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe"

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Ecpgmhai.exe

C:\Windows\system32\Ecpgmhai.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Ekklaj32.exe

C:\Windows\system32\Ekklaj32.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gegfdb32.exe

C:\Windows\system32\Gegfdb32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Inljnfkg.exe

C:\Windows\system32\Inljnfkg.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 140

Network

N/A

Files

memory/620-4-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Eqonkmdh.exe

MD5 6b4fc628f75cbd0a8ff4bcefd2ad4dbb
SHA1 878eab0b96bec3e067d344d8443a5906cbbb63cf
SHA256 5aa8ab783831b9029bc4ad848ecad8df7d07d3b0a9d53073e707b67ba6215147
SHA512 3bbf77106495228d0547459a19739bfd6175e841a12dfb5354afc5895d240a84dc5ca631f5ff61399c315f3eb303fb1e8f27ed263b86e82f358d8dadf5268ca1

memory/620-6-0x0000000000280000-0x00000000002C1000-memory.dmp

memory/2980-18-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Eflgccbp.exe

MD5 15d08c8c1de2da5b3858fd8aea375cfa
SHA1 4c9333a66502432e9ecd6772514d10b1c1ec40a2
SHA256 650694d395a7edb2e99f50f3043a318764ff287d9781ed6894bf569bbe7b35d5
SHA512 6fc036deb3daf5d88a0269aab142b2b8c013a4f3208398471ba9ec61f3de69a57dd8a0e1d1750a3849c9f6d38d746461a19dfc0d01d01ea72ec28ab481d3c7fc

\Windows\SysWOW64\Eijcpoac.exe

MD5 83e404fdfb0411b84ee066c6f14ea76a
SHA1 6901acff5d83a03a15426d27200681024aeb307a
SHA256 852a8da1b32b7ecea039b6895ae94e9e3f0d28653c5253d672b5446f05feebd8
SHA512 f1b9dabbb7bbe792a1228400e719c90d4d0d24639c23c7c67cc891015c6e7f47cfded37ec9e836c721d0d58489c8b59a70d4b2dfe02c46f71ebc1ab4333105ca

memory/2676-32-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2980-25-0x0000000000250000-0x0000000000291000-memory.dmp

\Windows\SysWOW64\Ecpgmhai.exe

MD5 51f1f3390014691e7b23059a0e71dfa2
SHA1 732cf08e884a755df840765812b977eb0135f953
SHA256 fdd5be8b03a75ec82a16ce65de3327454eb9a585cf1537057e4849a15c883fb1
SHA512 0bc38f6b82187f93c4d8584e1a6d6086701c08c2134430317cd70b9c871c4c66c47573202067f0edcd06515d5c4fcf07289178fd96df401fbb5fcf07ac2ce69b

memory/2052-58-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Efncicpm.exe

MD5 7bed7c10ed7e4df92105dbc11ae5a17d
SHA1 b90a8034487a6e92869de1f53c0468b4e6929128
SHA256 c63cf0f4be2e0d26eb85cd90bee2a37aea4fe92306c33ecde32af224cacc6701
SHA512 784345009a6c1b90ef79881865ea09254143d958ff402cd3d2ec2fb4c9cbec53b3476576cf00ce6e12623018fc557c18d819b5c9bb7b55b281c9967d0014d9ce

memory/2688-47-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2656-71-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Ekklaj32.exe

MD5 1fea8e533de2570553a19d309d01db73
SHA1 5f7d15eeb8f8c87b907339c691bc0678f689515f
SHA256 caefbc2f099b9900344d77a9f60ce6b98a2a9a8b4e6842da9537536d25f72ed1
SHA512 00e9eec50b249d6f2b987f20ad049d2393e18ed465d9d13cae9dd74d22b007d4d18bbf3a8b0c14221f9c41a9dd542ea09e6669e1e9410231a3790c5f22fd5729

memory/2656-74-0x0000000000310000-0x0000000000351000-memory.dmp

C:\Windows\SysWOW64\Ebedndfa.exe

MD5 a94c93cebcacf5576f273c53660dcbe3
SHA1 428d792731298b21b7b2afb12fdf3de38adf235a
SHA256 7bd5f0242d3a26e0269af6735c0d1e0041c0bf65f1caf75664bbc53f82f0d221
SHA512 6a76dd02c0fa5fa3b5d32a8c957f113cdc53219f528ac317071588b3b91d50e1443fc5c95881e8957524759cbf202abd2c5a04baab2e95a639efba9ddd6fe840

memory/1440-94-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1352-93-0x00000000002F0000-0x0000000000331000-memory.dmp

memory/1352-87-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Egamfkdh.exe

MD5 6f0b7c57d0e53193285339812546894a
SHA1 45b8832bbad3b5fa7265fc66f9138869f204fcbf
SHA256 e51e5ed36ab9d37242611930262224741c478bd94c9630b4de54a60f6d841ab2
SHA512 1798f6333e01cdd58e11852ccd2bffd98be19392297d99d4fa3be2f0cb427c1187d7251689252f70b784fd6037f91285db6c8a06b6a385ef4bddbca2c6da75d7

memory/1440-109-0x0000000000300000-0x0000000000341000-memory.dmp

memory/2760-119-0x0000000000250000-0x0000000000291000-memory.dmp

memory/2760-118-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Epieghdk.exe

MD5 5f1121e0ce616e301475f0a2ce348c70
SHA1 1f8fa47a163d80529367914a208e401b29ffde4e
SHA256 e29e8eb10cd1926a2370b6799652d1fd86bb78af1aadbcfb084872bd5d6162a6
SHA512 9ec4069ab49d08bfb1eca241bf8e141ca900fec7cd87346a1b0021ef0f2f1665cbe61b1b8ee2739a225f4701f3f0a180dfbe0ab99ba4d4090b162c39d2ab495f

memory/2676-102-0x0000000000250000-0x0000000000291000-memory.dmp

memory/2688-108-0x0000000000250000-0x0000000000291000-memory.dmp

\Windows\SysWOW64\Eiaiqn32.exe

MD5 58ca0bfbcf9965f8b85c73860c8dc5e2
SHA1 291d4b7c9f7b6144b01701e13a2cf0282ad7a306
SHA256 0beca4e4d726b78c4832abff885871a17e6e579bbc9f4d3233a407b5d5671127
SHA512 9d2821bdf9772c08bef8e4ce377fefbe36529691ef7fa5947e15aa52d705b887c16788c873060f6dcbfa81d39497d6bcefd2587089a827fc47ba20ef7e2d410b

memory/1440-107-0x0000000000300000-0x0000000000341000-memory.dmp

memory/1568-149-0x0000000000250000-0x0000000000291000-memory.dmp

memory/2656-148-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Ejbfhfaj.exe

MD5 f50f69927bcce97e3a353a78dfd7b8f4
SHA1 6d9ec0a24416182d5b08a26d74eadb24241691dd
SHA256 0f86709fbbb40930956d033f6f856d42eb60c282b9d73d7e31f14c6e464bfea2
SHA512 425e3535d234eb8054b6cf66e100ccd88871f43c49d7ed28e1d5c03fdd11cd770940e6f92e8e81e61488f3ab044b23e9d0a6ac48060f5afca28022016f21afc9

memory/1568-145-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2052-138-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1548-137-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2052-136-0x0000000000280000-0x00000000002C1000-memory.dmp

memory/2116-156-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2656-155-0x0000000000310000-0x0000000000351000-memory.dmp

\Windows\SysWOW64\Flabbihl.exe

MD5 cb285beeca9db17fad4b2b6de3b45769
SHA1 5515dba43794bf0ef24b978a4f2af8bcd508b8bd
SHA256 f429acc7d178a4fc07bfe985a8afdc7b63999c314b05ca89e658ce3e5bdf7984
SHA512 21d9a6313f3305118784b4ae7c25d5f308b03ea8e2c246b53092aee5ebbee8d1eac3b065fe43d09db425b3d34780fce87ba9ca2ba3b1a194c37af11d4dc54fb8

memory/2116-169-0x0000000001F80000-0x0000000001FC1000-memory.dmp

\Windows\SysWOW64\Faokjpfd.exe

MD5 fb381af597a2467601e970f140836d11
SHA1 970f00c89b68c1b06f48e93dc24d1e3869cefd53
SHA256 e29396f2f3fb770dd18768bbe9ae938f4be554ffc857ebdaec9ea5648ae004bc
SHA512 5dfb59731cc20ebea468e95b636ad2fb9a735cf405abfb4bc598b9cfa74df108a83a2b0dd452cd04783fbd9354fccbd8a45d780a14f93d1058d2852ceb81e924

memory/1440-173-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1352-172-0x00000000002F0000-0x0000000000331000-memory.dmp

memory/332-171-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2116-170-0x0000000001F80000-0x0000000001FC1000-memory.dmp

memory/332-185-0x00000000002A0000-0x00000000002E1000-memory.dmp

memory/2820-187-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Faagpp32.exe

MD5 da6a2da816c576442c8c81418ab1b3d2
SHA1 79f884bd8f0705674d79efe3c42528e7c36a276a
SHA256 99614d7352ba047146c424765df6cee37c3f5d5d604722cf65e4b35288835827
SHA512 7b039d90d28fc6cdec789f946948d0f6d426d775d5a4c9a93eb2826fd5fecbca5b0bfa6f27577ecc6499d3e74f1c7d2f932b0b83c6aea45975a901241ce573a0

memory/2760-196-0x0000000000250000-0x0000000000291000-memory.dmp

memory/2920-205-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Fdoclk32.exe

MD5 0dddcf5ec21b430992ef98ff1a289df3
SHA1 9d208c06f650a7b5d7197098c1adc4cd9b91b63d
SHA256 724c64080de10f8d57f69e98df2f1dab3ada984a68b4194b4c53e43666caefc7
SHA512 6b9589ad2463643437aa01980a9d54ff071c3715dea1d1b78af7b767a470997aa57e4c673fe53b7e0f7b09e8619b100742680d2b90c69a0ff2502f5a9ebd364d

memory/2920-209-0x0000000000280000-0x00000000002C1000-memory.dmp

memory/2220-216-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2116-215-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Fdapak32.exe

MD5 e816ae5a8ac6a3014234c8e18b5ffdd7
SHA1 28689dec89d4cf2088ed66e080241e14a3492a35
SHA256 03e404ffbb6dacea9fd55758edde05ace465b39b80b884c81b1cf4c81691baff
SHA512 9200cc6acea4d9a1cf93398879c4d9e66634fee084169f2ced6387698ae171fd9691773b8b24e8d73c369b9652aebaee00692b4cfc0e8d7a98a697b95c8b4f1a

memory/332-238-0x00000000002A0000-0x00000000002E1000-memory.dmp

C:\Windows\SysWOW64\Fbdqmghm.exe

MD5 df6582975e87ac411d0d1babb80c7265
SHA1 841a680536bb482f037c4331a022af996b30a3a2
SHA256 4e98b3c26167735fa8465d5b7c13d4a0b99aaf7fb0e3990b2b2080f1894f8686
SHA512 e718919293977f5ef34b0c88860532fc34051e0b41e88a85559e76216b9de072f904a697b8f3d50e6d69ca8d2cd20d1f3dad67a1588231d94a36e703326ecd73

memory/2256-236-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2840-245-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2820-242-0x0000000000400000-0x0000000000441000-memory.dmp

memory/332-229-0x00000000002A0000-0x00000000002E1000-memory.dmp

memory/332-228-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2820-249-0x0000000000450000-0x0000000000491000-memory.dmp

C:\Windows\SysWOW64\Fmjejphb.exe

MD5 5ae52872299fa4380720764b114ffe80
SHA1 be6f2a5ec848073928fdb58da9b86027aa65fc4a
SHA256 0e2f4c1345a70fb1047af8622a864d231512e883d60a3a31d525def78923d8d6
SHA512 95a1ed37fa5279041295b1f30f5dd7f84276a50091e9d451fe3e112427d411f0ba89682a8092746771ba584cb109ab44a88bb9148f9168cddae17aa9dd77b77c

memory/1776-253-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 1f3532f3c929904d8b0c3ba0ed8adbb6
SHA1 ff07e39b23715e6987a9511b52f5e609d204f5ba
SHA256 55f4aafdecfad6bf2df89bb3fa3ebf23816f29763c3ce6a71f89884477da1291
SHA512 ff20c7603c04b51dac469ea21f4fe1648cc5270963db4ad0619290bf411e205032315c700ac17a2cd3e315d26ae183a2c26754b6a1699884499a24503b68c338

memory/2920-262-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2220-266-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2920-265-0x0000000000280000-0x00000000002C1000-memory.dmp

memory/2148-264-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2920-263-0x0000000000280000-0x00000000002C1000-memory.dmp

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 e0f26994992f8d27b763170ea469e44a
SHA1 1bc712ad7a3c842b9edee07b8ff5205a0e718743
SHA256 537adfa830e4e84a8a862a2f6e2ba0d9b77a9c9bdb0e2411d4940019ada85776
SHA512 a1bb4d2a406c608c873de62770442fc5a75d8a127f43ca18bb568cf41c3879bd67ae5492c605b08125c7f7b0d17b99b8f0eff55f1ecd3afd6283d04f13a677d6

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 d9ca68724e44fbf9de2fde87124d4a69
SHA1 3a94ea395743b2504989595c6c7e311dc1735034
SHA256 175cd846ff43a99677296b95edeeae7e9b3fe525e9d37f85d0f5f4b396d41888
SHA512 4faa64a6e9fbe351b6282d41847697859f404a92569cbe734f0e964c4b38b8799641c2f36969f5563920913f64596c8771710d448c215ecac5a1a50132b51570

memory/1232-279-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1296-285-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1232-284-0x0000000000250000-0x0000000000291000-memory.dmp

memory/1296-291-0x0000000000450000-0x0000000000491000-memory.dmp

C:\Windows\SysWOW64\Gegfdb32.exe

MD5 a53f7690eb20a3ee0d82af615d046144
SHA1 dfc0756564d22b44514290f0f8a05d851cd7a4a6
SHA256 afbced68e6aa57fa9ac5ed7851e22c739a603fb969c861eb46cb2230f2567654
SHA512 15c5d2ce98813c248f6a46ed11a8ecbcc1abea46e8b8993c16bd51b78e6e6b787ab4bbc1b2afbfbb3648ec81fab4f128278b85a26833286673640e442b04323e

memory/2256-303-0x0000000000280000-0x00000000002C1000-memory.dmp

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 d92b081c3abe3856cb745bbcc9417ef6
SHA1 e5ddffc134d9f6a1f852221b032f21d3fd4908f5
SHA256 f6a1422db88afaa41a3424b0c9f0a2b446207f98fe0473bf7ddb7ba4e6091292
SHA512 e7b99d96fc7a435aef47968ed19e8b6e7979dceee85f10d7367f34def3af53efb38fed3dfca06203011dc46d6945df6d0d4ee7a588ac9700bbfbea0b313e4c3a

memory/2136-308-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2840-304-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2928-302-0x0000000000280000-0x00000000002C1000-memory.dmp

memory/2928-301-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2256-299-0x0000000000280000-0x00000000002C1000-memory.dmp

memory/1692-319-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2136-318-0x0000000000250000-0x0000000000291000-memory.dmp

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 276c1ca21da94e6184981de7bfc6c792
SHA1 069a89005874a6072776f3fa59189e8e3acd7609
SHA256 0fb278e1f23bd59b3d58e7324dbd3048e63e14eec8f7d9898c9114b91c2e1ffe
SHA512 8941680d23aadca65c5a968cf65b8fc15f0ae5fe9507603e1555044c0ba9c9e004b9e7ed8ebc5a48ea7b0e622b04efa4da0fad9cb7469344977d6743b5673786

memory/1692-329-0x00000000002E0000-0x0000000000321000-memory.dmp

memory/1776-328-0x0000000000250000-0x0000000000291000-memory.dmp

memory/1776-317-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 7283eaf3dd1371b1c2fb2f2827f1f449
SHA1 a2d8e7406cbd641bd77922b7fd29c1f8994b1e30
SHA256 4d47d56d783a59f165ebf6c4587c9bb275365b93d577a9640be793860ea103e6
SHA512 561aaf4eac7f052bb73c0a0d8a18fb3a65088c7fa395640709b7baa079aaa0cc5fee10a7c335becf188ed16d2eae93b430bdef11ade94eca4d8b579cdb8acc43

memory/2148-331-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2216-330-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ghkllmoi.exe

MD5 6a27e6758c27cf4a9b2165e35548ca89
SHA1 320f7dddbc508aee82cad0c7a94c42222a3259bb
SHA256 da67e7794ecba249132305e04fedea6b4fdcf949f3d5150ca4374e236323ce8a
SHA512 740ee66ed0d0fefa06b5f9828556c375981638189a6b7588f378cf99bda92ea88e4104a516d29c45ee253cad264a536cced2cdaec5ff2a3f1d98d618995bdcab

memory/2588-349-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2668-353-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1296-352-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1232-351-0x0000000000250000-0x0000000000291000-memory.dmp

memory/1232-350-0x0000000000250000-0x0000000000291000-memory.dmp

C:\Windows\SysWOW64\Glfhll32.exe

MD5 9f522a470d3cad01871d2c7233308809
SHA1 254357a4d6a4d2412ef800a5149ca551b0626823
SHA256 181b6c3eb07e1b9468207328e3b26ebef9dc66de38eb26a5caef180e4ab99d31
SHA512 a42b3cba1a875b146e7090f02125354bcc2a0acdb670b74a0cbf747582bd43694cdf572d67929ee5c9f7ce139818fadeeb6d6c3c3b86ddf0815c54bc77617292

memory/2148-345-0x00000000003B0000-0x00000000003F1000-memory.dmp

memory/2620-368-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2136-364-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2668-363-0x0000000000250000-0x0000000000291000-memory.dmp

memory/2928-362-0x0000000000280000-0x00000000002C1000-memory.dmp

C:\Windows\SysWOW64\Goddhg32.exe

MD5 2088d5e7eabdc14ea37724883401c7bc
SHA1 93708c490abacb3ed6ed89b9f79c905b99482011
SHA256 aa9cfc1f46d0efeb84b32a215ef19bc57155312ad28caee7cfd217354daadce1
SHA512 49abbb6b374d910b65d27093cccbf27f01f06d20111c2b6299dd5bca9204a52e114ffcf536038059c84c2b7d8b4b9e31c3f1c432e36a4f80ec54e65602473492

C:\Windows\SysWOW64\Ghmiam32.exe

MD5 afa2b2eb98a9d6e7caeef16e28a137a9
SHA1 3e081694ed78a7da193f4f7f33a2fdbdcecba3ca
SHA256 d2b65b20f8e1af381764e09677c873409fdf0cb061f5be4419e2678b967e05ab
SHA512 7779882f1427537fdbed4adb67b5d32fbeb42fbf857f3e5be967ba24e261c60a5fa5b45b8366c0ea68dec16c7d55260dc7e5c54de96e828970e11bc071791348


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 22:23

Reported

2024-06-03 22:26

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kaemnhla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Liggbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdaldd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkpgck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpaifalo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njacpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iabgaklg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Liekmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lalcng32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnmopdep.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kcifkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqiogp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ifopiajn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kaqcbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbfiep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kknafn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdfofakp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkbchk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ibccic32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfdida32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njacpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbapjafe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgneampk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljnnch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iinlemia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldkojb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbfiep32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kcifkp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjbako32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnocof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaqcbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lpocjdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdmcidam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbapjafe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kphmie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifopiajn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdffocib.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgneampk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncldnkae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ibagcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iabgaklg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibccic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifopiajn.exe N/A
N/A N/A C:\Windows\SysWOW64\Iinlemia.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjmhppqd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmkdlkph.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfdida32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jibeql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjbako32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmpngk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbmfoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jigollag.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdmcidam.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkfkfohj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaqcbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbapjafe.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkihknfg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdaldd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgphpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaemnhla.exe N/A
N/A N/A C:\Windows\SysWOW64\Kphmie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfiep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kknafn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmlnbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdffocib.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcifkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkpnlm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kajfig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liekmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lalcng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpocjdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldkojb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcmofolg.exe N/A
N/A N/A C:\Windows\SysWOW64\Liggbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcpllo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijdhiaa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpcmec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgneampk.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpfijcfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldaeka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljnnch32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphfpbdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgbnmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjqjih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdfofakp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mciobn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkpgck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnocof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmokb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkbchk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnapdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgidml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjhqjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpaifalo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjjmog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpdelajl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnnhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njljefql.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Njogjfoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqiogp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngcgcjnc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ggpfjejo.dll C:\Windows\SysWOW64\Jbmfoa32.exe N/A
File created C:\Windows\SysWOW64\Ihaoimoh.dll C:\Windows\SysWOW64\Kbfiep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgidml32.exe C:\Windows\SysWOW64\Mnapdf32.exe N/A
File created C:\Windows\SysWOW64\Akanejnd.dll C:\Windows\SysWOW64\Kknafn32.exe N/A
File created C:\Windows\SysWOW64\Ipmack32.dll C:\Windows\SysWOW64\Ibccic32.exe N/A
File created C:\Windows\SysWOW64\Majknlkd.dll C:\Windows\SysWOW64\Nqiogp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njacpf32.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Lphfpbdi.exe C:\Windows\SysWOW64\Ljnnch32.exe N/A
File created C:\Windows\SysWOW64\Fnelfilp.dll C:\Windows\SysWOW64\Mjhqjg32.exe N/A
File created C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kaqcbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Mjjmog32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kbfiep32.exe N/A
File created C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mdfofakp.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mciobn32.exe N/A
File created C:\Windows\SysWOW64\Eilljncf.dll C:\Windows\SysWOW64\Jdmcidam.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkpnlm32.exe C:\Windows\SysWOW64\Kcifkp32.exe N/A
File created C:\Windows\SysWOW64\Gcgqhjop.dll C:\Windows\SysWOW64\Lcmofolg.exe N/A
File created C:\Windows\SysWOW64\Geegicjl.dll C:\Windows\SysWOW64\Mpaifalo.exe N/A
File created C:\Windows\SysWOW64\Ddpfgd32.dll C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Gncoccha.dll C:\Windows\SysWOW64\Kgphpo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\SysWOW64\Kphmie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kdffocib.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgbnmm32.exe C:\Windows\SysWOW64\Lphfpbdi.exe N/A
File created C:\Windows\SysWOW64\Mkeebhjc.dll C:\Windows\SysWOW64\Kaemnhla.exe N/A
File created C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ibagcc32.exe N/A
File created C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kaemnhla.exe N/A
File opened for modification C:\Windows\SysWOW64\Liekmj32.exe C:\Windows\SysWOW64\Kajfig32.exe N/A
File created C:\Windows\SysWOW64\Ichhhi32.dll C:\Windows\SysWOW64\Jkfkfohj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mpaifalo.exe N/A
File created C:\Windows\SysWOW64\Gbbkdl32.dll C:\Windows\SysWOW64\Mjjmog32.exe N/A
File created C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Njljefql.exe N/A
File created C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kbapjafe.exe N/A
File created C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kdffocib.exe N/A
File created C:\Windows\SysWOW64\Hbocda32.dll C:\Windows\SysWOW64\Lpcmec32.exe N/A
File created C:\Windows\SysWOW64\Mglppmnd.dll C:\Windows\SysWOW64\Ljnnch32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jjbako32.exe N/A
File created C:\Windows\SysWOW64\Pponmema.dll C:\Windows\SysWOW64\Njogjfoj.exe N/A
File created C:\Windows\SysWOW64\Lifenaok.dll C:\Windows\SysWOW64\Mdfofakp.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mkbchk32.exe N/A
File created C:\Windows\SysWOW64\Ibagcc32.exe C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
File created C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jbmfoa32.exe N/A
File created C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lpfijcfl.exe N/A
File created C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Lgbnmm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jmkdlkph.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kaqcbi32.exe N/A
File created C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mpmokb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\SysWOW64\Mgidml32.exe N/A
File created C:\Windows\SysWOW64\Baefid32.dll C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File created C:\Windows\SysWOW64\Ljnnch32.exe C:\Windows\SysWOW64\Ldaeka32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbmfoa32.exe C:\Windows\SysWOW64\Jmpngk32.exe N/A
File created C:\Windows\SysWOW64\Lmmcfa32.dll C:\Windows\SysWOW64\Kaqcbi32.exe N/A
File created C:\Windows\SysWOW64\Nqjfoc32.dll C:\Windows\SysWOW64\Kdaldd32.exe N/A
File created C:\Windows\SysWOW64\Kdffocib.exe C:\Windows\SysWOW64\Kmlnbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Liekmj32.exe N/A
File created C:\Windows\SysWOW64\Pkckjila.dll C:\Windows\SysWOW64\Nnmopdep.exe N/A
File created C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Njcpee32.exe N/A
File created C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\SysWOW64\Jigollag.exe N/A
File created C:\Windows\SysWOW64\Offdjb32.dll C:\Windows\SysWOW64\Ldkojb32.exe N/A
File created C:\Windows\SysWOW64\Dlddhggk.dll C:\Windows\SysWOW64\Nqmhbpba.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjmhppqd.exe C:\Windows\SysWOW64\Iinlemia.exe N/A
File created C:\Windows\SysWOW64\Hjobcj32.dll C:\Windows\SysWOW64\Iinlemia.exe N/A
File opened for modification C:\Windows\SysWOW64\Kajfig32.exe C:\Windows\SysWOW64\Kkpnlm32.exe N/A
File created C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Lcpllo32.exe N/A
File created C:\Windows\SysWOW64\Anmklllo.dll C:\Windows\SysWOW64\Jjbako32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkihknfg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdffocib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll" C:\Windows\SysWOW64\Kajfig32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbmfoa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lalcng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll" C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jmpngk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kknafn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kcifkp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njacpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll" C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lalcng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll" C:\Windows\SysWOW64\Mjjmog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Liggbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibccic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll" C:\Windows\SysWOW64\Liggbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpaifalo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kaemnhla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll" C:\Windows\SysWOW64\Kaemnhla.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lpcmec32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll" C:\Windows\SysWOW64\Mdfofakp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Liekmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll" C:\Windows\SysWOW64\Kcifkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kbfiep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll" C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jigollag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll" C:\Windows\SysWOW64\Jdmcidam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll" C:\Windows\SysWOW64\Lalcng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ibagcc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkpnlm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll" C:\Windows\SysWOW64\Mpmokb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgphpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lpfijcfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" C:\Windows\SysWOW64\Mnapdf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jfdida32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iinlemia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll" C:\Windows\SysWOW64\Ibagcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll" C:\Windows\SysWOW64\Jigollag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" C:\Windows\SysWOW64\Lcpllo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jibeql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjjmog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldkojb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ljnnch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll" C:\Windows\SysWOW64\Njogjfoj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3380 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe C:\Windows\SysWOW64\Ibagcc32.exe
PID 3380 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe C:\Windows\SysWOW64\Ibagcc32.exe
PID 3380 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe C:\Windows\SysWOW64\Ibagcc32.exe
PID 4004 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Ibagcc32.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 4004 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Ibagcc32.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 4004 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Ibagcc32.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 3052 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ibccic32.exe
PID 3052 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ibccic32.exe
PID 3052 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ibccic32.exe
PID 2520 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Ibccic32.exe C:\Windows\SysWOW64\Ifopiajn.exe
PID 2520 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Ibccic32.exe C:\Windows\SysWOW64\Ifopiajn.exe
PID 2520 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Ibccic32.exe C:\Windows\SysWOW64\Ifopiajn.exe
PID 2820 wrote to memory of 3100 N/A C:\Windows\SysWOW64\Ifopiajn.exe C:\Windows\SysWOW64\Iinlemia.exe
PID 2820 wrote to memory of 3100 N/A C:\Windows\SysWOW64\Ifopiajn.exe C:\Windows\SysWOW64\Iinlemia.exe
PID 2820 wrote to memory of 3100 N/A C:\Windows\SysWOW64\Ifopiajn.exe C:\Windows\SysWOW64\Iinlemia.exe
PID 3100 wrote to memory of 3888 N/A C:\Windows\SysWOW64\Iinlemia.exe C:\Windows\SysWOW64\Jjmhppqd.exe
PID 3100 wrote to memory of 3888 N/A C:\Windows\SysWOW64\Iinlemia.exe C:\Windows\SysWOW64\Jjmhppqd.exe
PID 3100 wrote to memory of 3888 N/A C:\Windows\SysWOW64\Iinlemia.exe C:\Windows\SysWOW64\Jjmhppqd.exe
PID 3888 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Jjmhppqd.exe C:\Windows\SysWOW64\Jmkdlkph.exe
PID 3888 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Jjmhppqd.exe C:\Windows\SysWOW64\Jmkdlkph.exe
PID 3888 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Jjmhppqd.exe C:\Windows\SysWOW64\Jmkdlkph.exe
PID 2808 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 2808 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 2808 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 2396 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jfdida32.exe
PID 2396 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jfdida32.exe
PID 2396 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jfdida32.exe
PID 4988 wrote to memory of 884 N/A C:\Windows\SysWOW64\Jfdida32.exe C:\Windows\SysWOW64\Jibeql32.exe
PID 4988 wrote to memory of 884 N/A C:\Windows\SysWOW64\Jfdida32.exe C:\Windows\SysWOW64\Jibeql32.exe
PID 4988 wrote to memory of 884 N/A C:\Windows\SysWOW64\Jfdida32.exe C:\Windows\SysWOW64\Jibeql32.exe
PID 884 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Jibeql32.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 884 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Jibeql32.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 884 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Jibeql32.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 1516 wrote to memory of 4132 N/A C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jmpngk32.exe
PID 1516 wrote to memory of 4132 N/A C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jmpngk32.exe
PID 1516 wrote to memory of 4132 N/A C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jmpngk32.exe
PID 4132 wrote to memory of 3684 N/A C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jbmfoa32.exe
PID 4132 wrote to memory of 3684 N/A C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jbmfoa32.exe
PID 4132 wrote to memory of 3684 N/A C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jbmfoa32.exe
PID 3684 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Jbmfoa32.exe C:\Windows\SysWOW64\Jigollag.exe
PID 3684 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Jbmfoa32.exe C:\Windows\SysWOW64\Jigollag.exe
PID 3684 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Jbmfoa32.exe C:\Windows\SysWOW64\Jigollag.exe
PID 1260 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jdmcidam.exe
PID 1260 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jdmcidam.exe
PID 1260 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jdmcidam.exe
PID 5056 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\SysWOW64\Jkfkfohj.exe
PID 5056 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\SysWOW64\Jkfkfohj.exe
PID 5056 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\SysWOW64\Jkfkfohj.exe
PID 1932 wrote to memory of 3536 N/A C:\Windows\SysWOW64\Jkfkfohj.exe C:\Windows\SysWOW64\Kaqcbi32.exe
PID 1932 wrote to memory of 3536 N/A C:\Windows\SysWOW64\Jkfkfohj.exe C:\Windows\SysWOW64\Kaqcbi32.exe
PID 1932 wrote to memory of 3536 N/A C:\Windows\SysWOW64\Jkfkfohj.exe C:\Windows\SysWOW64\Kaqcbi32.exe
PID 3536 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Kaqcbi32.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 3536 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Kaqcbi32.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 3536 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Kaqcbi32.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 1548 wrote to memory of 3884 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kkihknfg.exe
PID 1548 wrote to memory of 3884 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kkihknfg.exe
PID 1548 wrote to memory of 3884 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kkihknfg.exe
PID 3884 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kdaldd32.exe
PID 3884 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kdaldd32.exe
PID 3884 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kdaldd32.exe
PID 1628 wrote to memory of 1388 N/A C:\Windows\SysWOW64\Kdaldd32.exe C:\Windows\SysWOW64\Kgphpo32.exe
PID 1628 wrote to memory of 1388 N/A C:\Windows\SysWOW64\Kdaldd32.exe C:\Windows\SysWOW64\Kgphpo32.exe
PID 1628 wrote to memory of 1388 N/A C:\Windows\SysWOW64\Kdaldd32.exe C:\Windows\SysWOW64\Kgphpo32.exe
PID 1388 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Kgphpo32.exe C:\Windows\SysWOW64\Kaemnhla.exe

Processes

C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe

"C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe"

C:\Windows\SysWOW64\Ibagcc32.exe

C:\Windows\system32\Ibagcc32.exe

C:\Windows\SysWOW64\Iabgaklg.exe

C:\Windows\system32\Iabgaklg.exe

C:\Windows\SysWOW64\Ibccic32.exe

C:\Windows\system32\Ibccic32.exe

C:\Windows\SysWOW64\Ifopiajn.exe

C:\Windows\system32\Ifopiajn.exe

C:\Windows\SysWOW64\Iinlemia.exe

C:\Windows\system32\Iinlemia.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\system32\Jjmhppqd.exe

C:\Windows\SysWOW64\Jmkdlkph.exe

C:\Windows\system32\Jmkdlkph.exe

C:\Windows\SysWOW64\Jbhmdbnp.exe

C:\Windows\system32\Jbhmdbnp.exe

C:\Windows\SysWOW64\Jfdida32.exe

C:\Windows\system32\Jfdida32.exe

C:\Windows\SysWOW64\Jibeql32.exe

C:\Windows\system32\Jibeql32.exe

C:\Windows\SysWOW64\Jjbako32.exe

C:\Windows\system32\Jjbako32.exe

C:\Windows\SysWOW64\Jmpngk32.exe

C:\Windows\system32\Jmpngk32.exe

C:\Windows\SysWOW64\Jbmfoa32.exe

C:\Windows\system32\Jbmfoa32.exe

C:\Windows\SysWOW64\Jigollag.exe

C:\Windows\system32\Jigollag.exe

C:\Windows\SysWOW64\Jdmcidam.exe

C:\Windows\system32\Jdmcidam.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kaqcbi32.exe

C:\Windows\system32\Kaqcbi32.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\system32\Kbapjafe.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kdaldd32.exe

C:\Windows\system32\Kdaldd32.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\system32\Kgphpo32.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kphmie32.exe

C:\Windows\system32\Kphmie32.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\system32\Kdffocib.exe

C:\Windows\SysWOW64\Kcifkp32.exe

C:\Windows\system32\Kcifkp32.exe

C:\Windows\SysWOW64\Kkpnlm32.exe

C:\Windows\system32\Kkpnlm32.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\system32\Kajfig32.exe

C:\Windows\SysWOW64\Liekmj32.exe

C:\Windows\system32\Liekmj32.exe

C:\Windows\SysWOW64\Lalcng32.exe

C:\Windows\system32\Lalcng32.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Ldkojb32.exe

C:\Windows\system32\Ldkojb32.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Lcpllo32.exe

C:\Windows\system32\Lcpllo32.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lgneampk.exe

C:\Windows\system32\Lgneampk.exe

C:\Windows\SysWOW64\Lpfijcfl.exe

C:\Windows\system32\Lpfijcfl.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Ljnnch32.exe

C:\Windows\system32\Ljnnch32.exe

C:\Windows\SysWOW64\Lphfpbdi.exe

C:\Windows\system32\Lphfpbdi.exe

C:\Windows\SysWOW64\Lgbnmm32.exe

C:\Windows\system32\Lgbnmm32.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Mnocof32.exe

C:\Windows\system32\Mnocof32.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Mpaifalo.exe

C:\Windows\system32\Mpaifalo.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Ibagcc32.exe

C:\Windows\SysWOW64\Iabgaklg.exe

C:\Windows\SysWOW64\Ibccic32.exe

C:\Windows\SysWOW64\Ifopiajn.exe

C:\Windows\SysWOW64\Iinlemia.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\SysWOW64\Jmkdlkph.exe

C:\Windows\SysWOW64\Jbhmdbnp.exe

C:\Windows\SysWOW64\Jfdida32.exe

C:\Windows\SysWOW64\Jibeql32.exe

C:\Windows\SysWOW64\Jjbako32.exe

C:\Windows\SysWOW64\Jmpngk32.exe

C:\Windows\SysWOW64\Jbmfoa32.exe

C:\Windows\SysWOW64\Jigollag.exe

C:\Windows\SysWOW64\Jdmcidam.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\SysWOW64\Kaqcbi32.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\SysWOW64\Kdaldd32.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\SysWOW64\Kkpnlm32.exe

C:\Windows\SysWOW64\Lalcng32.exe

C:\Windows\SysWOW64\Liekmj32.exe

MD5 df4bf8098ed707fd16a4ecbee8c34b9d
SHA1 8568ca4dc3f47096f6aa2d5e82e75706d6963916
SHA256 c90eed5192a729f44514802f686445b56ab3ab19bdc7200f6b467783ea793aae
SHA512 7e4a57080ad847d3e18e33129b4c6a90ad2e40c177403babaea39d0e4c9ec32eba9fa2b7d63e6f17c6bbaeaa40ff205eb957a414949c7bbf3a36bc3c02ff4466

memory/4416-245-0x0000000000400000-0x0000000000441000-memory.dmp

memory/456-244-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1976-243-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kcifkp32.exe

MD5 9c2f9f8c7e078a7c9cfb1f6ab9616b61
SHA1 ea4e6a4c008a5bc2f2daf1e00725ead9209386ce
SHA256 7f75e1f02b288604b7f274d188df2a315691f402fc431b0c7bd6352ce87fc296
SHA512 d30874a97739c411ce61ac0a8691e7cd17c009e8c81b7d95c24ca17e595418739104d427e67867a2cb8fcba269194039482a627c682439a7326f4bd2494c08b8

memory/2032-220-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1260-219-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kknafn32.exe

MD5 cc5a87e4dc6bc71e055dbf972269e7d2
SHA1 d85b9d4abf92ccb7833a583e6d8c41355cd8ba91
SHA256 82157ff781618566f7dcd5985179282ab26642c28e40ea05e07f2f70f5b3c3a4
SHA512 55d258dec28ed4fa5259044183fc812fc5e481f4c3293822640a8ada118d6803c86468b94df0fd3fdb8344fd2154f0a0491a43d96e12bfd676ab92f3dd958d70

memory/3684-205-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4132-201-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kphmie32.exe

MD5 237bf150ba3163bb30c96c39eed18518
SHA1 32ebef0a1450e801e1d573aca0b2ac5deb3bf13b
SHA256 1a44425670583a95d2d55c2898f1b9dd61594044756426c7629972b510b0237d
SHA512 745900c72c9d398d288416e75a3e3083b7c04717b6055dfc75201fd3500195f0bc8951ecc1e4493fcb6a20d5a532072499fa657c0626a1cd483ec18fd1a2aca2

C:\Windows\SysWOW64\Lgneampk.exe

MD5 552e02560754294d0bc4ada358f79f20
SHA1 821ace64aac53c9664652c29dc6ea23416b08d99
SHA256 49efd8a0ce3d3e7595997be1f40c3b6d098fcff379da389598052d6fbc759ffc
SHA512 32131f59af0f10c421bf8d7677bffcfe3b4cf0e253b00cc9d5e249b67c56e53de2b3b8dc7b532c7c08e779615d9a200121b59efa11faf948a8b457d9338a89c7

C:\Windows\SysWOW64\Nqiogp32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Note: these are the digests of a zero-length input, i.e. the file was empty when the sandbox hashed it. They match any empty file and are not usable as indicators for this sample.

C:\Windows\SysWOW64\Njcpee32.exe

MD5 b95aa43b666b7d9ef8f53c1358a8bd09
SHA1 414ac1ee2576725550dcaf23aab11eaf9d63be84
SHA256 b3b5380799f9df94a4dc48147e9780b15bd13e53db73cb57a27ef0b777b6e791
SHA512 c8a1ef933d4f80428b50e61e417c26f18cbb31199a41cff192e666802bf6783567598911d9fb9e3a1db61b61f6df9d1a65351b755064f37f4eafb23b4d816b75