Malware Analysis Report

2025-01-18 15:32

Sample ID 240614-d4mz1sxepl
Target bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8
SHA256 bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8
Tags
persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8

Threat Level: Known bad

The file bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8 was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:33

Reported

2024-06-14 03:36

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idceea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gejcjbah.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjlhneio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hellne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilknfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdopkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gangic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdopkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmjejphb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpfdalii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdamqndn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Globlmmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fphafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlakpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gicbeald.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghhofmql.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hdhbam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hicodd32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fphafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiaeoang.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghfbqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A
N/A N/A C:\Windows\SysWOW64\Gldkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbnccfpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdopkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdamqndn.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hknach32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdfflm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hicodd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdhbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnagjbdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcnpbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hellne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhjhkq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hacmcfge.exe N/A
N/A N/A C:\Windows\SysWOW64\Henidd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjjddchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlhaqogk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hogmmjfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Icbimi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieqeidnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Idceea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilknfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iknnbklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioijbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inljnfkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagfoe32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fphafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fphafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiaeoang.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiaeoang.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghfbqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghfbqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A
N/A N/A C:\Windows\SysWOW64\Gldkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gldkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbnccfpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbnccfpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdopkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdopkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdamqndn.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdamqndn.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gldkfl32.exe N/A
File created C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hdfflm32.exe N/A
File created C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe C:\Windows\SysWOW64\Gicbeald.exe N/A
File created C:\Windows\SysWOW64\Gangic32.exe C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File opened for modification C:\Windows\SysWOW64\Gangic32.exe C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File created C:\Windows\SysWOW64\Jpajnpao.dll C:\Windows\SysWOW64\Gmjaic32.exe N/A
File created C:\Windows\SysWOW64\Mhfkbo32.dll C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Ojhcelga.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Dhggeddb.dll C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File opened for modification C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gbijhg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe C:\Windows\SysWOW64\Goddhg32.exe N/A
File created C:\Windows\SysWOW64\Gogangdc.exe C:\Windows\SysWOW64\Gdamqndn.exe N/A
File created C:\Windows\SysWOW64\Anllbdkl.dll C:\Windows\SysWOW64\Hicodd32.exe N/A
File created C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Fpfdalii.exe N/A
File created C:\Windows\SysWOW64\Qhbpij32.dll C:\Windows\SysWOW64\Gdopkn32.exe N/A
File created C:\Windows\SysWOW64\Pdpfph32.dll C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Dgnijonn.dll C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Fiaeoang.exe N/A
File opened for modification C:\Windows\SysWOW64\Goddhg32.exe C:\Windows\SysWOW64\Gdopkn32.exe N/A
File created C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Polebcgg.dll C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\SysWOW64\Icbimi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Icbimi32.exe C:\Windows\SysWOW64\Hogmmjfo.exe N/A
File opened for modification C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File created C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File created C:\Windows\SysWOW64\Ghfbqn32.exe C:\Windows\SysWOW64\Gicbeald.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpmjak32.exe C:\Windows\SysWOW64\Ghfbqn32.exe N/A
File created C:\Windows\SysWOW64\Ldahol32.dll C:\Windows\SysWOW64\Gangic32.exe N/A
File created C:\Windows\SysWOW64\Pnnclg32.dll C:\Windows\SysWOW64\Ghhofmql.exe N/A
File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gogangdc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe C:\Windows\SysWOW64\Hlakpp32.exe N/A
File created C:\Windows\SysWOW64\Khejeajg.dll C:\Windows\SysWOW64\Hnagjbdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Henidd32.exe C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Hjjddchg.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Inljnfkg.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Inljnfkg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghhofmql.exe C:\Windows\SysWOW64\Gejcjbah.exe N/A
File created C:\Windows\SysWOW64\Goddhg32.exe C:\Windows\SysWOW64\Gdopkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hiekid32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlhaqogk.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Nfmjcmjd.dll C:\Windows\SysWOW64\Icbimi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhkpmjln.exe C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
File created C:\Windows\SysWOW64\Ikkbnm32.dll C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Fbdqmghm.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Pqiqnfej.dll C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File created C:\Windows\SysWOW64\Ipjchc32.dll C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File created C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gbijhg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Hknach32.exe N/A
File created C:\Windows\SysWOW64\Phofkg32.dll C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fphafl32.exe C:\Windows\SysWOW64\Fmjejphb.exe N/A
File created C:\Windows\SysWOW64\Qlidlf32.dll C:\Windows\SysWOW64\Fphafl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Globlmmj.exe N/A
File created C:\Windows\SysWOW64\Fphafl32.exe C:\Windows\SysWOW64\Fmjejphb.exe N/A
File created C:\Windows\SysWOW64\Fndldonj.dll C:\Windows\SysWOW64\Gbnccfpb.exe N/A
File created C:\Windows\SysWOW64\Hlakpp32.exe C:\Windows\SysWOW64\Hicodd32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" C:\Windows\SysWOW64\Fphafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fphafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Inljnfkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fpfdalii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" C:\Windows\SysWOW64\Hdfflm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hknach32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fphafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hknach32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdfflm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpfdalii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Filldb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fjlhneio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hellne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" C:\Windows\SysWOW64\Idceea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gicbeald.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 788 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe C:\Windows\SysWOW64\Fhkpmjln.exe
PID 788 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe C:\Windows\SysWOW64\Fhkpmjln.exe
PID 788 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe C:\Windows\SysWOW64\Fhkpmjln.exe
PID 788 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe C:\Windows\SysWOW64\Fhkpmjln.exe
PID 1584 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Filldb32.exe
PID 1584 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Filldb32.exe
PID 1584 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Filldb32.exe
PID 1584 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Filldb32.exe
PID 3020 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Fmhheqje.exe
PID 3020 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Fmhheqje.exe
PID 3020 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Fmhheqje.exe
PID 3020 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Fmhheqje.exe
PID 2852 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Fpfdalii.exe
PID 2852 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Fpfdalii.exe
PID 2852 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Fpfdalii.exe
PID 2852 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Fpfdalii.exe
PID 2724 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Fbdqmghm.exe
PID 2724 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Fbdqmghm.exe
PID 2724 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Fbdqmghm.exe
PID 2724 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Fbdqmghm.exe
PID 2520 wrote to memory of 2512 N/A C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Fjlhneio.exe
PID 2520 wrote to memory of 2512 N/A C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Fjlhneio.exe
PID 2520 wrote to memory of 2512 N/A C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Fjlhneio.exe
PID 2520 wrote to memory of 2512 N/A C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Fjlhneio.exe
PID 2512 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Fmjejphb.exe
PID 2512 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Fmjejphb.exe
PID 2512 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Fmjejphb.exe
PID 2512 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Fmjejphb.exe
PID 2288 wrote to memory of 1964 N/A C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fphafl32.exe
PID 2288 wrote to memory of 1964 N/A C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fphafl32.exe
PID 2288 wrote to memory of 1964 N/A C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fphafl32.exe
PID 2288 wrote to memory of 1964 N/A C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fphafl32.exe
PID 1964 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Fphafl32.exe C:\Windows\SysWOW64\Fddmgjpo.exe
PID 1964 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Fphafl32.exe C:\Windows\SysWOW64\Fddmgjpo.exe
PID 1964 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Fphafl32.exe C:\Windows\SysWOW64\Fddmgjpo.exe
PID 1964 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Fphafl32.exe C:\Windows\SysWOW64\Fddmgjpo.exe
PID 2552 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Ffbicfoc.exe
PID 2552 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Ffbicfoc.exe
PID 2552 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Ffbicfoc.exe
PID 2552 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Ffbicfoc.exe
PID 2020 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fiaeoang.exe
PID 2020 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fiaeoang.exe
PID 2020 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fiaeoang.exe
PID 2020 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fiaeoang.exe
PID 1384 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Fiaeoang.exe C:\Windows\SysWOW64\Globlmmj.exe
PID 1384 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Fiaeoang.exe C:\Windows\SysWOW64\Globlmmj.exe
PID 1384 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Fiaeoang.exe C:\Windows\SysWOW64\Globlmmj.exe
PID 1384 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Fiaeoang.exe C:\Windows\SysWOW64\Globlmmj.exe
PID 1988 wrote to memory of 480 N/A C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Gpknlk32.exe
PID 1988 wrote to memory of 480 N/A C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Gpknlk32.exe
PID 1988 wrote to memory of 480 N/A C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Gpknlk32.exe
PID 1988 wrote to memory of 480 N/A C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Gpknlk32.exe
PID 480 wrote to memory of 1620 N/A C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Gbijhg32.exe
PID 480 wrote to memory of 1620 N/A C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Gbijhg32.exe
PID 480 wrote to memory of 1620 N/A C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Gbijhg32.exe
PID 480 wrote to memory of 1620 N/A C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Gbijhg32.exe
PID 1620 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Gicbeald.exe
PID 1620 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Gicbeald.exe
PID 1620 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Gicbeald.exe
PID 1620 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Gicbeald.exe
PID 2808 wrote to memory of 884 N/A C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Ghfbqn32.exe
PID 2808 wrote to memory of 884 N/A C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Ghfbqn32.exe
PID 2808 wrote to memory of 884 N/A C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Ghfbqn32.exe
PID 2808 wrote to memory of 884 N/A C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Ghfbqn32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe

"C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe"

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Fphafl32.exe

C:\Windows\system32\Fphafl32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gejcjbah.exe

C:\Windows\system32\Gejcjbah.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gdopkn32.exe

C:\Windows\system32\Gdopkn32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hellne32.exe

C:\Windows\system32\Hellne32.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Inljnfkg.exe

C:\Windows\system32\Inljnfkg.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 140

Network

N/A

Files


memory/292-326-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1480-311-0x0000000000290000-0x00000000002CE000-memory.dmp

memory/1480-310-0x0000000000290000-0x00000000002CE000-memory.dmp

memory/2084-309-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1480-308-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 7125348b35a710814b504bda9eafdc07
SHA1 e038e3655c293e43c7000ce13572ccfc2bd10db8
SHA256 17484bf75a9e56033b1d93d8754382a8d69c2f6ab81d6a61a277964bfe989d52
SHA512 6d0a2ffb4c8b37c934d660339aa93563f506738b5ef107543ffdd8e46ccbe0742b1dc1bcb8eb0a2e4b1e3dc82863bdc7d11c87aea05a23ff37b59ae33c10283c

memory/2024-304-0x0000000000250000-0x000000000028E000-memory.dmp

C:\Windows\SysWOW64\Gbnccfpb.exe

MD5 ec5530ab051f3e5ff5a52831c7fbb17a
SHA1 0c059eb59fb4297a264d0dd12c62ca352cd78ae3
SHA256 74ba0008ca84c2f2436bbfd63e1d2e27ff931f52592afb5212b3bcd8b8859e76
SHA512 fada666ef44c13d84de18ff208777b532bbdab08a84ee353cb07dd928fa7a8a715e4197f486d17120f3a31762ede4d5193dcd97e554bb485877caab9b7173298

memory/2024-290-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2460-289-0x0000000000280000-0x00000000002BE000-memory.dmp

memory/2460-288-0x0000000000280000-0x00000000002BE000-memory.dmp

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 906b8f1b43e7c8290d27ba3f77a1f9e1
SHA1 86c44529158fca8c25d01f32096b2f1ba5ee54b6
SHA256 f94f7b654cfbf0229ad19b9211ca56b17c779e17008bcfdc3a689618b72118c7
SHA512 7cad425586b3fa49dd504ad4faf05a22ed30ce0fda88b0079039765f02ef5a7a2c520633306bd38429db060ee55b26dae0c302c5d532c0c56c3eefc135a3baab

memory/2460-284-0x0000000000400000-0x000000000043E000-memory.dmp

memory/936-283-0x0000000000250000-0x000000000028E000-memory.dmp

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 f7648144cc15ea2b8503ef880e754ac6
SHA1 d3177ad932ccdf2499bf40c2037c3f11070b6d7f
SHA256 70928faa22dedb3f694c8c30d612130e325b5c9a2f7466cf1196f8884226a587
SHA512 263e4601e93ad6f796b6aed0389aad67882ca217c06fa9e28a0ca508669c9fdd0b62552bf98466cd4341e8dd0ed8edd4b7658a3c6753fd1520c8f592794251d1

memory/936-268-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2332-267-0x0000000000260000-0x000000000029E000-memory.dmp

memory/2332-266-0x0000000000260000-0x000000000029E000-memory.dmp

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 9803168419334bfb854ca94e2c90d710
SHA1 07d73c8fa000859f78e823858e481366e97d316e
SHA256 7fbda7ca82be9f2e0a7e7d4421c342635d57419ac6f3fd99c50bfe19a3aaf7b3
SHA512 9f159e5d482cdf02e2cf0819cacdaae4f92b02cde7fee5769c5598bbd084f5aff547028dcb6fbbd55145dc5c0934ae8e45c94d71b9779f2d2c63ad5e1dd73786

memory/2332-261-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2452-255-0x0000000000440000-0x000000000047E000-memory.dmp

C:\Windows\SysWOW64\Gejcjbah.exe

MD5 778fde85aec4d02c7105122b76162243
SHA1 618558e785feef53a5de70cd16501e99fb7c741e
SHA256 ded4b7de6f9c8d0103f453e84efcc1dbc82df5164e5f1790a7b11001e47e63c3
SHA512 d18b020d8a5866181cec1b529e9cc8177ca4586e2833162a0009d17bc572fcac53f48fb169e3ffab67861c9222640bba8806cc2120004305435254efec711221

memory/2452-250-0x0000000000400000-0x000000000043E000-memory.dmp

memory/828-249-0x0000000000280000-0x00000000002BE000-memory.dmp

C:\Windows\SysWOW64\Gangic32.exe

MD5 eb19f8f435d6e66f0a918e6f43e8c100
SHA1 2f15e8be89403fcc3d3dddeaf4f45672d09254d4
SHA256 1f334ba0fe0f0130b96c3c105759e066ec50cf9cb37a4fcc2b7bcde2e59b27dd
SHA512 3497937181919164680c19636f4cf8b8013996ae6803c45aab1327337ef058d6bf6dcbd63d521e51944115f33643c0cf10389dd511355f03cf7504d7e18adfbd

memory/828-236-0x0000000000400000-0x000000000043E000-memory.dmp

memory/752-235-0x0000000000250000-0x000000000028E000-memory.dmp

memory/752-234-0x0000000000250000-0x000000000028E000-memory.dmp

memory/752-225-0x0000000000400000-0x000000000043E000-memory.dmp

memory/884-224-0x0000000001F70000-0x0000000001FAE000-memory.dmp

memory/884-223-0x0000000001F70000-0x0000000001FAE000-memory.dmp

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 da8199573e122c8115b54e5f329ef9b0
SHA1 a131641ac6f90ddd490e48591703eb1bd587980a
SHA256 0bfac956630f978990157a22c485a112318afaca3fd193357bbf325d8dd02b9f
SHA512 0363a72876857251afc303a21c9f45fa9a6e5da64a87c187bba5a58eda8e982b8d376501b851f0cb24e5304b35ed6e000c033980edea9897f32a3f4b40768630

memory/884-217-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2808-206-0x0000000000260000-0x000000000029E000-memory.dmp

memory/2808-204-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 35451159d2a60be72a3aecb689f595b2
SHA1 e9a36532ec8dcfdd9f7515c0c9c82ff491cc09d4
SHA256 44ff2d2db4667caa7bd2727c495ac29424bfa9d93ff3d3af21f8ed7392e32078
SHA512 669d1c5b3a923d7fa4656cec1efde9e1fa97386c4ba34182be2fae833e58ea92f77032ed9fcbaf72c4eb85fc2bab1c91a631767edab8305b69320c36304a5b89

memory/1620-186-0x0000000000400000-0x000000000043E000-memory.dmp

memory/480-173-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1988-160-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1384-158-0x00000000005D0000-0x000000000060E000-memory.dmp

memory/1384-151-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 5305ba6cd089a7dd1a9028bb07b65353
SHA1 7145a5ea2613dd6a8a49b79ce41c142d6aa63b72
SHA256 b874a6b6f2768bc9886ce02293b5f584e0b7fb2a930d638ce76d014622f24ed0
SHA512 b06a7051263d072d21b8a80e0bc2217617794a93f51b43a9d5d542446eefde90d2aa8b7d5a39912e09c79ed65658cf6fc697fc45288a301e2e19b84532a5ee22

memory/2020-133-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 c90c6f74cdbff7d878b80626d7e1127a
SHA1 dd45ff22e607120619643470d6f4369cb0993cd7
SHA256 55e70a10288944ad97a1e7f1cc79bb6c08c257cf575a553e9aaeb5d60e2f3628
SHA512 9a2d2588d73d3af99a20c77ce50c6f11b105a8109db16c6db936519bd3e1b5404ac748fddc79995e56cc33539889f433601cddb2d4b224dedc97d67495683ab4

memory/2552-120-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1964-112-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fmjejphb.exe

MD5 8675214542638153b1de298fb8dd6f78
SHA1 d03b4daafed8b62ba0c6303f07b6274866f77497
SHA256 0522c5b17d6546a60569ba6b3de329faf591d70d20d42d81bb5351fbba0b89b1
SHA512 7446f12b70f085e757657350a20c7e4430c4089f8651371e51000e4c16d9f5884bfbf49c44cc165f21bb8ab095be8d1e6e7ef840f985425da8105f92162c2bb2

memory/2288-94-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2512-86-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2520-75-0x0000000000260000-0x000000000029E000-memory.dmp

memory/2520-67-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fpfdalii.exe

MD5 77e44bccf1251496d5acc8170b98a9cf
SHA1 7bb987bfca039a96dd1c3330b011bf6fc065751c
SHA256 32058373e752a2b97ffd8cd81120fa1c1ba5c0a1fc73e58384f7427ab9503f80
SHA512 bbcd3638e6809c99cbc46548e068bf10d6c80d9b4062a2ab88d3388d8835336696ebf507456481be496918ead689049360fabc8a269fc2588ca7165f9c8745a9

memory/2724-54-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3020-36-0x0000000000270000-0x00000000002AE000-memory.dmp

memory/3020-33-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1584-22-0x0000000000250000-0x000000000028E000-memory.dmp

memory/1584-19-0x0000000000400000-0x000000000043E000-memory.dmp

memory/788-14-0x0000000000440000-0x000000000047E000-memory.dmp

memory/788-6-0x0000000000440000-0x000000000047E000-memory.dmp

memory/788-0-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:33

Reported

2024-06-14 03:36

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kajfig32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lalcng32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Majopeii.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njacpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibojncfj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaqcbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lddbqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njacpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iabgaklg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifopiajn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdcpcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kinemkko.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaemnhla.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nklfoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idofhfmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdpalp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgbefoji.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcpllo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnepih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lddbqa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jdcpcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncihikcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jidbflcj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipegmg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Idofhfmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnepih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmccchkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljnnch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpepcedo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kipabjil.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mamleegg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjpeepnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ipegmg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Laciofpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ipqnahgf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jplmmfmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lcpllo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jidbflcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jaljgidl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Imihfl32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Imbaemhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipqnahgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibojncfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifjfnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiibkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imdnklfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Idofhfmm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijhodq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imgkql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iabgaklg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipegmg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifopiajn.exe N/A
N/A N/A C:\Windows\SysWOW64\Imihfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdcpcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjmhppqd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmkdlkph.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjpeepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaimbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jplmmfmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfffjqdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Jidbflcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaljgidl.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbmfoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jigollag.exe N/A
N/A N/A C:\Windows\SysWOW64\Jangmibi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbocea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkfkfohj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmegbjgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaqcbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdopod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kilhgk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpepcedo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kinemkko.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaemnhla.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdcijcke.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgbefoji.exe N/A
N/A N/A C:\Windows\SysWOW64\Kipabjil.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmlnbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpjjod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcifkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgdbkohf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kajfig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdhbec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kckbqpnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkbkamnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lalcng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcmofolg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkdggmlj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmccchkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpappc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcpllo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijdhiaa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnepih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laalifad.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgneampk.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkiqbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lilanioo.exe N/A
N/A N/A C:\Windows\SysWOW64\Laciofpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgpagm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljnnch32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\SysWOW64\Mdpalp32.exe N/A
File created C:\Windows\SysWOW64\Imbaemhc.exe C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
File created C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jfffjqdf.exe N/A
File created C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kpjjod32.exe N/A
File created C:\Windows\SysWOW64\Fibjjh32.dll C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File created C:\Windows\SysWOW64\Bclgpkgk.dll C:\Windows\SysWOW64\Ijhodq32.exe N/A
File created C:\Windows\SysWOW64\Qnoaog32.dll C:\Windows\SysWOW64\Jjmhppqd.exe N/A
File created C:\Windows\SysWOW64\Lgneampk.exe C:\Windows\SysWOW64\Laalifad.exe N/A
File created C:\Windows\SysWOW64\Lppaheqp.dll C:\Windows\SysWOW64\Jigollag.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\SysWOW64\Lmccchkn.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Nqfbaq32.exe N/A
File created C:\Windows\SysWOW64\Majknlkd.dll C:\Windows\SysWOW64\Nddkgonp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Nqklmpdd.exe N/A
File created C:\Windows\SysWOW64\Imgkql32.exe C:\Windows\SysWOW64\Ijhodq32.exe N/A
File created C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\SysWOW64\Imihfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jbmfoa32.exe N/A
File created C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Lalcng32.exe N/A
File created C:\Windows\SysWOW64\Hnfmbf32.dll C:\Windows\SysWOW64\Mdpalp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Opbnic32.dll C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Jaimbj32.exe C:\Windows\SysWOW64\Jjpeepnb.exe N/A
File created C:\Windows\SysWOW64\Ojmmkpmf.dll C:\Windows\SysWOW64\Kpepcedo.exe N/A
File created C:\Windows\SysWOW64\Ghiqbiae.dll C:\Windows\SysWOW64\Kpjjod32.exe N/A
File created C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Mglppmnd.dll C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File opened for modification C:\Windows\SysWOW64\Majopeii.exe C:\Windows\SysWOW64\Mjcgohig.exe N/A
File opened for modification C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File created C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File created C:\Windows\SysWOW64\Kkdeek32.dll C:\Windows\SysWOW64\Kdopod32.exe N/A
File created C:\Windows\SysWOW64\Kbmfdgkm.dll C:\Windows\SysWOW64\Kgbefoji.exe N/A
File opened for modification C:\Windows\SysWOW64\Lkdggmlj.exe C:\Windows\SysWOW64\Lcmofolg.exe N/A
File created C:\Windows\SysWOW64\Qekdppan.dll C:\Windows\SysWOW64\Jidbflcj.exe N/A
File created C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lnepih32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lilanioo.exe C:\Windows\SysWOW64\Lkiqbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File created C:\Windows\SysWOW64\Jibpdc32.dll C:\Windows\SysWOW64\Ifopiajn.exe N/A
File created C:\Windows\SysWOW64\Kgbefoji.exe C:\Windows\SysWOW64\Kdcijcke.exe N/A
File opened for modification C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kgdbkohf.exe N/A
File created C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Lknjmkdo.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mkpgck32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File created C:\Windows\SysWOW64\Npckna32.dll C:\Windows\SysWOW64\Mgnnhk32.exe N/A
File created C:\Windows\SysWOW64\Ebkdha32.dll C:\Windows\SysWOW64\Idofhfmm.exe N/A
File created C:\Windows\SysWOW64\Ggpfjejo.dll C:\Windows\SysWOW64\Jbmfoa32.exe N/A
File created C:\Windows\SysWOW64\Ofdhdf32.dll C:\Windows\SysWOW64\Kkbkamnl.exe N/A
File created C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Honcnp32.dll C:\Windows\SysWOW64\Jfffjqdf.exe N/A
File created C:\Windows\SysWOW64\Lgpagm32.exe C:\Windows\SysWOW64\Laciofpa.exe N/A
File opened for modification C:\Windows\SysWOW64\Lphfpbdi.exe C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File opened for modification C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lnepih32.exe N/A
File created C:\Windows\SysWOW64\Mdemcacc.dll C:\Windows\SysWOW64\Lnepih32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljnnch32.exe C:\Windows\SysWOW64\Lgpagm32.exe N/A
File created C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Njacpf32.exe N/A
File created C:\Windows\SysWOW64\Bgllgqcp.dll C:\Windows\SysWOW64\Jmkdlkph.exe N/A
File created C:\Windows\SysWOW64\Kilhgk32.exe C:\Windows\SysWOW64\Kdopod32.exe N/A
File created C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Lkdggmlj.exe N/A
File created C:\Windows\SysWOW64\Jgengpmj.dll C:\Windows\SysWOW64\Mjeddggd.exe N/A
File opened for modification C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Ncihikcg.exe N/A
File created C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Njcpee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Imbaemhc.exe C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe N/A
File created C:\Windows\SysWOW64\Bdiihjon.dll C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
File created C:\Windows\SysWOW64\Bbgkjl32.dll C:\Windows\SysWOW64\Laciofpa.exe N/A
File opened for modification C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kdhbec32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll" C:\Windows\SysWOW64\Kpjjod32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll" C:\Windows\SysWOW64\Jbmfoa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpepcedo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lphfpbdi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iiibkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjpeepnb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jaljgidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbmfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngedij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iabgaklg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" C:\Windows\SysWOW64\Lcpllo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll" C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lddbqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll" C:\Windows\SysWOW64\Mjcgohig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll" C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll" C:\Windows\SysWOW64\Ijhodq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll" C:\Windows\SysWOW64\Laciofpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Imdnklfp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jdcpcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kaemnhla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll" C:\Windows\SysWOW64\Lcmofolg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll" C:\Windows\SysWOW64\Ljnnch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngedij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipegmg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kajfig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll" C:\Windows\SysWOW64\Mkepnjng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ifopiajn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll" C:\Windows\SysWOW64\Lpappc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ljnnch32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mahbje32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll" C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kilhgk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kipabjil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Imgkql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kcifkp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgidml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdpalp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdcijcke.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lilanioo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nklfoi32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1564 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe C:\Windows\SysWOW64\Imbaemhc.exe
PID 1564 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe C:\Windows\SysWOW64\Imbaemhc.exe
PID 1564 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe C:\Windows\SysWOW64\Imbaemhc.exe
PID 2208 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Imbaemhc.exe C:\Windows\SysWOW64\Ipqnahgf.exe
PID 2208 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Imbaemhc.exe C:\Windows\SysWOW64\Ipqnahgf.exe
PID 2208 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Imbaemhc.exe C:\Windows\SysWOW64\Ipqnahgf.exe
PID 1340 wrote to memory of 3608 N/A C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\SysWOW64\Ibojncfj.exe
PID 1340 wrote to memory of 3608 N/A C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\SysWOW64\Ibojncfj.exe
PID 1340 wrote to memory of 3608 N/A C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\SysWOW64\Ibojncfj.exe
PID 3608 wrote to memory of 432 N/A C:\Windows\SysWOW64\Ibojncfj.exe C:\Windows\SysWOW64\Ifjfnb32.exe
PID 3608 wrote to memory of 432 N/A C:\Windows\SysWOW64\Ibojncfj.exe C:\Windows\SysWOW64\Ifjfnb32.exe
PID 3608 wrote to memory of 432 N/A C:\Windows\SysWOW64\Ibojncfj.exe C:\Windows\SysWOW64\Ifjfnb32.exe
PID 432 wrote to memory of 740 N/A C:\Windows\SysWOW64\Ifjfnb32.exe C:\Windows\SysWOW64\Iiibkn32.exe
PID 432 wrote to memory of 740 N/A C:\Windows\SysWOW64\Ifjfnb32.exe C:\Windows\SysWOW64\Iiibkn32.exe
PID 432 wrote to memory of 740 N/A C:\Windows\SysWOW64\Ifjfnb32.exe C:\Windows\SysWOW64\Iiibkn32.exe
PID 740 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Iiibkn32.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 740 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Iiibkn32.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 740 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Iiibkn32.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 4636 wrote to memory of 4196 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Idofhfmm.exe
PID 4636 wrote to memory of 4196 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Idofhfmm.exe
PID 4636 wrote to memory of 4196 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Idofhfmm.exe
PID 4196 wrote to memory of 4308 N/A C:\Windows\SysWOW64\Idofhfmm.exe C:\Windows\SysWOW64\Ijhodq32.exe
PID 4196 wrote to memory of 4308 N/A C:\Windows\SysWOW64\Idofhfmm.exe C:\Windows\SysWOW64\Ijhodq32.exe
PID 4196 wrote to memory of 4308 N/A C:\Windows\SysWOW64\Idofhfmm.exe C:\Windows\SysWOW64\Ijhodq32.exe
PID 4308 wrote to memory of 4480 N/A C:\Windows\SysWOW64\Ijhodq32.exe C:\Windows\SysWOW64\Imgkql32.exe
PID 4308 wrote to memory of 4480 N/A C:\Windows\SysWOW64\Ijhodq32.exe C:\Windows\SysWOW64\Imgkql32.exe
PID 4308 wrote to memory of 4480 N/A C:\Windows\SysWOW64\Ijhodq32.exe C:\Windows\SysWOW64\Imgkql32.exe
PID 4480 wrote to memory of 5040 N/A C:\Windows\SysWOW64\Imgkql32.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 4480 wrote to memory of 5040 N/A C:\Windows\SysWOW64\Imgkql32.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 4480 wrote to memory of 5040 N/A C:\Windows\SysWOW64\Imgkql32.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 5040 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ipegmg32.exe
PID 5040 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ipegmg32.exe
PID 5040 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Ipegmg32.exe
PID 1996 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Ipegmg32.exe C:\Windows\SysWOW64\Ifopiajn.exe
PID 1996 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Ipegmg32.exe C:\Windows\SysWOW64\Ifopiajn.exe
PID 1996 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Ipegmg32.exe C:\Windows\SysWOW64\Ifopiajn.exe
PID 1728 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Ifopiajn.exe C:\Windows\SysWOW64\Imihfl32.exe
PID 1728 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Ifopiajn.exe C:\Windows\SysWOW64\Imihfl32.exe
PID 1728 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Ifopiajn.exe C:\Windows\SysWOW64\Imihfl32.exe
PID 2236 wrote to memory of 1000 N/A C:\Windows\SysWOW64\Imihfl32.exe C:\Windows\SysWOW64\Jdcpcf32.exe
PID 2236 wrote to memory of 1000 N/A C:\Windows\SysWOW64\Imihfl32.exe C:\Windows\SysWOW64\Jdcpcf32.exe
PID 2236 wrote to memory of 1000 N/A C:\Windows\SysWOW64\Imihfl32.exe C:\Windows\SysWOW64\Jdcpcf32.exe
PID 1000 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\SysWOW64\Jjmhppqd.exe
PID 1000 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\SysWOW64\Jjmhppqd.exe
PID 1000 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\SysWOW64\Jjmhppqd.exe
PID 5032 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Jjmhppqd.exe C:\Windows\SysWOW64\Jmkdlkph.exe
PID 5032 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Jjmhppqd.exe C:\Windows\SysWOW64\Jmkdlkph.exe
PID 5032 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Jjmhppqd.exe C:\Windows\SysWOW64\Jmkdlkph.exe
PID 2796 wrote to memory of 516 N/A C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 2796 wrote to memory of 516 N/A C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 2796 wrote to memory of 516 N/A C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 516 wrote to memory of 1448 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jjpeepnb.exe
PID 516 wrote to memory of 1448 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jjpeepnb.exe
PID 516 wrote to memory of 1448 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jjpeepnb.exe
PID 1448 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Jjpeepnb.exe C:\Windows\SysWOW64\Jaimbj32.exe
PID 1448 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Jjpeepnb.exe C:\Windows\SysWOW64\Jaimbj32.exe
PID 1448 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Jjpeepnb.exe C:\Windows\SysWOW64\Jaimbj32.exe
PID 4808 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Jaimbj32.exe C:\Windows\SysWOW64\Jplmmfmi.exe
PID 4808 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Jaimbj32.exe C:\Windows\SysWOW64\Jplmmfmi.exe
PID 4808 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Jaimbj32.exe C:\Windows\SysWOW64\Jplmmfmi.exe
PID 1196 wrote to memory of 1668 N/A C:\Windows\SysWOW64\Jplmmfmi.exe C:\Windows\SysWOW64\Jfffjqdf.exe
PID 1196 wrote to memory of 1668 N/A C:\Windows\SysWOW64\Jplmmfmi.exe C:\Windows\SysWOW64\Jfffjqdf.exe
PID 1196 wrote to memory of 1668 N/A C:\Windows\SysWOW64\Jplmmfmi.exe C:\Windows\SysWOW64\Jfffjqdf.exe
PID 1668 wrote to memory of 4940 N/A C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jidbflcj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe

"C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe"

C:\Windows\SysWOW64\Imbaemhc.exe

C:\Windows\system32\Imbaemhc.exe

C:\Windows\SysWOW64\Ipqnahgf.exe

C:\Windows\system32\Ipqnahgf.exe

C:\Windows\SysWOW64\Ibojncfj.exe

C:\Windows\system32\Ibojncfj.exe

C:\Windows\SysWOW64\Ifjfnb32.exe

C:\Windows\system32\Ifjfnb32.exe

C:\Windows\SysWOW64\Iiibkn32.exe

C:\Windows\system32\Iiibkn32.exe

C:\Windows\SysWOW64\Imdnklfp.exe

C:\Windows\system32\Imdnklfp.exe

C:\Windows\SysWOW64\Idofhfmm.exe

C:\Windows\system32\Idofhfmm.exe

C:\Windows\SysWOW64\Ijhodq32.exe

C:\Windows\system32\Ijhodq32.exe

C:\Windows\SysWOW64\Imgkql32.exe

C:\Windows\system32\Imgkql32.exe

C:\Windows\SysWOW64\Iabgaklg.exe

C:\Windows\system32\Iabgaklg.exe

C:\Windows\SysWOW64\Ipegmg32.exe

C:\Windows\system32\Ipegmg32.exe

C:\Windows\SysWOW64\Ifopiajn.exe

C:\Windows\system32\Ifopiajn.exe

C:\Windows\SysWOW64\Imihfl32.exe

C:\Windows\system32\Imihfl32.exe

C:\Windows\SysWOW64\Jdcpcf32.exe

C:\Windows\system32\Jdcpcf32.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\system32\Jjmhppqd.exe

C:\Windows\SysWOW64\Jmkdlkph.exe

C:\Windows\system32\Jmkdlkph.exe

C:\Windows\SysWOW64\Jbhmdbnp.exe

C:\Windows\system32\Jbhmdbnp.exe

C:\Windows\SysWOW64\Jjpeepnb.exe

C:\Windows\system32\Jjpeepnb.exe

C:\Windows\SysWOW64\Jaimbj32.exe

C:\Windows\system32\Jaimbj32.exe

C:\Windows\SysWOW64\Jplmmfmi.exe

C:\Windows\system32\Jplmmfmi.exe

C:\Windows\SysWOW64\Jfffjqdf.exe

C:\Windows\system32\Jfffjqdf.exe

C:\Windows\SysWOW64\Jidbflcj.exe

C:\Windows\system32\Jidbflcj.exe

C:\Windows\SysWOW64\Jaljgidl.exe

C:\Windows\system32\Jaljgidl.exe

C:\Windows\SysWOW64\Jbmfoa32.exe

C:\Windows\system32\Jbmfoa32.exe

C:\Windows\SysWOW64\Jigollag.exe

C:\Windows\system32\Jigollag.exe

C:\Windows\SysWOW64\Jangmibi.exe

C:\Windows\system32\Jangmibi.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kaqcbi32.exe

C:\Windows\system32\Kaqcbi32.exe

C:\Windows\SysWOW64\Kdopod32.exe

C:\Windows\system32\Kdopod32.exe

C:\Windows\SysWOW64\Kilhgk32.exe

C:\Windows\system32\Kilhgk32.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kpepcedo.exe

C:\Windows\system32\Kpepcedo.exe

C:\Windows\SysWOW64\Kbdmpqcb.exe

C:\Windows\system32\Kbdmpqcb.exe

C:\Windows\SysWOW64\Kinemkko.exe

C:\Windows\system32\Kinemkko.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kdcijcke.exe

C:\Windows\system32\Kdcijcke.exe

C:\Windows\SysWOW64\Kgbefoji.exe

C:\Windows\system32\Kgbefoji.exe

C:\Windows\SysWOW64\Kipabjil.exe

C:\Windows\system32\Kipabjil.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kcifkp32.exe

C:\Windows\system32\Kcifkp32.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\system32\Kajfig32.exe

C:\Windows\SysWOW64\Kdhbec32.exe

C:\Windows\system32\Kdhbec32.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Kkbkamnl.exe

C:\Windows\system32\Kkbkamnl.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Lalcng32.exe

C:\Windows\system32\Lalcng32.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Lkdggmlj.exe

C:\Windows\system32\Lkdggmlj.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Lpappc32.exe

C:\Windows\system32\Lpappc32.exe

C:\Windows\SysWOW64\Lcpllo32.exe

C:\Windows\system32\Lcpllo32.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Lnepih32.exe

C:\Windows\system32\Lnepih32.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Lgneampk.exe

C:\Windows\system32\Lgneampk.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Ljnnch32.exe

C:\Windows\system32\Ljnnch32.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Lphfpbdi.exe

C:\Windows\system32\Lphfpbdi.exe

C:\Windows\SysWOW64\Lddbqa32.exe

C:\Windows\system32\Lddbqa32.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Mgekbljc.exe

C:\Windows\system32\Mgekbljc.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Mncmjfmk.exe

C:\Windows\system32\Mncmjfmk.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5516 -ip 5516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 420

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files


C:\Windows\SysWOW64\Jangmibi.exe

MD5 2c7e6aeb8b17f306829c0cf4591574a2
SHA1 d851f67a4ed7f0b428b1d7cb9efd06c112ddde4c
SHA256 aa0dfc99244e9a1167ecadffcc6ea7add8a6fe8580625304e187c6dabae34824
SHA512 052ce0b6c2715e63bd12765e167dc3119cbf36b6c1a004c30451b32aaf6fe051d9123ac094b2ea5eeaf8d77cc31b8efa152a9d8e4cad12f6c087e7b8493358e5

memory/4892-209-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2560-216-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Jbocea32.exe

MD5 9678b064379f6d55e2a936fd99b09708
SHA1 f8f62fb619f174e0578c12a2737dbee2e270d3db
SHA256 b4a757b2239da8bfefe8b693e199883ef9f828ce04e2c52e9ea91efee1c86b8b
SHA512 5fc675f3704a123c5494dc2507a760d04cda0887194ec2cb111dbbea169860e54ec04e73f49a5478aed3bb55e367c8645161d3af4930f0092cf7f6e4358b5d3b

memory/3956-224-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Jkfkfohj.exe

MD5 79b511c95ca77bb26617a011f202ee07
SHA1 6df01a3052afec371cc1424d8dc7098a9bb84276
SHA256 f0fb1bd57f271574c001e6b579bd10fc12258c6a2148e5f456c7d99009f32219
SHA512 12a06dd085dde3316e51a24e6e21912dd7ea22a023d2d65c7474a3f62d6f066395eabb5fbf8f739a7803e67f4336b8013b809ce87bfc51979cb7ca81341a4e93

C:\Windows\SysWOW64\Kmegbjgn.exe

MD5 9b9ba78e4529acd857e2f3a7c93472b6
SHA1 163596e55f5106cd8d58c9f962a6d4e8d03ce5f5
SHA256 41fedba4e619ffca686cb7497568c491cb95db5b47748439ed54d1021494d0ba
SHA512 1983a52d919e6094f16f8fc9e9d33e6a85fc0f5d528ff1e3f341e30fcdce1ea981667eda3ceb6f8a36e29a81ee33a0b60ac72e647338343498f985e8505f5b27

memory/1444-233-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Kaqcbi32.exe

MD5 e2bcdf3e17b2776b30da68a456c218f7
SHA1 a9210a6a9dd04ae12e91db389a06fb40183c0671
SHA256 785957dec48f66406942ad31305b09a40dc80bf026ff5cfe5c2ad2e43ac1e6b2
SHA512 3de4bb2db3e0bfa897ae0fbcb14c8629facc40ec35ffb03c10e7b0ebbd7bda8c45415a854098eef33e00c473248a577f602f9b255c64beb498c61a78fb118206

memory/3052-241-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Kdopod32.exe

MD5 4b98dbb21234d79e1fbe23a660f537fa
SHA1 5a860995965ade3744c051ba5a834d036731f6c6
SHA256 372f7e381d1f40edbed8faf24197c0c18952990b231e7a0848b311c31acc8e72
SHA512 1d7ed31320eaa2915b676c13bbf48d97a0cb4bd854e398d000eab287dc90caa4c4a2d1629d0db3761353ff0613cad7d444505d95614c4f00cb6d85ab1cf892ac

memory/944-249-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Kilhgk32.exe

MD5 ebcb37e0ade30576267d1a0cc42508b2
SHA1 d5361bd974abba63cf936367b0627db96d5bd155
SHA256 a527ed2268d0d003d23e427c704c97971d4925b1208cd18d6a82622e0d1a4702
SHA512 35c3e3e1d3fca1047f883defd5eb8a11db09fe3d1a709d9b30429bb551941213482c3c76a4e0b77fca5dbb2a51cdd7d4a3e84f6ac55b3c02e2d03a337a06a3c3

memory/3568-256-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1940-261-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Kpepcedo.exe

MD5 c0c784100d9ac9c6ffbda7ebc8ec44f9
SHA1 1df52de153633ab6c6b4f1612c132681e7b11c5e
SHA256 00df54dddb0338c61a64d1726c20a9db3c76d6aa1d020495603a74af885b2bce
SHA512 76dc1deb014240ecafeb417c746a27649ef186a3d402ccda445d09a3fd3bb6dcc96028c5a0ba2c5e0cc3d26a37b3dacfd2ddfc4851c1f77fcc8cf65b992e4968

memory/1616-264-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Kbdmpqcb.exe

MD5 95ece670fd2a80fc03a586f285bd2eb1
SHA1 ebaabada906f3b2b1a9b83867b679725eed482ef
SHA256 3c86284575fee5a3a46ad82eafcbca9af44877c5069a4f9bd0a6c0422bc200c3
SHA512 821c7d3ba0029ceae5a35cd05d62287135e42f565af5441da1c66b144cf05979fa84f255ff7d8d3ab97d167fc1d942cf352574c9ad2bb8bcb7306d56f588d3fa

memory/696-274-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2204-280-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3196-287-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3880-288-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3944-294-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2248-305-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3340-310-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1816-312-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1648-324-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4432-323-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2472-335-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3644-336-0x0000000000400000-0x000000000043E000-memory.dmp

memory/220-342-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4616-352-0x0000000000400000-0x000000000043E000-memory.dmp

memory/540-354-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1368-364-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2556-366-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3920-372-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2452-379-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2172-388-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4408-394-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4160-396-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4584-408-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5044-407-0x0000000000400000-0x000000000043E000-memory.dmp

memory/372-414-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1780-420-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1280-426-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4508-436-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5100-442-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2200-448-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2624-454-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2468-462-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3444-461-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1352-468-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3100-474-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2056-480-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3636-491-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3424-492-0x0000000000400000-0x000000000043E000-memory.dmp

memory/820-503-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4404-508-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5056-514-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3692-521-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4420-522-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1044-532-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5060-535-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1564-534-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4048-541-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2208-547-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4648-552-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3952-554-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4296-560-0x0000000000400000-0x000000000043E000-memory.dmp

memory/432-570-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1612-572-0x0000000000400000-0x000000000043E000-memory.dmp

memory/452-573-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4636-583-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4712-585-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4196-586-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4464-587-0x0000000000400000-0x000000000043E000-memory.dmp

memory/860-594-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4308-593-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Nafokcol.exe

MD5 3c932a97a35ef4f8022fe91d2ba692ca
SHA1 4ae24542895dbbb0367f981450f5a42af913a965
SHA256 133e0bcbe13a62e1345ec0f34c585fa7e82ec11dbc4c098e5e183329693b7a38
SHA512 35902e1e1cf40f6e02fb96192df1e27c455469747c93d50bee104a7ee7cf4939b4c49a6fcdefb3a0aea2a0f46f318aaddd0ab376b329916cea2d0a4fbc779ba8