Malware Analysis Report

2025-03-15 00:31

Sample ID 240603-2cerbsbc4y
Target 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26
SHA256 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26

Threat Level: Known bad

The file 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26 was found to be: Known bad.

Malicious Activity Summary

Adds autorun key to be loaded by Explorer.exe on startup (persistence)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 22:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 22:25

Reported

2024-06-03 22:28

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (persistence)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfgmhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Globlmmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggpimica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Facdeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glaoalkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ennaieib.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghoegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbpodagk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilknfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hknach32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ioijbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghhofmql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebedndfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doobajme.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghoegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eilpeooq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Dbpodagk.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djpmccqq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfgmhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdapak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Feeiob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiaeoang.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gonnhhln.exe N/A
N/A N/A C:\Windows\SysWOW64\Glaoalkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbnccfpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gelppaof.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Geolea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggpimica.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddifnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghoegl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hknach32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmlnoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpkjko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hicodd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpmgqnfl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbpodagk.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbpodagk.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djpmccqq.exe N/A
N/A N/A C:\Windows\SysWOW64\Djpmccqq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfgmhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfgmhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcmgfkeg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Mmqgncdn.dll C:\Windows\SysWOW64\Djefobmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Fpdhklkl.exe C:\Windows\SysWOW64\Faagpp32.exe N/A
File created C:\Windows\SysWOW64\Pabfdklg.dll C:\Windows\SysWOW64\Ghhofmql.exe N/A
File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
File opened for modification C:\Windows\SysWOW64\Henidd32.exe C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Klidkobf.dll C:\Windows\SysWOW64\Dgaqgh32.exe N/A
File created C:\Windows\SysWOW64\Odbhmo32.dll C:\Windows\SysWOW64\Ecmkghcl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
File created C:\Windows\SysWOW64\Acpmei32.dll C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ggpimica.exe C:\Windows\SysWOW64\Geolea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Hlakpp32.exe C:\Windows\SysWOW64\Hicodd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Enkece32.exe C:\Windows\SysWOW64\Eiomkn32.exe N/A
File created C:\Windows\SysWOW64\Ncolgf32.dll C:\Windows\SysWOW64\Hknach32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File created C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Djefobmk.exe N/A
File created C:\Windows\SysWOW64\Gbnccfpb.exe C:\Windows\SysWOW64\Ghhofmql.exe N/A
File created C:\Windows\SysWOW64\Gmibbifn.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Djpmccqq.exe C:\Windows\SysWOW64\Dgaqgh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Doobajme.exe N/A
File opened for modification C:\Windows\SysWOW64\Gddifnbk.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hicodd32.exe C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File created C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
File created C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Ecmkghcl.exe N/A
File opened for modification C:\Windows\SysWOW64\Glaoalkh.exe C:\Windows\SysWOW64\Gonnhhln.exe N/A
File created C:\Windows\SysWOW64\Gpmjak32.exe C:\Windows\SysWOW64\Glaoalkh.exe N/A
File created C:\Windows\SysWOW64\Glqllcbf.dll C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File created C:\Windows\SysWOW64\Njmekj32.dll C:\Windows\SysWOW64\Hmlnoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlhaqogk.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Pnbgan32.dll C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Niifne32.dll C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
File created C:\Windows\SysWOW64\Amammd32.dll C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File created C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dngoibmo.exe N/A
File created C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Djnpnc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File created C:\Windows\SysWOW64\Lghegkoc.dll C:\Windows\SysWOW64\Flabbihl.exe N/A
File created C:\Windows\SysWOW64\Dgnijonn.dll C:\Windows\SysWOW64\Ilknfn32.exe N/A
File created C:\Windows\SysWOW64\Cqmnhocj.dll C:\Windows\SysWOW64\Fmcoja32.exe N/A
File created C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gmjaic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hmlnoc32.exe N/A
File created C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Eeqdep32.exe N/A
File created C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Dnoillim.dll C:\Windows\SysWOW64\Eeqdep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Fiaeoang.exe N/A
File created C:\Windows\SysWOW64\Hpqpdnop.dll C:\Windows\SysWOW64\Fiaeoang.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gogangdc.exe N/A
File created C:\Windows\SysWOW64\Ggpimica.exe C:\Windows\SysWOW64\Geolea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hejoiedd.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
File created C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Djpmccqq.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbkgnfbd.exe C:\Windows\SysWOW64\Gpmjak32.exe N/A
File created C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
File created C:\Windows\SysWOW64\Ejdmpb32.dll C:\Windows\SysWOW64\Hlhaqogk.exe N/A
File created C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dbpodagk.exe N/A
File created C:\Windows\SysWOW64\Ljenlcfa.dll C:\Windows\SysWOW64\Emcbkn32.exe N/A
File created C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Fmcoja32.exe N/A
File created C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Fpdhklkl.exe N/A
File opened for modification C:\Windows\SysWOW64\Gelppaof.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Feeiob32.exe C:\Windows\SysWOW64\Flmefm32.exe N/A
File created C:\Windows\SysWOW64\Nbniiffi.dll C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dgodbh32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Doobajme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljenlcfa.dll" C:\Windows\SysWOW64\Emcbkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ilknfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmafennb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" C:\Windows\SysWOW64\Ghoegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbhmo32.dll" C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fhffaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djnpnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" C:\Windows\SysWOW64\Fdapak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll" C:\Windows\SysWOW64\Eilpeooq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbidmekh.dll" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" C:\Windows\SysWOW64\Ilknfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dngoibmo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" C:\Windows\SysWOW64\Ebedndfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghhofmql.exe N/A
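The rows above all target one CLSID: each dropped stage recreates HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, sets ThreadingModel to Apartment and points the default value at a new DLL name under SysWow64. A CLSID listed under ShellServiceObjectDelayLoad is instantiated by explorer.exe when the shell starts, so the InProcServer32 DLL is what actually gets loaded into explorer.exe; registry writes are last-write-wins, so only the final default value decides which DLL that is, while every earlier path is still worth hunting for on disk. The script below is an added example, not part of this report or of the sandbox that produced it. It replays the rows in order, resolves the SSODL entry to the DLL explorer.exe would load, keeps the full history of DLL paths and the set of processes that wrote them, and runs here on a subset of the rows above plus one constructed SSODL row (value name "ExampleEntry", which is not the real one). Two caveats: the Wow6432Node paths are the 32-bit registry view seen by this 32-bit sample, and whether the host's explorer.exe consults that view is not established by the report; and the Files section lists only dropped executables, so the report does not confirm that any of the DLL paths exist on disk.

```python
import re
from collections import defaultdict

# Sample events: the CLSID rows are a subset of the "Modifies registry class" rows above,
# copied as-is in report order; the ShellServiceObjectDelayLoad (SSODL) row is constructed
# for this example ("ExampleEntry" stands in for the real value name).
SAMPLE = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ExampleEntry = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmafennb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" C:\Windows\SysWOW64\Ebedndfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghhofmql.exe N/A
"""
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) N/A$')
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$")

def unescape(data):
    """The sandbox prints registry string data with doubled backslashes."""
    return data.replace("\\\\", "\\")

def parse_events(text):
    """Flattened signature rows -> dicts, preserving report order."""
    events = []
    for line in text.strip().splitlines():
        if line.startswith("Key created "):
            path, process, _ = line[len("Key created "):].rsplit(" ", 2)
            events.append({"op": "create", "path": path, "name": None,
                           "data": None, "process": process})
            continue
        m = SET_RE.match(line)
        if m:
            _vtype, full, data, process = m.groups()
            path, _, name = full.rpartition("\\")   # name == "" is the default value
            events.append({"op": "set", "path": path, "name": name,
                           "data": data, "process": process})
    return events

def resolve_ssodl(events):
    """Replay writes in order (last write wins) and resolve each SSODL entry to the
    InProcServer32 DLL explorer.exe would load for its CLSID."""
    ssodl, servers = {}, defaultdict(dict)
    dll_history, writers = defaultdict(list), defaultdict(set)
    for ev in events:
        if ev["op"] != "set":
            continue
        if ev["path"].endswith("\\ShellServiceObjectDelayLoad"):
            ssodl[ev["name"]] = ev["data"].upper()
            continue
        m = CLSID_RE.search(ev["path"])
        if not m:
            continue
        clsid = m.group(1).upper()
        servers[clsid][ev["name"]] = ev["data"]
        writers[clsid].add(ev["process"].rsplit("\\", 1)[-1])
        if ev["name"] == "":
            dll_history[clsid].append(unescape(ev["data"]))
    findings = []
    for entry, clsid in ssodl.items():
        srv = servers.get(clsid, {})
        findings.append({
            "entry": entry,
            "clsid": clsid,
            "dll": unescape(srv.get("", "")) or None,
            "threading_model": srv.get("ThreadingModel"),
            "dll_history": dll_history.get(clsid, []),
            "writers": sorted(writers.get(clsid, ())),
        })
    return findings

if __name__ == "__main__":
    for f in resolve_ssodl(parse_events(SAMPLE)):
        print(f"SSODL {f['entry']} -> {f['clsid']} -> {f['dll']} ({f['threading_model']})")
        print("  earlier DLL paths:", f["dll_history"][:-1])
        print("  written by:", ", ".join(f["writers"]))
```

Feeding it all 39 rows above instead of the subset gives the same resolved DLL (Lanfmb32.dll, the last default-value write) and an 18-entry DLL history to sweep SysWOW64 for.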

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2324 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2324 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2324 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 1848 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 1848 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 1848 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 1848 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 2128 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2128 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2128 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2128 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2764 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2764 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2764 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2764 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2380 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2380 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2380 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2380 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2872 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2872 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2872 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2872 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2568 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Djpmccqq.exe
PID 2568 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Djpmccqq.exe
PID 2568 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Djpmccqq.exe
PID 2568 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Djpmccqq.exe
PID 2348 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Djpmccqq.exe C:\Windows\SysWOW64\Ddeaalpg.exe
PID 2348 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Djpmccqq.exe C:\Windows\SysWOW64\Ddeaalpg.exe
PID 2348 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Djpmccqq.exe C:\Windows\SysWOW64\Ddeaalpg.exe
PID 2348 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Djpmccqq.exe C:\Windows\SysWOW64\Ddeaalpg.exe
PID 2940 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dfgmhd32.exe
PID 2940 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dfgmhd32.exe
PID 2940 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dfgmhd32.exe
PID 2940 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dfgmhd32.exe
PID 2080 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2080 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2080 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2080 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2936 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Doobajme.exe
PID 2936 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Doobajme.exe
PID 2936 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Doobajme.exe
PID 2936 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Doobajme.exe
PID 1608 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 1608 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 1608 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 1608 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 2928 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 2928 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 2928 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 2928 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1812 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 1812 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 1812 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 1812 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 1340 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 1340 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 1340 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 1340 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2064 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Epdkli32.exe
PID 2064 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Epdkli32.exe
PID 2064 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Epdkli32.exe
PID 2064 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Epdkli32.exe
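Every pair in the table above repeats four times, and every target is a freshly named executable under SysWOW64 that then becomes the next writer, so the rows describe a linear spawn chain of dropped copies rather than writes into a pre-existing process. The script below is an added example, not part of this report or of its sandbox. It collapses the repeated rows into one edge per parent and child with a write count, walks the chain from the root (the one PID that nothing wrote into), joins each stage to its SHA256 from the Files section and to the memory-dump regions named for its PID, and checks the point a practitioner wants from this section: every stage maps the same 0x34000-byte image at 0x400000 while carrying a different hash, so hunting by file hash alone will miss sibling copies. The sample data is the first three hops and the matching Files entries, copied from this report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first three hops of the WriteProcessMemory table above, plus the
# matching Files entries (SHA256 lines only) and the memory-dump names for those PIDs.
WPM_ROWS = r"""
PID 2324 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2324 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2324 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2324 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 1848 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 1848 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 1848 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 1848 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 2128 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2128 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2128 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2128 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dngoibmo.exe
"""
FILE_ROWS = r"""
\Windows\SysWOW64\Dbpodagk.exe
SHA256 327c783b598b9bb6e45527531c3904710131c04d0605089a28a3a9a7bd626289
\Windows\SysWOW64\Dkhcmgnl.exe
SHA256 01794c2bc396d469b1be4be5318c18bea0c025df2c4e9ffffd64491f7ecc8b09
\Windows\SysWOW64\Dngoibmo.exe
SHA256 45589d0bef1f4ec0e5134043547de7bd57dd0489ec8c0900c4574924295c1f58
memory/2324-0-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1848-13-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2128-38-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2764-40-0x0000000000400000-0x0000000000434000-memory.dmp
"""
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

def parse_wpm(text):
    """One edge per (writer PID, target PID), counting the repeated rows."""
    edges, image = Counter(), {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst))] += 1
            image[int(src)], image[int(dst)] = src_img, dst_img
    return edges, image

def parse_files(text):
    """Dropped-file basename -> hashes; PID -> [(region start, region size)]."""
    hashes, regions, current = {}, defaultdict(list), None
    for line in text.strip().splitlines():
        m = MEM_RE.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions[int(m.group(1))].append((start, end - start))
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            hashes[current][m.group(1)] = m.group(2)
        elif m is None:  # any other line is a dropped-file path
            current = line.rsplit("\\", 1)[-1].lower()
            hashes[current] = {}
    return hashes, regions

def lineage(edges, image, hashes, regions):
    """Pre-order walk of the spawn tree from the PID that nothing wrote into."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    stack = [(pid, None, 0) for pid in reversed(list(image)) if pid not in targets]
    nodes = []
    while stack:
        pid, parent, depth = stack.pop()
        name = image[pid].rsplit("\\", 1)[-1]
        nodes.append({
            "pid": pid, "parent": parent, "depth": depth, "name": name,
            "writes_from_parent": edges.get((parent, pid), 0),
            "in_syswow64": image[pid].lower().startswith("c:\\windows\\syswow64\\"),
            "sha256": hashes.get(name.lower(), {}).get("SHA256"),
            "region_sizes": sorted({size for _, size in regions.get(pid, [])}),
        })
        for child in sorted(children[pid], reverse=True):
            stack.append((child, pid, depth + 1))
    return nodes

def analyze(wpm_text=WPM_ROWS, file_text=FILE_ROWS):
    return lineage(*parse_wpm(wpm_text), *parse_files(file_text))

def same_size_distinct_hashes(nodes):
    """True when every dropped stage has its own SHA256 yet all regions share one size."""
    dropped = [n["sha256"] for n in nodes if n["in_syswow64"]]
    sizes = {s for n in nodes for s in n["region_sizes"]}
    return None not in dropped and len(set(dropped)) == len(dropped) and len(sizes) == 1

if __name__ == "__main__":
    tree = analyze()
    for n in tree:
        print(f"{'  ' * n['depth']}{n['pid']} {n['name']} writes={n['writes_from_parent']} "
              f"sha256={n['sha256']} regions={[hex(s) for s in n['region_sizes']]}")
    print("same image size, distinct hashes:", same_size_distinct_hashes(tree))
```

Pasting the full table and Files section in place of the two samples extends the walk to all sixteen hops; the WerFault.exe entry in the process list does not appear as a WriteProcessMemory target, so it stays outside the chain.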

Processes

C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe

"C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe"

C:\Windows\SysWOW64\Dbpodagk.exe

C:\Windows\system32\Dbpodagk.exe

C:\Windows\SysWOW64\Dkhcmgnl.exe

C:\Windows\system32\Dkhcmgnl.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Djpmccqq.exe

C:\Windows\system32\Djpmccqq.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dfgmhd32.exe

C:\Windows\system32\Dfgmhd32.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Djefobmk.exe

C:\Windows\system32\Djefobmk.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Epdkli32.exe

C:\Windows\system32\Epdkli32.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Eilpeooq.exe

C:\Windows\system32\Eilpeooq.exe

C:\Windows\SysWOW64\Ekklaj32.exe

C:\Windows\system32\Ekklaj32.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Fcmgfkeg.exe

C:\Windows\system32\Fcmgfkeg.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fpdhklkl.exe

C:\Windows\system32\Fpdhklkl.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Feeiob32.exe

C:\Windows\system32\Feeiob32.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Glaoalkh.exe

C:\Windows\system32\Glaoalkh.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hmlnoc32.exe

C:\Windows\system32\Hmlnoc32.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 140

Network

N/A

Files

memory/2324-0-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Dbpodagk.exe

MD5 865c67d0e3ed78bfdf5c1dc6af376e7c
SHA1 005c8e7a2df9fa7dcdca865c3e3dd1903dcff572
SHA256 327c783b598b9bb6e45527531c3904710131c04d0605089a28a3a9a7bd626289
SHA512 6b6f3ea02c745159203411b32622258653b55df4607fafa0bac4192d8e455ac27fee75c2c260d59fb73738b9905c1fb5a6a099030e1ba4522153835a10249989

memory/2324-6-0x0000000000290000-0x00000000002C4000-memory.dmp

memory/1848-13-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Dkhcmgnl.exe

MD5 36f5acbdf144bca54441f5af0b35cdc3
SHA1 8616665be5dce8319af2e4a5b372500272c034de
SHA256 01794c2bc396d469b1be4be5318c18bea0c025df2c4e9ffffd64491f7ecc8b09
SHA512 972ea2189de3d9fab31389efe3b4fe67284098a4dfcb49b38e544ec7a07afdfab93712412885e8f3ff1d57c9a400df03bf6abed12d2d6c0fcd37e9e45c028768

memory/1848-27-0x00000000002D0000-0x0000000000304000-memory.dmp

\Windows\SysWOW64\Dngoibmo.exe

MD5 eafff0b6ca6fd15945564bb0131f258a
SHA1 c27b7f988f9c1ad1b98389ca33a7c451d732f25e
SHA256 45589d0bef1f4ec0e5134043547de7bd57dd0489ec8c0900c4574924295c1f58
SHA512 8ab38cea55eb5f08d0d61f09ca78ecc6aad57f365c3f51f7041ace6b8cb5e1e755b0341c05e6610585afa0847e2270c699a967ff6fa88c422d4cabaee21d6499

memory/2764-40-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2128-38-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Dgodbh32.exe

MD5 56c5d364b4df6286268a953aad9e0906
SHA1 774b7634b94ef4ecdf6901f5884557f070b08549
SHA256 ef4ca82e6a7c339788f50b4fe9df8a0cf4deca191e7561c86609d7cff3d5fd21
SHA512 d0fe17830c8f75c601819fbff3c4d5c4638bc6c7cbcbcb653bf024c3ac876b44cb2b34780d1a02cd907ab888bd0a1a953ff81099c187b06b9158b88377a9da44

memory/2764-53-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2380-54-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Djnpnc32.exe

MD5 b122e720081d97a4daca4f45ec21b180
SHA1 f29ec5c9b774434b806f16df0ac839c95734feff
SHA256 098117df8a011cc4ae88f9b06e058259ed24adbefe53c956609337915728badc
SHA512 b7fe4e835e5ca423c6cc93fd34fdd91789b35dd03eb620fa631458d9d5fef161a77834ea28332ef54f925885723ab673179c46afc78b2245ffce863fd3116ad7

memory/2872-67-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Dgaqgh32.exe

MD5 47f31770917f8b1a9c68ebb0a8e89172
SHA1 dc3236013cd1cd575b01f6ce3ba8c25968d28adb
SHA256 3bee88e6c88e722fd03c01187e8944d22004438aff33516b4da9b475b40eb3db
SHA512 1df3036edf7c02ebc2941ff8d47dda991002ef2a3f4fde961f94b88f13c24437aeeb178b866dd366b15f49c71beaf1aa6b8eb54c48b690d3241e12172a898217

memory/2568-80-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2348-93-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Djpmccqq.exe

MD5 55b8cb78b5899efbbfd3728f22e496be
SHA1 ce877325cc2928b7f978c6448b90d06b31a8d8d6
SHA256 feb9a8a7716c33e4c5350a7f889a9947e5b6112f679b5cd891cb13c42d7adcfc
SHA512 f714f7de94e628ec303fa8eb8ab128c56e1377cebdd4125111a5e0e522ceccbb70a52933b755900505d563be7719d4d3a85608d9279ba95e54a4a1291dfefb5d

\Windows\SysWOW64\Ddeaalpg.exe

MD5 2a3b5e0bc6d30c801fc7fbaab9b4393c
SHA1 e6c2a03fc8ec78733adf96cf926a82f1d3ded372
SHA256 0eb06083204eba0056c270bd1a77143fe5f1925edb3d011b144d113a79bbfbdc
SHA512 6bc5f86fc2ec21cfd2bf4bb42f6d2674a3950b919898f5f82f3e713fe6f480aadec7e13d46789b47d107071255f0f1babbcfe9145485d1d55029b05bc17286f9

memory/2348-105-0x00000000002F0000-0x0000000000324000-memory.dmp

\Windows\SysWOW64\Dfgmhd32.exe

MD5 6431e279fb483ad4e449affe545f932d
SHA1 08282e1fa58e148e535412478860479dbac02455
SHA256 ff0e21dd9e545c307798739555011bbcec642f207952386ee94a15986fdc82f4
SHA512 bfcffb0aede074fd4dd193deaeecbc0aa72ebe7cdfb1db85f6458c64661ad86f1f70a689bd06afc0ff72fa718b02265c191ce2a673bc695a4b0c69a4bf5a5d08

memory/2080-119-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Dmafennb.exe

MD5 e406d6314cd761e61fa3ea006bf5e006
SHA1 7862a4378231677215cf44e49f9e73b88c893325
SHA256 f0987cc53f0caf01f7a1c8e46001fb855289cb329f39fe31169c34b6a4e083fb
SHA512 7014e4d40ce1be2c30d55807e9f3540e7050a054b876b48b28ab6eeb1be7719f402bc872469bdbc064a7921be9e80b54c97b5ad4adce53e1b96d39d0a29b1a3c

memory/2080-128-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2936-137-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Doobajme.exe

MD5 5fd3c15a96ce92959228f141a70f5942
SHA1 0c42038e59f461120607473690e083b1a2a73812
SHA256 92e65eebdb618094a0083eb52c9e9a77831abcdb0f87ee758c5dc15ae96ff0c0
SHA512 c471c175dfee8fe352be1a2afb20019ee267df22cd8d6ce311981172e16c8a76f9fbc6263451a21e3f32bf2575409b38a073f3bd9d0c4a2b5724e66adcabee53

memory/1608-146-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Djefobmk.exe

MD5 64a36b6b4d61b5277b8aec6fffb7a5f7
SHA1 f24264d51e47ffc8b27bcbd268090cee226384d6
SHA256 74ee610ca902d0e0627e5d1a5f92ee170fcce847cfe6b31fac6d4f4fef8f3f95
SHA512 a3aa309f8969632437267baa0385ccc2edb84402de3cbc6874961382e886020634e16eb07289dc84bf34a32d70141ddb4832a49e827de03390f27b5f7395c732

C:\Windows\SysWOW64\Emcbkn32.exe

MD5 b00fe3ee46fc96745f7457e0c0ca0e70
SHA1 8109cc6cde23f21f980b423ec5df907feef93e1d
SHA256 8833d528784bfb88af6ef603741f3120072d0390733bd76b3be99af749347be4
SHA512 b77b7bb9bf0f965cb9f594c05e545c2b7aaddd7d45b895944c9f091555f1043d0a80f6c403b497e3d8938bf36fd2f58760d8529f0696936f9b7368d91cc78add

memory/2928-159-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1812-172-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Ecmkghcl.exe

MD5 ea6882f69167cbd9f97079da71fac854
SHA1 3b041523396c85c2ca5f7df234a13cd0f7934163
SHA256 777db4643ac93ffac84db2556fbe1cfba9db443ba82f4b14f1a35710edf96f1a
SHA512 ca5377b42e31fc9f138a487ea2ed26375a823672ab2f9e4931382917fd958ee5fa7d66e52f3c3d0d4a5ca7e2edf69be7bc18020d3e6295be17c3bbcdc807e55c

memory/1812-184-0x00000000005D0000-0x0000000000604000-memory.dmp

memory/1340-193-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Eflgccbp.exe

MD5 24815c06ebaa3d890310e16a88be8805
SHA1 ee2bd9c7bafde441fbf529f8076a0990d16d74e2
SHA256 dd3cb9971da99ce4b2ebe8731bb60f72799b4bc75ff28023b854f8ce725b2323
SHA512 5b4f0bb0e51af7553cb0962a82b575862d34d4da8157e063db7948ba919307aa384ed987d5fc32812d3fbc2db7eafb003a70ff8cd217f68f36cb2d31ae06e586

memory/2064-199-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Epdkli32.exe

MD5 cfa04e3b1eb98ab652d65287c177742e
SHA1 7af174122224ea57f95c7c3c53004ba265e0b8aa
SHA256 bd63cae88bf8b164579651f1c255333fb8e1a4f6b509173d4e1bfd7d8af8c738
SHA512 4bb3bf25d694e95dde3f12853421b3682ba01aed0fc79709fde46ee3b6ffdee3c17c9956b8bcbb6c903de7f6dd0ec648a9649fed54b6f5abc06a380384082cff

memory/2904-212-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Eeqdep32.exe

MD5 6fba12b4b08d72ad83f4ba4e9b5218c8
SHA1 dc4049206239d3086b17e750077c8556429a4d60
SHA256 a7fb06b36f23ce60df7f180ff40d3d27691aaa683eefdda5da5442bdedbfcfdb
SHA512 fc9ec0f75e8804ab7858c35a1799a1129b05978de632f822fd09bce025eb8eece2b82d38bd34f9fe06510fcd6e94a6dead91b9571e1fca1d167080295753f45d

memory/1720-222-0x0000000000400000-0x0000000000434000-memory.dmp

memory/576-231-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Eilpeooq.exe

MD5 7d5983deb92bc852a43fd24f9b44536e
SHA1 0741f9b6cee095a3ce83c4fbf58471e4afc71871
SHA256 e8310e450a25a0015f6f409c693c9704cf3128f4ac85e057ebb3d2afd888882f
SHA512 a32f01322379d5ca5a9bfbb9e1e6f500f0c0e2c1208b0b3f5352a58038f9a2e1fa7d65a4b0ef57b06cd824c7aa22f2e53c51b9cd6a20dc478881c42a9f26aead

C:\Windows\SysWOW64\Ekklaj32.exe

MD5 e4d8ff5502340694c51ca07a99092fee
SHA1 8d9e528c5c247e13cbc7b2368deab56520574691
SHA256 15ad3213a5c8cd53d335d4368b7e4e4f6a7ac52d5796df4702596356bb851f08
SHA512 c96d500b12d1b68d644c18b2b0c2dc2ea4ccb7c1fde6165627f431a25ca2b6b13a0ac225b0654e5790d42140b3c13b0c867f04cd33873a17850c82c8ef7d2940

memory/340-241-0x0000000000400000-0x0000000000434000-memory.dmp

memory/576-240-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/1344-252-0x0000000000400000-0x0000000000434000-memory.dmp

memory/340-251-0x0000000000270000-0x00000000002A4000-memory.dmp

memory/340-250-0x0000000000270000-0x00000000002A4000-memory.dmp

C:\Windows\SysWOW64\Ebedndfa.exe

MD5 97955033ae48604afb1bfbfef9808115
SHA1 626d4915a0724ae6010460c805be1e1ee0fc6856
SHA256 8693a81f671ed9233bba5b69ceebed3fba3075ec649399cfb9e5aede4a7bbda1
SHA512 a4ff5f166ae9d6a40b9057a9212222056f8dca44e6536ba24ff5ea8fa0d7792955b40f91c01d246538b9a289e0e3d178a758d09142bde63548c133dab8468ca5

C:\Windows\SysWOW64\Eiomkn32.exe

MD5 1660085c8792a8f68f6f8d28688ba39f
SHA1 5ac695047b459a400f2447bda4759aba9db31149
SHA256 8da7d5f40b6bf8530a61dd45467da570dc8a61ced1060837f1339e07a900ebf6
SHA512 67b9d29999c0d23ba77cfe84ac35be881a848ae4a86d46841fe6df0e532c53076ab245e53455f982cc5a91802ba794454eacf6424ca2d544ce174adcd11fba52

memory/2304-261-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Enkece32.exe

MD5 1795f554008858061bf353d57fc46d82
SHA1 5929c0a7d83c032568506abd615077f08a57a630
SHA256 c8355eb05fc68e4d2ab56e6259c1ab56a9bca0eff3d2747385341050525c3d22
SHA512 6ad2ed66716e9b6500b657492cade259c653f56ac9be23f26e8fb789ffcb09336f28bf9407b9f8e60ce100289466ec20d6e5a6b48a6910881bade7d3d29a56cb

memory/924-274-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 74ebfc4cb8889a405512e36d76cc5507
SHA1 367bfdf66692b971fc412c8bc0c89ffa993fbb17
SHA256 ef3ae33e8f58c1af7283848f585dd3540cc05e55f1536c3d7ccfe39a419a5296
SHA512 26e09a37895674cd98b3e0d681181e50d1970dd02015f7d654899d3f848cca0453e368852909b63212ce9edaa65a21caf1bfbb38be6ca48493c8cc46d42244f2

memory/2984-279-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2984-284-0x0000000000270000-0x00000000002A4000-memory.dmp

C:\Windows\SysWOW64\Eiaiqn32.exe

MD5 0d9f18ecf3ad5837a540bd0468f31260
SHA1 ede1d7713980af48f714cd1ab034cd8e09ea1412
SHA256 b7395708b6e6fb1ccc945c990ff760d1e073eb6b343edb43e482f4c9dfe6a684
SHA512 2940cc55e7a4920a6bdaff3ce2433c9fec88f7b9388051719a0d23e7632e5e341b91c0d7770ae50971d42bc35cac3740c62b749740f62d9c4ce8337dfd3b72f6

C:\Windows\SysWOW64\Ejbfhfaj.exe

MD5 7ad0c8e5dbde7f5cacccf93e52a10bce
SHA1 98c0ad16e9164c370c66ab3c380ddf37ef131067
SHA256 abae2a955b5858495b15145a4022d91225fbb68f88cd6f691504b381177e1f68
SHA512 7d1710557e76e8c6faf075eab917a0193542e7a8aed01db241ad4ea30175c0d3a13b2c7e56dfb7c88cb958ac15c1f5d57d8821baeb3cbcee6c8354e258fc6cb4

memory/2108-294-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2108-300-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2108-299-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2984-293-0x0000000000270000-0x00000000002A4000-memory.dmp

memory/2272-309-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Ennaieib.exe

MD5 27cf3ba9b41f469f7181a1297f3c4b67
SHA1 5adf0f13cfd4241ef436b06f0e381ba6fa868b01
SHA256 dbfd5555af1dc27dc7c4dd087c90d3bf8f7b8d14ecde8ee5002791411bb54d16
SHA512 df9d20afa8b63474581fce7e600324198948008c1d8448bcd85ebe3dfe91379899d48e0fde732f182d28d1a80d50b35e655cfbf4e93ff139a316eada66fe9c74

memory/2272-310-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Fhffaj32.exe

MD5 2d08673cd2333a00c7a20454e0a14291
SHA1 336920079d94e8daff3ba7e524bc2ebececda108
SHA256 8ff291f7367a655317bed4745a6ede800aeb2e3c20fc6985d369c4e5b3f8783f
SHA512 92e32a5518480b466819eb9b6610845931f8f07557de1dda625d7c19a24dffe5e061b72a14d8898c2fb6850f073263b648ef5913d95153e42ae535a194bb4a1a

memory/1564-322-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1864-321-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/1864-320-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/1864-315-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Flabbihl.exe

MD5 2017d405cb4e74bd925bbf34613bc56c
SHA1 c7530f901f31bfd68fbb6a1843b73e510c5c4368
SHA256 526738751cb5a022768024eeeb92809bd02743f66942c6a9fd2f3bb4ec95375b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 22:25

Reported

2024-06-03 22:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nafokcol.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncihikcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhfee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nafokcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncihikcg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njcpee32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Njogjfoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nafokcol.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ncihikcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File created C:\Windows\SysWOW64\Majknlkd.dll C:\Windows\SysWOW64\Nafokcol.exe N/A
File created C:\Windows\SysWOW64\Egqcbapl.dll C:\Windows\SysWOW64\Mpdelajl.exe N/A
File created C:\Windows\SysWOW64\Opbnic32.dll C:\Windows\SysWOW64\Njcpee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Njogjfoj.exe N/A
File created C:\Windows\SysWOW64\Gbbkdl32.dll C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File created C:\Windows\SysWOW64\Fcdjjo32.dll C:\Windows\SysWOW64\Nnhfee32.exe N/A
File created C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ncihikcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Njcpee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpdelajl.exe C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
File created C:\Windows\SysWOW64\Hlmobp32.dll C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Jcoegc32.dll C:\Windows\SysWOW64\Njogjfoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Ndidbn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Mpdelajl.exe N/A
File created C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Ipkobd32.dll C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Pkckjila.dll C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Ddpfgd32.dll C:\Windows\SysWOW64\Ncihikcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Mpdelajl.exe N/A
File created C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Mpdelajl.exe C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
File created C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nafokcol.exe N/A
File created C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Njcpee32.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Lfcbokki.dll C:\Windows\SysWOW64\Nceonl32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nafokcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll" C:\Windows\SysWOW64\Nafokcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll" C:\Windows\SysWOW64\Ncihikcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll" C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncihikcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nceonl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnhfee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncihikcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nafokcol.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njogjfoj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Mpdelajl.exe
PID 2004 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Mpdelajl.exe
PID 2004 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe C:\Windows\SysWOW64\Mpdelajl.exe
PID 1236 wrote to memory of 4652 N/A C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Nkjjij32.exe
PID 1236 wrote to memory of 4652 N/A C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Nkjjij32.exe
PID 1236 wrote to memory of 4652 N/A C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Nkjjij32.exe
PID 4652 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 4652 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 4652 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 1072 wrote to memory of 4780 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 1072 wrote to memory of 4780 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 1072 wrote to memory of 4780 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 4780 wrote to memory of 4152 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Njogjfoj.exe
PID 4780 wrote to memory of 4152 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Njogjfoj.exe
PID 4780 wrote to memory of 4152 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Njogjfoj.exe
PID 4152 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nafokcol.exe
PID 4152 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nafokcol.exe
PID 4152 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nafokcol.exe
PID 2936 wrote to memory of 2992 N/A C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Ngcgcjnc.exe
PID 2936 wrote to memory of 2992 N/A C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Ngcgcjnc.exe
PID 2936 wrote to memory of 2992 N/A C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Ngcgcjnc.exe
PID 2992 wrote to memory of 768 N/A C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 2992 wrote to memory of 768 N/A C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 2992 wrote to memory of 768 N/A C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 768 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ncihikcg.exe
PID 768 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ncihikcg.exe
PID 768 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ncihikcg.exe
PID 1724 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Njcpee32.exe
PID 1724 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Njcpee32.exe
PID 1724 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Njcpee32.exe
PID 1700 wrote to memory of 3324 N/A C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 1700 wrote to memory of 3324 N/A C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 1700 wrote to memory of 3324 N/A C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 3324 wrote to memory of 3820 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nkcmohbg.exe
PID 3324 wrote to memory of 3820 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nkcmohbg.exe
PID 3324 wrote to memory of 3820 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe

"C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe"

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/2004-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mpdelajl.exe

MD5 79b044874fdabab91930d70eff96b331
SHA1 8c5d518bb86fd708f67c201925c76fcffc220990
SHA256 f73684f108a748caf04c1b625ed82e1fccfb2e43a8abc9a431de7062c60017e2
SHA512 d36567fc65e3be52c857fd9219a4b1748970d49f7bbc8d45da6ace44a338371d61c204dd333299a762e13ceb57c3da67291b67bd006e2d68d7eb6104608ac884

memory/1236-8-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nkjjij32.exe

MD5 1a78c200c7a571ca4c4dc342110dcac7
SHA1 d6e76ab24654fc660cd174d6f9d63859921d5d32
SHA256 6ed66b074aa5718a1d39cfe18ace6636c8283ddc2d8e116899de13385af81a74
SHA512 e1d5ea1c08dfd24b231ce841e01c94d756983f8a7450539308d8a435194d9cfe181009bef8d946de21c65b3b5920c1c92fde30ce673039868a6d9a4680eafe87

memory/4652-17-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nnhfee32.exe

MD5 30266f9013303fc20c684cdd49d1120c
SHA1 68124aaa212f33f54531a1913b664a35e1dfbd82
SHA256 ec00358e96e174340be4bd4d864c12add6236fa141b32fa4f5c469bc394055cc
SHA512 05467ec70ec8b0a1db820d14419a2eb3b35a0359551c8f99f1a109930c7b080ff7e98357660963e7384d60ed246b244bc81bc94311b6fc3d6b92d62342ff6211

memory/1072-27-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nceonl32.exe

MD5 de32cb124beaa46e06fb7e34b9052bc5
SHA1 f8efdaf6bc64606a2fe499ab896d7cbde5a2d5ed
SHA256 3aa07d89a829b20222d45d18f070123908c8fa3009ddd9bee3e0c48a9a8c39b6
SHA512 a9bbcb934c21d20c60c608d20b5fec910f435b66ef9719611e33f05175f41f7995b9739ead2dd0620720d11ec7151e09397f96081fd6cd1946adaabb41fa0103

memory/4780-32-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4152-40-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Njogjfoj.exe

MD5 d83584aa272553f4b14e3d35e4f1859c
SHA1 56b86de2e625687fd0828617f0d0a1b5d8b25084
SHA256 654c2d839144e1d76d0cf26800d70e35f8c02c26d5533b69ee2d2a568c174a61
SHA512 a4714a887bc6895f96eb1520006d2cd02ada8526d60b993e5b9f7b7388de86b2c9510fdd702b2e9ee34e58e048abd63df0d7463c669f279084d07a5b6226b543

C:\Windows\SysWOW64\Nafokcol.exe

MD5 244b45a63a54a9d1f356f4f3f81ce95e
SHA1 8ddacc03ba871fe644bbb8ce86ff0fbaf1189ff1
SHA256 1af659e8d8040eb176f575f4ec3a508e1fc98207cc62c398f6e56ed0cec39e9d
SHA512 dfe94cd46b70972fb14aaf0d00b0521cb9305b7d84401eaa800c07e1f2bb3dbc5afba74309a8f628c6e4a5e0aeae92eec4007ced5dc19ec11ea51bfaad1e622b

memory/2936-48-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ngcgcjnc.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Ngcgcjnc.exe

MD5 d1a8a94f77a09a8e2b15868e673d9d4f
SHA1 c00b38ff6c376f91b8bca5abd2ac9771c5ade77e
SHA256 cade64b49e6ba3c90da8262c0dcacd04c759153adfa284c2cdec335410d90db7
SHA512 6148d8e3fb8dd4686e2c6ab87fba1911f8f0e33dc53127c52dad14357b5a432d35c3b0840a4fc2346b96927287c2ecc0f9a5c6249d0ae93694a02b3a429f6f8c

memory/2992-55-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nbhkac32.exe

MD5 9142148cb9834cf7ddc764d1d055d67d
SHA1 0bc25b7114fcaa2e0faf925ee8b22f3adeb66c1e
SHA256 1cc87dfc688b28c2525d5911818b91974c33578c3acd2b67ea1a3d3f669584ad
SHA512 5677e7f3e8e1bd8442bee1a4c468276bf89c9a821575e8ac21d038110c57d3450d1494beb73d94e87cd855dcd51661496a6ed746aee6705c4407352c99790559

memory/768-64-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ncihikcg.exe

MD5 66042d4b20cd4756ed34ef5a10d240d3
SHA1 ef31887d2252650881b3fbff61f84485e9512631
SHA256 8291412c538ce24308b1da14eacc617eb75af196189bdf27ae4c61b450207f15
SHA512 7cbd06ee134030e5be3eff99cd3cd32aff548b8c7f269176185d7a79b92c17aa6f2e32bdf07a6d89660db0f1dec25ad98b66af8ab49d7031d3b66dda4d613842

memory/1724-72-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Njcpee32.exe

MD5 a4f4a3ae40be25f5380787270609d782
SHA1 5b2ee02ba76cd412beaafad88e9aba13fef60c0e
SHA256 cb7126db3121e574a2c619a9513b6571c13ea8873b9cbd38f79b6140e54e3b73
SHA512 5e7088a4ee9fbe2353f26563edae9c48103da8ab42ccd5b8e38cfc0e3e44f388d03dea12ac62a8674dad54ab2bf1c54e7323157b42fd69b13b459d0e8f4ef95f

memory/1700-80-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ndidbn32.exe

MD5 b85a094dd4b6a41477d7b29332bbad42
SHA1 cc553dbb0aedbfba6366e9a5915ae4b83717a94a
SHA256 f418c7f6db6701ed474806c61662b7f212dc71dfac02d0f31ebe4d14b0d384b2
SHA512 ea8787d67ebcd3dd537c6e8ac2033b68652d682caaddaaf60f4bdf319a862479070a8dcba85a4056b6c4285356044b62d888093fb7beb5a7f070325cba2ed74a

memory/3324-87-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nkcmohbg.exe

MD5 3c0faaf51ccc84646ba7f12b58e20cf4
SHA1 e6ef6cf03536b098aaa6b429150aeda16dd51069
SHA256 861b23bb28a2b50ca17715aa6ee40c9a6603ca3a64b0ab6ec6682cf810c1aa5a
SHA512 6a6178696355008e6cc77cde96b92c42801e11168d9ae25bf091eb5331f8eef4d2f8439307333768cf538a90edf7fe5d75718557fafbc6a5103e9d63aae44e16

memory/3820-95-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3324-98-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1072-106-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1236-108-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-109-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4652-107-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4780-105-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4152-104-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2936-103-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2992-102-0x0000000000400000-0x0000000000434000-memory.dmp

memory/768-101-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1724-100-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-99-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3820-97-0x0000000000400000-0x0000000000434000-memory.dmp