Malware Analysis Report

2025-08-05 10:28

Sample ID 241107-jwkgtayfrk
Target dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N
SHA256 dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327
Tags berbew backdoor discovery persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327

Threat Level: Known bad

The file dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-07 08:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-07 08:01

Reported 2024-11-07 08:03

Platform win7-20241010-en

Max time kernel 13s

Max time network 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pojecajj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gifclb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Idkpganf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbjeinje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ccmpce32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdklfe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkjnnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njfjnpgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Omnipjni.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abmgjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkglnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Objaha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abmgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cocphf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjjpjgjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phlclgfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Accqnc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bigkel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgpjhn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iflmjihl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oococb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pepcelel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Paknelgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjhcegll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkjnnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pebpkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Injndk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilnomp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jhbold32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kncaojfb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgedmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nenkqi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qiioon32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omnipjni.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Accqnc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaimopli.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alqnah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fgldnkkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjjpjgjj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfkeokjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpdnbbah.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njfjnpgp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Objaha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilnomp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iihiphln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofadnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cinafkkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fgldnkkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbhcim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hjacjifm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cchbgi32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Fjhcegll.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgldnkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjjpjgjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfcnegnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Gifclb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkglnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbadjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgpjhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjacjifm.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjcppidk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfjpdjjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Iflmjihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Injndk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilnomp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idkpganf.exe N/A
N/A N/A C:\Windows\SysWOW64\Iihiphln.exe N/A
N/A N/A C:\Windows\SysWOW64\Jikeeh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpdnbbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhbold32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhcim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdklfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kncaojfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpdjaecc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kddomchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmdeioh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfkeokjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgedmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmbmeifk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmicfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfjnpgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenkqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opihgfop.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oococb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phlclgfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pepcelel.exe N/A
N/A N/A C:\Windows\SysWOW64\Pohhna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pebpkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pojecajj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pplaki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Paknelgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Qppkfhlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Qiioon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgmpibam.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Accqnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Allefimb.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaimopli.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahbekjcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alqnah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmgjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agjobffl.exe N/A
N/A N/A C:\Windows\SysWOW64\Adnpkjde.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjkhdacm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjhcegll.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjhcegll.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgldnkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgldnkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjjpjgjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjjpjgjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfcnegnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfcnegnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Gifclb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gifclb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkglnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkglnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbadjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbadjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgpjhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgpjhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjacjifm.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjacjifm.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjcppidk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjcppidk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfjpdjjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfjpdjjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Iflmjihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iflmjihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Injndk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Injndk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilnomp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilnomp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idkpganf.exe N/A
N/A N/A C:\Windows\SysWOW64\Idkpganf.exe N/A
N/A N/A C:\Windows\SysWOW64\Iihiphln.exe N/A
N/A N/A C:\Windows\SysWOW64\Iihiphln.exe N/A
N/A N/A C:\Windows\SysWOW64\Jikeeh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jikeeh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpdnbbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpdnbbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhbold32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhbold32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhcim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhcim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdklfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdklfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kncaojfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kncaojfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpdjaecc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpdjaecc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kddomchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kddomchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmdeioh.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmdeioh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfkeokjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfkeokjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Olfcfe32.dll C:\Windows\SysWOW64\Iihiphln.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cocphf32.exe N/A
File created C:\Windows\SysWOW64\Hdhkdkaa.dll C:\Windows\SysWOW64\Hjacjifm.exe N/A
File created C:\Windows\SysWOW64\Accqnc32.exe C:\Windows\SysWOW64\Alihaioe.exe N/A
File created C:\Windows\SysWOW64\Acnenl32.dll C:\Windows\SysWOW64\Cnkjnb32.exe N/A
File created C:\Windows\SysWOW64\Egqjelqn.dll C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
File created C:\Windows\SysWOW64\Pjdjea32.dll C:\Windows\SysWOW64\Mmicfh32.exe N/A
File created C:\Windows\SysWOW64\Pebpkk32.exe C:\Windows\SysWOW64\Pohhna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgmpibam.exe C:\Windows\SysWOW64\Qiioon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmicfh32.exe C:\Windows\SysWOW64\Mmbmeifk.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegoqlof.exe C:\Windows\SysWOW64\Cjakccop.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhbold32.exe C:\Windows\SysWOW64\Jpdnbbah.exe N/A
File created C:\Windows\SysWOW64\Abmgjo32.exe C:\Windows\SysWOW64\Alqnah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cgoelh32.exe N/A
File created C:\Windows\SysWOW64\Iihiphln.exe C:\Windows\SysWOW64\Idkpganf.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjkhdacm.exe C:\Windows\SysWOW64\Adnpkjde.exe N/A
File opened for modification C:\Windows\SysWOW64\Bqeqqk32.exe C:\Windows\SysWOW64\Bjkhdacm.exe N/A
File opened for modification C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kkjnnn32.exe N/A
File created C:\Windows\SysWOW64\Cpehmcmg.dll C:\Windows\SysWOW64\Jpdnbbah.exe N/A
File opened for modification C:\Windows\SysWOW64\Pplaki32.exe C:\Windows\SysWOW64\Pojecajj.exe N/A
File created C:\Windows\SysWOW64\Bbjclbek.dll C:\Windows\SysWOW64\Ahbekjcf.exe N/A
File created C:\Windows\SysWOW64\Eepejpil.dll C:\Windows\SysWOW64\Cnimiblo.exe N/A
File created C:\Windows\SysWOW64\Jhbold32.exe C:\Windows\SysWOW64\Jpdnbbah.exe N/A
File created C:\Windows\SysWOW64\Agjobffl.exe C:\Windows\SysWOW64\Abmgjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Bigkel32.exe N/A
File created C:\Windows\SysWOW64\Cefkjiak.dll C:\Windows\SysWOW64\Gfcnegnk.exe N/A
File opened for modification C:\Windows\SysWOW64\Pebpkk32.exe C:\Windows\SysWOW64\Pohhna32.exe N/A
File created C:\Windows\SysWOW64\Qqmfpqmc.dll C:\Windows\SysWOW64\Pohhna32.exe N/A
File created C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\SysWOW64\Paknelgk.exe N/A
File created C:\Windows\SysWOW64\Jpefpo32.dll C:\Windows\SysWOW64\Qiioon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Ccmpce32.exe N/A
File created C:\Windows\SysWOW64\Kjoahnho.dll C:\Windows\SysWOW64\Jbhcim32.exe N/A
File created C:\Windows\SysWOW64\Pmagpjhh.dll C:\Windows\SysWOW64\Iflmjihl.exe N/A
File created C:\Windows\SysWOW64\Aaimopli.exe C:\Windows\SysWOW64\Allefimb.exe N/A
File created C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Gfcnegnk.exe N/A
File created C:\Windows\SysWOW64\Klbgbj32.dll C:\Windows\SysWOW64\Ofadnq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bigkel32.exe C:\Windows\SysWOW64\Bgcbhd32.exe N/A
File created C:\Windows\SysWOW64\Jclcfm32.dll C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
File created C:\Windows\SysWOW64\Alqnah32.exe C:\Windows\SysWOW64\Aakjdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjcppidk.exe C:\Windows\SysWOW64\Hjacjifm.exe N/A
File created C:\Windows\SysWOW64\Dekhchoj.dll C:\Windows\SysWOW64\Gifclb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Idkpganf.exe C:\Windows\SysWOW64\Ilnomp32.exe N/A
File created C:\Windows\SysWOW64\Behjbjcf.dll C:\Windows\SysWOW64\Kncaojfb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cocphf32.exe C:\Windows\SysWOW64\Ciihklpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Gifclb32.exe C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
File opened for modification C:\Windows\SysWOW64\Nenkqi32.exe C:\Windows\SysWOW64\Njfjnpgp.exe N/A
File created C:\Windows\SysWOW64\Qgmpibam.exe C:\Windows\SysWOW64\Qiioon32.exe N/A
File created C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Ccmpce32.exe N/A
File opened for modification C:\Windows\SysWOW64\Injndk32.exe C:\Windows\SysWOW64\Iflmjihl.exe N/A
File created C:\Windows\SysWOW64\Pojecajj.exe C:\Windows\SysWOW64\Pebpkk32.exe N/A
File created C:\Windows\SysWOW64\Maanne32.dll C:\Windows\SysWOW64\Aaimopli.exe N/A
File created C:\Windows\SysWOW64\Komjgdhc.dll C:\Windows\SysWOW64\Abmgjo32.exe N/A
File created C:\Windows\SysWOW64\Aqpmpahd.dll C:\Windows\SysWOW64\Ciihklpj.exe N/A
File created C:\Windows\SysWOW64\Gfcnegnk.exe C:\Windows\SysWOW64\Fjjpjgjj.exe N/A
File created C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kkjnnn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Objaha32.exe C:\Windows\SysWOW64\Omnipjni.exe N/A
File opened for modification C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Qgmpibam.exe N/A
File created C:\Windows\SysWOW64\Pkjjaebl.dll C:\Windows\SysWOW64\Fgldnkkf.exe N/A
File created C:\Windows\SysWOW64\Knbbpakg.dll C:\Windows\SysWOW64\Kkjnnn32.exe N/A
File created C:\Windows\SysWOW64\Pohbak32.dll C:\Windows\SysWOW64\Mmbmeifk.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Mmicfh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cnkjnb32.exe N/A
File created C:\Windows\SysWOW64\Gifclb32.exe C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
File created C:\Windows\SysWOW64\Adnpkjde.exe C:\Windows\SysWOW64\Agjobffl.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fgldnkkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lklgbadb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgchgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alqnah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abmgjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqeqqk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hjcppidk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jikeeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Allefimb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opihgfop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oococb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pohhna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pojecajj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hjacjifm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iflmjihl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfkeokjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgedmb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahbekjcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgpjhn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Knmdeioh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgmpibam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Accqnc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kncaojfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cocphf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phlclgfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gbadjg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpdnbbah.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbhcim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alihaioe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Injndk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpdjaecc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbjeinje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjakccop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fjhcegll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gkglnm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhbold32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdklfe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccmpce32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pepcelel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qiioon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agjobffl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pplaki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nenkqi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bceibfgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gifclb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kddomchg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paknelgk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Idkpganf.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdklfe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjcppidk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfcfe32.dll" C:\Windows\SysWOW64\Iihiphln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" C:\Windows\SysWOW64\Pepcelel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bigkel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjlg32.dll" C:\Windows\SysWOW64\Injndk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alqnah32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Agjobffl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahbekjcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll" C:\Windows\SysWOW64\Abmgjo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lfkeokjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbjeinje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgmpibam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Accqnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfcnegnk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbadjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneebcff.dll" C:\Windows\SysWOW64\Jikeeh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gfcnegnk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hfjpdjjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njfjnpgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nenkqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdonf32.dll" C:\Windows\SysWOW64\Kpdjaecc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjoahnho.dll" C:\Windows\SysWOW64\Jbhcim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpdjaecc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opihgfop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Injndk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpdjaecc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pohhna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjhcegll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jikeeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll" C:\Windows\SysWOW64\Ccmpce32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaimopli.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkglnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjcppidk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lklgbadb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fgldnkkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkglnm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" C:\Windows\SysWOW64\Alihaioe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Idkpganf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbbpakg.dll" C:\Windows\SysWOW64\Kkjnnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljoegei.dll" C:\Windows\SysWOW64\Lklgbadb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Paknelgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjacjifm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll" C:\Windows\SysWOW64\Oococb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnfppba.dll" C:\Windows\SysWOW64\Nenkqi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Adnpkjde.exe N/A
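
The rows above are easy to misread as noise: dozens of dropped EXEs touching the same CLSID. Read together they describe one persistence chain. A value under ShellServiceObjectDelayLoad (SSODL) names the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value names the DLL that explorer.exe will load at logon; each generation of the dropper rewrites that default value to its own randomly named DLL under SysWow64, so only the last write matters for what survives a reboot. The following script, an added example and not part of the sandbox report, parses rows in the shape of this report's "Description Indicator Process Target" tables and resolves that chain. SAMPLE_ROWS is constructed input: the row format is copied from the report, the original sample's long file name is shortened to sample.exe, and only a handful of the rows are reproduced.

```python
"""Correlate sandbox registry rows into the SSODL -> CLSID -> InProcServer32
persistence chain.  Added example, not part of the sandbox report.  SAMPLE_ROWS
is constructed in the shape of the report's rows (abridged, sample.exe stands
in for the original long file name)."""
import re
from collections import defaultdict

# Constructed sample input (row shape copied from the report, abridged).
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbjeinje.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pojecajj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfcfe32.dll" C:\Windows\SysWOW64\Iihiphln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alqnah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" C:\Windows\SysWOW64\Pepcelel.exe N/A
"""

# Row grammar: <op> [(type)] <key path> [= "<data>"] <process> <target>.
# The key path may contain spaces (e.g. a value name such as "Web Event Logger"),
# so it is matched non-greedily and the trailing two tokens anchor the line.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Set value) (?:\(\w+\) )?'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+) (?P<target>\S+)$'
)
SSODL_SUFFIX = '\\microsoft\\windows\\currentversion\\shellserviceobjectdelayload'
INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$', re.I)
CLSID_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')


def parse_row(line):
    """Parse one table row; returns None for headers and blank lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, name, value = m['key'], None, m['value']
    if m['op'] == 'Set value':
        # A trailing backslash ("...\InProcServer32\") denotes the key's default value.
        key, name = key.rsplit('\\', 1)
        value = (value or '').replace('\\\\', '\\')  # the report doubles backslashes
    return {'op': m['op'], 'key': key, 'name': name, 'value': value,
            'process': m['process'], 'target': m['target']}


def parse_rows(text):
    return [e for e in (parse_row(l) for l in text.splitlines()) if e]


def ssodl_chain(events):
    """Map each SSODL entry to the CLSID it names and to every DLL that CLSID's
    InProcServer32 default value has pointed at, in report order.  The last DLL
    is the one explorer.exe will actually load at the next logon."""
    servers = defaultdict(list)   # clsid -> [(dll path, process that wrote it)]
    chain = {}
    for e in events:
        if e['op'] != 'Set value':
            continue
        if e['key'].lower().endswith(SSODL_SUFFIX) and CLSID_RE.match(e['value']):
            chain[e['name']] = {'clsid': e['value'].upper(), 'registered_by': e['process']}
        m = INPROC_RE.search(e['key'])
        if m and e['name'] == '':
            servers[m.group(1).upper()].append((e['value'], e['process']))
    for entry in chain.values():
        entry['servers'] = servers.get(entry['clsid'], [])
        entry['current_dll'] = entry['servers'][-1][0] if entry['servers'] else None
    return chain


def language_probes(events):
    """Processes that opened the NLS Language key (the report's System Language
    Discovery signature).  Alone this is weak evidence, locale look-ups are
    routine; here it is useful only because every dropped generation does it."""
    return sorted({e['process'] for e in events
                   if e['op'] == 'Key opened' and e['key'].lower().endswith('\\nls\\language')})


if __name__ == '__main__':
    events = parse_rows(SAMPLE_ROWS)
    for name, entry in ssodl_chain(events).items():
        print(f"SSODL '{name}' -> {entry['clsid']} (set by {entry['registered_by']})")
        for dll, proc in entry['servers']:
            print(f"    InProcServer32 = {dll}  (written by {proc})")
        print(f"    explorer.exe will load: {entry['current_dll']}")
    print('NLS Language probes:', language_probes(events))
```

On a live host the same correlation is done against the registry directly; the Wow6432Node paths in the report are the 32-bit view of HKLM on a 64-bit Windows. Any SSODL value name not in your baseline, and any InProcServer32 that resolves to an unsigned, recently written DLL with a random eight-letter name, is the artefact to collect before cleaning, because the DLL name differs per infection even though the CLSID does not.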

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe C:\Windows\SysWOW64\Fjhcegll.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe C:\Windows\SysWOW64\Fjhcegll.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe C:\Windows\SysWOW64\Fjhcegll.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe C:\Windows\SysWOW64\Fjhcegll.exe
PID 2536 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fjhcegll.exe C:\Windows\SysWOW64\Fgldnkkf.exe
PID 2536 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fjhcegll.exe C:\Windows\SysWOW64\Fgldnkkf.exe
PID 2536 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fjhcegll.exe C:\Windows\SysWOW64\Fgldnkkf.exe
PID 2536 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fjhcegll.exe C:\Windows\SysWOW64\Fgldnkkf.exe
PID 1972 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Fgldnkkf.exe C:\Windows\SysWOW64\Fjjpjgjj.exe
PID 1972 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Fgldnkkf.exe C:\Windows\SysWOW64\Fjjpjgjj.exe
PID 1972 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Fgldnkkf.exe C:\Windows\SysWOW64\Fjjpjgjj.exe
PID 1972 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Fgldnkkf.exe C:\Windows\SysWOW64\Fjjpjgjj.exe
PID 2136 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Fjjpjgjj.exe C:\Windows\SysWOW64\Gfcnegnk.exe
PID 2136 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Fjjpjgjj.exe C:\Windows\SysWOW64\Gfcnegnk.exe
PID 2136 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Fjjpjgjj.exe C:\Windows\SysWOW64\Gfcnegnk.exe
PID 2136 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Fjjpjgjj.exe C:\Windows\SysWOW64\Gfcnegnk.exe
PID 1192 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Gfcnegnk.exe C:\Windows\SysWOW64\Ghdgfbkl.exe
PID 1192 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Gfcnegnk.exe C:\Windows\SysWOW64\Ghdgfbkl.exe
PID 1192 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Gfcnegnk.exe C:\Windows\SysWOW64\Ghdgfbkl.exe
PID 1192 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Gfcnegnk.exe C:\Windows\SysWOW64\Ghdgfbkl.exe
PID 2936 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Gifclb32.exe
PID 2936 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Gifclb32.exe
PID 2936 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Gifclb32.exe
PID 2936 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Gifclb32.exe
PID 2812 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Gifclb32.exe C:\Windows\SysWOW64\Gkglnm32.exe
PID 2812 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Gifclb32.exe C:\Windows\SysWOW64\Gkglnm32.exe
PID 2812 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Gifclb32.exe C:\Windows\SysWOW64\Gkglnm32.exe
PID 2812 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Gifclb32.exe C:\Windows\SysWOW64\Gkglnm32.exe
PID 1276 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Gkglnm32.exe C:\Windows\SysWOW64\Gbadjg32.exe
PID 1276 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Gkglnm32.exe C:\Windows\SysWOW64\Gbadjg32.exe
PID 1276 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Gkglnm32.exe C:\Windows\SysWOW64\Gbadjg32.exe
PID 1276 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Gkglnm32.exe C:\Windows\SysWOW64\Gbadjg32.exe
PID 2664 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Gbadjg32.exe C:\Windows\SysWOW64\Hgpjhn32.exe
PID 2664 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Gbadjg32.exe C:\Windows\SysWOW64\Hgpjhn32.exe
PID 2664 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Gbadjg32.exe C:\Windows\SysWOW64\Hgpjhn32.exe
PID 2664 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Gbadjg32.exe C:\Windows\SysWOW64\Hgpjhn32.exe
PID 1960 wrote to memory of 556 N/A C:\Windows\SysWOW64\Hgpjhn32.exe C:\Windows\SysWOW64\Hjacjifm.exe
PID 1960 wrote to memory of 556 N/A C:\Windows\SysWOW64\Hgpjhn32.exe C:\Windows\SysWOW64\Hjacjifm.exe
PID 1960 wrote to memory of 556 N/A C:\Windows\SysWOW64\Hgpjhn32.exe C:\Windows\SysWOW64\Hjacjifm.exe
PID 1960 wrote to memory of 556 N/A C:\Windows\SysWOW64\Hgpjhn32.exe C:\Windows\SysWOW64\Hjacjifm.exe
PID 556 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Hjacjifm.exe C:\Windows\SysWOW64\Hjcppidk.exe
PID 556 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Hjacjifm.exe C:\Windows\SysWOW64\Hjcppidk.exe
PID 556 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Hjacjifm.exe C:\Windows\SysWOW64\Hjcppidk.exe
PID 556 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Hjacjifm.exe C:\Windows\SysWOW64\Hjcppidk.exe
PID 1600 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Hjcppidk.exe C:\Windows\SysWOW64\Hfjpdjjo.exe
PID 1600 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Hjcppidk.exe C:\Windows\SysWOW64\Hfjpdjjo.exe
PID 1600 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Hjcppidk.exe C:\Windows\SysWOW64\Hfjpdjjo.exe
PID 1600 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Hjcppidk.exe C:\Windows\SysWOW64\Hfjpdjjo.exe
PID 2848 wrote to memory of 2868 N/A C:\Windows\SysWOW64\Hfjpdjjo.exe C:\Windows\SysWOW64\Iflmjihl.exe
PID 2848 wrote to memory of 2868 N/A C:\Windows\SysWOW64\Hfjpdjjo.exe C:\Windows\SysWOW64\Iflmjihl.exe
PID 2848 wrote to memory of 2868 N/A C:\Windows\SysWOW64\Hfjpdjjo.exe C:\Windows\SysWOW64\Iflmjihl.exe
PID 2848 wrote to memory of 2868 N/A C:\Windows\SysWOW64\Hfjpdjjo.exe C:\Windows\SysWOW64\Iflmjihl.exe
PID 2868 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Iflmjihl.exe C:\Windows\SysWOW64\Injndk32.exe
PID 2868 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Iflmjihl.exe C:\Windows\SysWOW64\Injndk32.exe
PID 2868 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Iflmjihl.exe C:\Windows\SysWOW64\Injndk32.exe
PID 2868 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Iflmjihl.exe C:\Windows\SysWOW64\Injndk32.exe
PID 2144 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Injndk32.exe C:\Windows\SysWOW64\Ilnomp32.exe
PID 2144 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Injndk32.exe C:\Windows\SysWOW64\Ilnomp32.exe
PID 2144 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Injndk32.exe C:\Windows\SysWOW64\Ilnomp32.exe
PID 2144 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Injndk32.exe C:\Windows\SysWOW64\Ilnomp32.exe
PID 2556 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Ilnomp32.exe C:\Windows\SysWOW64\Idkpganf.exe
PID 2556 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Ilnomp32.exe C:\Windows\SysWOW64\Idkpganf.exe
PID 2556 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Ilnomp32.exe C:\Windows\SysWOW64\Idkpganf.exe
PID 2556 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Ilnomp32.exe C:\Windows\SysWOW64\Idkpganf.exe
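
The WriteProcessMemory rows above never fan out: each process writes into exactly one child, which then writes into the next, so the table is a single relay from the submitted sample through a series of freshly dropped EXEs in SysWOW64, each with a different random name. Four rows per parent/child pair is how the sandbox logged the write calls. The script below, an added example that is not part of the sandbox report, rebuilds that lineage from rows in the report's format, keeps the per-edge write count rather than collapsing it, and refuses to guess if the rows ever form a fork instead of a chain. SAMPLE_ROWS is constructed input copying the report's row shape for the first three hops, with the original long sample name shortened to sample.exe.

```python
"""Rebuild the dropper lineage from 'Suspicious use of WriteProcessMemory' rows.
Added example, not part of the sandbox report.  SAMPLE_ROWS is constructed in
the report's row shape (first three hops, sample.exe in place of the long name)."""
import re
from collections import Counter, defaultdict

# Constructed sample input (row shape copied from the report, abridged).
SAMPLE_ROWS = r"""
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\Fjhcegll.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\Fjhcegll.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\Fjhcegll.exe
PID 2356 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\Fjhcegll.exe
PID 2536 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fjhcegll.exe C:\Windows\SysWOW64\Fgldnkkf.exe
PID 2536 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fjhcegll.exe C:\Windows\SysWOW64\Fgldnkkf.exe
PID 2536 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fjhcegll.exe C:\Windows\SysWOW64\Fgldnkkf.exe
PID 2536 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fjhcegll.exe C:\Windows\SysWOW64\Fgldnkkf.exe
PID 1972 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Fgldnkkf.exe C:\Windows\SysWOW64\Fjjpjgjj.exe
PID 1972 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Fgldnkkf.exe C:\Windows\SysWOW64\Fjjpjgjj.exe
PID 1972 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Fgldnkkf.exe C:\Windows\SysWOW64\Fjjpjgjj.exe
PID 1972 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Fgldnkkf.exe C:\Windows\SysWOW64\Fjjpjgjj.exe
"""

ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')


def parse_rows(text):
    """One dict per row.  Duplicates are kept on purpose: the number of writes
    per parent/child pair is part of the observed pattern."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({'src': int(m[1]), 'dst': int(m[2]),
                         'src_image': m[3], 'dst_image': m[4]})
    return rows


def lineage(rows):
    """Return ([(pid, image), ...] from the root writer to the last child,
    Counter of writes per (src, dst) edge).  The root is the one writer that is
    never itself a target.  Raises if the rows form anything but a single chain,
    since a fork would be a different injection pattern and deserves a look."""
    writes = Counter((r['src'], r['dst']) for r in rows)
    image, children = {}, defaultdict(set)
    for r in rows:
        image[r['src']] = r['src_image']
        image[r['dst']] = r['dst_image']
        children[r['src']].add(r['dst'])
    targets = {dst for _, dst in writes}
    roots = [src for src in children if src not in targets]
    if len(roots) != 1:
        raise ValueError(f'expected one root writer, found {roots}')
    chain, pid = [], roots[0]
    while True:
        chain.append((pid, image[pid]))
        nxt = children.get(pid, set())
        if not nxt:
            break
        if len(nxt) > 1:
            raise ValueError(f'PID {pid} wrote into several children: {sorted(nxt)}')
        pid = next(iter(nxt))
    return chain, writes


def relay_summary(chain):
    """What to hunt for afterwards: how many generations were dropped, whether
    they all live under SysWOW64, and whether every generation has a new name."""
    gens = [img for _, img in chain[1:]]
    return {'depth': len(chain) - 1,
            'all_in_syswow64': all(img.lower().startswith('c:\\windows\\syswow64\\') for img in gens),
            'distinct_names': len({img.lower() for img in gens}) == len(gens)}


if __name__ == '__main__':
    chain, writes = lineage(parse_rows(SAMPLE_ROWS))
    for (pid, img), nxt in zip(chain, chain[1:] + [None]):
        edge = f'  --{writes[(pid, nxt[0])]} writes-->' if nxt else ''
        print(f'{pid:>5}  {img}{edge}')
    print(relay_summary(chain))
```

The relay shape is why the Processes list below pairs so many SysWOW64 images: every hop is a new file, so file-name based blocking is useless and the durable indicators are the write-then-spawn pattern itself, the drop directory, and the registry chain recorded in the previous signature.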

Processes

C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe

"C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe"

C:\Windows\SysWOW64\Fjhcegll.exe

C:\Windows\system32\Fjhcegll.exe

C:\Windows\SysWOW64\Fgldnkkf.exe

C:\Windows\system32\Fgldnkkf.exe

C:\Windows\SysWOW64\Fjjpjgjj.exe

C:\Windows\system32\Fjjpjgjj.exe

C:\Windows\SysWOW64\Gfcnegnk.exe

C:\Windows\system32\Gfcnegnk.exe

C:\Windows\SysWOW64\Ghdgfbkl.exe

C:\Windows\system32\Ghdgfbkl.exe

C:\Windows\SysWOW64\Gifclb32.exe

C:\Windows\system32\Gifclb32.exe

C:\Windows\SysWOW64\Gkglnm32.exe

C:\Windows\system32\Gkglnm32.exe

C:\Windows\SysWOW64\Gbadjg32.exe

C:\Windows\system32\Gbadjg32.exe

C:\Windows\SysWOW64\Hgpjhn32.exe

C:\Windows\system32\Hgpjhn32.exe

C:\Windows\SysWOW64\Hjacjifm.exe

C:\Windows\system32\Hjacjifm.exe

C:\Windows\SysWOW64\Hjcppidk.exe

C:\Windows\system32\Hjcppidk.exe

C:\Windows\SysWOW64\Hfjpdjjo.exe

C:\Windows\system32\Hfjpdjjo.exe

C:\Windows\SysWOW64\Iflmjihl.exe

C:\Windows\system32\Iflmjihl.exe

C:\Windows\SysWOW64\Injndk32.exe

C:\Windows\system32\Injndk32.exe

C:\Windows\SysWOW64\Ilnomp32.exe

C:\Windows\system32\Ilnomp32.exe

C:\Windows\SysWOW64\Idkpganf.exe

C:\Windows\system32\Idkpganf.exe

C:\Windows\SysWOW64\Iihiphln.exe

C:\Windows\system32\Iihiphln.exe

C:\Windows\SysWOW64\Jikeeh32.exe

C:\Windows\system32\Jikeeh32.exe

C:\Windows\SysWOW64\Jpdnbbah.exe

C:\Windows\system32\Jpdnbbah.exe

C:\Windows\SysWOW64\Jhbold32.exe

C:\Windows\system32\Jhbold32.exe

C:\Windows\SysWOW64\Jbhcim32.exe

C:\Windows\system32\Jbhcim32.exe

C:\Windows\SysWOW64\Kdklfe32.exe

C:\Windows\system32\Kdklfe32.exe

C:\Windows\SysWOW64\Kncaojfb.exe

C:\Windows\system32\Kncaojfb.exe

C:\Windows\SysWOW64\Kpdjaecc.exe

C:\Windows\system32\Kpdjaecc.exe

C:\Windows\SysWOW64\Kkjnnn32.exe

C:\Windows\system32\Kkjnnn32.exe

C:\Windows\SysWOW64\Kddomchg.exe

C:\Windows\system32\Kddomchg.exe

C:\Windows\SysWOW64\Knmdeioh.exe

C:\Windows\system32\Knmdeioh.exe

C:\Windows\SysWOW64\Lcjlnpmo.exe

C:\Windows\system32\Lcjlnpmo.exe

C:\Windows\SysWOW64\Lfkeokjp.exe

C:\Windows\system32\Lfkeokjp.exe

C:\Windows\SysWOW64\Lklgbadb.exe

C:\Windows\system32\Lklgbadb.exe

C:\Windows\SysWOW64\Lgchgb32.exe

C:\Windows\system32\Lgchgb32.exe

C:\Windows\SysWOW64\Mgedmb32.exe

C:\Windows\system32\Mgedmb32.exe

C:\Windows\SysWOW64\Mmbmeifk.exe

C:\Windows\system32\Mmbmeifk.exe

C:\Windows\SysWOW64\Mmicfh32.exe

C:\Windows\system32\Mmicfh32.exe

C:\Windows\SysWOW64\Nbjeinje.exe

C:\Windows\system32\Nbjeinje.exe

C:\Windows\SysWOW64\Njfjnpgp.exe

C:\Windows\system32\Njfjnpgp.exe

C:\Windows\SysWOW64\Nenkqi32.exe

C:\Windows\system32\Nenkqi32.exe

C:\Windows\SysWOW64\Ofadnq32.exe

C:\Windows\system32\Ofadnq32.exe

C:\Windows\SysWOW64\Opihgfop.exe

C:\Windows\system32\Opihgfop.exe

C:\Windows\SysWOW64\Omnipjni.exe

C:\Windows\system32\Omnipjni.exe

C:\Windows\SysWOW64\Objaha32.exe

C:\Windows\system32\Objaha32.exe

C:\Windows\SysWOW64\Oococb32.exe

C:\Windows\system32\Oococb32.exe

C:\Windows\SysWOW64\Phlclgfc.exe

C:\Windows\system32\Phlclgfc.exe

C:\Windows\SysWOW64\Pepcelel.exe

C:\Windows\system32\Pepcelel.exe

C:\Windows\SysWOW64\Pohhna32.exe

C:\Windows\system32\Pohhna32.exe

C:\Windows\SysWOW64\Pebpkk32.exe

C:\Windows\system32\Pebpkk32.exe

C:\Windows\SysWOW64\Pojecajj.exe

C:\Windows\system32\Pojecajj.exe

C:\Windows\SysWOW64\Pplaki32.exe

C:\Windows\system32\Pplaki32.exe

C:\Windows\SysWOW64\Paknelgk.exe

C:\Windows\system32\Paknelgk.exe

C:\Windows\SysWOW64\Pkcbnanl.exe

C:\Windows\system32\Pkcbnanl.exe

C:\Windows\SysWOW64\Qppkfhlc.exe

C:\Windows\system32\Qppkfhlc.exe

C:\Windows\SysWOW64\Qiioon32.exe

C:\Windows\system32\Qiioon32.exe

C:\Windows\SysWOW64\Qgmpibam.exe

C:\Windows\system32\Qgmpibam.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Accqnc32.exe

C:\Windows\system32\Accqnc32.exe

C:\Windows\SysWOW64\Allefimb.exe

C:\Windows\system32\Allefimb.exe

C:\Windows\SysWOW64\Aaimopli.exe

C:\Windows\system32\Aaimopli.exe

C:\Windows\SysWOW64\Ahbekjcf.exe

C:\Windows\system32\Ahbekjcf.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Alqnah32.exe

C:\Windows\system32\Alqnah32.exe

C:\Windows\SysWOW64\Abmgjo32.exe

C:\Windows\system32\Abmgjo32.exe

C:\Windows\SysWOW64\Agjobffl.exe

C:\Windows\system32\Agjobffl.exe

C:\Windows\SysWOW64\Adnpkjde.exe

C:\Windows\system32\Adnpkjde.exe

C:\Windows\SysWOW64\Bjkhdacm.exe

C:\Windows\system32\Bjkhdacm.exe

C:\Windows\SysWOW64\Bqeqqk32.exe

C:\Windows\system32\Bqeqqk32.exe

C:\Windows\SysWOW64\Bkjdndjo.exe

C:\Windows\system32\Bkjdndjo.exe

C:\Windows\SysWOW64\Bceibfgj.exe

C:\Windows\system32\Bceibfgj.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bgcbhd32.exe

C:\Windows\system32\Bgcbhd32.exe

C:\Windows\SysWOW64\Bigkel32.exe

C:\Windows\system32\Bigkel32.exe

C:\Windows\SysWOW64\Ccmpce32.exe

C:\Windows\system32\Ccmpce32.exe

C:\Windows\SysWOW64\Ciihklpj.exe

C:\Windows\system32\Ciihklpj.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cinafkkd.exe

C:\Windows\system32\Cinafkkd.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Cjakccop.exe

C:\Windows\system32\Cjakccop.exe

C:\Windows\SysWOW64\Cegoqlof.exe

C:\Windows\system32\Cegoqlof.exe

C:\Windows\SysWOW64\Cgfkmgnj.exe

C:\Windows\system32\Cgfkmgnj.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 144

Network

N/A

Files

memory/2356-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Fjhcegll.exe

MD5 4548b026a39fb55971664433b5dc2d3d
SHA1 939d335b1e4fd11ed1d555c648a2befe8e25db44
SHA256 82fbe3ab7d5a49f9dff0278d6317731df6cbd57fc5a82302ae880c6e8f3925d8
SHA512 3dc64ab6374b744f0b048418ca307c74a42ddaa5cb9e71a11ae61647e2fdc871475a6e7ed95189c03af49b8b03ca0f5999e4c4a453ad9b9fa0fdb80a96e7481e

memory/2536-18-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2356-11-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Fgldnkkf.exe

MD5 bde89b0690f435581c5301b5d04cb0fe
SHA1 8c14081742e888be2bff354accc43c779175cdb4
SHA256 fe2aed1c7bec5b2486d03fe6071e4270558f3f2d57397f1750c933b0d5ba6a57
SHA512 2fadf6cbb2137a40a27a9309c5ef9feb963d3f3c97a2e20c513d03c10622f1cd2d6417445e690c482da82b0578b1524a2541130e2a14cddab9555a63b2994b43

memory/1972-31-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Fjjpjgjj.exe

MD5 3d308a75cc6952b343fa81e19c4da8c4
SHA1 8c62637cac25ac907a755cbc7228bb61be84cab9
SHA256 37553c31f58d94cd24ab88e07e9d731948d8e51e959423905ff1ddd10581d6ef
SHA512 bc180fbf9a42acca0dd96e8cf0442566f4e9d03f3405f3402d616a418d54b1d8a4df1ea033456d494639e655ee717a5c3480d2eff8680534729086ccc63f8369

memory/2136-39-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Gfcnegnk.exe

MD5 06e057a9566389202f090304706932a4
SHA1 ed78568087ff0408f9d8c31eb8806bee9ab8543d
SHA256 ce019ca09b2fdad1d45ec79995294364062ab4b110685cf76ba929e74a63ae8c
SHA512 16b7a5cd7f063efb61568d41a3be951f6e1130d5cf132e2fd3e8d930f9c7ef3f82b38de9a4610d97bf39431b1b3b38a56ecb0cef11562614732efd91ea5bca81

memory/1192-54-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2136-52-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/2136-51-0x00000000002B0000-0x00000000002F0000-memory.dmp

\Windows\SysWOW64\Ghdgfbkl.exe

MD5 347962b4860b12c6929a5706ce470fb6
SHA1 a005115d3b8138261707bc84936e92a624e693f1
SHA256 73ace806ce823472277df84c23e27095375e069f43387572083722684ed6a6f9
SHA512 be13f1aaa1e133d2c80fb5df2ba0f8e0eb1f2a8ba4b4366f17186287ac8c40c11d037ff97a49a720b7489583786c8dbd53af3d888f2e4d4eba02134c59feb236

memory/2936-67-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Gifclb32.exe

MD5 c922bbf68ca67380f7f485ec27af975c
SHA1 26d8f0fd84b702afc6a4a35d2a01a60d320b6e8b
SHA256 e9665eec5edb8a06f611542d90c9ce1e564ed06f61b82c34f3f46c367e7e4b87
SHA512 a46a9e075f11d8cbc6442f84138fc1e6e02dbd4bd3387b6e58a21008802bd401cf1ae37654c5a60eaf26c3662bc71e042eeb6f3e72487aaf5272a1ef67e0d352

memory/2812-80-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Gkglnm32.exe

MD5 cb7aa1842289a726b2fdd0f2bb5ef375
SHA1 4284a0c4c79daf62fa314faef610be910e3ef4d4
SHA256 3db7bca9989fe285075fe485d4400bf26ee5d7eee7e729519c76ea7483649a5c
SHA512 ffe2bedb1f62cd532353bf555e516e737f45f22799fb02f947bf1fc0e9141c3827b51936545ce2d76a348e14fa07a01c182904c7f443fdab7980432778655d84

memory/1276-93-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Gbadjg32.exe

MD5 b90150936424a465ffb428082d92e73d
SHA1 387cab7b69029b3397e07e1407a47499e977eb8b
SHA256 a8d8530972c0e1d85a0304c847bd8b060cb10d8392bfedd9ba6594906a5057ff
SHA512 d4bae5fa69d07985a09638b1deb7c981d55a46e176e4d5b8e56000e0ca99e12a2ba62498927713e694eb3e83294b19fb34296f9c21b9da6719ec242cd096d647

memory/1276-101-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2664-107-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Hgpjhn32.exe

MD5 a7e1192112f7e8c933b3f3de3cae03c8
SHA1 6ab19a4ae4ff40374307bbfb91fab8d4afee8b4b
SHA256 726504da036af709d9a94617af3c2b915016caf26fe44c0e6bff5a5608f24752
SHA512 84112e184545c1a1100e3a05c889d286c116dcefd034d28cfe8f66c52fbb37ba8d44b67cbc107bb9940189bdf6585c93e1060d4a429d42029f97d5bf408031ab

memory/1960-120-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Hjacjifm.exe

MD5 9ef904a1920ac518ac3aeb4e9b4fd5a6
SHA1 2a71758b24be3a5be063bb7d2a4697ef79d1ddc7
SHA256 881944ca27d3c12d65d58e3f2476c242796fbdf660e3f0be3e59737be1eff8b4
SHA512 2c12d5c1e81ad728ec23577add1d8cf50c5e4b99630c3a3218f9abcaf0ebe71063adb0f7358de63088627e1e5c20f4379c4daabcf27f6ef6ee00d12abf2b6eb7

memory/1960-127-0x0000000000220000-0x0000000000260000-memory.dmp

memory/556-138-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Hjcppidk.exe

MD5 9e15a43f34a46287146a56a777053e61
SHA1 9e7b952e18fa7a2ae44f433f8586c496051d70dc
SHA256 23da91fad5065c7f6f5ceab5a763fbd15a1dbc5e803722d894a45a60793b95dd
SHA512 8538f82d8b4a60e408f04333f5c0f37adeb6ba0897b5a5409798df6834f569d529145049ca9a77906ce5491d0f0746d4e3ff7c82b091461bdfc38044cb627350

memory/1600-151-0x0000000000400000-0x0000000000440000-memory.dmp

memory/556-146-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1600-156-0x0000000000220000-0x0000000000260000-memory.dmp

\Windows\SysWOW64\Hfjpdjjo.exe

MD5 1ca47b513b74dd170aca65336e455355
SHA1 45dcb961749e5e916fbeb7ccc6a49aed392de7ba
SHA256 c9434471e38e97365cab64c62fc36ec7427e8c7f5004b073b44dff6ea881815d
SHA512 d0ef6fc6810199b3ef3e1de87e37cf63fcc3e133d118ad41ceef10f9df67a8401830b3b2ffb3203a13c0643b0bc16de3c23e70ff58e314fc03788df736c9338d

memory/2848-162-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Iflmjihl.exe

MD5 fda0e7bbbdafc9841f95efd7c4c26439
SHA1 7e1a25faeee4b087eade1428b28892e5765d2348
SHA256 fb59ee1faa0c302663419deb5d49d03b3dea9502715a0426bcdcaa7416acfadc
SHA512 bf23231ef73b4189aa2a1c0627a0757da9459f4f829e38bca1a13f70ade461824a195199970593a652486d3639b2d3e2e882f6e733048407fbd4e8f429b8dc84

memory/2868-175-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2556-202-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ilnomp32.exe

MD5 4fc0f71fc432fc182a0162f5983ed5b8
SHA1 54d6e183ce84eb06f561e56040e50e8abc63b7db
SHA256 f747fe4637cc1eb60988acc4a2e2e440fcd9215fdb2e3c4bf4ee58f08b439682
SHA512 636673694a4a52826141066017372a571444859e5746e909e5bdf6ecc06959da6920ca93f79c84a28fbed2e7b67ab931c376ee52082b3e5fb952bf177c93450b

C:\Windows\SysWOW64\Injndk32.exe

MD5 fd9f2cf68e1f57f41c7efbd9253df6f8
SHA1 37e7eaa2075c84725546679a58e38136a75487d7
SHA256 f2f62f0e57a45db391a9d9d8ca374effdb6285148fcc304f471cfbda7c10f24f
SHA512 5e77ba90e70e93b58bae1a8767b518a83a5ae82ec44a8a25be107c6393e96f9d99ac5bdaafa85750748e77ff6b9809af87bd0eff7b5d2b1865331267b71589f3

memory/2144-189-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2868-187-0x00000000005D0000-0x0000000000610000-memory.dmp

\Windows\SysWOW64\Idkpganf.exe

MD5 ba2850b2e1ba5c76d3dd07bd2a2e10e2
SHA1 105770f30c75efe47799c1a4dd69d131ebd48a7e
SHA256 11b71085714ea88a2992bd833e5d83f9685cbddca643fe976cb5611a5cd5d05c
SHA512 c6438ba25a8c156c9a338c1883ef8ef9d869a26b12537248e14fda98fa8310cecc56fce892db065a4e31945718aa795522c9d663a7d4d4a631cde957eb77781a

memory/1864-215-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1124-225-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Iihiphln.exe

MD5 6901537827b869ad60b301c609d16033
SHA1 eb00ed7cc716a084f59ea1f3abf6495dd3a5300d
SHA256 a628b0191a82dfa1493d62d044c9b51f022d840767ef701a791389d59ef04118
SHA512 5adf17b8519a10c380823ea8ea7d18e859c6b3bc61590516098bb611d5ea6ee8e765e8b24dcfeac4f69450fa1b715436a4056041eb415396ec96c1de6eeb92a5

C:\Windows\SysWOW64\Jikeeh32.exe

MD5 14f3097512376a8153f93e35d5d0d556
SHA1 77a64e50a3fc47b0e09a8537ab928732df23f5cb
SHA256 767ef0c75506aeb9b368fffa8a09289d59b24913ad0aa0133a1a350c451f4124
SHA512 1d147571e874b3df6a37c7acb2879cf8f488c5de84754fc01ce71b16c7cec3a83eba9fe5b7aabe604147684edfc74c0e9392b6619dd8bd36450632f027b91684

C:\Windows\SysWOW64\Jpdnbbah.exe

MD5 7803006eedddd5dad3cea049688524d7
SHA1 833107093823706d8b3b753f3faa78b7357373b0
SHA256 fd97d62a5502d4f6b66298f81312ead501dd3b9140bcbb706563f69d964267c0
SHA512 9d9939820a03783c0528de32beef202b8b48482e79aa42364eed9b90e83b6d7733d5f794c65eb67d85c86fef84717c76fbe06eedfb780d1db99cb46b18530ffb

memory/1340-244-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1736-246-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1340-245-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1340-243-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1124-238-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2428-256-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1736-255-0x00000000003B0000-0x00000000003F0000-memory.dmp

C:\Windows\SysWOW64\Jhbold32.exe

MD5 35ac0c7732a23422f000a4d145cbd57b
SHA1 49c6cb3c40d1f79a41cbf4b9ce09b498c53cd64f
SHA256 1eed4329cc22ec97088c204885b975e7811332a448dffc7858fff3adefb16ce6
SHA512 204ed74a5c6fc22192a59f209e1688ca64f901f1dd3f4ebf07ce1b8fd3bbc708e9a632602aafe548a71cc8e5965961083251a751edf9051ca57b32f320ab4f16

memory/2428-262-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2428-266-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Jbhcim32.exe

MD5 fb594a087bafedc228c7b8c253aa6e45
SHA1 b26f22317301ac12bbf6f318c0bc8935d85b8bef
SHA256 75be8c49ec47704ebe82409eea201d9921feb5e5aad4431d0f436cb47827690b
SHA512 3a9eaec64e862d7b4efad722a355bfeb505bb0acf978a21ac07d319e74f3a9f15f6c8ccf63b2f85f4af89ce8721b9bb6b63b3de77fa72ff32cda903d97ee4521

C:\Windows\SysWOW64\Kdklfe32.exe

MD5 ac87c08af5baaa011b4736bd8848e9c6
SHA1 432ce73b61a7965ae2e4fe3961ac3d28065473af
SHA256 9bf85ff2ea98b9adafb6ebd7389b3e2a9be571568df133bdbc9719187f4fc518
SHA512 f1a3845a272dd1968b8aa3c79141c4b1670baf6a6b1c0267903e4e8bc834f4b187b9f4e5a866a806912fc88d202e676df96b670c2f215fbb2e27fa7b4211d4fa

memory/1580-277-0x0000000000400000-0x0000000000440000-memory.dmp

memory/748-276-0x00000000001B0000-0x00000000001F0000-memory.dmp

memory/1020-288-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1580-287-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1580-286-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Kncaojfb.exe

MD5 252dba6cfb6e5133fb6510bdd0f756e1
SHA1 28c4f9014008e2a4604d7fce7891c86bd2fa069e
SHA256 e4322bd1d946daa1a79dd49ad809f719a48cb316fde5887aff596f36877c2b0c
SHA512 b91b67518bb6f876a42cdc0c164788145043d08562207954c7b0990bd0d2e0ea76e66d17c34fbde40fcb795aa0e55a93c2ca15f0decd48aaa9704028f6fa33bb

memory/748-275-0x00000000001B0000-0x00000000001F0000-memory.dmp

memory/1020-298-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1020-297-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Kpdjaecc.exe

MD5 d1c3049bb648867a56d4f2406e72c89c
SHA1 d1c7b7a6f4ce856b659a528a9ec4a30fc4cac213
SHA256 be7366f85dff2ca4a3dda4df04ac172824405f3804b65f79601f0be6659b50b5
SHA512 e484d1462e83f3901debf7ddd87ca7cafb3625777cff72f6a883a9aae9980f0ee871ad8038f49ab111fb78953637c0dc54acc051c7610d4fe1efc465912d4c1e

memory/1408-305-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Kkjnnn32.exe

MD5 3535d7b6349faca583c750c0934a33f5
SHA1 bb7d1a165d7243cd162966a3ba56a09345a6f641
SHA256 055b79dd32a0b47898e13117a441fd2b2c0be880ed1b8513db04710979445cff
SHA512 edcc8d79b7dd903d0fd72e6d0d30a88f8912bea93ab3980f8ce41078562c5d39b47aec489827a44336efa1167931de2428851bb026a2723c62dcc65fd592a6b0

memory/1408-303-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1408-309-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1624-310-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1624-316-0x00000000003C0000-0x0000000000400000-memory.dmp

C:\Windows\SysWOW64\Kddomchg.exe

MD5 833ea5fd7c2a63867040edc75413041a
SHA1 28663761f913eb0ec038897eaae84d24a02654d3
SHA256 06bad6451f202fe9acbe61930196bc4e09792ba20a0ae1e6dffc809c1c4b8307
SHA512 c175edfc4ae9548bb4f434f420f2381b67b36ea9c93b665f53619c24d6db25bbca4e1cdc01d565d853f181268d4f8431e5a795cd834ee7d7bcb6cf5f1f9c22b7

memory/1624-320-0x00000000003C0000-0x0000000000400000-memory.dmp

C:\Windows\SysWOW64\Knmdeioh.exe

MD5 d4781632db0246961788ed6b5dc0c6f5
SHA1 a914b5045138516fb89bc574ebacd986e51acf90
SHA256 2b902cc40e91626b105ec059e6edba963c9a2c252f5c8230e0182b6505fa100f
SHA512 c3205e34dd425fac88c369f5ed95a70968c7d552289770fc3716bf8d51242552f1b3b9af08506db7977218266f7c2d22c0299c0d08edecb74c3bb7f82a9298ed

memory/2056-329-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2056-334-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1684-330-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1684-340-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Lcjlnpmo.exe

MD5 1e1fd7d3e0733b87e595e48417683f65
SHA1 197780abfa50db4346f6fed0609107eb9655195f
SHA256 779790603916af619120c2b2a8cc16598a1a8475d9cccf1302b788ba53df406e
SHA512 791a34023b9226f94487e976702a2a00420c4cb53ff5b0c7bb8e28b86e5b4609da862fb8fd152f9af14a0b2469916e2ed78f433cae2af031edb1a131f01420db

memory/2500-346-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2496-353-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2500-352-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2500-351-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Lfkeokjp.exe

MD5 9fb6afb8e2d144f1355e15f7fe7f1a17
SHA1 fd66b715d22c7b33de13e72061fe7b7fd8d505a0
SHA256 ff509a73487c5b267dfca42d88e43cc46025aa525ade8b449e24dc46dc3da4ed
SHA512 b3620a09530928848fbace8edecaa828aa3e6c17acbf9f20c73d046d93b14375e620c4fd1a708477922ace7ba7d2775aad15ed8ef7c51f87490f0f905cee8a7c

memory/1684-341-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2920-364-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lklgbadb.exe

MD5 354fd5dc15f79db4ad8afefaed1bb4f1
SHA1 cd51145598410ffebdb17199c8d2e62aa39cc08a
SHA256 d4b0bc3440a6d7b9e7527f6ee86f2c0b25c43789d296bf31e140f723b049b09f
SHA512 4f26cefc67c30f3a76044be79af2cb74aae3903ef2ebe1024a1fbb38437c7850875c6eca3c3870f875d14dbf39e0c3f1cb71fbd90bd12636c304244f4995acd1

memory/2496-363-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2496-362-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Lgchgb32.exe

MD5 b75e5ad3d464e0c36dc98a654eda9e90
SHA1 f3ce9602880b9091379cd67b88bcc4e5efbab8f9
SHA256 48d90030710be215150799b4f92886a8264296c5261f46cd4cf9018c5d653e77
SHA512 a5babd26d9f58220d7b3caae64ed0576292443b1e5cd192e32828681bcf5b066a6d8f6b3425e401cfaf424f67c3cdc4ef23ac09bdee687e70ed3b9145c0b4658

memory/2660-387-0x00000000002A0000-0x00000000002E0000-memory.dmp

memory/2920-377-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2168-392-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2536-388-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2648-400-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2168-399-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1972-398-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mmbmeifk.exe

MD5 4ede4eee1f38468dc8b13312d5850b9c
SHA1 21bd28b4b6e90e847e9599b07d1bb528ee8fa385
SHA256 2b7d5b92152a08a91a7dac82daae71c3f1b518069a9438e63f9a572af4213f5a
SHA512 aa74a9eb68d7502a224e0123fc3ad54a926f86ad25e3e807831e5aec75127796f434e23ab630b4a4c7af4a7e18d855ba2267bbaa55d66ba6a892338be1b6b32e

memory/2356-386-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2660-385-0x00000000002A0000-0x00000000002E0000-memory.dmp

C:\Windows\SysWOW64\Mgedmb32.exe

MD5 b6b567ae45bc764401f9bc6000ce676c
SHA1 610b47bcb84f79265388e2e84ce059113428fdd9
SHA256 eb4d8f1bc91baaa4251590fe80c6d04591ff6c58bdf8afae40f1829384712df8
SHA512 0009889c5b82a2e7d6aa088edc98486c617e201db9295eece1dadd220de5d7da3153177c3ca6f2b3492f17506af81976183d6bdd09c051d78b13ab6750af43cd

memory/2660-381-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2356-379-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2920-373-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Mmicfh32.exe

MD5 b4a79a8176d7c0a6aa2c6409368046a7
SHA1 8ee1eb5b13b2565fc3fedbb95d1ae26c916851fe
SHA256 1c1fc137d32a0040b4303ad4055b957f4f69b4142f5ca3cc719eed36226337cc
SHA512 1299b69c460f0cdfa0ee7640bd84f897b10ecce463ff24787c7bee01c46aacd3abae6b0c705083400c341722358a7ac50dc3b034d3d717127bce7c67f0561348

memory/2136-410-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2648-409-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/2136-415-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/1868-423-0x00000000002C0000-0x0000000000300000-memory.dmp

memory/1868-422-0x00000000002C0000-0x0000000000300000-memory.dmp

memory/2632-421-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1868-420-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nbjeinje.exe

MD5 f9d37cf053d5f86388eb2859481ceb7a
SHA1 25071986c8ad1a042f42d67801516fc939ca72c1
SHA256 ddced9c79ea6d878e7e503345372315987f4161082460aa66bc3022dde4b762e
SHA512 76f50acf15245e7d6138e6015a06ef4782cdc4cc22df53874e2e02e2c8a5a575426f2c465750e81611f5caca7dc98ef18eebffe4c43957067735888bfab8602e

C:\Windows\SysWOW64\Njfjnpgp.exe

MD5 7b53b996a78c0dd77ceb7354f03f27d5
SHA1 de39c4ab64a199c8761ee049e253b680b574fe53
SHA256 bb720a71f595424bd895d91f4792be8155ce6856c6b6f1ce35f8a663444a55be
SHA512 366f16b470ad03c3fdbb8a64fafc0c679b1f5312b8f76a3448823a378b8a2dfbc7f3966ee9e1e680477226b33929b924eb9080765e5fb7c55d4bfbf65f8676ac

memory/1192-437-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1996-439-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1192-433-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2136-429-0x00000000002B0000-0x00000000002F0000-memory.dmp

C:\Windows\SysWOW64\Nenkqi32.exe

MD5 362e1666b8e759ae26327c8449903021
SHA1 ad56006692d72bb9dcc5b86f5a71cfada1a1a1ff
SHA256 6e4260d6da5f7e5408dc0e3670863b4d9c97a1c0abacd3c92b670d8ca4883369
SHA512 eb04874ab66eea4b32d59da1000b56e4cdddb0f7f5d809e9e4775be07596131447c0e167546c8161fb18cdfcc17de89d134a6baffacb6eeb5e4e6ee9f4e371da

memory/2936-444-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1264-445-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ofadnq32.exe

MD5 3be9f0d6e5253e64dc7a1c88a25b6bee
SHA1 96b8f5e6234f6c5c87c1cb691438abef9b21ee01
SHA256 ece0f88447d1777cbd2a0609852ccfbf35543dd992984b4dfc1a649e33fd4ee5
SHA512 82ff9f58b028c033836b06a0929de0eb0cf3699cd99b1b2d4af8933ede5383b856b745a0d112b1e5a91b976eb1c54bbc8c9338411564133c49c90169985fb3a2

memory/2812-454-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2012-459-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2964-477-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Omnipjni.exe

MD5 7ce2daa80341613edf1e88dbf141def2
SHA1 ca5e4ee368632a7fddd5da2c7401309dd488c108
SHA256 b3bde361d48b7115c8aec0cffa190bea2f5350873aa8d81e066d37c85402000b
SHA512 3610e137948594b652138d1dd9de147dd416179b43ba12f47ad70776f2073155ac32a864bdb713ff640f24e80ffca7a25ed37b9a3516f7c6f753cd1d4b114605

memory/2748-479-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2964-470-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1960-478-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2012-465-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2964-476-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Objaha32.exe

MD5 40744e7aff44730fe510a3579beddbc2
SHA1 efe60b6149f5b02106bbbfd21d8ad4c60a458c5a
SHA256 60758fc805f6fa4c7fe321afb4348979455df103c1872738249ca877cbf0b3f4
SHA512 c431c36771dbe4b7cb4ee16f6f591d21b383b21d81026908941c0e74a4a9490deccf3a78e1e47bc716ce81239ae714452e8681f182ff8c82528e25b6be665e45

memory/1276-472-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2012-464-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Opihgfop.exe

MD5 ddf1300f5e6cb695e57a2370933e145a
SHA1 cc6c9f6290b5cefcfc28de9828d4e48bbb60d575
SHA256 eb21210d4190717fd38eb60a42095cea46b2d7d8818e970b311353f73f273c0e
SHA512 f771ce936b3fdee63501724553f2cf78a1cfd91bed5815f3be147021e85bf154bc445b5bfa3386778a1e69abd42d81454e51a648583e5ed6651a62581b12e752

C:\Windows\SysWOW64\Oococb32.exe

MD5 62daec2573510aa0dca721579b99cdc2
SHA1 aa5b7614c2e7541a0fda0ede3ca14da101f6519c
SHA256 90503d5dbb0a8063cb6841132e6b43f4b4eb31201dba339db6551e4cdeed85f6
SHA512 e2746f09fd4e58df74184af088442bf5c9f04a97a45b71e6e4b2966cf6026deb2eca6ba051f1d10030543503dbae9babe65f99e5c5ce293db4e346c7956bad4f

C:\Windows\SysWOW64\Phlclgfc.exe

MD5 f8339e53d89915e40efe82e5db35ab04
SHA1 4c286787e17fea6f8c3bae158d95312f8bfa114e
SHA256 6833a16e24854300452385c17c59961099dee7565c73b37c700ce408dc6430e2
SHA512 9ba3cae44c730c727b63049fa4655a823b5076fca5a0df40172fd77f530f61c88df8fceff1c4886e7c82ac86bd85a2a26129e6eb534f495ebc478a217c665c7a

C:\Windows\SysWOW64\Pepcelel.exe

MD5 045973510843d1191a9c1de985e50418
SHA1 131f453f4cd9abaea29460381f225faa46c9d109
SHA256 dc934a0372e98d016fb49028eb69afec32fa55f5d7bb84790e755e36b7ee6626
SHA512 f1e08cdeca170d078732c070d77b4e97fdc11324f6e75f45ab8949256fe334562b735686c5313e9addfa77bdb9919f684b73da4530378daf8eea1c150b3d5b06

C:\Windows\SysWOW64\Pohhna32.exe

MD5 66036320241c1f44f0a6af76bead0569
SHA1 b8b475bc7d5654052acc78e78ad39b7ead10bdbf
SHA256 ff51193cc91f6e21c24ef27ad04b9e8278a8737319b3f94deca82a38fe4175ea
SHA512 d8bf675961cda9d3177ededb3dbf118d93aff1e65e4e521602fb93565baacb1014dd8f644a31e04375840c5df2daa8cf906c115b81a8c60363ddf886465d052b

C:\Windows\SysWOW64\Pebpkk32.exe

MD5 0008c8d0f74f67933f1ce89b86793c02
SHA1 b15a5e49d2cdab4f18a08b24cf97a5978873c351
SHA256 df2b128e438697bc2d7993e0d0881256abe7dad933fe8d0962216277f07350db
SHA512 6671a830195898643fec65b210851272794e2bb2193ccedc16e651cfbd67ed4bcfb5b3cd8183fb978682ea296328f7216dfd0c2879f1abebfaa8c8bc4adeacac

C:\Windows\SysWOW64\Pojecajj.exe

MD5 0763ddc2edad45622c86b9923e968f97
SHA1 bc099401dd44767759e99300c93813c4018410b9
SHA256 b7dde52210a5168b54fc79a8fe3a59ba8964d8265adab63ded2a4a0f13490d60
SHA512 58457f77646438eda7684e3581913eea5846c1e6c60a2dc34837a6cb26622a83a44993c5798a46c452c2f4b2c59d474f169b431ba8bd97caff5ab59a169895b4

C:\Windows\SysWOW64\Pplaki32.exe

MD5 0fbc45bc389a0190686a8488e1afdaa4
SHA1 bc72ea13517ecdfaadb56cb53a295c0e33bd3326
SHA256 47c3f0fce8c5a1b968c014115d49ff7bc3d0454d28ca7588e2a34037edc383bb
SHA512 485dd56a51839d4620c5f99c0b0b6189b59b029f37a60284ead657a57bbb3fa85b8b7a46cce8d8d5094d7d0c6e394e6d7e370977f51d45964bcd35599b71009d

C:\Windows\SysWOW64\Paknelgk.exe

MD5 a95dd70dabd375f45d6ea1e875bf453b
SHA1 13eab06eaa6eba07ede5a4a1eba52d2051836910
SHA256 02e52d35301ef6f0c95776e043153c1307c0ee4a16d4fa9e3626f27a2bd9ce83
SHA512 63b046efe187dccd4bb604d4e48c5cfcdacf87a1562ba618338086689d3efc9f58d4b41f0d6c600e4c987eee555cd15fb4fd22f194039fbc1ca5a7cf4ea61146

C:\Windows\SysWOW64\Pkcbnanl.exe

MD5 74a2690c89a168026d5caea67e052337
SHA1 5217f1d8064df15f2232fa78df83c985d38801f6
SHA256 918755d366a8412a63c9208101435ddbb27bdf94ab4724e10627e5443915ad92
SHA512 fdcf2e6adf8237766271f29a36fb01f7140f0c88151e500000dd33aecc8a38576e0d35d99844655b255111aa6bc8c502d03998fba7a6d5cff53b9d15c4cdbfa5

C:\Windows\SysWOW64\Qppkfhlc.exe

MD5 d867ac4c6dec88ff7bdcbde97d8159af
SHA1 473ba71c4614d825045e0e815a7b81b9fee47f53
SHA256 96ae4b29e47dafe634dae8a8511d51a538443a72496bc862f922ea914b392c21
SHA512 59bf1c04957b34acd716f0e4e599254b682657b4e2e283be00bc6257d5e48378bcfb6a884a7b130a72ec3533f2e1938584e41aff713b3358da93f98f76f0fc72

C:\Windows\SysWOW64\Qiioon32.exe

MD5 2e177a05c6d22be3e754c7ff8088ea8b
SHA1 28bc9af64f3c2798230d7eba0f17dc11f5329159
SHA256 620425947225c864d22dddd020e3c397e986c64b7f7935d8f9677aa2efa606f5
SHA512 9ad031551b60d554f020ec7a61f4aeac087fca29288186c3fe2dd2be5b2bbb74ae26cb8cf5601f6d7786cc58b8d68db07b4b29960ad307e19c49ae6f307065f3

C:\Windows\SysWOW64\Qgmpibam.exe

MD5 be17ea91fb3245df7ef7eaea882aa10e
SHA1 b1aca4afd1d106accb37ae5e6c7621e311e14b62
SHA256 05530c1aadd57ae374f548d11e26507b0146ff83d0853e428467d767e19fa8f3
SHA512 f600912e3b5f4c65fffeb3d37c63a85796fd2c2c1e5d312ec5d77d2decf0639804d92eadd8e3500a77e84e9c957148215fae219b2f51c838644eb5a51890536b

C:\Windows\SysWOW64\Alihaioe.exe

MD5 d5aa4d1f60f293828d3194046bf28608
SHA1 94a13e8310ea58c43af872b183ee9489060e10c7
SHA256 2d631b8c47aee820dd91a56b89e243e0b4431a40f3e2b2dc2012f13e91c84e15
SHA512 78b3aabc2040478303d28495d4cd04fc875d64c392b4cf98bc3ea5f5bc1ce4369da641a3511c774a66c58f302f8eeda308ff3265e19717fdcb5b7f75b8d140d8

C:\Windows\SysWOW64\Accqnc32.exe

MD5 e5a62ea6f78f8e9fb05eb74c9d3f7c5d
SHA1 e53eac40ab62a6ddc42fd78befdb8bfe94209960
SHA256 592b729cb44aae61922c974b0e3b38ff633b57696d613fc86c7afc1ffdf48749
SHA512 fd629a3c95d31392107eb1bb151871df7022673a506f2b1b15a08e63e32e79637c59fce2245193bab0306c22e90e29da51e395467bf3538483a477219ea07354

C:\Windows\SysWOW64\Allefimb.exe

MD5 030f8a787e173102704eb25d142a31e8
SHA1 1d41cf8ae6f15c7bb2f93c11eaa54c4a6d98449f
SHA256 243b5f0f087d73b94d9e34b342c8a5ad550f1eef31218912deda87dca5ef9719
SHA512 4b4e413708b7550698446d38adb3df9de0a9b8a0c45f0d608247e1c7ca3f32801ec80014cbc5ba37769c081b1d2890ca526a3260ec522e92e137439a1b17e8d3

C:\Windows\SysWOW64\Aaimopli.exe

MD5 561eb11a0918642de2f28f15f33d4a9a
SHA1 f55363dc2959fd9619f4a0e5fd9a58ac17c10cf8
SHA256 6994babd38d739b8b11b2b8b4c9fa874c5c70e693e88b6ba26f1d8475480942e
SHA512 f84ffc298be4667a88d8c60d18eb3ff8969c2430fe4b520ae688c7d6436a9c531d741d8499cb17bf007c2cf594f4bf4e4724541b5aecda6f5c315cce2151f2ab

C:\Windows\SysWOW64\Ahbekjcf.exe

MD5 dfe153d567f5c46b2cbb1921b1cc5e7b
SHA1 13846a7093f1547f00de532864b8d934d3c2f256
SHA256 c18a708d0450d6cf3e884299cfd34a806394cff95374f35ab88ffbe8f22db5d8
SHA512 e77efa19374e688034feaaca689748b610ad7e71dda45657a74d5c751e8328920718a4c86d288ad6a2122f4c54feb68e0268dfbe8dffa1d588f163283d0e196f

C:\Windows\SysWOW64\Aakjdo32.exe

MD5 e33a118339f020506175efdf1cbaffdc
SHA1 9afe77f7fae11a785cec2c22ed6345f5f102f59d
SHA256 c47d2bc329d27278aca5808930fed888e73213ab8f5ff200d9b6d427ca6953c4
SHA512 1b98a4878be923acc7c1a8338fbfff073cb392c51b64b94dc3fb22b1502c2d0d6407ca602edb5d85a48c66ab0554c98d9daabcbc446af839609911bbeb3a96a0

C:\Windows\SysWOW64\Alqnah32.exe

MD5 94ab5ac805df72930ea36491b6c2ce05
SHA1 d63a9678159d4e7817b2945674dc79d6d4d359b2
SHA256 1820615c3477a7394e9274b3920b7cb71af86f87cfad72a602fadd82faca0bad
SHA512 854ce7c2110d16f39f98dae2615972277aee91ce6a1947a5fe088ccefa21ba8481814230566cc840a5a8fa5784575b4fae828e4003589eca27fcb114c9cb6258

C:\Windows\SysWOW64\Abmgjo32.exe

MD5 823e0cf5dece42b18091bda5a9f717bf
SHA1 06eb394cd17f4a993e8e24efec5a67f75a29f69f
SHA256 dfeb1eabc2da2571d345589e9068321b021c78395031384e5eeca0fab76a5108
SHA512 11374aff3e2c416cd726bfe718d0c4be1a3e7eb97154584ca7f6895bae59fcbbd3748389e319afd2260bc5e5065a32afa7d226ffff8a477ab1b50a981155037d

C:\Windows\SysWOW64\Agjobffl.exe

MD5 3236cb755d8bd81b096d08e24de504dd
SHA1 9d4986142d748d7da5c124ddc5895428bdc549ae
SHA256 a07dfb2effc33b7e4f4b1a33bead5af94cb98bf9d106a948527d1d1493340fcb
SHA512 1695058d279ae5e33896b7c7bd8e91fbe2809661696f13d54bf0e6dfae95d20dc6752cdcd8d62f0ff7250d50e7475823d3d0e53ccc11a746c5c57a3043353559

C:\Windows\SysWOW64\Adnpkjde.exe

MD5 4e6ff88e563044a043fcc5a9d0479a28
SHA1 fc7eea580795b0e4aa67e74531a2274846ec3ff8
SHA256 dc510251f1cbfdcb479ed151eace9f03a54d7488d92afb45d7fc961658095c48
SHA512 1b8ca3d9c292159f49d9d493249b2d00e04af2a692caff276776440166491cb1d5f2b975ce01ab4758a9d91158e4a0885899790a4c82ae3219f2258ea59b4a99

C:\Windows\SysWOW64\Bjkhdacm.exe

MD5 e041915386edc27728e409658b31228e
SHA1 0971c71234cae33622e08de954877800b6837229
SHA256 226ee8310691acdb5729dd1375ed4ffd4dc785f188bc02f5c9678c7c0182119f
SHA512 08c84c951b069920153c21cb04b4f979fa9955b3e92e57875d18d00b28cdcc27d26d98127aa6913b472dc1ffd1f27e962d0ed3125c6eef728e31ac5bf39b0f1d

C:\Windows\SysWOW64\Bqeqqk32.exe

MD5 228bd1a0a647509081268a900bbee635
SHA1 5e984849618be4c88ef71a067a5c45160907cecc
SHA256 f1ae3ca0f231bcdbe0c3533b5ff912b708a6443f622483bd15236685fb848912
SHA512 10aac98974a214bcc28a7d58379bedce27ef82b4173701956a6b8765a55a828cdcbcc329d6188e85d5a1dbb627bf57a8ddf9087721a923ed3345e20a5a4ca134

C:\Windows\SysWOW64\Bkjdndjo.exe

MD5 b65132371b58d814140c2e4cf5157f56
SHA1 0a749a4696673f5b305230560ef63016a91661ea
SHA256 baecc24ebda71af6699d1044b78b2ff3c51fe40ea9db2d21017d4963d7bb8ddd
SHA512 052f584bae2b8c4d41e92de791dff919039aaf1d684cdb7eb56cdf13c6f39df8df66cac4ae5411e0f7f096c2b71e58ba6718a99c607fb99c3b3ad541e58d23b5

C:\Windows\SysWOW64\Bceibfgj.exe

MD5 e04d5bc3552c8e92fbb349138b641f27
SHA1 59854c3f9d833d307ac0f7edba711cabc2dd23bb
SHA256 fc30b42e8733c99eb2d02d0709b41328f951476e1b20e902f16683c41f63423b
SHA512 681698e4c4c6e613b3c8dd8f1a4e7b35676a9ed65d3eaac5e48495e1bf8f3660dd1535a57e129c2d6a55423ae6c2c29fea295175db1d6afae962a8d11a63c33d

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 b8eb9d8c01058ae1dd0cc922032f0063
SHA1 2a634f62f357f2dbd52bca185c97a10e631a95d6
SHA256 b0f8b306f85998c77a115eb5bb4dcb2f73a757aac49317a1e68ef25d59f1f8c2
SHA512 7c31d9ecc27562610a81f83cffff2c9da6663f874314be43f707e19b90a6bdc6e8b03a55d6a21f7540ab2268a72ae5d376e347258cdbdb3ff3026c512b839c93

C:\Windows\SysWOW64\Bgcbhd32.exe

MD5 dc3f997af7c474c46ab1aa89cf177510
SHA1 437dae3537e72fa19f64fc54d638398b31577ccd
SHA256 d20ea3851ec1abad5b2e69641035191b895a4cb9bc43ac2c81537f635be8d00f
SHA512 977796893f4aabbf6d68af469bec02ded8774a5d6633a97d1d940a78bf64988b11efb6b6b4090b7a89b0762a2415218b7f797414f038eadd1c13ec7b9d1ecee3

C:\Windows\SysWOW64\Bigkel32.exe

MD5 d865a724382b14815f88d65b2d160ee5
SHA1 28c27db4a4db693c9917986bf08defdf2837c818
SHA256 85f74a40384cf9a3792996e1920c313bac5ee4bbda14a5284901d8ee345fbefa
SHA512 886eb1d74102a595aec0c7a7c2826db09a81de62e11ff021ff26a1eae6d5de54436590bb8343f843e72d04c42de32785e6ed4f43077dea9422f1440c08833e4b

C:\Windows\SysWOW64\Ccmpce32.exe

MD5 ae6bca3f27893e322079a2f4f60ed0c3
SHA1 4107f7516e9b0d3448164afc1edaebd9a4a2eb67
SHA256 1e7b0a9b1f5402f7619cbf288cd1e778eb5e073beb7b996586d658baea667b9a
SHA512 704faac13d86a8bb36a78ee480f7881d99317346942e84082a95b29f5a6fe68ea4de97ebfad34d0ad3f72e6b71092286da406bc8dbb451c049cec38c3cb0849c

C:\Windows\SysWOW64\Ciihklpj.exe

MD5 215c164d1bd7300cc1ec856dd4c712fe
SHA1 4ac03e34ae3022aa07123327435bf51fbb94d8f3
SHA256 71528e50eb58597121848719aea14893b3e00ba61456f5db02391d2fad0c3d39
SHA512 a43f6461c81476c82d8458db4a118d721b73d8e6476967e4e67e0e4f58eb91fd133ea0568aef3b9870bbc22111293a3dce1d414a51e5b8bb2472fa2473befc7d

C:\Windows\SysWOW64\Cocphf32.exe

MD5 3cff5fd71a48ee309e63dc6f800a508a
SHA1 d033448ff60517c3eed1cd9e14c141c53aaa8dd1
SHA256 8acc6e478d88ab2dbdd172db6401f9d8476a2c2df398c48a56893670db2a9f38
SHA512 4d27a4f84abc8fc20c3a4a82b94e0e36107b4c17eb2c2fcb0d5770fbb7606aba7127c0f4e6a7edb5a0fadb31f64ab59dc09ed4d339b9067cbbc1ac62e4dd7580

C:\Windows\SysWOW64\Cgoelh32.exe

MD5 3739724f67d8a575ef31e34d2efb8f0b
SHA1 5c0824ba0e59901a9cd324563fb1f87b47b1e2f8
SHA256 921a748fd57e40050b836150a7fd60c73f196bac657cf74ee06593826cd45b38
SHA512 46e6b247b7600957196222197e3005129908ed5d11c00044ddd762be4d6d21b18a7ef44a082494c8a947eed6e2d79d2e5f8dffb6f9bbf65da25bb94d837b38b4

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 266f98df2a47519b6f89e9a536894bb6
SHA1 a786c4a315175a6519b541a30b1906fa969661d4
SHA256 0e40b8a4961315e583d9faca7383ada176b8c774e15f7e694be1c5e4e3253edc
SHA512 2faf53edab9af0f9efdb0a733421e1443c673e67b7203303f796c9da558a94d89afcbebccdd540252c5831b2b9939fb44c85fa368f61b733074ade76e037ab51

C:\Windows\SysWOW64\Cinafkkd.exe

MD5 97857e72361c13c4a1f405b84ee47a50
SHA1 20057e84d3d38caff84065f9bbd48783e2cb527f
SHA256 34484f71abecb1cff75d9e9c26d26e8b31fa724831a14442358e9a328baf89b4
SHA512 e61269b493cca477c2fd14dade6aa1578b149fbc00ea3124820f10be18cc6589813d2333cb836c16852feb27b43dbf982ceb5d8ba1c62fc1e4b7d8255a9396e9

C:\Windows\SysWOW64\Cnkjnb32.exe

MD5 53d044fda020f37f7cf3da9f351693a9
SHA1 60b1f576302962b93fc348165f1e93841f883c5d
SHA256 7a48a912de4ab1aec44373c2f792fa8d01826a597e03e3b021ab7e056e4a98ca
SHA512 acca189f782cdbfb3bb8d1b1f24f08804fc635042b7da1d0b915dc11500995de733fb5ecffde8ef738d6f526eeb2b004d8d23d29084f4b5baddb5336fd108bf0

C:\Windows\SysWOW64\Cchbgi32.exe

MD5 241feb3e875dab2799340825aab2b10a
SHA1 da081e61e3a9e77f4d237ddc3724014deafa7a9b
SHA256 17ea1f61499aa9ec0a67fe417fa2fbfc7b0c8f89a988e56f291f443ffef6ebb1
SHA512 d4736317e45ab04e7df35a8887b09a13bdeeef47666343f17fa338a372254d6c0ce04df416648dd2fa78f49b94a2676618f78d130e050c9f5245afcf7e5ce5fd

C:\Windows\SysWOW64\Cjakccop.exe

MD5 639a3c3b8377c1ff2b8c1bb61e5e4633
SHA1 4a9a83f14a8acf70b01f0467672179360630e80e
SHA256 ac8c58467d69a198efa7e3203330a8f3c5e6ba2782f0abf5d7611a3ea344f946
SHA512 5d9e0b66b640e11bc5a1791a3b4c0bb729bbd4b426f8e027c9a97a7f15f7c5b527e36d9b98740d90d0dfb1af49afc02a463ffbfdd55cc8414b0517ae898b412c

C:\Windows\SysWOW64\Cegoqlof.exe

MD5 17128872563342ada69e8fa2d6e4324b
SHA1 781f975e5395f60f7f256826b123f53cd1615ad6
SHA256 5e4a59897f597c0f50282e8aca51fdd666df104928ca4343328c64e425c4173a
SHA512 5a0daee7c25f93d542d6e4cd6414f765d9ca367cc1e6af76054c1c7b39528d05deb46a7e7216dd6923fb60e38aa71e8430c188ab06212b24dabeb85e2084167f

C:\Windows\SysWOW64\Cgfkmgnj.exe

MD5 71b5e0accc3ce5b62475e1646ad9ae1c
SHA1 7ef0a1c3ecf75c338035ccc8f3ea3c561686edc3
SHA256 a4c9db5a765395302eb9caffe42bd0fd56cad8d4208f2b31b9991b2ff5f2c4e7
SHA512 7737c08b76768287c55264abf4d6e135552c0c0037f9b75efa7f6edab7ce92b2924475cb8b664592c5158cb916966f2f3c9a84aadd4a87d07ead3cc20c117862

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 c2396759d728690bf1ab093aa95777f3
SHA1 dd0d964e5baa56283140501029c2963cee78acea
SHA256 8b528203ff7f91e0e95fe246d57d93cf150007d2b773c7f03877971618003a81
SHA512 5cffa19ee1379756594e6444291a3fc14f99af76bf279a9d27483b91544c6d245bfee16eff7df0232bc5ce8ba98d6cc277f3a53d9ac06d2b5686dd8113837022

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 08:01

Reported

2024-11-07 08:03

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dobfld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkifae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dogogcpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daconoae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Deagdn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dobfld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Deagdn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhfajjoj.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Dobfld32.exe N/A
File opened for modification C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Dobfld32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Gfghpl32.dll C:\Windows\SysWOW64\Deagdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhfajjoj.exe C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
File created C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File created C:\Windows\SysWOW64\Hcjccj32.dll C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Gmcfdb32.dll C:\Windows\SysWOW64\Dobfld32.exe N/A
File created C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Lbabpnmn.dll C:\Windows\SysWOW64\Dhmgki32.exe N/A
File created C:\Windows\SysWOW64\Agjbpg32.dll C:\Windows\SysWOW64\Dopigd32.exe N/A
File created C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File created C:\Windows\SysWOW64\Alcidkmm.dll C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Dhmgki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Dogogcpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Deagdn32.exe N/A
File created C:\Windows\SysWOW64\Nbgngp32.dll C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Delnin32.exe N/A
File created C:\Windows\SysWOW64\Poahbe32.dll C:\Windows\SysWOW64\Delnin32.exe N/A
File created C:\Windows\SysWOW64\Daconoae.exe C:\Windows\SysWOW64\Dkifae32.exe N/A
File created C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dopigd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dopigd32.exe N/A
File created C:\Windows\SysWOW64\Fpdaoioe.dll C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Eokchkmi.dll C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
File opened for modification C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File created C:\Windows\SysWOW64\Pdheac32.dll C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Dhmgki32.exe N/A
File created C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Deagdn32.exe N/A
File created C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Oammoc32.dll C:\Windows\SysWOW64\Dkifae32.exe N/A
File created C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Dogogcpo.exe N/A
File created C:\Windows\SysWOW64\Kahdohfm.dll C:\Windows\SysWOW64\Dogogcpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Kngpec32.dll C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Dhfajjoj.exe C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
File opened for modification C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Delnin32.exe N/A
File opened for modification C:\Windows\SysWOW64\Daconoae.exe C:\Windows\SysWOW64\Dkifae32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dopigd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Delnin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dobfld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkifae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daconoae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deagdn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhmgki32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" C:\Windows\SysWOW64\Dobfld32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" C:\Windows\SysWOW64\Deagdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deagdn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhmgki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Delnin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Delnin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Deagdn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daconoae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dopigd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dobfld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dobfld32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dopigd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe C:\Windows\SysWOW64\Dhfajjoj.exe
PID 1724 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe C:\Windows\SysWOW64\Dhfajjoj.exe
PID 1724 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe C:\Windows\SysWOW64\Dhfajjoj.exe
PID 2328 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Dopigd32.exe
PID 2328 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Dopigd32.exe
PID 2328 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Dopigd32.exe
PID 4148 wrote to memory of 3204 N/A C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Danecp32.exe
PID 4148 wrote to memory of 3204 N/A C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Danecp32.exe
PID 4148 wrote to memory of 3204 N/A C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Danecp32.exe
PID 3204 wrote to memory of 3412 N/A C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe
PID 3204 wrote to memory of 3412 N/A C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe
PID 3204 wrote to memory of 3412 N/A C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe
PID 3412 wrote to memory of 4500 N/A C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Dobfld32.exe
PID 3412 wrote to memory of 4500 N/A C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Dobfld32.exe
PID 3412 wrote to memory of 4500 N/A C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Dobfld32.exe
PID 4500 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Delnin32.exe
PID 4500 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Delnin32.exe
PID 4500 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Delnin32.exe
PID 2468 wrote to memory of 3416 N/A C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Dfnjafap.exe
PID 2468 wrote to memory of 3416 N/A C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Dfnjafap.exe
PID 2468 wrote to memory of 3416 N/A C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Dfnjafap.exe
PID 3416 wrote to memory of 3140 N/A C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Dkifae32.exe
PID 3416 wrote to memory of 3140 N/A C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Dkifae32.exe
PID 3416 wrote to memory of 3140 N/A C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Dkifae32.exe
PID 3140 wrote to memory of 976 N/A C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Daconoae.exe
PID 3140 wrote to memory of 976 N/A C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Daconoae.exe
PID 3140 wrote to memory of 976 N/A C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Daconoae.exe
PID 976 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Daconoae.exe C:\Windows\SysWOW64\Dhmgki32.exe
PID 976 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Daconoae.exe C:\Windows\SysWOW64\Dhmgki32.exe
PID 976 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Daconoae.exe C:\Windows\SysWOW64\Dhmgki32.exe
PID 3116 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Dogogcpo.exe
PID 3116 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Dogogcpo.exe
PID 3116 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Dogogcpo.exe
PID 1576 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Deagdn32.exe
PID 1576 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Deagdn32.exe
PID 1576 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Deagdn32.exe
PID 4044 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Dgbdlf32.exe
PID 4044 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Dgbdlf32.exe
PID 4044 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Dgbdlf32.exe
PID 4396 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Dmllipeg.exe
PID 4396 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Dmllipeg.exe
PID 4396 wrote to memory of 1852 N/A C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Dmllipeg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe

"C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe"

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 404

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1724-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1724-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Dhfajjoj.exe

MD5 f342d924e8cbf830c9be0e71ab58590e
SHA1 ff052b9c1900cbe3f268a5f81a6e365aed451620
SHA256 604b18928564738b0f3fafef826f63ca24d5c45472412fe52f2298f514c141b8
SHA512 f5082a87f626add0cbe1f625f6f31e863811831eb5cf24590852cee342acb918e52634c70cfa5bb6a472e7461d143999228e1dea233afb4db15ed5a1d739f2ad

memory/2328-8-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dopigd32.exe

MD5 ba213b8716d7b8e1f9904083ef2f6c79
SHA1 159a77c0ce34995685e3b5cfb408174511537d24
SHA256 dda1f3b89c7062cbebb9fbf2eb84f3d05fd66e0ebdebc7b3ddf2b17f57b88be8
SHA512 330b9c52f56313e17eabb35e4e8b75275dc1fce3534792473680628095426052e54bcde2c2b7cda31c9430b8f4f84bcb7beba2a80b925ce66e9ad5cc2759ac0f

memory/4148-17-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Danecp32.exe

MD5 1d509f0e563836cd63d88d119dc738a8
SHA1 ee09d1ef7faf8a1855d63ea821c817f574dae478
SHA256 f198c2061bae08f433245935be14e02ef046837a868b0be360f975312da27ccc
SHA512 a27c30f92870996f096d33e1b3c0cecbe59c1d1bbdde516fd9f14fcb3b0562b3f24d45ed6dd64e237dd905bc1f8611c3019f5c03a2aaa0b378d37b32fc9c0a1c

memory/3204-25-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dhhnpjmh.exe

MD5 a270c814782febb20273f0f7e68d44ad
SHA1 a7763dab6f250c810c162be3b3cf0d51eca5d199
SHA256 bafeee9d404cc1c7929b380017371f8df241969572515237135c9971946c6fb5
SHA512 06cff0e5d211d2d8b78d856b20914abd4e3bb8a56ebb1a98d5653396ddf3a0e64520e4a31d6df096fe4a7c38e37999eda49beabe754726d16ee4b23dca526653

memory/3412-32-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dobfld32.exe

MD5 cc070b7f1c460ad4595d3e96216d6a2e
SHA1 aae16491211e8564c28c9106521e8c20f5ae5afd
SHA256 b40548b7fa9e9311c96c410d228bbc84684f936ebfd3f04bc2e59e2e4e2f25c5
SHA512 d7f1fd2edf961d3b627916f3bab6dc5eaa50d5e61171675b2760e16e79862124d698f816feb2fea066bb3ed8eb074d00030b408dfe406091822f23de1bbb488c

memory/4500-40-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Delnin32.exe

MD5 a7c8c33a805c425e5f7ccde251dd64f4
SHA1 ac97ff01a0fc9100a3d2eb8087f1c039364bcea8
SHA256 393b5e8fd4404895ef46099f091a714809314c463a25f470c30b89cfd86d226f
SHA512 6293cfdfad8a348d8cedafb862221df5d41969c0b8c210290eb28c3b0d48e7418de7f48f7b0353b2f156f6a4958760864d9842a471e4eb724c755482fe5141f7

memory/2468-48-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dfnjafap.exe

MD5 dc7827c1dec0480f0624099cf37da927
SHA1 687f371c199cc1163d79b2b868968b6fb3d0f255
SHA256 2a064621a1fde850db882c403bf61f20b48ace52b0be5be66f74c9568eb86a24
SHA512 99b45e77e4216136b87322633e051e5f15f6c28bb9cd5b839a53c351df63625d5e15abf0b98177f547a7832d6ff54ab5722e02331087f7cd9991c91becc358a5

memory/3416-57-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dkifae32.exe

MD5 9d933419bb2a3f2f25a06eee2db6e8cb
SHA1 1ff1303b6fc9ae298cb4f79134ef5179d303b792
SHA256 74bfddd0544c5b2c7d15e4737a2d45d432bfb1dc2050547ece1f20d8762407a6
SHA512 fd34547515587ddf2bce976da958343ec88638bffeeacf24637223d3b2d0451ee601dcf5e46ec8cd143896d00af5c8a19c4ff7ddd371073baeeb6f8322035c2f

memory/3140-64-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Daconoae.exe

MD5 deea790b067555ab96169caed39e7a49
SHA1 356400540ad19a8e1755f86ad16540f4548de778
SHA256 ec8b3005416d3295152098e08bf8175692d8c136f3115e65dab777e36cbb1a64
SHA512 b3509b0926416872bc3689ae016a438c671c71db8bba8167842c666d858bcd8154a2c4df111c393258a54d616fc19f3b51ee6b9a9179d0ce6049dc86807f5d11

memory/976-73-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dhmgki32.exe

MD5 573677e2230c06d6e2911041e3482a88
SHA1 ed3f3ebd673cb6289876e49a29def3ebbed85e78
SHA256 a39252a3d1c3e02ad24bdbc3cb46e82c8642f8f9ef2ab7309bd0a36480c030c7
SHA512 46f0b6a719a02a3f0a7a933b97e497a9c7dc9ba3e226196198e0efb633da8fcee88d35a5c31a67be5ce4fa780ff9f487a1123331cfc9f737d7d25e8935970dc8

memory/3116-80-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dogogcpo.exe

MD5 a9b4a1e8338d991d88776454df78f82a
SHA1 24d07b746fd2620fa18f2c1dd146ca9c14a0fb8b
SHA256 ea183a58767e5074e535b737ed2510eee5e591d9ac0f69033b29856f5e0e5d68
SHA512 4ba636e0730352b1936134f1947c6b74cf374b07a91cdd898977deb0d28645e5726fac59b7297c45568f0de15a835cbcb0c878dd877c8f7b124e49ee7396b542

memory/1576-88-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Deagdn32.exe

MD5 2be42037b34325da3e3e8be54b62dea4
SHA1 bdbce7c82863472cf4b9eb90e069c25946ed227b
SHA256 0f39ab61bf512174a41d0d393d11386938e37da276ae1844d54214bab9f9a279
SHA512 719caa0fe3bdce1c86ac18b7634fd5a4c11f4280154caade7bc207bfa6bfa499adc0f720613665c9cc01a943341207a9bafd2d4770a948801688d8854993435e

memory/4044-97-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4396-104-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dgbdlf32.exe

MD5 e08d48794e26021f30a79a943b62b8f9
SHA1 73942a2356f4ebe72f4e0a693bb0f2f022160b20
SHA256 67839a72c20d2e1b3715f5ae74ef9d985526dbc7e80e99073ce2da40e97c5775
SHA512 13c464f66c61c34efca9bbd612e7d8f32c4a6c4345bea9accb5b6d279144c26b8df7457df030f95a113486c7dbc79fdeb68f17af1623129bb84bfc4cfe4a8770

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 90e1366cb198a89a531bfd76b82b3f5e
SHA1 c849aede0b7adf260840364acab26291651f2412
SHA256 328524688e78364665cd1d7b8287ddb1aa9cbe7c93852f939c7529c41067f704
SHA512 151f3c0302aaff1a230c61f7a69e64dbc8334d3bf9d82a72a36c92efb802ec1d966f2b5eba85a55614a05f389f509557d841f105dbadd75b7e274993187c439e

memory/1852-113-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4396-116-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3116-120-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3416-121-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2468-125-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2328-127-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4148-126-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3204-124-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3412-123-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4500-122-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3140-119-0x0000000000400000-0x0000000000440000-memory.dmp

memory/976-118-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1576-117-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4044-115-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1852-114-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1724-128-0x0000000000400000-0x0000000000440000-memory.dmp