Malware Analysis Report

2024-11-13 17:36

Sample ID 241110-b31hlszkek
Target be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N
SHA256 be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808
Tags
discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808

Threat Level: Known bad

The file be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:42

Platform

win7-20240903-en

Max time kernel

105s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alihaioe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cagienkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npjlhcmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boljgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qeppdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oaghki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phcilf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpfmmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjakccop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhjlli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apedah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahpifj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Boljgg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ciihklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Plgolf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnfqccna.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nabopjmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkegah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceebklai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Neiaeiii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oemgplgo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcljmdmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pepcelel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajpepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Neknki32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cocphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cchbgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phqmgg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbppnbhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngealejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Objaha32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olebgfao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbagipfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahgofi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omnipjni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akfkbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Coacbfii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pljlbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ppnnai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bceibfgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oekjjl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkaehb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahpifj32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Nlnpgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjlhcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngealejo.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnoiio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Neknki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njhfcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nabopjmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfoghakb.exe N/A
N/A N/A C:\Windows\SysWOW64\Omioekbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaghki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Odgamdef.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Olbfagca.exe N/A
N/A N/A C:\Windows\SysWOW64\Opnbbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oekjjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiffkkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Olebgfao.exe N/A
N/A N/A C:\Windows\SysWOW64\Oabkom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oemgplgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Plgolf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjphcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbagipfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pepcelel.exe N/A
N/A N/A C:\Windows\SysWOW64\Pljlbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pohhna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pohhna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmkhjncg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pebpkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Phqmgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgcmbcih.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgcmbcih.exe N/A
N/A N/A C:\Windows\SysWOW64\Pojecajj.exe N/A
N/A N/A C:\Windows\SysWOW64\Paiaplin.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcilf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkaehb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppnnai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcljmdmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pghfnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pifbjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcogbdkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkfocaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpbglhjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcachc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeppdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Apedah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Accqnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agolnbok.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahpifj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apgagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfmcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaimopli.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alnalh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aomnhd32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlnpgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlnpgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjlhcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjlhcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngealejo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngealejo.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnoiio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnoiio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Neknki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neknki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njhfcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njhfcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nabopjmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nabopjmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfoghakb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfoghakb.exe N/A
N/A N/A C:\Windows\SysWOW64\Omioekbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Omioekbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaghki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaghki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Odgamdef.exe N/A
N/A N/A C:\Windows\SysWOW64\Odgamdef.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Olbfagca.exe N/A
N/A N/A C:\Windows\SysWOW64\Olbfagca.exe N/A
N/A N/A C:\Windows\SysWOW64\Opnbbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opnbbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oekjjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oekjjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiffkkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiffkkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Olebgfao.exe N/A
N/A N/A C:\Windows\SysWOW64\Olebgfao.exe N/A
N/A N/A C:\Windows\SysWOW64\Oabkom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oabkom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oemgplgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Oemgplgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Plgolf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plgolf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjphcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjphcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbagipfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbagipfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pepcelel.exe N/A
N/A N/A C:\Windows\SysWOW64\Pepcelel.exe N/A
N/A N/A C:\Windows\SysWOW64\Pljlbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pljlbf32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ofaejacl.dll C:\Windows\SysWOW64\Cmpgpond.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkjphcff.exe C:\Windows\SysWOW64\Plgolf32.exe N/A
File created C:\Windows\SysWOW64\Eoobfoke.dll C:\Windows\SysWOW64\Adlcfjgh.exe N/A
File created C:\Windows\SysWOW64\Calcpm32.exe C:\Windows\SysWOW64\Cmpgpond.exe N/A
File created C:\Windows\SysWOW64\Olebgfao.exe C:\Windows\SysWOW64\Oiffkkbk.exe N/A
File created C:\Windows\SysWOW64\Pdeqfhjd.exe C:\Windows\SysWOW64\Pebpkk32.exe N/A
File created C:\Windows\SysWOW64\Fdakoaln.dll C:\Windows\SysWOW64\Phcilf32.exe N/A
File created C:\Windows\SysWOW64\Bbbpenco.exe C:\Windows\SysWOW64\Bnfddp32.exe N/A
File created C:\Windows\SysWOW64\Cdpkangm.dll C:\Windows\SysWOW64\Bceibfgj.exe N/A
File created C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Nlnpgd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngealejo.exe C:\Windows\SysWOW64\Npjlhcmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Objaha32.exe C:\Windows\SysWOW64\Odgamdef.exe N/A
File created C:\Windows\SysWOW64\Gfikmo32.dll C:\Windows\SysWOW64\Bffbdadk.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdeqfhjd.exe C:\Windows\SysWOW64\Pebpkk32.exe N/A
File created C:\Windows\SysWOW64\Ekndacia.dll C:\Windows\SysWOW64\Accqnc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Akfkbd32.exe C:\Windows\SysWOW64\Ahgofi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Cjakccop.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Nhgnaehm.exe N/A
File created C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Oaghki32.exe N/A
File created C:\Windows\SysWOW64\Pqbolhmg.dll C:\Windows\SysWOW64\Objaha32.exe N/A
File created C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Ajpepm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnfddp32.exe C:\Windows\SysWOW64\Bgllgedi.exe N/A
File created C:\Windows\SysWOW64\Pobghn32.dll C:\Windows\SysWOW64\Cpfmmf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cagienkb.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File created C:\Windows\SysWOW64\Cnkjnb32.exe C:\Windows\SysWOW64\Ckmnbg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Neknki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe C:\Windows\SysWOW64\Njhfcp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Phqmgg32.exe C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgfkmgnj.exe C:\Windows\SysWOW64\Ccjoli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Plgolf32.exe C:\Windows\SysWOW64\Oemgplgo.exe N/A
File opened for modification C:\Windows\SysWOW64\Paiaplin.exe C:\Windows\SysWOW64\Pojecajj.exe N/A
File created C:\Windows\SysWOW64\Nhiejpim.dll C:\Windows\SysWOW64\Pkaehb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cileqlmg.exe C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
File created C:\Windows\SysWOW64\Nmlkfoig.dll C:\Windows\SysWOW64\Ofcqcp32.exe N/A
File created C:\Windows\SysWOW64\Cpqmndme.dll C:\Windows\SysWOW64\Alihaioe.exe N/A
File created C:\Windows\SysWOW64\Ajpepm32.exe C:\Windows\SysWOW64\Aaimopli.exe N/A
File opened for modification C:\Windows\SysWOW64\Qcachc32.exe C:\Windows\SysWOW64\Qpbglhjq.exe N/A
File created C:\Windows\SysWOW64\Kmapmi32.dll C:\Windows\SysWOW64\Bgllgedi.exe N/A
File created C:\Windows\SysWOW64\Bqgmfkhg.exe C:\Windows\SysWOW64\Bniajoic.exe N/A
File created C:\Windows\SysWOW64\Okhdnm32.dll C:\Windows\SysWOW64\Oaghki32.exe N/A
File created C:\Windows\SysWOW64\Pbagipfi.exe C:\Windows\SysWOW64\Pkjphcff.exe N/A
File opened for modification C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Ajpepm32.exe N/A
File created C:\Windows\SysWOW64\Afffenbp.exe C:\Windows\SysWOW64\Achjibcl.exe N/A
File opened for modification C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Bnknoogp.exe N/A
File created C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Ngealejo.exe N/A
File created C:\Windows\SysWOW64\Eifppipg.dll C:\Windows\SysWOW64\Nnoiio32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Oaghki32.exe N/A
File created C:\Windows\SysWOW64\Boogmgkl.exe C:\Windows\SysWOW64\Bmpkqklh.exe N/A
File created C:\Windows\SysWOW64\Acnenl32.dll C:\Windows\SysWOW64\Ceebklai.exe N/A
File created C:\Windows\SysWOW64\Efeckm32.dll C:\Windows\SysWOW64\Cchbgi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qeppdo32.exe C:\Windows\SysWOW64\Qcachc32.exe N/A
File created C:\Windows\SysWOW64\Bnjdhe32.dll C:\Windows\SysWOW64\Bigkel32.exe N/A
File opened for modification C:\Windows\SysWOW64\Clojhf32.exe C:\Windows\SysWOW64\Cchbgi32.exe N/A
File created C:\Windows\SysWOW64\Neiaeiii.exe C:\Windows\SysWOW64\Nnoiio32.exe N/A
File created C:\Windows\SysWOW64\Ddaafojo.dll C:\Windows\SysWOW64\Oidiekdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Oekjjl32.exe C:\Windows\SysWOW64\Opnbbe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Anbkipok.exe C:\Windows\SysWOW64\Akcomepg.exe N/A
File created C:\Windows\SysWOW64\Lmdlck32.dll C:\Windows\SysWOW64\Bbbpenco.exe N/A
File opened for modification C:\Windows\SysWOW64\Neknki32.exe C:\Windows\SysWOW64\Nnafnopi.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkmlmbcd.exe C:\Windows\SysWOW64\Pljlbf32.exe N/A
File created C:\Windows\SysWOW64\Paiaplin.exe C:\Windows\SysWOW64\Pojecajj.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfmhdpnc.exe C:\Windows\SysWOW64\Cnfqccna.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Neiaeiii.exe N/A
File created C:\Windows\SysWOW64\Dfqnol32.dll C:\Windows\SysWOW64\Qpbglhjq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system32†Dhhhbg32.¿xe C:\Windows\SysWOW64\Dpapaj32.exe N/A
File opened for modification C:\Windows\system32†Dhhhbg32.¿xe C:\Windows\SysWOW64\Dpapaj32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neiaeiii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjakccop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olebgfao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pepcelel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Achjibcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahgofi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgllgedi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajpepm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danpemej.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngealejo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhgnaehm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnafnopi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbbpenco.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbppnbhm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neknki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnfddp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clojhf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Objaha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkjphcff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pohhna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlnpgd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkaehb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcachc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhjlli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npjlhcmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qkfocaki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boogmgkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oaghki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oiffkkbk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaimopli.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abmgjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmkhjncg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bigkel32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bniajoic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oekjjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paiaplin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oidiekdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Andgop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgoime32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phcilf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agolnbok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anbkipok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bffbdadk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckmnbg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djdgic32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plgolf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pghfnc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acfmcc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkegah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkmlmbcd.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Opnbbe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oekjjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll" C:\Windows\SysWOW64\Qcachc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qeppdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Accqnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll" C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefdbdjo.dll" C:\Windows\SysWOW64\Opnbbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll" C:\Windows\SysWOW64\Achjibcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippbdn32.dll" C:\Windows\SysWOW64\Ngealejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjmdhnf.dll" C:\Windows\SysWOW64\Oekjjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll" C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll" C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll" C:\Windows\SysWOW64\Boljgg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Npjlhcmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeeheknp.dll" C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Boogmgkl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkegah32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgoelh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" C:\Windows\SysWOW64\Ceebklai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll" C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll" C:\Windows\SysWOW64\Cfkloq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Npjlhcmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" C:\Windows\SysWOW64\Oaghki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pghfnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Apedah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfkloq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njhfcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oekjjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioba32.dll" C:\Windows\SysWOW64\Pbagipfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkaehb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akfkbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pebpkk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajpepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll" C:\Windows\SysWOW64\Aomnhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhapci32.dll" C:\Windows\SysWOW64\Plgolf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Phcilf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll" C:\Windows\SysWOW64\Boogmgkl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkgbapp.dll" C:\Windows\SysWOW64\Nfoghakb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nfoghakb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqbolhmg.dll" C:\Windows\SysWOW64\Objaha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll" C:\Windows\SysWOW64\Pmkhjncg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acfmcc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bgllgedi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Paiaplin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll" C:\Windows\SysWOW64\Phcilf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll" C:\Windows\SysWOW64\Bnfddp32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe C:\Windows\SysWOW64\Nlnpgd32.exe
PID 2320 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe C:\Windows\SysWOW64\Nlnpgd32.exe
PID 2320 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe C:\Windows\SysWOW64\Nlnpgd32.exe
PID 2320 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe C:\Windows\SysWOW64\Nlnpgd32.exe
PID 1868 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Nlnpgd32.exe C:\Windows\SysWOW64\Npjlhcmd.exe
PID 1868 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Nlnpgd32.exe C:\Windows\SysWOW64\Npjlhcmd.exe
PID 1868 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Nlnpgd32.exe C:\Windows\SysWOW64\Npjlhcmd.exe
PID 1868 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Nlnpgd32.exe C:\Windows\SysWOW64\Npjlhcmd.exe
PID 2284 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Ngealejo.exe
PID 2284 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Ngealejo.exe
PID 2284 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Ngealejo.exe
PID 2284 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Ngealejo.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Ngealejo.exe C:\Windows\SysWOW64\Nnoiio32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Ngealejo.exe C:\Windows\SysWOW64\Nnoiio32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Ngealejo.exe C:\Windows\SysWOW64\Nnoiio32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Ngealejo.exe C:\Windows\SysWOW64\Nnoiio32.exe
PID 2696 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Neiaeiii.exe
PID 2696 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Neiaeiii.exe
PID 2696 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Neiaeiii.exe
PID 2696 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Neiaeiii.exe
PID 2584 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Neiaeiii.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 2584 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Neiaeiii.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 2584 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Neiaeiii.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 2584 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Neiaeiii.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 2604 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2604 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2604 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2604 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2720 wrote to memory of 1460 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Neknki32.exe
PID 2720 wrote to memory of 1460 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Neknki32.exe
PID 2720 wrote to memory of 1460 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Neknki32.exe
PID 2720 wrote to memory of 1460 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Neknki32.exe
PID 1460 wrote to memory of 776 N/A C:\Windows\SysWOW64\Neknki32.exe C:\Windows\SysWOW64\Njhfcp32.exe
PID 1460 wrote to memory of 776 N/A C:\Windows\SysWOW64\Neknki32.exe C:\Windows\SysWOW64\Njhfcp32.exe
PID 1460 wrote to memory of 776 N/A C:\Windows\SysWOW64\Neknki32.exe C:\Windows\SysWOW64\Njhfcp32.exe
PID 1460 wrote to memory of 776 N/A C:\Windows\SysWOW64\Neknki32.exe C:\Windows\SysWOW64\Njhfcp32.exe
PID 776 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Nabopjmj.exe
PID 776 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Nabopjmj.exe
PID 776 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Nabopjmj.exe
PID 776 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Nabopjmj.exe
PID 2812 wrote to memory of 764 N/A C:\Windows\SysWOW64\Nabopjmj.exe C:\Windows\SysWOW64\Nfoghakb.exe
PID 2812 wrote to memory of 764 N/A C:\Windows\SysWOW64\Nabopjmj.exe C:\Windows\SysWOW64\Nfoghakb.exe
PID 2812 wrote to memory of 764 N/A C:\Windows\SysWOW64\Nabopjmj.exe C:\Windows\SysWOW64\Nfoghakb.exe
PID 2812 wrote to memory of 764 N/A C:\Windows\SysWOW64\Nabopjmj.exe C:\Windows\SysWOW64\Nfoghakb.exe
PID 764 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Nfoghakb.exe C:\Windows\SysWOW64\Omioekbo.exe
PID 764 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Nfoghakb.exe C:\Windows\SysWOW64\Omioekbo.exe
PID 764 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Nfoghakb.exe C:\Windows\SysWOW64\Omioekbo.exe
PID 764 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Nfoghakb.exe C:\Windows\SysWOW64\Omioekbo.exe
PID 2940 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Omioekbo.exe C:\Windows\SysWOW64\Ofadnq32.exe
PID 2940 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Omioekbo.exe C:\Windows\SysWOW64\Ofadnq32.exe
PID 2940 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Omioekbo.exe C:\Windows\SysWOW64\Ofadnq32.exe
PID 2940 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Omioekbo.exe C:\Windows\SysWOW64\Ofadnq32.exe
PID 2508 wrote to memory of 916 N/A C:\Windows\SysWOW64\Ofadnq32.exe C:\Windows\SysWOW64\Oaghki32.exe
PID 2508 wrote to memory of 916 N/A C:\Windows\SysWOW64\Ofadnq32.exe C:\Windows\SysWOW64\Oaghki32.exe
PID 2508 wrote to memory of 916 N/A C:\Windows\SysWOW64\Ofadnq32.exe C:\Windows\SysWOW64\Oaghki32.exe
PID 2508 wrote to memory of 916 N/A C:\Windows\SysWOW64\Ofadnq32.exe C:\Windows\SysWOW64\Oaghki32.exe
PID 916 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Oaghki32.exe C:\Windows\SysWOW64\Ofcqcp32.exe
PID 916 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Oaghki32.exe C:\Windows\SysWOW64\Ofcqcp32.exe
PID 916 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Oaghki32.exe C:\Windows\SysWOW64\Ofcqcp32.exe
PID 916 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Oaghki32.exe C:\Windows\SysWOW64\Ofcqcp32.exe
PID 2528 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Omnipjni.exe
PID 2528 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Omnipjni.exe
PID 2528 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Omnipjni.exe
PID 2528 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Omnipjni.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe

"C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe"

C:\Windows\SysWOW64\Nlnpgd32.exe

C:\Windows\system32\Nlnpgd32.exe

C:\Windows\SysWOW64\Npjlhcmd.exe

C:\Windows\system32\Npjlhcmd.exe

C:\Windows\SysWOW64\Ngealejo.exe

C:\Windows\system32\Ngealejo.exe

C:\Windows\SysWOW64\Nnoiio32.exe

C:\Windows\system32\Nnoiio32.exe

C:\Windows\SysWOW64\Neiaeiii.exe

C:\Windows\system32\Neiaeiii.exe

C:\Windows\SysWOW64\Nhgnaehm.exe

C:\Windows\system32\Nhgnaehm.exe

C:\Windows\SysWOW64\Nnafnopi.exe

C:\Windows\system32\Nnafnopi.exe

C:\Windows\SysWOW64\Neknki32.exe

C:\Windows\system32\Neknki32.exe

C:\Windows\SysWOW64\Njhfcp32.exe

C:\Windows\system32\Njhfcp32.exe

C:\Windows\SysWOW64\Nabopjmj.exe

C:\Windows\system32\Nabopjmj.exe

C:\Windows\SysWOW64\Nfoghakb.exe

C:\Windows\system32\Nfoghakb.exe

C:\Windows\SysWOW64\Omioekbo.exe

C:\Windows\system32\Omioekbo.exe

C:\Windows\SysWOW64\Ofadnq32.exe

C:\Windows\system32\Ofadnq32.exe

C:\Windows\SysWOW64\Oaghki32.exe

C:\Windows\system32\Oaghki32.exe

C:\Windows\SysWOW64\Ofcqcp32.exe

C:\Windows\system32\Ofcqcp32.exe

C:\Windows\SysWOW64\Omnipjni.exe

C:\Windows\system32\Omnipjni.exe

C:\Windows\SysWOW64\Odgamdef.exe

C:\Windows\system32\Odgamdef.exe

C:\Windows\SysWOW64\Objaha32.exe

C:\Windows\system32\Objaha32.exe

C:\Windows\SysWOW64\Oidiekdn.exe

C:\Windows\system32\Oidiekdn.exe

C:\Windows\SysWOW64\Olbfagca.exe

C:\Windows\system32\Olbfagca.exe

C:\Windows\SysWOW64\Opnbbe32.exe

C:\Windows\system32\Opnbbe32.exe

C:\Windows\SysWOW64\Oekjjl32.exe

C:\Windows\system32\Oekjjl32.exe

C:\Windows\SysWOW64\Oiffkkbk.exe

C:\Windows\system32\Oiffkkbk.exe

C:\Windows\SysWOW64\Olebgfao.exe

C:\Windows\system32\Olebgfao.exe

C:\Windows\SysWOW64\Oabkom32.exe

C:\Windows\system32\Oabkom32.exe

C:\Windows\SysWOW64\Oemgplgo.exe

C:\Windows\system32\Oemgplgo.exe

C:\Windows\SysWOW64\Plgolf32.exe

C:\Windows\system32\Plgolf32.exe

C:\Windows\SysWOW64\Pkjphcff.exe

C:\Windows\system32\Pkjphcff.exe

C:\Windows\SysWOW64\Pbagipfi.exe

C:\Windows\system32\Pbagipfi.exe

C:\Windows\SysWOW64\Pepcelel.exe

C:\Windows\system32\Pepcelel.exe

C:\Windows\SysWOW64\Pljlbf32.exe

C:\Windows\system32\Pljlbf32.exe

C:\Windows\SysWOW64\Pkmlmbcd.exe

C:\Windows\system32\Pkmlmbcd.exe

C:\Windows\SysWOW64\Pohhna32.exe

C:\Windows\system32\Pohhna32.exe

C:\Windows\SysWOW64\Pohhna32.exe

C:\Windows\system32\Pohhna32.exe

C:\Windows\SysWOW64\Pmkhjncg.exe

C:\Windows\system32\Pmkhjncg.exe

C:\Windows\SysWOW64\Pebpkk32.exe

C:\Windows\system32\Pebpkk32.exe

C:\Windows\SysWOW64\Pdeqfhjd.exe

C:\Windows\system32\Pdeqfhjd.exe

C:\Windows\SysWOW64\Phqmgg32.exe

C:\Windows\system32\Phqmgg32.exe

C:\Windows\SysWOW64\Pgcmbcih.exe

C:\Windows\system32\Pgcmbcih.exe

C:\Windows\SysWOW64\Pgcmbcih.exe

C:\Windows\system32\Pgcmbcih.exe

C:\Windows\SysWOW64\Pojecajj.exe

C:\Windows\system32\Pojecajj.exe

C:\Windows\SysWOW64\Paiaplin.exe

C:\Windows\system32\Paiaplin.exe

C:\Windows\SysWOW64\Phcilf32.exe

C:\Windows\system32\Phcilf32.exe

C:\Windows\SysWOW64\Pkaehb32.exe

C:\Windows\system32\Pkaehb32.exe

C:\Windows\SysWOW64\Ppnnai32.exe

C:\Windows\system32\Ppnnai32.exe

C:\Windows\SysWOW64\Pcljmdmj.exe

C:\Windows\system32\Pcljmdmj.exe

C:\Windows\SysWOW64\Pghfnc32.exe

C:\Windows\system32\Pghfnc32.exe

C:\Windows\SysWOW64\Pifbjn32.exe

C:\Windows\system32\Pifbjn32.exe

C:\Windows\SysWOW64\Qcogbdkg.exe

C:\Windows\system32\Qcogbdkg.exe

C:\Windows\SysWOW64\Qkfocaki.exe

C:\Windows\system32\Qkfocaki.exe

C:\Windows\SysWOW64\Qpbglhjq.exe

C:\Windows\system32\Qpbglhjq.exe

C:\Windows\SysWOW64\Qcachc32.exe

C:\Windows\system32\Qcachc32.exe

C:\Windows\SysWOW64\Qeppdo32.exe

C:\Windows\system32\Qeppdo32.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Apedah32.exe

C:\Windows\system32\Apedah32.exe

C:\Windows\SysWOW64\Accqnc32.exe

C:\Windows\system32\Accqnc32.exe

C:\Windows\SysWOW64\Agolnbok.exe

C:\Windows\system32\Agolnbok.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Apgagg32.exe

C:\Windows\system32\Apgagg32.exe

C:\Windows\SysWOW64\Acfmcc32.exe

C:\Windows\system32\Acfmcc32.exe

C:\Windows\SysWOW64\Aaimopli.exe

C:\Windows\system32\Aaimopli.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Alnalh32.exe

C:\Windows\system32\Alnalh32.exe

C:\Windows\SysWOW64\Aomnhd32.exe

C:\Windows\system32\Aomnhd32.exe

C:\Windows\SysWOW64\Achjibcl.exe

C:\Windows\system32\Achjibcl.exe

C:\Windows\SysWOW64\Afffenbp.exe

C:\Windows\system32\Afffenbp.exe

C:\Windows\SysWOW64\Ahebaiac.exe

C:\Windows\system32\Ahebaiac.exe

C:\Windows\SysWOW64\Akcomepg.exe

C:\Windows\system32\Akcomepg.exe

C:\Windows\SysWOW64\Anbkipok.exe

C:\Windows\system32\Anbkipok.exe

C:\Windows\SysWOW64\Abmgjo32.exe

C:\Windows\system32\Abmgjo32.exe

C:\Windows\SysWOW64\Adlcfjgh.exe

C:\Windows\system32\Adlcfjgh.exe

C:\Windows\SysWOW64\Ahgofi32.exe

C:\Windows\system32\Ahgofi32.exe

C:\Windows\SysWOW64\Akfkbd32.exe

C:\Windows\system32\Akfkbd32.exe

C:\Windows\SysWOW64\Andgop32.exe

C:\Windows\system32\Andgop32.exe

C:\Windows\SysWOW64\Adnpkjde.exe

C:\Windows\system32\Adnpkjde.exe

C:\Windows\SysWOW64\Bhjlli32.exe

C:\Windows\system32\Bhjlli32.exe

C:\Windows\SysWOW64\Bgllgedi.exe

C:\Windows\system32\Bgllgedi.exe

C:\Windows\SysWOW64\Bnfddp32.exe

C:\Windows\system32\Bnfddp32.exe

C:\Windows\SysWOW64\Bbbpenco.exe

C:\Windows\system32\Bbbpenco.exe

C:\Windows\SysWOW64\Bdqlajbb.exe

C:\Windows\system32\Bdqlajbb.exe

C:\Windows\SysWOW64\Bgoime32.exe

C:\Windows\system32\Bgoime32.exe

C:\Windows\SysWOW64\Bjmeiq32.exe

C:\Windows\system32\Bjmeiq32.exe

C:\Windows\SysWOW64\Bniajoic.exe

C:\Windows\system32\Bniajoic.exe

C:\Windows\SysWOW64\Bqgmfkhg.exe

C:\Windows\system32\Bqgmfkhg.exe

C:\Windows\SysWOW64\Bdcifi32.exe

C:\Windows\system32\Bdcifi32.exe

C:\Windows\SysWOW64\Bceibfgj.exe

C:\Windows\system32\Bceibfgj.exe

C:\Windows\SysWOW64\Bjpaop32.exe

C:\Windows\system32\Bjpaop32.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bqijljfd.exe

C:\Windows\system32\Bqijljfd.exe

C:\Windows\SysWOW64\Boljgg32.exe

C:\Windows\system32\Boljgg32.exe

C:\Windows\SysWOW64\Bchfhfeh.exe

C:\Windows\system32\Bchfhfeh.exe

C:\Windows\SysWOW64\Bffbdadk.exe

C:\Windows\system32\Bffbdadk.exe

C:\Windows\SysWOW64\Bjbndpmd.exe

C:\Windows\system32\Bjbndpmd.exe

C:\Windows\SysWOW64\Bmpkqklh.exe

C:\Windows\system32\Bmpkqklh.exe

C:\Windows\SysWOW64\Boogmgkl.exe

C:\Windows\system32\Boogmgkl.exe

C:\Windows\SysWOW64\Bbmcibjp.exe

C:\Windows\system32\Bbmcibjp.exe

C:\Windows\SysWOW64\Bjdkjpkb.exe

C:\Windows\system32\Bjdkjpkb.exe

C:\Windows\SysWOW64\Bigkel32.exe

C:\Windows\system32\Bigkel32.exe

C:\Windows\SysWOW64\Bkegah32.exe

C:\Windows\system32\Bkegah32.exe

C:\Windows\SysWOW64\Coacbfii.exe

C:\Windows\system32\Coacbfii.exe

C:\Windows\SysWOW64\Cbppnbhm.exe

C:\Windows\system32\Cbppnbhm.exe

C:\Windows\SysWOW64\Cfkloq32.exe

C:\Windows\system32\Cfkloq32.exe

C:\Windows\SysWOW64\Ciihklpj.exe

C:\Windows\system32\Ciihklpj.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cnfqccna.exe

C:\Windows\system32\Cnfqccna.exe

C:\Windows\SysWOW64\Cfmhdpnc.exe

C:\Windows\system32\Cfmhdpnc.exe

C:\Windows\SysWOW64\Cileqlmg.exe

C:\Windows\system32\Cileqlmg.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Cpfmmf32.exe

C:\Windows\system32\Cpfmmf32.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cagienkb.exe

C:\Windows\system32\Cagienkb.exe

C:\Windows\SysWOW64\Cinafkkd.exe

C:\Windows\system32\Cinafkkd.exe

C:\Windows\SysWOW64\Cinafkkd.exe

C:\Windows\system32\Cinafkkd.exe

C:\Windows\SysWOW64\Ckmnbg32.exe

C:\Windows\system32\Ckmnbg32.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Cbffoabe.exe

C:\Windows\system32\Cbffoabe.exe

C:\Windows\SysWOW64\Ceebklai.exe

C:\Windows\system32\Ceebklai.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Clojhf32.exe

C:\Windows\system32\Clojhf32.exe

C:\Windows\SysWOW64\Cjakccop.exe

C:\Windows\system32\Cjakccop.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Calcpm32.exe

C:\Windows\system32\Calcpm32.exe

C:\Windows\SysWOW64\Ccjoli32.exe

C:\Windows\system32\Ccjoli32.exe

C:\Windows\SysWOW64\Cgfkmgnj.exe

C:\Windows\system32\Cgfkmgnj.exe

C:\Windows\SysWOW64\Djdgic32.exe

C:\Windows\system32\Djdgic32.exe

C:\Windows\SysWOW64\Dmbcen32.exe

C:\Windows\system32\Dmbcen32.exe

C:\Windows\SysWOW64\Danpemej.exe

C:\Windows\system32\Danpemej.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 144

Network

N/A

Files

memory/2320-0-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Npjlhcmd.exe

MD5 7538688af217489c111a1c69383ed0cf
SHA1 0a7f6e1162d0d02003160f5412826e1bf784b50e
SHA256 52a0c01fc8ba212062d03c09a084ca71effaec89c27fa7bbb6fd6f8341d75140
SHA512 c9b9aeee9917f754964db531b2be0b078cdd48f951fa5ca1bd5775c5bce23a7ed486c30114b2bd7c8c45544d858cbfec0fdd53c67af6e436adffed5cbae6b0e8

C:\Windows\SysWOW64\Nlnpgd32.exe

MD5 d70e81aab8abbd4c906781933922e629
SHA1 f81ca2a4b8d4990e4b880178b60021dc0b9b03bd
SHA256 6fcb15caba117e07a857e2beddb569c6c92163bd2388b4e52cffaffd5f016d56
SHA512 3534754f75f14eacfb6b0349a69fa9f3f0ce1026dce4496379cbab1efe98cdf08a7f7b39b13bf388c043c976f7a30958f4482a8eb1f298ab517b1447a5faf98c

memory/2320-17-0x0000000000280000-0x00000000002BC000-memory.dmp

memory/2284-26-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1868-24-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Ngealejo.exe

MD5 5bfb135e0b907dff28a2728b4bc777f2
SHA1 2a22bcdd4f88ef0dac5316013cde5f724368063d
SHA256 2f4512a9c8dd3c1bdb0abcfcef1efa5db1bf96cb549d8412b92b73ba63070707
SHA512 0598293420021c83ba5c4374c665fd2973ea133512583771a85f65571e54006af9ca1499f7bf5e585cab9099e4064ebf2f11a9f1b6a14c26171a0fbcf9c049cb

memory/2284-33-0x0000000000290000-0x00000000002CC000-memory.dmp

\Windows\SysWOW64\Nnoiio32.exe

MD5 c57f5da8d03f54deffee42f0b44da6a4
SHA1 e3a1a60230462ab21949b73057b8701e8e8af8e6
SHA256 396a74d7290a87afbd931d308716efa5de2be03ea10292a16ff41e9c8834ac73
SHA512 31aa5e505c049fe1c8efc59c7d1491520b42cb44d2efd553189925f360e19318a1b54516275dcf584237dc78463e01eb24ac63eb997bf064212a75b909b34786

memory/2696-52-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Neiaeiii.exe

MD5 0cd0decc2dd1080781201b94bdbd175c
SHA1 55f3d248b6b98b27021652d2fa307724f79576d9
SHA256 c77598386be7ce2ae58474f821981dc7c35f75038947e8f7a05509c14bc51cd1
SHA512 64fadb9d31afbc3bbe777bc836d7e3e19d21db1ee649249c57b91d5d3645e4eec99f90f000c3cb4d9ff0d804dfed141b5b951e7195b0086295b693fa58c3e3fb

memory/2696-61-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2320-59-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2696-66-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2284-68-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Nhgnaehm.exe

MD5 73b3c43dae421558ea446c4af93be867
SHA1 d8375741b00cae571bfd34b0cc689cc50d5d0b02
SHA256 72e32d69705b01a9334dfb95a46a630a31e13875810612ffa0e6e60820e30cfa
SHA512 297452c4b72f152338afca7f7ecd3507317180e8e59a8fc68ae5ca18752a826921b72d034fa30201e394f60794d01d1923f8727b3167ae8bb54ce289f145f587

memory/2584-80-0x0000000000290000-0x00000000002CC000-memory.dmp

memory/2604-83-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2284-82-0x0000000000290000-0x00000000002CC000-memory.dmp

\Windows\SysWOW64\Nnafnopi.exe

MD5 eaee9c3f82d6685f65f727fea5cd92eb
SHA1 c1eaeee99b864cae8c0a9e2ba629a9d23df9bc3b
SHA256 b8752001b6fd945a50daabc0c2af96b5db989a0fcc2ab461af108352c52ac59f
SHA512 768b83969e79ef8aa8ae2a7afbd62f07f59319cafa298035cf843e32c767c4bbde3cbb0378054ae5b68f40b0998e96ad4dc1ffe5320ec28b6a85ae9d5f8bea19

memory/2700-91-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2604-92-0x0000000000440000-0x000000000047C000-memory.dmp

memory/2720-103-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Neknki32.exe

MD5 1ec021b0aa8dc85966cbd423ac126ff2
SHA1 a897677adb782af197922bf056181f8bb4014be7
SHA256 ef1924bc43b0ec0efa5edbc38a262888e65c2086c0058a43abaf8f1738155c7b
SHA512 d871151f392e45ac03dcdc4b15350d60f9812b6b20c857e93458db4174ad23665cb45bd002ab02cbcd0c4b7f8afd8974128e4b9e7ccce46295f9280382dda69d

memory/1460-115-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2696-114-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2720-112-0x0000000001F30000-0x0000000001F6C000-memory.dmp

memory/2720-111-0x0000000001F30000-0x0000000001F6C000-memory.dmp

memory/2696-110-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Njhfcp32.exe

MD5 fd507376e3baff8c412b240ad9faba20
SHA1 c208136dce8522eb039f171c082cfd6b5adf56e5
SHA256 2dfd1495d68e349d22589e2eb3187a78a595b2ca104f1061ac3147bfd8788fd6
SHA512 0fd272b0bd004bc5630b461f0bf5e3bd3b27fa98ee015bb0003c44f4b9ad4307ef5b05d0c7c70febc0b97751576ec07f90443a4ba183e9d9ede53a5e172ba551

memory/1460-124-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2584-122-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1460-129-0x0000000000250000-0x000000000028C000-memory.dmp

memory/776-140-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/2604-139-0x0000000000400000-0x000000000043C000-memory.dmp

memory/776-138-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Nabopjmj.exe

MD5 83d742a770a0cc42f9c9a694b465f004
SHA1 ab02516c0cd43b26462f88896eb4b8657c1ab3fc
SHA256 d3e622e02e1a58bb3c2a1f22cb749e84a0e42ce5453d639f84bd19f1c44e06e8
SHA512 4305977f71c5ec7deefaa4313ba4ffa6a34dc5222039febd90ec20925530780936f021a7aae2590349312fe03970147006ccb92f3fed97f5ee7680553990e418

memory/2812-146-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Nfoghakb.exe

MD5 e8eb142da8c819c2c36ef2fd2b18b7ba
SHA1 401e04bb12c0b3b3387d5fb15bc9e8592cfb94f4
SHA256 911956da8e143ad9c4d14cd0239acd262cebbcc590a5331d0da4eb909e4ec80e
SHA512 3129d77ab308efb3b949169e872e684fce119e2cf17680a2fa2baa89da0d9f3ff49cfabadf7f87d679df77557acd7eb224ad78325c32441d9ae4e629e99e65aa

memory/2812-154-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2720-159-0x0000000001F30000-0x0000000001F6C000-memory.dmp

\Windows\SysWOW64\Omioekbo.exe

MD5 8b1e50e218fa169a2dc7318d55671ac7
SHA1 6032429f6b4ee723cf3d5181e5a36c4b1d9a3370
SHA256 07ef413b91da160918b76bddd5cf894b13d2c867fa4cf3e71f288793a3d185ce
SHA512 ceb8c794a6025eabbecc45217cb3a7c8b95ff41d6d948d869a7decba3df51c1015ca5b76cf2a14b2261ff009dc3c38e57c16b0a4ca0ce059603202e93d7e965d

memory/764-176-0x0000000001F50000-0x0000000001F8C000-memory.dmp

memory/2940-175-0x0000000000400000-0x000000000043C000-memory.dmp

memory/764-174-0x0000000001F50000-0x0000000001F8C000-memory.dmp

memory/1460-173-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Ofadnq32.exe

MD5 1a5dd25055951bd4c124335d88c5719b
SHA1 2d218b69a47204cbebd929e5c4e6c7a1c7d321e9
SHA256 056aa747e591aadbbd15b49ceb83e8938f3f3b51075ca394d59f4c3843f6fdb4
SHA512 6e9aca90f6cb71121158af80ee22d8bd73b1286bf37716c548c2015c021496f0ed601668876f9f568984aec61664b88b6112d4aa2bb1c1e3bf457d0bc41a0e66

memory/2940-186-0x0000000000280000-0x00000000002BC000-memory.dmp

memory/776-185-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1460-183-0x0000000000250000-0x000000000028C000-memory.dmp

memory/776-192-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/2508-193-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Oaghki32.exe

MD5 4922332e1f28be090deb203d14771387
SHA1 a0bdf5532cabbb56d4ba7d40d7a277f2ce3f6599
SHA256 55e4eab70de2cc0b4db9ae3703dad5eb1eb7bcb2e06052e060da61772a66a8e4
SHA512 cf52530797be103fcaa66f0b4b1541d05945b296bc6ccb17aaca023fdf46079b4e6221149dd8c3551b137575f6061e07f88e388a04c423ab06655725723c3c64

memory/776-205-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/2812-206-0x0000000000400000-0x000000000043C000-memory.dmp

memory/916-209-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2508-207-0x0000000000310000-0x000000000034C000-memory.dmp

\Windows\SysWOW64\Ofcqcp32.exe

MD5 24dc7ca604fd4f3e04fa057dbf1b30d4
SHA1 349f5deb535047b05ca121122cb9dbb69f77aafe
SHA256 113c3c4bdae8d9e25e3debc0ce1b5f894e38524c67b7629e6f273097baeb188c
SHA512 d81706488f0ecc48e80686dd3138e9078f12cc5d1d5eae70cedc6729b5886a8097b90d5b6c66936ce27ce72a38a82e124550ded9c38171e9d3f45d9320efc6fd

memory/916-217-0x0000000000250000-0x000000000028C000-memory.dmp

memory/764-220-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2528-227-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2940-226-0x0000000000400000-0x000000000043C000-memory.dmp

memory/764-225-0x0000000001F50000-0x0000000001F8C000-memory.dmp

memory/916-223-0x0000000000250000-0x000000000028C000-memory.dmp

\Windows\SysWOW64\Omnipjni.exe

MD5 ca0feee8e9146c1f52ac9da7451865dd
SHA1 8700485c4a6a522ea172c6a30d798415b336afa1
SHA256 4e2b262c7ef7e7728023ddf704f15bf82e2c99298fe648a65d8cb38959336927
SHA512 34981a509acb4929eacdd53704ab2f4600d37579556759e23c81eb7fd7cde83c0419972273fbbc655aa716cd0af0659204932805075ff1974ac59e81ee4fda9b

memory/2528-238-0x0000000001F50000-0x0000000001F8C000-memory.dmp

memory/1956-255-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1792-254-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/2508-253-0x0000000000310000-0x000000000034C000-memory.dmp

C:\Windows\SysWOW64\Odgamdef.exe

MD5 15bae0fa53301b31759785dd8d908a70
SHA1 ddecf2dbbf66e292e18c44c5014f96394c7de428
SHA256 75008af6fe0f0cde753cbfe40baa2c868398fd409890e1bad40969a67d558a1b
SHA512 68d90ace60c55010b5e4ffcf3efa2d0e560cab33587d3bf2e3e6ab11864d69fb2e72107568d1dc2dd0f637028db36419397d4a3aca9256e844a65b667a4a1c7b

memory/1792-249-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/2508-248-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1792-241-0x0000000000400000-0x000000000043C000-memory.dmp

memory/916-260-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1956-262-0x0000000000250000-0x000000000028C000-memory.dmp

memory/568-268-0x0000000000400000-0x000000000043C000-memory.dmp

memory/316-290-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Olbfagca.exe

MD5 9d9b43736df2a5ef0eb085fde9c3d6e4
SHA1 4812edb0c786b721ea3b7832c61d80d44552f83d
SHA256 f47401e2a5847775533f607a476e94b469d6b9a0e3248f52dcbe2734de1235fe
SHA512 cc3c16abd98b52c8eaffa19afbb07590f2c13e3cf1a500b1bf96354765d1f554f573a5b871558f2ba9228295347667a787ad539693cbbb8f997a490167bdea7d

memory/1792-286-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Opnbbe32.exe

MD5 f2129721dd92d2120f202e6d38acd049
SHA1 af00977b4267cfb05740bc75f8f9ce950c0a5758
SHA256 ee531bf757d0c53ab990b32fccb4639e23e79bfc4b93905d89525738cbd2e6fb
SHA512 8267713e23b7d7e5cdc475d54eea0c7a7df35d131aa2108174a415fd1eb8f76cbac715c35c26fda2b2ee2af93364c4984b00ccb3e8c0ece62fc598f7c3d0c01c

memory/1956-300-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1936-296-0x0000000000250000-0x000000000028C000-memory.dmp

memory/316-280-0x0000000000400000-0x000000000043C000-memory.dmp

memory/568-279-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/2528-278-0x0000000001F50000-0x0000000001F8C000-memory.dmp

memory/3064-312-0x0000000000400000-0x000000000043C000-memory.dmp

memory/568-311-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/568-310-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Oekjjl32.exe

MD5 0cd2b28209b785c7ab084b7f23c2294f
SHA1 f5c24e3831a553afa77730c0027a9e68819477da
SHA256 81a9d4e1f907ed2b5b59d63562d872b7bdd728d463489e06150722dcf3c18cd5
SHA512 e93675bb4b859df7d54daf991112fef35b0521d18a2d9a3d00906f74b4744e1f6374cc9dc6cde3ce27285549451ca60d945d33595e09919dab990f3a144baf03

memory/3040-306-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Oiffkkbk.exe

MD5 9a0a45ecdb680bf5c738ccbb34946c39
SHA1 3769d5280bcee37fcbe85d79f6a92d9515742a19
SHA256 3011704d9ec2d935cc7d197f3708f854aeb3ca3f9c6a6f41ebea00f439c6251b
SHA512 06658f5c9855bff3188371a00994a24080c9a91d46a0acebf49af81406c2c4a98438e2e38eab9bef246f11392ad29080c2f2c65103ae531b08a2159b19d115f4

memory/1936-324-0x0000000000400000-0x000000000043C000-memory.dmp

memory/316-323-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3064-319-0x0000000000290000-0x00000000002CC000-memory.dmp

memory/2020-330-0x0000000000250000-0x000000000028C000-memory.dmp

memory/568-317-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/1532-334-0x0000000000400000-0x000000000043C000-memory.dmp

memory/568-277-0x00000000002D0000-0x000000000030C000-memory.dmp

C:\Windows\SysWOW64\Olebgfao.exe

MD5 d3fadf29e7e1e19c38d7d5c56b77f059
SHA1 c6a1bf51aada226a7fa7288383aa4e6ed9fb5df8
SHA256 faf8ac4fd37c87713e295256eb8fb3c9c025eb8f8efe6883d5f2f3895983300c
SHA512 4d112e68c4840be29f7d88861e0f260af09a8231c446ec9ab882b4ffb2456a798e6b53a89b93cfcd398e11f9d8460a2e64edeed588a60f2592036246e9a2c095

memory/1532-344-0x0000000000250000-0x000000000028C000-memory.dmp

memory/3040-340-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3040-346-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Oemgplgo.exe

MD5 90ddeab0960c48a97017f3fdd543b3e6
SHA1 f991da97ac2074a7be19fdeb01c2bb8d31529b26
SHA256 e5bac6f6c16fbf67dd747d3676a6d216122d984cfae3538473456eae97b314e4
SHA512 d3c89e4c2d3da3f817b9a88c6d813ba6ee2b1096714ae6cb740a0d630666851b52a64c742a922091412e95e387e3f69b9585ba52a3e3dc1216648badb6ec733d

memory/2920-356-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3064-355-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1532-345-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Oabkom32.exe

MD5 fdb5f76d391057557cf5fb9319314c11
SHA1 ea185134c82c78d32fd342466a092c2621572fb5
SHA256 a6643f12bbfec583800d7cbbe304a33156b711d507f916d00be618ece560cdc5
SHA512 4c777f5a978b9ed016dac575ff4bfe1d92fc73a3e662d7417dec77f0b697d7f46ecf3f6905de804eba85d804785ed79343b00722e03d061c1000a9443330ec2c

C:\Windows\SysWOW64\Oidiekdn.exe

MD5 31561040d0e4f6ed68a0cbfd4a0a5431
SHA1 d29299ccfbd707796edf223f9e035c341b9b9c45
SHA256 847027765cd0ae5e7506d7505342fb071bcf44d19b84d3afd3453aa1c7b03f77
SHA512 932740a8de4c320c20cfd264bad03185b68092341ef8658f1180ec96638dcca3af983e8fc97d251b98d4aa610e34c9dee089676bd9185479e4c32c45e9fc0184

memory/2528-267-0x0000000000400000-0x000000000043C000-memory.dmp

memory/916-266-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Objaha32.exe

MD5 3309cebdf79b6dc3f0fae470458f35fb
SHA1 2c00b0eeb1624db906730a883aa72237c45f4aea
SHA256 7b90581a463645e4cef77771f7fc60bd3ba9dbd4ef239b3984bda164ff5ea02a
SHA512 90339c50849a734a581aad1e9cc7f5dff729abab49211f8089f992dfbb08f706ba8fe99d3f0faa264e18e166b26cbde364c1c9fb3adf5592ef7e4a68b5e8d304

memory/2020-361-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Plgolf32.exe

MD5 775c72fb1892fb6319b8dd7bf85469a5
SHA1 69c6dee56513a086995004eee458cac201aa2ca4
SHA256 d6b4e0a3da7b2607c03da448e0bbafcb39ef39df61f7412a81aa977d94d6aa57
SHA512 7a3a2489a325218013eaebd29279f5e3196c16942fa7227d42f77697e0825c6ae4a7a78c50ec947a03763bc560224346fff57feee045435e6018546f6593245f

memory/2920-362-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Pbagipfi.exe

MD5 bab53667d864f1ce8f7f79ac345221a8
SHA1 d5d4483fb14c0467236899d7741b729874b11a01
SHA256 4db798614881ad16b43cb53f0b1290a1010e648e1e6f015a2bbdba40a66e1cda
SHA512 bb9a68e6f5a2c1a25383548757f3fcc078bdf410a5f702fbde7338a169bc0dfee133c614cc50dab49bc6de4c76218a849c7e8408087caf021b1490e76ecadc4a

memory/640-387-0x0000000000320000-0x000000000035C000-memory.dmp

memory/2920-399-0x0000000000400000-0x000000000043C000-memory.dmp

memory/236-398-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Pepcelel.exe

MD5 966bb0828cfcea594df8b89568697803
SHA1 a344db61ca92d31c3610726d52cc39e45497b599
SHA256 b6dcdb002fa5a81da2c7a8682f6c8b3c602e2ba40e05137b97dc069f424992dd
SHA512 d6e1088b931ed098845160e63a292f40d3af0beda5246c22018658ed4d25d167aa4f0b259ddaeb35cc959dea5d9b2cfdb6938e421d49000c4bc85b089908d4f8

memory/2184-386-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Pljlbf32.exe

MD5 2650dc10f181e6a64a81fdc4b85b56f2
SHA1 b2e349e94bf7e79c383bdfa843da43ceeba067ee
SHA256 dcd2bae24bcd0cd94348c20b5aa3736f6207f69f6a156219b2912bc0bfd338a8
SHA512 c8ee35f434996d211f0635078f627b311cd51a27aa0caca1afda0d740b706fc809fc7108d2d9a39d4e029db0262d6d561a1727397954cf1b878bca371a641680

C:\Windows\SysWOW64\Pkmlmbcd.exe

MD5 120267fc3327937bea94aedebe102cdb
SHA1 e32a3ededd706c22b6eca9a13b388fa84775e2ea
SHA256 6c514cef06f6e5b0021b989b2f0f3f6fffb50f339499ba6d414cdef350e5dd09
SHA512 63b7fd2f837197c47e0178ec1a63b1662c28bdd048a4f2a2d8540c98ff31f002f604afaa7b921c744e75831a8e52e982c719c57b80ec0f2f083a2dd0cc848114

C:\Windows\SysWOW64\Pohhna32.exe

MD5 d9eec6ce96ecffed830b88ab73bf2c15
SHA1 4fc1ba44ca124abf13c6948713c3d6854e4c5028
SHA256 9ff6e14e05c5d8db7c326d38aa0fcfbf40cb106dc793f5738ef18245ea493841
SHA512 615e592ac212e03ccff5c33aa7c368aa51da4e09c41d7ece27213e07fcd680b0a8b2cde10a1e7aa76eaf61be1a37dddc304d0f00c5466e67a4fcd70b59104248

memory/640-384-0x0000000000320000-0x000000000035C000-memory.dmp

memory/640-378-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2672-377-0x0000000000440000-0x000000000047C000-memory.dmp

memory/1532-376-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2672-375-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Pkjphcff.exe

MD5 c7ad9926af9ed37c72caffb68572fe9a
SHA1 a81a2ac4507fd3e0fb16a550d077345747ac0380
SHA256 976b3a029e8a7dfe7bb6eae0a2ca039271d8bad8d2fa75fcf08bd51fe73db19e
SHA512 548d94ee3985f4755b3b66150e0ce37fdab4f90d7b8be43693364524d95b3d3f8811ce23dab76503e00698019d5a399f73fc596f3546b6a884369262bb0d0dcc

C:\Windows\SysWOW64\Pmkhjncg.exe

MD5 07a7dcbcf04c428c381a0e99026b5446
SHA1 17b211e1664803b6fa48811e2ec0a5b1fbe5ac63
SHA256 e8cf3234d466640214137bee5fbb02b5c676be4c621098593cd102e654665c5e
SHA512 7a039b6de61303492b96ac88075bf8696eabee29311532e8e080624ce102a67f72ebf6b24e40c3373406d9ea281d82f030ad5e2cfcd07e07db7cb7569bad787f

C:\Windows\SysWOW64\Pebpkk32.exe

MD5 b3b3b2f8f7cc6d7d2d792bb974d3fc63
SHA1 d8ddd94f9d4600f0480e01fdaed69169812d31dd
SHA256 aee084b5cb475097336930f65bb9ac82603fcf4881227c5f1f8e45488a0a1fa0
SHA512 0d36b358851f1b222a4eb3e3102518fdc3b3cf7ea179e8bdaae17a7ad4b8fd8b7bbfcd63087eccb5fc5f62f7d23ac87189f54ea21018619e842a1ff103c8142e

C:\Windows\SysWOW64\Pdeqfhjd.exe

MD5 d164810f28f31698f509eb601acd5516
SHA1 e5e73ff18610677c73a825e0876ebbe406974b4d
SHA256 069779d43cf4aaf4727c1e986a49229e3b5d5f1452ff98800d18dbfbcc2dac68
SHA512 6c04448390cb2c2b1d86d1c456b8c853747473e3291449579101788d988b4ff106256f29a78cfb906d18c11254c0a667c14f8e46a07eaa9aac8b49faa96edf5b

C:\Windows\SysWOW64\Phqmgg32.exe

MD5 99a7e99cd9f4118611be35f9db541730
SHA1 7e9903e962c7a649cf1b25680234485988a64865
SHA256 bda0d74bb31fff6622f937f17d3d93b8462d1342e29d317418233c4b437c6d44
SHA512 132f8fea48e2bc4607d1486fb7a9cea4d649b4b189ae2c1fb34b6707f0362525b4cacaa687836fa238ce79fd7e6c0d3618e9785e080dfb09956ddf0ee676d682

C:\Windows\SysWOW64\Pgcmbcih.exe

MD5 f950a24eff784fb6f9f4521b91c94894
SHA1 c6857c0d67cbe51030b393c80b67a2c0fd48311e
SHA256 19bea7fd0d317ca78c380a3f3e358fca6125124346b3500f969374cfc1686f8d
SHA512 fbe7d19555576d68ca436ba45f6e52461d00c32f4bacce5d5c8f5398273bb9a94d3d224f395b753db172731a93f059783eb50c27d993e60ef6d118c8e0875f04

C:\Windows\SysWOW64\Pojecajj.exe

MD5 57aa5650e9a494ea2f3901bd269bd6c7
SHA1 573e8df9be2de7fce1671b8ebd22034b61e3f891
SHA256 6d32c35c6a96d7663af3e7931edf410973b0dfcc263fbca4813059765407ca1a
SHA512 dad206cd4779ebd1b84d3291e451e55696585bff54613563e81460216414251ec758271980584f1f65691e9b47f3604226d11805dfa9cf211388e6824b9d60bb

C:\Windows\SysWOW64\Paiaplin.exe

MD5 6f31c4d5b107f227de2d8bd4785dae14
SHA1 b20de039bfe4c3216e8c31e3f381e657aea73652
SHA256 ea98a3adee7051959da4f484b7b21a808a99b26e0c57ea0e220bcdd4bab7ccd4
SHA512 cc9b3ab3b7bb1774363df6b83ea30993a93129147712d260624bcb6a2ce1a2c9b7393350f60f7673d56451024fef3dfda2d94d440d71ca994dc6e8ac6104e1d0

C:\Windows\SysWOW64\Phcilf32.exe

MD5 f4f133784825cd1170b7dcc6f68a6070
SHA1 c57793c48a2d9a167a778948e739749cc78d042a
SHA256 44ae3940ae4a68e29b21de44a934ca6dc22c4feb600307ac6befb7f49d2549a0
SHA512 dafe3eca2193909c363eaaa97f2b74cc5fc9384c57347f55b45af260ae3e9f1419f1e0dd35f71920523a16b80b50396ea3ab9835ba7d10d279745efd8ebb0f3c

C:\Windows\SysWOW64\Pkaehb32.exe

MD5 a2563be2c3a20565caca895fb5106250
SHA1 b2d343a91a98d6302464965e537f47fc762d5ed5
SHA256 34f2f75db0221e00d07ee5a5213cc2d198d2b131ed392247991ab7b08bdfb019
SHA512 00169eedab134e9f230d63c328906035fa2a519b6d8dfdef28574d8003d4405513a90d795eafc475481a9fdacb8027de40349408e3c8e5e718ef96e6ae71410b

C:\Windows\SysWOW64\Ppnnai32.exe

MD5 a8dcbe5e0359e8901e673f0ddc61becf
SHA1 2e495d3adc4cad96cb16face30d5b5d2e132022f
SHA256 862851160e92dcee173c4cf6b53dd7e3ae77c8b4ffd0fb3936ebf6053d6635d8
SHA512 7aa95fa3750e00feb69562237172e26508aaa9334044fddf34577c67ca66572398e26990960ee2dee47adbfc3e70a7773ab8b540231ef5f254a9b7fc1545f0ca

C:\Windows\SysWOW64\Pcljmdmj.exe

MD5 96efb7e2920c7ac207ab82c3533fe169
SHA1 e0857ed334085865bbcb9e380cb26f4b41c54a6e
SHA256 c31eb229b407f23ea380a65382ae6350c34eea4af0807d45962e2e4fbb85680c
SHA512 535c727e56843679cee5ac471d4a14b81e2b2254bb85cc9a44617a284df8ae4c7b04dbbc77937b5a91e3943d09d6a1ebd3f0949f25c8e800cc357bcf1235bbf4

C:\Windows\SysWOW64\Pghfnc32.exe

MD5 c6cd4d42b97edc03b30568ca35c4c871
SHA1 e8c230622dbe3f929608447ea43261324b056837
SHA256 6d8a16e55f5cc584dda68f74e898f69f484ad2a4a9c10741eea1c97efbb33abd
SHA512 7d8c0d695fd4f55a4299ebc312594787a3fe9438e0b44877dac7d5858e6a45db03aec813a9f16908a02df075e32fc2d4fd99a435c2e50af01f53138fd90f824c

C:\Windows\SysWOW64\Pifbjn32.exe

MD5 326267e9a7b32726ec9af235d986c6c7
SHA1 2d480e194405d48e9b2fa69770f48d44a39ff87c
SHA256 fb2efcea22cdf502dcc82b109427e1925a3eee5f89d079bb1bfff390ceac6325
SHA512 b2d44fb8ca518d2dccc459333d4cf0d2f7f245829451e48918c39d91b19037b47ae37937ca18cfaf3a0e1cb36b7f166a3fab6837c0c0e9319325d22b4cf97f6d

C:\Windows\SysWOW64\Qcogbdkg.exe

MD5 f955aea15b9956b358284e3ee678c32b
SHA1 05c41d37209a7a3187b00208324817db0d369afb
SHA256 ece612355693ffcd5510dad48a2c977fc3a527ca267963151155d6e441d16335
SHA512 09313f838cda43201730e06106f2421ae44430e510356f30a5fca63c3ebe80d4196ebcdcf0d70007af8cb2b4ffa325777e6a924bcfc3ce8f3b6dbe7cddf79394

C:\Windows\SysWOW64\Qkfocaki.exe

MD5 2e7fe9fd134928cd9173a495c0c91853
SHA1 dde24876c89c485b7bb560639b8b178a030a0399
SHA256 44c23cea1179fbd1e5c9cf5d6d99f9c314c63ead664c6987af650185d6c7af29
SHA512 27793fe13ef4113580692a58ffcd917cbf63f438ca5a5b207537a5f0bc0b2310b7ca38eb49ffc9f907cd95dd16d0fb866c98a46e0cb4acd9bb0aa8ef2d6aeaed

C:\Windows\SysWOW64\Qpbglhjq.exe

MD5 b1d714705f60aba21f1b907993e173da
SHA1 2fa54c7c4d06ddc4aac54a4340be52c547309f93
SHA256 6cee7e2a232c0ff741df055de258b0c4207a787fcb2e193caaf18aa15f1c8a71
SHA512 da4512d5ef39562a89451b53da4fdc668006fb3fdbf9956be734186a666380ce93cb2a9cc29c53ab6975805491287593bb518e16ab760b834bd00a6b592d330c

C:\Windows\SysWOW64\Qcachc32.exe

MD5 5c8484d1f9ca7ea8f6cdcded35ed26d7
SHA1 7ec237e274874e9a6d0be0d8ac1eba6046ae46a2
SHA256 78ee385e36f355bfd38358581b34878666ec30859d0820058f4c88511cba9ea9
SHA512 34a9208b8825c79469086d817c183df1f6c2a4e322615409224266c4b77ae8f34d465d0e42eb90c6bdab83e834b03766cf355799b904dd19ccb515311a6ec1d8

C:\Windows\SysWOW64\Qeppdo32.exe

MD5 7262eb2f289133c38287ffce8be3857d
SHA1 ae0b4721c5d12e7baaa7b0c556e7d6a863352017
SHA256 8fbec61539322c991f91a1558ddbd46aac08b0c8211c46675a3e55623fb3f06a
SHA512 0cddc4c4f46496ef99365634fe595c2c896824cdd80722dd6c4522dba51420cbdda363d1c0856229bed172579bf804c4c0f6b3bbf6e56a144f6fff9debd7a003

C:\Windows\SysWOW64\Alihaioe.exe

MD5 06d48a497c3c32fe3bd61be235036260
SHA1 9f14cb4ed92bfc8aa13673e044f138c6c2618c6b
SHA256 241b42576676a3c478771c24fab0046e290a48e05a03f6fcebf23ba76f803317
SHA512 68eee443f7c343c1309bc8e96cd0e874bd8b52030807e9a361f6a9aa678f9120aa4813b16299c94c52060047e210091a1a5f8c2cf32b0b6183ddf02adaa76ee7

C:\Windows\SysWOW64\Apedah32.exe

MD5 99773e8a1148b51323b535ae0b2df676
SHA1 0ce8f2beaffc7faeaafe12e51912e970dca9151c
SHA256 4fc242f2719975428dbf7545869fd9c4795557f3ce34adcb5102113d4f6b74b4
SHA512 c40c740b8931219f454e1e5df6019054f53cae409535ef9ddc674efd5eaa495141f1213e0aea039d1d35a49da17a7eaf6de415376f27b113806a240a4bfddae5

C:\Windows\SysWOW64\Accqnc32.exe

MD5 fe18a9f95efa9c496df14286291c127b
SHA1 ef86744c81d77604d3583fc629d0ad9469ddf5b6
SHA256 ac081e67aab0a3a6d7220f8e551738a3c4c8007e8a9a22308712dc54c993797d
SHA512 6b49c9fdd9b87266e2201310271dd56b15e75f355abab071b23df858ad9e7cf425e9d8b9c2a32fc9a408df7e8c639e6ec406f493a434736e8b4265d30b73aa07

C:\Windows\SysWOW64\Agolnbok.exe

MD5 b7b8929d4b79767f2aa735b0f3cd905d
SHA1 c56b683164f0008e1d7805e170f92759b8a5e383
SHA256 9954d6bfc382d24a4285b8ef3e675aa31018f492b29cb81840b09bcf9ca5f841
SHA512 88dc34d6f41d02f59ef5b7cfe301f9e7f05bcb3335e6a096c296a93bf81034dfbfa6f2a878249ceb4e405639a1ca76b6d61c637432e3b1a700ad1d56c3fd0297

C:\Windows\SysWOW64\Ahpifj32.exe

MD5 cb8a6e54a980f1087e2ebcc9caac24c9
SHA1 57ed59748c076126454a19cd1109c271b6092ffc
SHA256 15ad35fae755da40f3fbd7564c9e3203dca3983a9465c5f49d00fa59f4e53c68
SHA512 3471a0e1c837f74518ab1727286b6003602b7cd97c59e5dffe8a17d545f95cd60cc506ead920754a0ac7459fb6115f994653787a096b3c0a04d72cea59029b36

C:\Windows\SysWOW64\Apgagg32.exe

MD5 6d0a180d46f85bbd76a1988b5071baa9
SHA1 24cd8e46a2b77cb9a9c4d51b16de561e711c5c8c
SHA256 4e27d8df06ff6ef793b841b7ae0e2806a5514658cdc608a5f1274ef8a4d91af3
SHA512 1ee5e179633c01453f93fc1313ee801de2833d9763ad85cb323bddbefcb8def21eeb153d31d1932b723205954bd2f611085dcb909f4f7a83a45b69ee2faef348

C:\Windows\SysWOW64\Acfmcc32.exe

MD5 6e635ae9e2d6002fde75aee6f31e3ded
SHA1 1d1321786e0a70d46418e9df9dca2ae156af38db
SHA256 465d8504b41c94410b34de3ec6f180e69b2ebbef27771c49ee57c148533413cb
SHA512 cf282ed624058d5cf229c6f4e3be5702a16f8286f74653e6d3e7e8d9ff4787620da5f1ec051be020e6925b2b83229b09559799f0f870057ccb2d69e70bf65ecd

C:\Windows\SysWOW64\Aaimopli.exe

MD5 29a3418b69453e4987941619baa333ae
SHA1 78ef6658c0ca181714e96c1c9425849c826c079c
SHA256 33c457ccf5552fdced30a320c7c8fe4c26ba31baea5402bf3e10c4c1adc59014
SHA512 b9beca5bc0103cd0cb03c207aed75aacdf2bb3abf52c2a1a8f42b08dd3a5ba554d74639f9797ba73d55c7970d00e874d8ef2ae3b22131dc942bb474eb2769174

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 af8a1a677dec0af5683aca69469ec761
SHA1 9b372024ff69e28a6fe7f143a2603db20139d556
SHA256 64b765b5b211c860bb21fead7ef37b168acc0d1c78d3f4fae75b34e923527489
SHA512 fc9f8b315717032e86472fdea75544a5c79c9ecdd07dfb14fdd46942b66b6f46db6df27edb64cf0a154e5a4c7888fdfa10c52f02fba85dc9e2fb8fa2bae5994d

C:\Windows\SysWOW64\Alnalh32.exe

MD5 9215b663859df4d215fd2ae6900b953f
SHA1 b8f4e9b4d5a1a68da2cb99b3e1d64ba9be9b6f58
SHA256 4a34ecff6de2c6219ea07bdde468b37665444c6e45ae60906f0f442856ff1563
SHA512 2b3d314ab12abccc13cba3fbdce0c1334bdc005432f05ee0c303c80f47eebc1c317fca55ee6f048d442880afe138f3cc5084f70662ad504b9ce9a3761e832f44

C:\Windows\SysWOW64\Aomnhd32.exe

MD5 55e5562f525d01d192592789674c614c
SHA1 034a9daaba882f11f22d68f134e233ce6711a085
SHA256 1922f94422d177bd444de4c27f1dab61e12599fd163674199203fa0d057208dd
SHA512 65502d4c27679fe5c36575e7172d829aabea32aded9c106bfa85a219521c6af559ea404be1c8168cd78b409a127aaef358bf602ce919d20710907dd1114e9574

C:\Windows\SysWOW64\Achjibcl.exe

MD5 06e6869246e328ea9e4f1ace90aa7296
SHA1 ac17c01d44df26478329e5c08f194eed995d8e49
SHA256 544c835b9fffe6d0091d0eb9c0b79313f7a1812f2be98a645559d340edb1a1a7
SHA512 cd56bd1b9d8b5780389ec0553a15934930a301c50116a2112ff87173640e9c97e02fb366cf7cf779b5e99c358a3dec384b4973bce57ef9b640ea940713978ceb

C:\Windows\SysWOW64\Afffenbp.exe

MD5 d2db036ae790e751f2a6f03846f340e0
SHA1 6394dd1d0c6cd90dfa9b64ff06c37abcec76f211
SHA256 6f73c092bb34b3c973ac4445c4aa64748a3f1162e1b7b4e454f300334d195e5b
SHA512 1004dafef7d22575b4c25e1ff81338132ebea6ba2f874c3192fb2d46d24e867643d694d424098ad3c7bfbd91eac59aca02d9342e3b124624dca4fe604913763d

C:\Windows\SysWOW64\Ahebaiac.exe

MD5 ee5053e11531e077b50fe0b05b980428
SHA1 42095a01dfc081591201be3860045fe336990b54
SHA256 6de2c8b50386365b1bba20d55f6045944822e4ddc14caecb30fdf92d0f6ace99
SHA512 ee79b35444e90424649a606f888f27e2545e0792c95dddab75faeee1a3f2c7da0f80d0dd11736dba6e737ec872185cdb9e6e73c6e2a2721833e42d6f76e7a0ac

C:\Windows\SysWOW64\Akcomepg.exe

MD5 ab6d63c7049db887b2540f96853b5399
SHA1 ff1784c29f2735755acffd658d8d4dd56b423fbd
SHA256 83e5cd5f0bb56043c2b488d214c2dc5d74ff5b43e38c6d7dfcea1c3b89ddf731
SHA512 ddc7c9b19f731f4b640a0795540bf80a145ac28e98c3b06e5802be4afa7de22634f4c5afdba353c5237273808e3d91be2ed8828f4801135cea3fb408a1797cd3

C:\Windows\SysWOW64\Anbkipok.exe

MD5 bdc189e93cacee1f2c17a5bb2e59f561
SHA1 db5f3c49501e54e82d91ada46d3d7213dd1e17db
SHA256 27d8f2c01083e12749fc901948e7661852fc1cef76893c36d079883aa0bc4c0c
SHA512 17079bf5176ac5aab7dab168263943182cffc839d8202daad5fed406c00db9d23d06d0e5781a3a5bdcabffa33a23c2471e6b6f9a3ec74f4eff5aec31e912d350

C:\Windows\SysWOW64\Abmgjo32.exe

MD5 6c2a0b0a5118f562664f80e0f4a38a9b
SHA1 15c58c10b0a49538adc5dcb4e9ddba02b588c76c
SHA256 a1bfcccb9606d798255c8748a51bcc05a74ca7575c82a7a7a24478830f423af9
SHA512 9d8e5be0e9bb7b98140f13d38b4a54e0c2f0a5692f7981270bd3dc7dc0f0490ac9c62b489b43fe1720eef3500452a891b737c280aa85bd32f913a74dd57834bb

C:\Windows\SysWOW64\Adlcfjgh.exe

MD5 30f4f9b87ac47d887fa940f05232ff97
SHA1 5b7948067098359f4d115ca5cbf15d0a6dd26b6f
SHA256 cc15882c5c2d4da2a61687551fc8eae629782a5a2766ccbd34e5716c3e50619b
SHA512 22cd588dedbd8cc9d86a03667bd4e86b33b1a52c600a3a1bb17f0bcad625922078f66a2c9b13dfe923e0977b32be008f9df2332492e16ca2d5f29ec1a8bd6f42

C:\Windows\SysWOW64\Ahgofi32.exe

MD5 4a15aaa4428590636838fbbb3a8e6936
SHA1 cb622de693afb47e68a7e80330af55fd78229e82
SHA256 b42ff63aab4f32ff038b11fcf7e0b8c06df9d1a2dfe7534480a2f2e2b6284d69
SHA512 c28e776dc85cd94cd74b1a69cda26930f0922549440646b1eb6df3b8201d49ec20b4b3e38ace08753a581a623cfc7f6e1711e84f86df8c504dddb3a807eee577

C:\Windows\SysWOW64\Akfkbd32.exe

MD5 c4ff113a984f0a14b020b98835613feb
SHA1 33b826e7436039c62ff3ac8fbeb24d041faacd21
SHA256 c5f1b348b714f161249a986ed7e8f63832d3873e83e1661e510a0fee655c87ab
SHA512 ebeaff15e86079c109234b727859b53f21538d06de49601bd169c9b4d316d4f5f0c23ef0db0b32045b2d9ebefd46b11fd7202c0759e50f3f32116fe30f7e47e0

C:\Windows\SysWOW64\Andgop32.exe

MD5 80cedad0d3c6fd02ab2e7f5479256f81
SHA1 951daf5522e657b73c54e784151952c6554ab473
SHA256 39a6595100f54843f8b60fa5ce4c664c9dfab27af1b9ad1c5ae2fd8409b4148f
SHA512 8ebe4aa88ad2b1e28fbf50c706ba1c1ce325a9c293907a5a8da3fd069eb35043648ef8726724c2464c7cb648787f598e2f3c0690b41ddbf79faeff6315180193

C:\Windows\SysWOW64\Adnpkjde.exe

MD5 d048d7d1147403bbcb8f6cce79f769d7
SHA1 e5afe9ae3708a0e7e86c9763d32987849a64eb21
SHA256 eaf48853896906192bf2a7635e354c3b107646ee1e0e81829ebed4708fe82f03
SHA512 9a8838463535cd6745a14544f4e25940542eed4374f5d8f31c2f6a81107aae367c32877a7fcf4031b48374ee2809924ecd2653dae90408ecbdf6c464d4512daf

C:\Windows\SysWOW64\Bhjlli32.exe

MD5 f037f7e5b7b7af82b3393ea56c3ce755
SHA1 2f6a5fef19591f20a8b76af6453fb09853e82070
SHA256 0b4ed757c32e62d541090bd772a66a92c00a779e2aa678f220d2104a9737379a
SHA512 bd4aeac96086b6099aa49e33a3db4a918d1cea9e10f0d824c0c83fc84f8e5a50f69ce370f41703adea1e3b9faebb1ea49952b40242a74886f09b7c495e6a1a1c

C:\Windows\SysWOW64\Bgllgedi.exe

MD5 9536d3c1fa18cf1676ff701d4e8c32aa
SHA1 a6162d0a4c44b6736c3cc6f524f9c7df7a229a17
SHA256 17a380750f4d7cae6cc07fa1f257ffa891d08bae105518aa02fc140d76506e44
SHA512 c4a90e395160e7bf9e634a78036da763f4aa188ca1660d6e85287342ed8ae16bf48f9c909165acff6b030b37a0768e182b59b73f0940397705dd1206baa90145

C:\Windows\SysWOW64\Bnfddp32.exe

MD5 c117238e387a74a1453f8be4f8548fa1
SHA1 4191635743647eb5565de1d92dd88499871226d6
SHA256 decda5c21b339a20222020e89a4fe490dacadfd4a6f45cb47bfd68cd1f7c8d5c
SHA512 3c98a2cdd54fdf96cee40c6c3c1e8304d4d58c34f077c0fde93edc94e38d127645dc2daf5d1e74fd400487adb306ba24d26f19638cead8ffcca9b614a74eab9d

C:\Windows\SysWOW64\Bbbpenco.exe

MD5 a89c0134688c967c70ed5315844e2f95
SHA1 ec01b783fc4cc74d43a05b1e53190c452efba660
SHA256 f27cbd5db160c90fec35ce5e5136e0ef7c55c633a53861f63a044f1de4aa3d8f
SHA512 83c5f291199865385eefa168b2d8aeae7f39da705018f2e34f39a37139f37147e0b816aab6921fe663ae5b72afd5099e508605916b4ea6a6363f251eba963c06

C:\Windows\SysWOW64\Bdqlajbb.exe

MD5 8fbf7b224ca9f846fa90aac9e4752310
SHA1 8d1b5e1852ebcaf0a320c5736238282959a55145
SHA256 af3c6c64452ada1af178a264dc36fd8d24ac85304ef044db04fa0e45df54b36c
SHA512 079f38a344bdb5396876c0eac0fdfcddeb72b6b7590032d3e5fa9480420e3faa20562fea61eed712781710cfa184b2ff3ac021d101571535ddd6d05c1d5234aa

C:\Windows\SysWOW64\Bgoime32.exe

MD5 81853ad1789b17dd2cba11e18f6737d7
SHA1 cfbc90560921d3761565a59a76562fa815e33251
SHA256 1b2b3770a46c4b59626a6bd6130273c5d4a8f992f71629884bb89c3b7d38f2e2
SHA512 17b3e13a121c67550b2a1805c9d9b0713dfe80595f6496ba1b6be2915c5a91165977cb4484bb17db9b67b55febb5e2a281a57ef52201f380fceeb929dbc23bc4

C:\Windows\SysWOW64\Bjmeiq32.exe

MD5 80087f997c8a849436a18455f7137817
SHA1 a132fc18e94263c894f771ed2e073cd45b13e014
SHA256 a8a2da02a8963a51e16ad666f12b679445aace15517aed486be0bec8385d0c78
SHA512 928f00336baab81e97f95c48000c9680632d0158fd551c82ee387e46d62e56b59f7e55eb62d53cca7e1332aea1ec96558496ef36260ec6cb84bd19d30fd36539

C:\Windows\SysWOW64\Bniajoic.exe

MD5 fc1d14827e2afd9c2d7d55a5c765fddc
SHA1 939c276ff3965f9c3dbe867164e6c7eb7d936437
SHA256 43742aa2cb105e8a8e2419426384fe6825021e8580ed958e9eb7417def0b8933
SHA512 78ec6e6970410cf28668e088ea582595fbefadac7d99fcbb6cc60747b9087422d0267a9e4ec15ab26b327e75a1948c4d5f16a3936f25e20515c00d8e364bf8b1

C:\Windows\SysWOW64\Bqgmfkhg.exe

MD5 294304a521f3636097ab416798dbb303
SHA1 814549b138d3c63cf9ddfcf37030fcde3b2277ae
SHA256 efc543d6a7c92d455eb345a747e6bd5120f515a910510cd556288468e5a09981
SHA512 2c4e652bc113c4d1756ebacaaadfc2eaa0a26a9b7c4caa29bd3120710511cce5b48c98b723bd741d73543de7d4d461e7afa10cca5115ce319dbdcc3ec036a4d9

C:\Windows\SysWOW64\Bdcifi32.exe

MD5 5d1dbfb1392004297afb3585b4f79f09
SHA1 823c709d384c4250240ca72a32ef9d320c82f6ea
SHA256 d112f78e7be0199ff7e93d43d54617f612d48e54bc3cc1b0b2bb9bf443503a5c
SHA512 ad8c718ca80dd03d640fbe2c0fb96b1d15e112e3a47c3fdbe335326c6130d5cb5c91303205cb4b787606399844dca5c185f115dca3862d36d7c09cb752ecfd9b

C:\Windows\SysWOW64\Bceibfgj.exe

MD5 6055cfbbf6c63fc9d32f0eba3b6379bf
SHA1 9e87e271876c88755ad49859ec131d90d02f4e2f
SHA256 9563e0fa12926a8a94a1bb4d0a8a69bc096dec9d1ab8abd575a32efe8797e52c
SHA512 cd786d0bad6606ce3f471c9130b18b2f5d6738201cd52a8a863f8c51b4ccb21d08a8a2008f4e3bbdfaf6f1a6c37d11699569dc34385b855ed3b5d07dccfbd084

C:\Windows\SysWOW64\Bjpaop32.exe

MD5 c5ddbc27483489c68e9ac2562703fb69
SHA1 6ac591415d05aa8e234729986286f2b3f44d0933
SHA256 352f606180cb3693a081f7f315769dc4aa8eea99ca86096c9ef6f9bf7f8fa039
SHA512 99fa953b33a1a864a96ea06a5c8bc78416f4ffd146353a4309a22576f07a53fa9a0ae769967a54d30a99c350bdff00a32a4a80d14950d9ed8ab793493a2e81c0

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 ed9eab12dd941edf7ab46b1019db638f
SHA1 11904c6518ba37c56e5076293674fad9b3fe1bb3
SHA256 5f7c7c8db2318806113e531eda08f8c60891cc66ebaa73f3cbd91b179dc1e84f
SHA512 4f5ac596aeba312be19a7e7655258c3d64248d7d03bc739c46e463ae8a03d8b8f2777b1ac0b29f30bd1b9f1f64da4ae7b2486687ad6f2b9d9873e122f8c53b39

C:\Windows\SysWOW64\Bqijljfd.exe

MD5 177f4215d6f00663a4e884ed20efc013
SHA1 5cd4a736af3c1dc5f6a9cec158f31ecad4be7c35
SHA256 454440acdce23a6bbd0b030559584a077d6e356c1f6aaaf8af3e5d34254316de
SHA512 8f225f103d78261a0572e510e54b9a27756b1bd5abd56641ca1767d735fcbfab2ed852fcf41912ff3e5320a4d2382dd31bc951975a20ba2bc176fa299a57816f

C:\Windows\SysWOW64\Boljgg32.exe

MD5 cdf05be901276bfbc4510e7acb805cfa
SHA1 edb1cca393021c7a9a23d24b65eb6011a2b25a37
SHA256 39797dd8eeebabbca386e091cb4821ee62906bc476c082953070e59fbdd0324c
SHA512 d98cf4e269fdec067fc45e20d5d784ea9b0c60f8d8ca6115bde9ad2c3c0696990f5837d5bdb7cee694b343332deb4838f7a0a6e380d66256c03dc06851315f45

C:\Windows\SysWOW64\Bchfhfeh.exe

MD5 918aef10848092149356c19eb1abfc25
SHA1 896e6c9da2956b65b2de7cb3d1b787a64be4f3b1
SHA256 3e28981dad24b7b11f44f18ef0d9fbfdc7abad97dee49747239635a9fe6ccb4e
SHA512 ef67cb0f71b042a0b7216815ae9957c5e3ba9d2cb5b7d672af99f4f93155de22d316d6dfef5c7f054d8b2590327424ce9895ced2d77f386ccadaa0f6b72d5a9b

C:\Windows\SysWOW64\Bffbdadk.exe

MD5 ae075507a44189446d6ab88e335f3daa
SHA1 cf7e99b17ca145a699ac1d8cc38202a12283a7c9
SHA256 f0997960ee5effbffbae38672cf968d28ebec83a77e4968fe59333d2b56837d6
SHA512 f510a0df7f4f60f8a1cd13e2debba7b711a382329c9bb214a1a73010946dcb23ae4d55d0016a336367b200978e8ee324c27ce657dc5a4d1f6b406ca0896ea578

C:\Windows\SysWOW64\Bjbndpmd.exe

MD5 a7f9e01bee0861d70a0638537763a197
SHA1 8e88e4a159a242209fab919d213dbae9218aaebd
SHA256 449b87cb68277a082668c5e22a2647d7d141f69e6eb06d120d6e3722f74ef479
SHA512 fdc33ea615afc567c9019aabd447bc5c1b5540c0ee06676c6f6209d6b8db64741816958f5aa318d404d6cb4a7da06c529cb1d74112bfd9d595502017486177e7

C:\Windows\SysWOW64\Bmpkqklh.exe

MD5 a8785b5c1f7f76a2a9d2e77511cc6845
SHA1 ad7d857132974b140b648af8fb04372d9004fb05
SHA256 328e9d68abfb10228bfa05d509ef21dbbb7f68e04cb0d8b3888288a088771ad2
SHA512 64b4873bf5a6edde1c7c54a090ed6f7101eba5478a0e40f7f8ea35b1466a8041dc65858b625d83aa1f24c58baea830b236a26f2ad370d6547ef57f0479c21f3d

C:\Windows\SysWOW64\Boogmgkl.exe

MD5 8bd03861b9c4119118f896ad2e4396cb
SHA1 bf74c2165442b96fc87ad85940443a73a5ee3904
SHA256 ae58d3c534ffc1a3a60e2d4f36272d6cad033f0b91d428f38b079ca246e62178
SHA512 e66e6853a57f632db9b7b262077cfb8c9f0b170c434e80e8261e6a73310e83ae10873e2ff7eb046bc61be036195d7026656476a1800c8bc2beb7a8ee9f089709

C:\Windows\SysWOW64\Bbmcibjp.exe

MD5 264de0621f190bb2fcdd38a035a97aad
SHA1 bb94e718a89e4d7c542ba6da668c8cbc50737180
SHA256 7b94810ba73a675b58f3d755263306d987c7c0212a874d72548990402b7efda6
SHA512 eab76dd0db61eb3f6c0fffc53387a6ddc628f2424d2c25dbfb9c5e363dad00a7ce14a2645decd7dcf70edfb9820ac85cee6a78f6fe45b991857742328960a143

C:\Windows\SysWOW64\Bjdkjpkb.exe

MD5 5c76feb92ce550ed07851113188dfffb
SHA1 32226a697be888084f10637f01358743a9ad356e
SHA256 d437b1aaa5bd754eb7e71a160a6dbe50a73410f0359c0c3369a2176233cf899b
SHA512 142fca649ad0b3cbd15345c1ecf0a71f4f0e9b86d0fcafef7c8ea7638ee7bf6f4816cabe67d49d0185f7169f578840a6137fcb1d7b43d23ffd9582ea2d9f125d

C:\Windows\SysWOW64\Bigkel32.exe

MD5 7feb1d67a668d1f433b198bc3d47b22d
SHA1 9d9071cad0baa63606da9157e8ec971af5f548ce
SHA256 ff564814d1c3ff78addeb8bf3af97a18e2cbd4866ecc1f4922e8e490be463129
SHA512 f58667d12a5782e4374ab6dc0ebe56c1291366bdb9f6813002c73af3d2c115ab366328261fe5fe2fab6b6ceb4fde6065216c2155b77a23130cca8a002e778620

C:\Windows\SysWOW64\Bkegah32.exe

MD5 71a4e451b6a7187682d864fa65083972
SHA1 f3f5e28c3216caef84437ba09413cccd89d42c78
SHA256 415c5d9ccfd5daf358c4cd01b07f8fa824b3ec1a3c22968fedb28adc5c55822b
SHA512 a95e0e77176f3c63eaea9039417357045b9fdf3ee118c0171238ea8e2513550aea876e5fa712b35560b3e3a7f1f13190fdc00c72c528fcc5f44efafb595fa680

C:\Windows\SysWOW64\Coacbfii.exe

MD5 ec9db1900082be7bb5c243fd02e4bc87
SHA1 d0cba2ea109d0c089b9622cee019176f635eaae8
SHA256 bd37a2d3f192dba9b3a11ad19cfe4075079e436b15a5949e1166d9a057884464
SHA512 960b8a02bb89662362e584014969886dc7ed8278be65bacc55fb578778ece45df8b6dad02eb8a7574d59f3816e4700176ae8af39eb2ac5c5fee9eff40c82bc92

C:\Windows\SysWOW64\Cbppnbhm.exe

MD5 9c81cd7fc36f9a89b10dc8636167ff1b
SHA1 1999ff0799d276d1b77f5167a050c94cbf4324c7
SHA256 e3eb3bbd1059554eb93fe215874d068ccafb48095103ff46d24af80454eb4642
SHA512 3dd7336bfcdc5781aa5bd1d4623ee0104aa12f3ce401c0d77c91a207ab1225d819fd44b1889748f1131b5ce3c17009226572ef36c2bbfa4b4ef4a320dc962d7d

C:\Windows\SysWOW64\Cfkloq32.exe

MD5 f586bdfd7ef9c17428f2a1e11b460004
SHA1 430c4d78d5626ef42350d4352d9952599353feba
SHA256 45eaa31d74103554318e4559d49e3eae322ec949e2753b041d129140f4d644d7
SHA512 3aa1fca0245f10a993c2313628a9a63249152678e79e92ee4d6d4f8b6ae23122dc5b605d2228f5cbcf8ebb14e29c496a10f641fa2d8190dac7cc8c9b5def3b34

C:\Windows\SysWOW64\Ciihklpj.exe

MD5 feac5020f9e13d411ebbb1f9df31f6d4
SHA1 2894e9c1691ce91fb5bfbb61e34af984fc908f0a
SHA256 b588e43f24e812494f26d7b4d2162d61072c7ed3e151db02a1cb17b152f0bd3c
SHA512 4460ff16a44dc5def1d95b15af1c9836dea6aa691155803f431e1ae9d824e40db5b20f0a970e8aa91ab2edee3bf5f79463394172a9dd040d2dcd54cc4d9d61e0

C:\Windows\SysWOW64\Cocphf32.exe

MD5 d5657e5cf92e00e9f65df21dd3dbb50b
SHA1 404a6c831c65628839acecefd92aac31f99e279a
SHA256 78daaaca29ece0d3b70c699ebd3061f7b07be43e9dfac1ba0f8b1b26154ed452
SHA512 b393ddde9cdd06404e3b5d8b8f45099c340ee459e2398805eb9bf23adcbda2fd6d59d433a48dfef08afbe7b698f751755c676a0d00cf09968c074875f91eccbc

C:\Windows\SysWOW64\Cnfqccna.exe

MD5 3b783ab23e9c1874b6ed9eb6005683bd
SHA1 51b8b85219145d17e53fc2b5d5a9e4d9d5d53d2c
SHA256 7ba0311c8d55cad18cefd2e874222804490eb3f2b67e094899234deb715e3d86
SHA512 f5b8b9fb2f1e59f9083621aa4d2f07decfd88f2edcb33afe949ae8c82ae7da07db42d4160a84157039e44d6c5a65b441eb884b157cb9b00b8ba900358a11e4a4

C:\Windows\SysWOW64\Cfmhdpnc.exe

MD5 50a9cd70b84d6aa612370d256a572827
SHA1 17d075f845f5c020caa24856da9f3d3b9c65a436
SHA256 69a056a149b83a432a4cc57f55d2ed3da78479660cec9b69f4eba24e92b71b76
SHA512 aba09fb89c4100d5d7a30995cc4b92deb0bbd0b4c4dd3c5531576a69b4ae3f7794b823e30c7b9a3bcdd90f7d81e250940d880227aab287187dd8c3cf98113e67

C:\Windows\SysWOW64\Cileqlmg.exe

MD5 d8a58171eea1e52ae349dfdc2ad86f83
SHA1 bbf36e7bcd4132c898c32539d785ea77e6b646a7
SHA256 dae5a5ca26a3c9200dfd2de4baa50b424348ed0ceef04c9e4edae5a853054e38
SHA512 1b39c8eabb4b0ef172ea301d438aad6a5bfbb0ae9d61a3ddab9e92da9efbc44eb57d0e91fc032b25c8d7b637434b8a23c32cff9ec4c255fcee1d75f30f96decd

C:\Windows\SysWOW64\Cgoelh32.exe

MD5 930e735b0ecba7e695178e4dff849827
SHA1 013ff56b6ba81a304aee1d6f1fff85cb0da0a355
SHA256 4fbe9678af0eefbe4fa066400dbc36cc71982a5b25583660f2c5d67331df23f4
SHA512 30377f4a2f743e6febddfd998be4008f5bf031e4eb3fb1cb3cc5d74a66b236f69ec6adbe2903a0576ce232e060764a05b84bd4d05a1ec5166b03d843ce23a520

C:\Windows\SysWOW64\Cpfmmf32.exe

MD5 634dffd1fbc81c5d139054b38844527f
SHA1 7920973796793d28be84082f6c590dde0f345078
SHA256 48621b2eeaa620b39e3f0ea67d43694d45931c65629257b24a15df79738d7481
SHA512 e2f9fe6d3c2967494b921e6d949f0f146126894e188441aaed18101821d9252545237c4d9fcbc0c431e72e56f7b587004a1bf759c40f62e30be4b2e858f02842

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 6e9f7925d616f0ec30891f03bb25ca8a
SHA1 b8808dface0220b0889a6f9d9f47bdecdcf338b1
SHA256 23fc3cd550410d7ab095cec4d28b3a932cb34f147ecfbe317415dedf3bfa3df2
SHA512 52e5c6493f8ad4ef9035e42bb15ec869570acf0a4252b480b948ef5f0d369d9a50f43cb82c1ee4bc82cd82615740e7f2897413d5f391185d897911c20e0a63e4

C:\Windows\SysWOW64\Cagienkb.exe

MD5 38f88e3a383669ecae6c7883b20e2dc7
SHA1 658676d268f8cf74844728f8163864896561cf15
SHA256 ee7ffaa5196e9615c771cf0461c9e266f99a07b86869a5e8e4653f124c774f14
SHA512 29ab71e6f333f0248cb0806dda6fc3f85595b938379e2db04a330a4f7871fd562f81b4b9aab5e952de128691a2daeea24ad567fcb58fcb401edc6cc9f788e054

C:\Windows\SysWOW64\Cinafkkd.exe

MD5 a18042b40dac842186e9fb8940e0bccb
SHA1 9ba2ea6842ac89d87b2c731187b99a5684bdc610
SHA256 aee1354f679ddcb149f16bf8aa50c7e8d0853e5c8322642de16b2e0fa17f5ea5
SHA512 5014dfe3c97a346840fe78cc7f587101ca811f083dfd394404b00ea6a5a449fdcf47535308f6a0abc78ad26ae78140784927266924f01c24b1bf1ff19409c9c6

C:\Windows\SysWOW64\Ckmnbg32.exe

MD5 d4cbb5c7e84eb8d743dc5b0aa365efee
SHA1 c3daf7dac2984582ccc9fc37fd0b546f767f0995
SHA256 497fcc0ffc68aba166d5af2b02efd9555a3faa5a9bf7a2252a2554bd1fabedd8
SHA512 a79e4cdf0a26eb62e8b5f544515d04fcdc9e70b760c8ca742ef264f9191d91e5a4df42e8631cb2986e787e8227c72d4314202501edfd205718e887ab484e011a

C:\Windows\SysWOW64\Cnkjnb32.exe

MD5 6129d40ebdb64dab2cba4bcfb1acddc4
SHA1 ebb9f45df9d61f902e3a09ad22074c61cf85474f
SHA256 5d6b41a019224a536523977477b98665ff49d9d7c72c52f68e005b95cdf5236a
SHA512 f7fb7445e0bc6f274a8c8c20493711eabb561b18a1cd79e44a43f467a3334ebfa38d9f085e995c9a3ec5d7c3319e5fa23de6aef11fc0a0b3cba30b1dc70971fe

C:\Windows\SysWOW64\Cbffoabe.exe

MD5 f9dc4c4684076dc4bb26cfad0cc4204c
SHA1 206b5026b766d51ce8385f1a8bc673f0ce958fe4
SHA256 664c5c306738a64e8e46e566518ad5b97f7e8c7f4e2562b08be403d2f45c6fd8
SHA512 000bef103e8847be9fc45721e6ffa79829e1e46c48ea9898980497f471af454e0f2714f325b750896ec2d9f403661bae999a456baa9f9642c01d18ffbf69c5a7

C:\Windows\SysWOW64\Ceebklai.exe

MD5 8814a94adae1c61e6aadfd8fa7afc99f
SHA1 588228f8bd1dc1e6a94988a041154e371cc018e5
SHA256 1303b08c81ab9a6749ed2e39f36e2f8eb026a90882230615482f9a6d68e38117
SHA512 ad7c917b246fb5b25a48386368d95717aa4c903eed1a75645d5ec0030449f3f9077e08fda179e8d3a62095ad9155c5bb5d6b706ab18671fc0d7eee85e9e527d3

C:\Windows\SysWOW64\Cchbgi32.exe

MD5 c3f68d67ce5e9c4854053b406ffd528d
SHA1 46d9c7371a98967058242e803f5c52a888b4e176
SHA256 a41212d9f242e0413c3546515c78286d82935741a631d705b268ba32ad31b41a
SHA512 73c2933030d56660280002ee913ba538135c588e3d0027f4f89fb2b9a29a7b567cc9d2079ced74bfa45fc6abda2861987a6eb73ac658932af5e81368ac249c02

C:\Windows\SysWOW64\Clojhf32.exe

MD5 d1cb6670e6b01f6c259cf5ba2bce1e1d
SHA1 07771721784cbf5d49e3f8016bd4183a410ca030
SHA256 f1bbfc08d18123e5e9a9a0187667925d715b1f243036eeaa9b7a97ca5eaa68f3
SHA512 77081ebdd67fb16c69b0737fb0360f76b52debc4033fe42249b66e72a4b8bdfc070f0a9988f17823ddbf9d4b5f7b01b02141d09ff174273e228b60fa498d56fd

C:\Windows\SysWOW64\Cjakccop.exe

MD5 a0544a116b9c9bad3368ed1db01d886a
SHA1 6fe89653407c3b5963ccda0d5c6f18c67c828f7f
SHA256 1e260fd3730b6e1b47ece21ccf9505f06a6eef24cbd38636144af5cb7be27cfb
SHA512 c19af6bb368299d4c9f9d1bbc30f875b3b8746072c42005a3375711b2d38f6f18eb89390f0a466c71b03f40d5680a2f0b2c522adc27f10eca5004822bb7c67ba

C:\Windows\SysWOW64\Cmpgpond.exe

MD5 f088faaad1122849f74792b2ee52e38d
SHA1 fe8b31262460aff7289e8010fca35088d239c5ae
SHA256 e62ff4551864706c3b30042880ac95be44f2de4ae3069382747a3e0bff258891
SHA512 9a97dda094ab4a96ef66376d550612e60a7e02198af295cf2d8f853cb606ad718756bba24aa80a234477f33c75003b81b13eacb5d9afc73a72c0f9e5bc272db3

C:\Windows\SysWOW64\Calcpm32.exe

MD5 48d5d5a6d07f565aa25f5197e51f4cfd
SHA1 b2981184a7f8f0a9d7907e5bb58bd56a8956ab95
SHA256 49557c6d58ab1a2211384b6401cf278cc04ee4047c46b001c1b0d43566cd94ee
SHA512 3ccce252aa3ad363bdc02399f6775afbff5d08866493654f407715a01d38c9a47a59d09cfe62c66cfe2f5a9250cbb46a763fb635fb400e9def7ed8ed260245a2

C:\Windows\SysWOW64\Ccjoli32.exe

MD5 91f96e518f028f855af8a2f900db40df
SHA1 67abff11a47fc90672a718904be7b7d56f197e07
SHA256 cb4834108eae554014874754b0e43dec2158b5ee98618b80b3c328e9217439a0
SHA512 22b86c62d6fba2cbb1e874a90f1c61fdc99b8232e911aa6c4cd7d569d271a481260dbac1d4ca8739f10a5397b147fedea7e126dba4f918feed8ab5e308bed34d

C:\Windows\SysWOW64\Cgfkmgnj.exe

MD5 e049a44461ae0dde3caf072dcfc7335f
SHA1 5e66064e1adfbbe91550c137b6638185c7840862
SHA256 084f6a2d0d0487dbe2536a9bd1cefa2a9c766d12edd7c7fd9094e54b685baaf2
SHA512 fd9237417ea7c2c24e300743c2b25780e78a072d71aa00e6a8a71786cd7d978be5e3f8d2711fb7e7580208d391358280c98a8d0ca9876e13f11aaeaaee0c52ae

C:\Windows\SysWOW64\Djdgic32.exe

MD5 6365b6369e7e79d22934c727cc01b9ae
SHA1 162503dc102e51d595d06ae72bd6bb61fe2e6aeb
SHA256 b44f33d2d27267ac44a787dce31d6812f21bcdf7a95b7f46964e86035cb3ffda
SHA512 21c45f80876b14bd2896c60f35753b623187028e54c82eac969561aa66914c0045e7eae0cd8b993b066c816d87bdfc59944f5e14fe05eec9979f2b9ed923e9c8

C:\Windows\SysWOW64\Dmbcen32.exe

MD5 2702f3b20c6edb0585c4b65319015e0a
SHA1 2453d6e4e728220db76ceb8c932d65ca57ba0c17
SHA256 272a8d62fae7e97fb1415d7b35ff33a401e183a6e493f3a25bf9745dc6f4d40f
SHA512 d1f09e13ed9769623b89ceb90a3914c75e6a3c2bd35be8f184a13f97649e409a19dfa0b68601d98d8cd61cd02eb9c4f35af65073163ffebe7eda42fb6d981f38

C:\Windows\SysWOW64\Danpemej.exe

MD5 312ac91883c448d1bb5346463a7b958d
SHA1 77a2830c70d83707c4c4f72a179b13fd79861161
SHA256 1be04663d140bc059cea0d798151fc9703190757545226a764424d293d6d5081
SHA512 f92a65c7d45e0bc8d3a7e8d1afe3c22c9f8240e19791eb4e1520393ae6a79d81936a0ca5977290b822e8d146bdbe4c84874abb03f324238f06c1bd36b818436b

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 a50714a4da49d911b45ee84afc7e0711
SHA1 9345fd1b45331ab007e4c7bd4a1e6b9a286ef8ba
SHA256 a732e4d25d64acaa0dc369ab050361bc84d586477df76af93cb664d22eb911a5
SHA512 5e2d39c924eb417c554bc8164afc92d65dfb0b542f208ed6633a79391e9dbb9a903153c5befdb465995bbadfbf3b8c627d04fd641283c9241ddab0c5074fccc1

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:42

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chagok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkplejl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daqbip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkifae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djdmffnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Daqbip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daconoae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cffdpghg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkkcge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmbplc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddjejl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddmaok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doilmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cffdpghg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Daekdooc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Doilmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Beihma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmqmma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnkplejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djdmffnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmbplc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cabfga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cajlhqjp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Bmbplc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beihma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhdil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjfaeh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bapiabak.exe N/A
N/A N/A C:\Windows\SysWOW64\Chjaol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndikf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cabfga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdabcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnicfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cagobalc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceckcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chagok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpckf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnkplejl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cajlhqjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceehho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdhhdlid.exe N/A
N/A N/A C:\Windows\SysWOW64\Cffdpghg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbpaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmqmma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Calhnpgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Cegdnopg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddjejl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhfajjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfiafg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djdmffnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Dopigd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmcibama.exe N/A
N/A N/A C:\Windows\SysWOW64\Danecp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dejacond.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddmaok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfknkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djgjlelk.exe N/A
N/A N/A C:\Windows\SysWOW64\Dobfld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Daqbip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Delnin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddonekbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhkjej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfnjafap.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkifae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodbbdbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmgbnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Daconoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Deokon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddakjkqi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfpgffpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkkcge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dogogcpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmjocp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Daekdooc.exe N/A
N/A N/A C:\Windows\SysWOW64\Deagdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dddhpjof.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhocqigp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dknpmdfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Doilmc32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Daekdooc.exe N/A
File opened for modification C:\Windows\SysWOW64\Dddhpjof.exe C:\Windows\SysWOW64\Deagdn32.exe N/A
File created C:\Windows\SysWOW64\Amjknl32.dll C:\Windows\SysWOW64\Deagdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Bhhdil32.exe C:\Windows\SysWOW64\Beihma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cndikf32.exe N/A
File created C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Djdmffnn.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Pjngmo32.dll C:\Windows\SysWOW64\Cjpckf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cajlhqjp.exe C:\Windows\SysWOW64\Cnkplejl.exe N/A
File created C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Calhnpgn.exe N/A
File created C:\Windows\SysWOW64\Fqjamcpe.dll C:\Windows\SysWOW64\Chjaol32.exe N/A
File created C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cabfga32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceqnmpfo.exe C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File created C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Chagok32.exe N/A
File created C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Jjjald32.dll C:\Windows\SysWOW64\Dejacond.exe N/A
File created C:\Windows\SysWOW64\Pdheac32.dll C:\Windows\SysWOW64\Dfnjafap.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File created C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
File created C:\Windows\SysWOW64\Iqjikg32.dll C:\Windows\SysWOW64\Beihma32.exe N/A
File created C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bjfaeh32.exe N/A
File created C:\Windows\SysWOW64\Omocan32.dll C:\Windows\SysWOW64\Cdabcm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Ddjejl32.exe C:\Windows\SysWOW64\Cegdnopg.exe N/A
File opened for modification C:\Windows\SysWOW64\Daekdooc.exe C:\Windows\SysWOW64\Dmjocp32.exe N/A
File created C:\Windows\SysWOW64\Ddmaok32.exe C:\Windows\SysWOW64\Dejacond.exe N/A
File created C:\Windows\SysWOW64\Mjelcfha.dll C:\Windows\SysWOW64\Delnin32.exe N/A
File created C:\Windows\SysWOW64\Dhocqigp.exe C:\Windows\SysWOW64\Dddhpjof.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhhdil32.exe C:\Windows\SysWOW64\Beihma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cajlhqjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdhhdlid.exe C:\Windows\SysWOW64\Ceehho32.exe N/A
File created C:\Windows\SysWOW64\Kkmjgool.dll C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File created C:\Windows\SysWOW64\Jbpbca32.dll C:\Windows\SysWOW64\Ddonekbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkkcge32.exe C:\Windows\SysWOW64\Dfpgffpm.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe C:\Windows\SysWOW64\Dddhpjof.exe N/A
File created C:\Windows\SysWOW64\Maickled.dll C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
File created C:\Windows\SysWOW64\Hcjccj32.dll C:\Windows\SysWOW64\Djdmffnn.exe N/A
File created C:\Windows\SysWOW64\Alcidkmm.dll C:\Windows\SysWOW64\Djgjlelk.exe N/A
File created C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Daqbip32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Dfknkg32.exe N/A
File created C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Bmbplc32.exe N/A
File created C:\Windows\SysWOW64\Ndhkdnkh.dll C:\Windows\SysWOW64\Bhhdil32.exe N/A
File created C:\Windows\SysWOW64\Naeheh32.dll C:\Windows\SysWOW64\Cmqmma32.exe N/A
File created C:\Windows\SysWOW64\Eokchkmi.dll C:\Windows\SysWOW64\Ddjejl32.exe N/A
File created C:\Windows\SysWOW64\Kdqjac32.dll C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File created C:\Windows\SysWOW64\Ghilmi32.dll C:\Windows\SysWOW64\Chagok32.exe N/A
File created C:\Windows\SysWOW64\Deokon32.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Nbgngp32.dll C:\Windows\SysWOW64\Ddmaok32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Dkkcge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dhocqigp.exe N/A
File created C:\Windows\SysWOW64\Diphbb32.dll C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Eifnachf.dll C:\Windows\SysWOW64\Cagobalc.exe N/A
File created C:\Windows\SysWOW64\Okgoadbf.dll C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Calhnpgn.exe C:\Windows\SysWOW64\Cmqmma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Djdmffnn.exe N/A
File created C:\Windows\SysWOW64\Agjbpg32.dll C:\Windows\SysWOW64\Dmcibama.exe N/A
File created C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Delnin32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cabfga32.exe N/A
File created C:\Windows\SysWOW64\Ckmllpik.dll C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
File created C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Calhnpgn.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bapiabak.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daconoae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daekdooc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmbplc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cabfga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cndikf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deokon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dopigd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dobfld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkifae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chjaol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cagobalc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chagok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beihma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnicfe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceehho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daqbip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deagdn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Doilmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmqmma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhhdil32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djdmffnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Delnin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkplejl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmcibama.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dejacond.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" C:\Windows\SysWOW64\Deokon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cffdpghg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" C:\Windows\SysWOW64\Doilmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daqbip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deokon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dobfld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddjejl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmbplc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" C:\Windows\SysWOW64\Cagobalc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Deokon32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Doilmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmcibama.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daekdooc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Deagdn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll" C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chagok32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll" C:\Windows\SysWOW64\Djdmffnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll" C:\Windows\SysWOW64\Bapiabak.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe C:\Windows\SysWOW64\Bmbplc32.exe
PID 1984 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe C:\Windows\SysWOW64\Bmbplc32.exe
PID 1984 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe C:\Windows\SysWOW64\Bmbplc32.exe
PID 2536 wrote to memory of 316 N/A C:\Windows\SysWOW64\Bmbplc32.exe C:\Windows\SysWOW64\Beihma32.exe
PID 2536 wrote to memory of 316 N/A C:\Windows\SysWOW64\Bmbplc32.exe C:\Windows\SysWOW64\Beihma32.exe
PID 2536 wrote to memory of 316 N/A C:\Windows\SysWOW64\Bmbplc32.exe C:\Windows\SysWOW64\Beihma32.exe
PID 316 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Bhhdil32.exe
PID 316 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Bhhdil32.exe
PID 316 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Bhhdil32.exe
PID 1540 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Bhhdil32.exe C:\Windows\SysWOW64\Bjfaeh32.exe
PID 1540 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Bhhdil32.exe C:\Windows\SysWOW64\Bjfaeh32.exe
PID 1540 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Bhhdil32.exe C:\Windows\SysWOW64\Bjfaeh32.exe
PID 2128 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Bjfaeh32.exe C:\Windows\SysWOW64\Bapiabak.exe
PID 2128 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Bjfaeh32.exe C:\Windows\SysWOW64\Bapiabak.exe
PID 2128 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Bjfaeh32.exe C:\Windows\SysWOW64\Bapiabak.exe
PID 2156 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Chjaol32.exe
PID 2156 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Chjaol32.exe
PID 2156 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Chjaol32.exe
PID 1708 wrote to memory of 4752 N/A C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Cndikf32.exe
PID 1708 wrote to memory of 4752 N/A C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Cndikf32.exe
PID 1708 wrote to memory of 4752 N/A C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Cndikf32.exe
PID 4752 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cabfga32.exe
PID 4752 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cabfga32.exe
PID 4752 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cabfga32.exe
PID 1832 wrote to memory of 3460 N/A C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 1832 wrote to memory of 3460 N/A C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 1832 wrote to memory of 3460 N/A C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 3460 wrote to memory of 4024 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cjkjpgfi.exe
PID 3460 wrote to memory of 4024 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cjkjpgfi.exe
PID 3460 wrote to memory of 4024 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cjkjpgfi.exe
PID 4024 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Ceqnmpfo.exe
PID 4024 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Ceqnmpfo.exe
PID 4024 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Ceqnmpfo.exe
PID 4356 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Ceqnmpfo.exe C:\Windows\SysWOW64\Cjmgfgdf.exe
PID 4356 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Ceqnmpfo.exe C:\Windows\SysWOW64\Cjmgfgdf.exe
PID 4356 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Ceqnmpfo.exe C:\Windows\SysWOW64\Cjmgfgdf.exe
PID 4380 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Cnicfe32.exe
PID 4380 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Cnicfe32.exe
PID 4380 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Cnicfe32.exe
PID 2612 wrote to memory of 4588 N/A C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Cagobalc.exe
PID 2612 wrote to memory of 4588 N/A C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Cagobalc.exe
PID 2612 wrote to memory of 4588 N/A C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Cagobalc.exe
PID 4588 wrote to memory of 3712 N/A C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Ceckcp32.exe
PID 4588 wrote to memory of 3712 N/A C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Ceckcp32.exe
PID 4588 wrote to memory of 3712 N/A C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Ceckcp32.exe
PID 3712 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Chagok32.exe
PID 3712 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Chagok32.exe
PID 3712 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Chagok32.exe
PID 1420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 1420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 1420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 1100 wrote to memory of 4028 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 1100 wrote to memory of 4028 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 1100 wrote to memory of 4028 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 4028 wrote to memory of 408 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cnkplejl.exe
PID 4028 wrote to memory of 408 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cnkplejl.exe
PID 4028 wrote to memory of 408 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cnkplejl.exe
PID 408 wrote to memory of 636 N/A C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Cajlhqjp.exe
PID 408 wrote to memory of 636 N/A C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Cajlhqjp.exe
PID 408 wrote to memory of 636 N/A C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Cajlhqjp.exe
PID 636 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Cajlhqjp.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 636 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Cajlhqjp.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 636 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Cajlhqjp.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 2760 wrote to memory of 4856 N/A C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cdhhdlid.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe

"C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe"

C:\Windows\SysWOW64\Bmbplc32.exe

C:\Windows\system32\Bmbplc32.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Doilmc32.exe

C:\Windows\system32\Doilmc32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 396

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1984-0-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Bmbplc32.exe

MD5 976905142b45073a08a9be8bb0fa27b5
SHA1 9ee0b4bff01230d0689745c81c3b103e0f049bf5
SHA256 cfe3ae96cd82a4d4c4b946004f96cf82c7e34f507d809bba82773acd605f84b6
SHA512 0f49c29b462c074e45bb7da53bd79024fc27eeb81abb4efd3ef938f1a27e1fbd5d4a6695f5485f47a63668df2eaff941e6d8b8076c414bde2ad66b6270bf88f1

memory/2536-7-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Beihma32.exe

MD5 b60aa944d358d333422e1c88d65fe9b9
SHA1 8f5fb389c97fb67bab5b5a1269ff4252d92f94cf
SHA256 86b612ee0e9fb953133205268272a77ee3a1328b3af530cfb4c8b784dcedbb79
SHA512 296fd4dc9c9b74378c7eec14232ee5c3a2a2c2f8428f5fd8e1eeb8bd46cee3a4eec51a30662638784a5024b6ea47f38fb0354ec544cda1543e9726fc3f701809

memory/316-15-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Bhhdil32.exe

MD5 407cceaf4efda3fb6f97efa1537eedb3
SHA1 cea371b1014ec40c630ea6eda27827d1666b8ba0
SHA256 1fb3b47565f679fcf73437879cd7f876de3db9060b4b5853769fb0c7289a19cb
SHA512 4b8bd1e31e9b39836e61e49e21b40097e406bcb87a6db9cb7d2e15de397a89f0007c48d9c1467412d211f62e78bfe301b380a931a117364211a9159e9a4a0ea7

memory/1540-28-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2128-32-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Bjfaeh32.exe

MD5 98246540ecb13b4de34393ec79b97dc7
SHA1 a1dc840d6680db1e092ff708506711f3f606d10d
SHA256 4c916fbf11b7b54c805daba55b12fe3823bbefe2ffb754c313df479120bde520
SHA512 61ef4e1abc35ca413faa9eb0b50e57d04306c0da828827fe24906af61f446daa10841df1e8be8c4e86fccd934a21e803e19cc2d41571fd96f7480db09e38a1f6

C:\Windows\SysWOW64\Bapiabak.exe

MD5 6d4a5aef20f9701120e887fbf64ef14d
SHA1 062e312e95d429d3497ec4fee62fe44986ea83ec
SHA256 bfe2f2bb7e4c507803d9d2244baebabe1a04d96a33d3fd0526680c40fe999b5b
SHA512 56be743cb8b609a88d78ab625f3bd90a530b695d208f722e8dc83409ea4f006bd2b1f8bc851541de64e3a42e6eb80be54e21b2ff2ce6fbd417e2d3b1b5d306e3

memory/2156-39-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Chjaol32.exe

MD5 633295bbaba0f6cfab58c8e610fcf70d
SHA1 4034240053feef7c725078aa39979f345e0ea477
SHA256 d18adfbcaad0fb29f549797d689972fbdf99b966967f62b58d06cfd5876c8878
SHA512 17331a8afcec550f14832417104ae00d61453be9405f52a3ba51001993723ad578e658ce02324d855685a0949b73f211425a29b6a4d468bdd08cee873eee47da

memory/1708-47-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cndikf32.exe

MD5 164e575e2d15e3539c85bec7d4bf71f5
SHA1 e87e92c5411f5086d1f24474738e3b962a7974af
SHA256 b1045b879dc4de0b8dc6776185ecf65981ba0bf1c05b033c11f8bc1e05a6c06a
SHA512 7b1a7363bfbe97a451c964b1d01e315e16b58945e0006f093942443240edab455260a27c36f5be8492f649037b7930a9744bfe724f95d09ffb8b4f8766a2106b

memory/4752-56-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cabfga32.exe

MD5 d801f6f03353468465956ee130e89677
SHA1 066a590299b1a2c03a81ff98e599f8856eecadf9
SHA256 9d35bd7c0652c490a8bf5e0040d3b585c6f9afcffa37da4588dc79b62201f20e
SHA512 490de750600bb9de858ddb7b3f1eb1cbf2c7fe044d173cee7ffd6bf43ac982cb31bc613d0c8dd7f1ce79b2f61a4e79c79d6663f6aff7d6b0471963ffea689e85

memory/1832-63-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cdabcm32.exe

MD5 521e37581449ddbf68972c9daaade00b
SHA1 552ec584f17e7ef90396b89afe507504a1d213fa
SHA256 50397d5eb16958be38122d2a99fd0622c7352834ca79f70d26eb4c6e684abad7
SHA512 25ae2a20621285be3d647cd21bfd330a61daa05cd8545ef844309d99bd35d5bb9ee44c398b34b24fe8b5e85cb08c678c4ac49585937a06fd82651a6ad98b898d

memory/3460-71-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cjkjpgfi.exe

MD5 23da000180e7885c9e3827749cdf5d22
SHA1 2c59b845fed35120e8c29877c20216d2a6cb2508
SHA256 ed8fabbf5ebebd0df58ab8e24e505c6ab46965055b9f5bb4e78bd6553cf19300
SHA512 1dc5648f9b91ed5c5afa25cb5be2a5f6a7ce641c0f44383b74a2bae049f08676aebaccb310c91370a0ac11d7d6278552128196b58ba2b618a4efc5728f4e2f7a

memory/4024-80-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1984-79-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2536-88-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ceqnmpfo.exe

MD5 2553a140aa0c2ad4cdfe71ca3f67fbc8
SHA1 048190733e892d5353e55a038d28a3f32e5b645d
SHA256 e0300972ec4291a638d6f9fae68a48336e0d1862bf78f84c8d2ed69e77b55e61
SHA512 6c5e12210000ad416bf3a70d6568a82994c764ba7cfb240d9d1d532120f1dbfba352536db0d4d991d7c0899f40837d951f2acf653ee66796e6d5d71bd285fcc7

memory/4356-90-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cjmgfgdf.exe

MD5 cd6bbe22852ed2c890a39d9d67d2a816
SHA1 f4aa4357d49f33aa0bc1f7a75c9fd96b20fa3a1b
SHA256 84638c59bc9b9273bdbdd21f82a84c839a1bafda22b498d0f8d8f979f5c7ee97
SHA512 32e9b0dda3ca9211628b28c52a042a30880003a8c46445833486ccaf83b00a43f360846fcb047d832e50dbf59e9ca0fa1364f4f41990aec27569be488c5409ad

memory/4380-98-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cnicfe32.exe

MD5 02a441ef861c539a8df630db114a0abc
SHA1 cc6bca0885b4cb869613ab59b3bf807addb7e9c4
SHA256 0e2b3a01fb38ac2de400e10b39b7105fe9902937147b5512e703368d056d0911
SHA512 c34026a66b3d82d72b0405debbf7c01979d9ef57ee556c4c99756e6603f676707dac1af8c9a8ec9e7d345b278f8ddd3a7959ba5a8873210b4bca21dbc950a3fd

memory/2612-107-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cagobalc.exe

MD5 1557ad72b36d3223d9b30a776d9302db
SHA1 285aabce9194f426d0dfd36432b331f85dbcb8e3
SHA256 cafa1e92e374de920fd2739e831d3aab36d7c32ff66951d15890a2cae064e3b5
SHA512 a995e82a6ba649146858c1be6ba0046911c7ddd96ec6795482a331d0218904caff17b10c110a6e6aa9235e5e9ac23b550cd3f9810a86c1c39407e14b36ceeb9f

memory/4588-117-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ceckcp32.exe

MD5 4a10c76c0821122705d8c1d98e887275
SHA1 230448344316e23bbf0890dc06f5c02642ea0de0
SHA256 5dd008cc9096ed36722d5b55a8546845998a265d7f3d291bfcfb9bf1c89fa878
SHA512 99400a5b454a57d1c0473413b290b70824df94e08fe3ee6f26c9db94827d4a188acefc73554264894c5deaa99575e63b6a81e71b5d0f79814644f3d38bcced48

memory/3712-130-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cnkplejl.exe

MD5 e387882045eee6c86a5c50ed79a4fdde
SHA1 49c40de6fa0e347cebc09298899fb0aabb4e1d94
SHA256 c2f9ceed51f16527ae94a8ea2b558628c90e4374f010c8970ea5648c1380f27e
SHA512 b8bd3fb4c6308c5a43afc3ec0c81a468d4763b25d3f0ca738f3ce764619dddfad90b3f5cd3f1d76dd72991a90a941827367e61f93e848b33be7d813d8cf79dfa

memory/408-167-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ceehho32.exe

MD5 1195831b7bb883c05b7ebf4c0e641345
SHA1 f97515d5d0f04e7f6852a2ce287168b5d290475b
SHA256 dc0470f9ef3413e51f2f80fa6ce626398e30883bd04c4ba86fc87a7a0d798187
SHA512 6321169cbacf17cbc5b5e795fa0f7b4283e4fa89602bf799a9a4449ca199783c9faa60550b6540a55244fa0d905e4c463e72dece88e30b9be0a66e5b3f948e2a

C:\Windows\SysWOW64\Cdhhdlid.exe

MD5 013a40b077bf5aa15e6e4fdfb8149cb2
SHA1 a448bb3d76b99eeb80c2918c1bcd195d40721a55
SHA256 fa4348723662b5f0881b61c389717b850a707f3e2b35a0281c90cdcdf591c9aa
SHA512 b0efa2f30644f54a980c3c840d0f75980373d92e7d823022f40b4496d32e99c55d7b4600097243167aac9bf2a25354578169bbefae5293265c6e54189b7d74a6

C:\Windows\SysWOW64\Cegdnopg.exe

MD5 17c475eb0a2f041a5ca91bd379d2a18b
SHA1 2ced81fb43122a26f97eda69f25ad7b7fb238eb9
SHA256 03e2417ccdf547d0a0efecfd1de256849db5b40544c1b1b62599ab18701f7615
SHA512 ad536a1f87f17c4a5771d55125fbea0eb731dd9816c6d7816f3aca5641bb42b45b8300e296e7e41e898a979c6dc0e74bffc060c7076c29a41d946adc569fc1ca

C:\Windows\SysWOW64\Djdmffnn.exe

MD5 8033ad7aef16c6aa4cf459ab6bb61019
SHA1 fd8aeee839fafece23990b28a5113cd5f12d4555
SHA256 e8506c5225fd6cfff2bc85618586d807bad02bc068e46d19469a1e6df33f8596
SHA512 5fc740748d45c6f7891a1b7fd4c690255107a898ea3c3d2b8c2705081921b9aecc980c41e053ccdbaf13262bbfa73c4f2a623c517956ff9c084d1d178305f4be

memory/5060-293-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4932-366-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1096-389-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1660-413-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2584-431-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1936-443-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4760-446-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4252-445-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2284-438-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3004-425-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5096-419-0x0000000000400000-0x000000000043C000-memory.dmp

memory/712-408-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3660-402-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1948-395-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4120-384-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3828-377-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3040-371-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1456-360-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1824-354-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4580-347-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1376-342-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3160-336-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1524-329-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3388-324-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5052-317-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2888-312-0x0000000000400000-0x000000000043C000-memory.dmp

memory/956-305-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2560-299-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1896-288-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2408-282-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2476-276-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Dopigd32.exe

MD5 8f2020adfb2b924ab4add14dc6fc3286
SHA1 aa8550f2a33777ad675c72c176554781bca9b641
SHA256 7c7db047f1a046629fc33fcecaec209eecf84710e9112f7de3117efd123ab02c
SHA512 7883c17f2514fa39f9b9c784d2631d69d6b247ed12fd9b831171ec8329b2d70a3ca6c8df406e045f7d140d26fa676a19ac8d2c6ffbe59576913493f1c9c65d23

memory/2972-267-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1912-259-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Dfiafg32.exe

MD5 e5b0d2dd28eff3ec2e74dddbcd75610d
SHA1 d398fc0f5b098ba7be309d4c8c54525b28609dd4
SHA256 c14ee219a35ee436e6a000af8677d34304a28dce44f0198b050610f3ea5e4b72
SHA512 8f0c490150555927149ba3fae5caef292f6e071cf4699224da5f06ba7f8021dd571dc64732f72e8805842385be3a66db59a8aea41fa16356d2645620658f1596

memory/3604-252-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Dhfajjoj.exe

MD5 49b1071c6c4ba63a5ad82d4b756b3aaa
SHA1 b1b2f46ff6d6d00161f072ffa8eaaab1f09afbcb
SHA256 85a1570689487de87507a7d159052a6a2329f05f89655124f955660fb55d3293
SHA512 9671fdd4203e8173391c6541bd200f43df2a368ef1fd3f7b5b381bcacf73c81007a0568eee6671b1ec1e146e6010b87d554cdc2bafc978a9f3714a38a261706d

memory/4432-244-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ddjejl32.exe

MD5 1e2b7d1504125746bea041bb62982e77
SHA1 3f15ec19ef7d92bc3981f116ce38f0505942c21f
SHA256 d01536c01923d97f18f494f00998ba3c31d9e974107526589f57418e73a1dbe7
SHA512 8fc0f8a2184c3f17e1b9d8fe4b992885f0cf0f7df4d5c00938b4ee49ef36feb0a3e037693dfc82929c59f8c08bb3e883db1d5e93c6ad8c5f1531645aa25e98a0

memory/4764-236-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2928-228-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Calhnpgn.exe

MD5 23667cd4d9e45fca37c5448a093a9620
SHA1 8c5f9c6c2c1de66d1d22050aa1afedb276df89d9
SHA256 9546bb931fc6a48de795f298239291f467b2745aee4977f0beb39725bdbad68c
SHA512 c398adbf441d4fd330391216e9243d1cbedf1d9d5ea0aab4cdecd5aaa96cde1f5fe68f5b630816ffdf020154b87abc47174ffd908ce8ccca45137518510380b0

memory/2532-220-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cmqmma32.exe

MD5 a6977ea5a4adf76b4154cf879f237b1e
SHA1 d82de23c3a8c3b91ee7d2ac885d5dc1a4f514571
SHA256 ec2fb1616c766dea426c77d75074ee32f13bf6c524bbdbd9db5cbd5d3c7d9abd
SHA512 fec7d3647b71abd90c2f8fb0b91240f54e2f06f095ff537f6666fc46bb84b6e86efd6e0888e24fa5fccec1443ee7a8904036d8c2795c5297904ffdb00028b19d

memory/3908-212-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4588-210-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cjbpaf32.exe

MD5 815b1c12a0b476ecc64bcd27c273d9ea
SHA1 f7ee5d5a83f65493f8c85f78dd459f8e0d999ac2
SHA256 46e75083438e667a7feb8d57f7c40a9f289c5d001163339f17eaea839d23d0a4
SHA512 fcb57fad4fbe91810aa777c31b6b673ea98e95005547c8dc357d2ed4ccaa3c94b9ac79c67feb6ef42633ff4b1d1919cb4b0cfe063373efb85f0ea74cd53df0e2

memory/3892-203-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2612-202-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cffdpghg.exe

MD5 46f4d9c968cf52b93d06a96313d4c4ab
SHA1 edf2da3e4c9caef8795803538a10c04ac2e6678f
SHA256 f446e78ca79c456efee5d5a910985819019ffed1a5ed276ec184a8adb2d434c8
SHA512 2f6c074eb9f6d763f21e40208925f0f047501c13838ae06187cdd040cf90296b18e959fcad61eeb0fb58dbe9567e31fe59bf30e07b5736db7281d06bc5d54042

memory/4856-194-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4380-193-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2760-185-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4356-184-0x0000000000400000-0x000000000043C000-memory.dmp

memory/636-176-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4024-174-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cajlhqjp.exe

MD5 0b378d0cd659a2d8da4e7e71af38e287
SHA1 e68afaa96a2ab59e220776011238382747a07e99
SHA256 9a4ea48ce30c8e80f04429e486b5787a61e9ff8ac652a00ffe38904df33ade17
SHA512 f0072af0245b6f47ea6a22921def97c2200f664ba3fd8401f2983ee96323e191c421caa1292fe32773aa00e9e16aef1c9d4d4815a738aa797d5f29ef22ea54c9

memory/3460-165-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4028-158-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1832-157-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cjpckf32.exe

MD5 39e12d447f22212764566d626bf60baa
SHA1 6c3917ad02454b1e1b23676af0f5edd6e80f4fd9
SHA256 7986ce906f9ab6c14b7411a088d4b7cb3672105a3b025dfac8c36748aec9f66e
SHA512 570b3f271a174e04ce1725b19700c1ba978df4e207703473b795c224e96c083f0129bbcb63a68fe9f2bb515aa370e60a9dbfcbcb3e555630b9e7e55e0c74bbde

memory/1100-149-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4752-148-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Cfdhkhjj.exe

MD5 6e5c5e88966c1080ee5ae836625c6d0f
SHA1 85f4234c24c29f4be96c9479960fdea68f3625bd
SHA256 f85ef654c96fb430d0a12a7b463eb9fd5df0767d1ade5cfc185d9c7f93077ffc
SHA512 8f53ef859f7339cae4016fb51140ea96bba9ace16f5a1762f77af094ab3d826a91bf14d3b4b6a59192b41e6525cb3a1932c0e4388de1295b341290817292ac27

memory/1420-139-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1708-137-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Chagok32.exe

MD5 93b610ff7224af413a2b595406d90409
SHA1 1df8b2051debda096c689fba366e446649af3412
SHA256 4f3d5425c040e6c5f7b5db81bb84162a8602a1bd0b68ec4b7848aee82c341acb
SHA512 a7a247e86e081d918c7d8cae881ef1a7df97594e1fdfa5a4fadd2d7282df0f409bf1be03b14ec24a38c2c92c204fc74dc31a1606e31017d9f58a8f8a57d4b0fb

memory/2156-129-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2128-116-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1540-106-0x0000000000400000-0x000000000043C000-memory.dmp

memory/316-97-0x0000000000400000-0x000000000043C000-memory.dmp