Analysis Overview
SHA256
dce340e1e7c0f1782c5bc80acd3c8fae7efcf60ac1feb7bf4b0cff70ea9e55b6
Threat Level: Known bad
The file e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 00:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 00:05
Reported
2024-04-07 00:07
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnffgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Legmbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Clmbddgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Legmbd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmebnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mholen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmldme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bhajdblk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmefooki.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbbngf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oghopm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ljkomfjl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpjqiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oomjlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ipllekdl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Keednado.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bhdgjb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mpjqiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiknhbcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oqcpob32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpceidcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jgcdki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdacop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Maedhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nekbmgcn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mmldme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jhljdm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nekbmgcn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jmplcp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbdklf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lmebnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Laegiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mieeibkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Onbgmg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cinfhigl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mbmjah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhajdblk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iheddndj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmplcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkaiqk32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Cpdcnhnl.dll | C:\Windows\SysWOW64\Jgcdki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hendhe32.dll | C:\Windows\SysWOW64\Mbpgggol.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Meppiblm.exe | C:\Windows\SysWOW64\Maedhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqfjpj32.dll | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpceidcn.exe | C:\Windows\SysWOW64\Bobhal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgpmbc32.dll | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nelkpj32.dll | C:\Windows\SysWOW64\Jbgkcb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhngjmlo.exe | C:\Windows\SysWOW64\Jhljdm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngdifkpi.exe | C:\Windows\SysWOW64\Mpjqiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qodlkm32.exe | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iheddndj.exe | C:\Windows\SysWOW64\Iompkh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbdklf32.exe | C:\Windows\SysWOW64\Kilfcpqm.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnlmhpjh.dll | C:\Windows\SysWOW64\Mbmjah32.exe | N/A |
| File created | C:\Windows\SysWOW64\Maedhd32.exe | C:\Windows\SysWOW64\Mkklljmg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oomjlk32.exe | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaapnkij.dll | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fnahcn32.dll | C:\Windows\SysWOW64\Ohendqhd.exe | N/A |
| File created | C:\Windows\SysWOW64\Faflglmh.dll | C:\Windows\SysWOW64\Oqcpob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnpinc32.exe | C:\Windows\SysWOW64\Jmplcp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fcohbnpe.dll | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| File created | C:\Windows\SysWOW64\Kganqf32.dll | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eppddhlj.dll | C:\Windows\SysWOW64\Ngdifkpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Npccpo32.exe | C:\Windows\SysWOW64\Nlekia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhdqqjhl.dll | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oghopm32.exe | C:\Windows\SysWOW64\Ohendqhd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Okfgfl32.exe | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljkomfjl.exe | C:\Windows\SysWOW64\Ljibgg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmefooki.exe | C:\Windows\SysWOW64\Jcmafj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qaqkcf32.dll | C:\Windows\SysWOW64\Mholen32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngdifkpi.exe | C:\Windows\SysWOW64\Mpjqiq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngibaj32.exe | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aganeoip.exe | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjbcfn32.exe | C:\Windows\SysWOW64\Bhdgjb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jhljdm32.exe | C:\Windows\SysWOW64\Jnffgd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oaajloig.dll | C:\Windows\SysWOW64\Mdacop32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Odlojanh.exe | C:\Windows\SysWOW64\Onbgmg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kicmdo32.exe | C:\Windows\SysWOW64\Keednado.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjdplm32.exe | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| File created | C:\Windows\SysWOW64\Kilfcpqm.exe | C:\Windows\SysWOW64\Kbbngf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Keednado.exe | C:\Windows\SysWOW64\Kbfhbeek.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajdlmi32.dll | C:\Windows\SysWOW64\Mbkmlh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ohendqhd.exe | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amnfnfgg.exe | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbgnak32.exe | C:\Windows\SysWOW64\Blmfea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Keednado.exe | C:\Windows\SysWOW64\Kbfhbeek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oaiibg32.exe | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmebnb32.exe | C:\Windows\SysWOW64\Lclnemgd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmagdbci.exe | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdiadenf.dll | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfgheegc.dll | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jmplcp32.exe | C:\Windows\SysWOW64\Jgcdki32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mbmjah32.exe | C:\Windows\SysWOW64\Mieeibkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjojco32.dll | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Balkchpi.exe | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdkgocpm.exe | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iompkh32.exe | C:\Windows\SysWOW64\Ipgbjl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Laegiq32.exe | C:\Windows\SysWOW64\Ljkomfjl.exe | N/A |
| File created | C:\Windows\SysWOW64\Mencccop.exe | C:\Windows\SysWOW64\Mbpgggol.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdlmj32.dll" | C:\Windows\SysWOW64\Iamimc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Keednado.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" | C:\Windows\SysWOW64\Nkbalifo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oomjlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ipgbjl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdfge32.dll" | C:\Windows\SysWOW64\Ipllekdl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mkklljmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mholen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll" | C:\Windows\SysWOW64\Bhajdblk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicieohp.dll" | C:\Windows\SysWOW64\Ioaifhid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mencccop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iamimc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daekko32.dll" | C:\Windows\SysWOW64\Onbgmg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Laegiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll" | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Agfgqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpceidcn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hiknhbcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jnpinc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cilibi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdacop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Onbgmg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lclnemgd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ndhipoob.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll" | C:\Windows\SysWOW64\Mieeibkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mkhofjoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lmebnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ngdifkpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nekbmgcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iheddndj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kilfcpqm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nlekia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiknhbcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Abphal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jcmafj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghhkllb.dll" | C:\Windows\SysWOW64\Knpemf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbbngf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mbkmlh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nkbalifo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cinfhigl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kbdklf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mholen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngibaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pledghce.dll" | C:\Windows\SysWOW64\Jnffgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnbi32.dll" | C:\Windows\SysWOW64\Kmefooki.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 140
Network
Files
C:\Windows\SysWOW64\Oappcfmb.exe
| MD5 | 3617f5eed8253f195aee5b6d18096c2d |
| SHA1 | bfa728bc4eeea4185a2fb9d73b5c1acd6683fa8f |
| SHA256 | 7cb5e82f634fb6d4b73cfde5fc8023990821d68c6ca4b529c7dd1e311add2881 |
| SHA512 | 3c0530b07af57e437ec72963d5fbdc828ce89d419093b4b9d6aec02446ab19f6dd942625596a13c4ed7460cda1b3ee697fb81a57e5bb1b0143400b6ba8279aa6 |
C:\Windows\SysWOW64\Oqcpob32.exe
| MD5 | 0b0d45e300aa7de8303e33d03c3a9f75 |
| SHA1 | 364196775e9e6a78018f579aa9414f2bb113b833 |
| SHA256 | a74f3bd75c6a9aabfc254ea9ac576b9518bc54a2958477b9bbb5c33f8757c208 |
| SHA512 | d98598e2ebfa65919ad33fbea7947a11b54552d2d87dbf26006fba3500a9425e359ec3950945ff56043cf31fcaf819f28cf6a233d6cf19e54d122859474e336a |
C:\Windows\SysWOW64\Pkidlk32.exe
| MD5 | d30fd3af38378f44430ec97c023a9557 |
| SHA1 | a10f8493278b926891e85cb4fe3b1c04d19b4984 |
| SHA256 | 286962ba071200ebeb8f16043995d7b39f3f15b52f0edeff27eeb68b334a9ffc |
| SHA512 | 63a4f660b433d235e34ea1a8f1cfb11d690e717175320707573d7340ada874adc3a30601045d53c390db1c7bdaa6a1490802b0ccd9f7bc718433aa39193d3c0d |
C:\Windows\SysWOW64\Pmagdbci.exe
| MD5 | 0f4f40258bc6686becd3bb00901009a4 |
| SHA1 | fe3335983cb5ce76ebc7e96b9542c3f3d9bc0904 |
| SHA256 | 3805d0a581bd35a0efb612e6f41ee2555e7ef797f9a875a5b6b2e94585682e39 |
| SHA512 | 755b046cdb104bc1fb6b44a90ddc8ff11f08133af70d3f4412e28b3aca68254d142aa560386bcf657487c6e7a5cbd16c02d590aac16711ff4c7e9d663d61f2e7 |
C:\Windows\SysWOW64\Qflhbhgg.exe
| MD5 | 20d04bd65cbc1d72df5dd96a4f0ed4bd |
| SHA1 | ca367e382648f5c588ad68c3e283559eec9fc501 |
| SHA256 | 5bb578c7b0b74dea1a9e534f386fbf4991c8110dfdb5f38d35d4fa9e67e7969c |
| SHA512 | 7affe7d1a1eff21af86ab71c0180be987db63be13b2b1a1024464924f90d5c62590fe82ac6493fca6612af139b386a189e8fec51eb5ffda80488701305054c4a |
C:\Windows\SysWOW64\Qodlkm32.exe
| MD5 | 2f73cc8b7ecd35baae6a4d74307a6440 |
| SHA1 | e5250dccd39a6a811a3973f1454fab37cf2dbc49 |
| SHA256 | 0773b6f695f73b0722df03f43f39fceae1e5bb661b52d17b03f40753745da81b |
| SHA512 | f6f92df181af6f914f6eb3a279a82c65ae4fcfe94ab70e69231fc592c4ed306049abd34682fc22aa1ccbeffe55b491711065379fbce773be2dbb2454dc4301f5 |
C:\Windows\SysWOW64\Qeaedd32.exe
| MD5 | f8df8e9ea468da6bd4d6cf4dc8f0560d |
| SHA1 | cf1734fad935dfaca4e4ccc5b40e937607a0f0ee |
| SHA256 | 80404b2ea14d4c9d0692007bc09f6d84ca5f05e57ede0a39a6607336c5f37477 |
| SHA512 | 90f319dd057b0cc62c463510bf56f5fe4d7e69010142b5a2e2bc2d990416553250e4704c5218794d43f39c383d9dcab5f343bf7a16ad5b1e18183d089918000a |
C:\Windows\SysWOW64\Qgoapp32.exe
| MD5 | 78c54d684578fa09dc3655bb1fd4d5a3 |
| SHA1 | 12473f50869150c128c2fa8d01f4bcf661c01c4c |
| SHA256 | f5704f9e4108b259dd120cb33054fcf932c66aebd01f67a76747cdf993b3dd2a |
| SHA512 | 8524b288cdb75edf32e10e42c50324f9b61b70637a7973849ca91861a42a07b4b133388522d8828257fee0600bdfecd5f2414fa36b608b92e5e22e59348a84ff |
C:\Windows\SysWOW64\Qjnmlk32.exe
| MD5 | 06911101711ace3bd2b6e1d14281640f |
| SHA1 | 5ddc602086d27636658412c92b75e2f2026f848b |
| SHA256 | 6994686087311eaa2936e686f9630145a141a819fff6993a40fc271c2c4c0414 |
| SHA512 | 0fcb4e15d6cf69f99e56da5e9378408f2e367c3598fed3aaccefdd1826f7c47b7a29c0bd6cfffdc96f412de7d55ffc6e0c63dc82b36d2754e3533e943e781bf3 |
C:\Windows\SysWOW64\Acfaeq32.exe
| MD5 | a6c4446017ad5b64a848765ebe7a6f71 |
| SHA1 | f04f38d6a8657b901b47e465aadacb25e5587132 |
| SHA256 | a026e811e5c12e043afff16019d14bb81f9023dded5d25384d0cd3e5cd21f738 |
| SHA512 | 2bc92445cc161f0a77ef00ca92a993e24ac4ea3439791e64e1eb6ac3a2cad78ba809797fac53b2f0a9b25c51c4766b00744ce260f7402662a4d4ce296aa4fbbc |
C:\Windows\SysWOW64\Aganeoip.exe
| MD5 | dd9a5282c849e06c3fb363b1685ffe89 |
| SHA1 | 4616098a99813cc5fcec21811686ce2aa34e839c |
| SHA256 | c25c78917746785f3fed8b3690b645d82fd6b84e3ce7612e3e3fdda4565ae448 |
| SHA512 | f54230cc9415cbdf65df5cec8ea8fc3f5f69782d0ae8ffdc16a57bf37aea499232f1388717539e0575017e8a8f433a7abf309a52b42ff3cda865a5e1d59161dc |
C:\Windows\SysWOW64\Amnfnfgg.exe
| MD5 | 2fc1040fd91937766419d0fcdae0c255 |
| SHA1 | 96e07a1b91b8b306d7f4e0af264dbbb8a0c6534d |
| SHA256 | 6687324008701968455b8f83a2eda24d2d67b2ee9b7df5a268ab50700e6c3135 |
| SHA512 | 359f2ca90215a80587c300a31f2d37f13d4529bf374bc306cf567b21ce3cb38d7a1a1000c6aca7056bdd8def395829989fc661c9f46a5863ca6588fe6bdbf141 |
C:\Windows\SysWOW64\Agfgqo32.exe
| MD5 | 40618113a14cd9683897af7fd3302ec5 |
| SHA1 | fb9bacb6d30fbaa423afd2dd23fa080d8b795c2e |
| SHA256 | 57fc551ffff5cf1a138e75e41c7fc0a169b43e1efc12db2a73034e6a916f054d |
| SHA512 | b7c00e1675528aacdbfce5370aa705188d2fca9625cf0dcceb224eda5c91c9935a2cbba51c358bb7bf78403a6fd9c33337d5dbd96dfb27cf9d89044d99d248b4 |
C:\Windows\SysWOW64\Amcpie32.exe
| MD5 | c904209b6676d85da77cdcf16c9d26f0 |
| SHA1 | 49f3a1bfb46deba5c664bb41781a39f872f4dbf0 |
| SHA256 | 1d8a1f0e108d74b6ceee966c0342c42dcc3de43152cab028a4beb062222985a5 |
| SHA512 | f070528018a2fcfe7713685cf67037cab8388c2be1bd7c171734c900978e267aaa0c4f39020ebeaf334eac51ba60f697239748dac97e1282e84797d1c79b8812 |
C:\Windows\SysWOW64\Apalea32.exe
| MD5 | fc3a8e3dc4765d5e5cb2c0a1f74715a0 |
| SHA1 | f6dd2235551a91fe411cbea5175321a5b6a0d4db |
| SHA256 | 5e1090ad985b87f853e65f835b957e50e3b62e7a2ffa278da935259e73742786 |
| SHA512 | c10218040e77ebe2f6ed3f7b67d9cd3b0d1f7127cf6e75e37de3ec5498cb0ea12e99615cd4d1bad07e9f6bbea2178769fed9eb953475bc2befbe24423baef260 |
C:\Windows\SysWOW64\Abphal32.exe
| MD5 | 2d6c08cf191a6c1704e53ad5bf59bab1 |
| SHA1 | 9fbe19bce90c66ea6afaaf40cc51e123ca22b333 |
| SHA256 | 3305d1cd511218189b5566d187a6bd385692ba34f3a88b38a033573d7253d52f |
| SHA512 | a9f8442b200dd18e1087d2fa05ffe1b6cebb8d636272a231ff954a0550a9164d252dd16c81f27f4c5398b0dcfef585fb9dac4702266026b8e59ee0f8a8f9ead5 |
C:\Windows\SysWOW64\Aijpnfif.exe
| MD5 | ae81336b0e5c2a600dba8f9e9c3d2597 |
| SHA1 | a9502073442ad87e6c9ffa9383147e8962aab895 |
| SHA256 | 9b0abd56b366bf8ac27506f5911fdd03cac342e6641443d5cd2b87f9a9116319 |
| SHA512 | 07b18483cb27640c6fb09bb7f83b519c9412f8cf5cee01f494be17f4c8f9999d52421aff8cb673f9a4490d8d6041eda487c6e42c16bc0e03506270674c33d2f3 |
C:\Windows\SysWOW64\Acpdko32.exe
| MD5 | e299165a1618e6514be2ea13b58cd97d |
| SHA1 | 2eff4a16379c43dafad6bad731ee8d341c7ffc56 |
| SHA256 | c756fb4499d89ef97027fe7cc7ffd0190d7f33760d89601cf68a3d9bcdca113c |
| SHA512 | e631467825daa3ba6d474e0e5859b0eac0f11470825afe9bfb3b152145b5c2737878caafe4e93941c48442fba5e2195b4c42600655d6be31beeeca3f742b2fa9 |
C:\Windows\SysWOW64\Aeqabgoj.exe
| MD5 | 86e78dfc6c60943ea0a766e92bcb8f28 |
| SHA1 | 0de2458abc21dd59d2c00da65efcd5a70d8a3884 |
| SHA256 | e608bf4c26d02b7e7a47a416b3276c436cee076f11b6c4a327e30f31075ee9cf |
| SHA512 | 8997bc759dbc0f07d659e3b8ccb80c86749e033bde9559e96d2a981d3f80a23863a5296afa5d2fc2cbd8b0b95942590f3b2157a4effe055198fd4ed4982ae1cf |
C:\Windows\SysWOW64\Blkioa32.exe
| MD5 | 03ba0d8e26b5525155c521f2b97c466c |
| SHA1 | 546b8a4231dc883bd6d17842084b01c4a925b625 |
| SHA256 | 8839e2c89985861e95e8fd9a7b8fd1eaa6ec7c725aaae1b5812b67a566f4faec |
| SHA512 | f7d1501fc5519e276e99c6c30a78035b33935f586ae6e978dabd06194c0444f5c4fd2cbd1747b643a9c685e57037f8fb66bb7950f541815859bfb551f4fe473d |
C:\Windows\SysWOW64\Bfpnmj32.exe
| MD5 | 8122192f307162bd38db3a792f57f85f |
| SHA1 | 59e94cce7db0f4aee49ae649f22211a9a89941b1 |
| SHA256 | 7df737066aa62c3f48cf83b96fb34812c08badbfa533d65308dd0758f6abde7d |
| SHA512 | 80544532f8ee537f0ff3a1ef962ee5873ad9508d2fcbb436abe7dab0d2ad634599f056f0305d02bcb1b21dd71231449bc9f7e52bcc9984d8b14ebf53c7a7b367 |
C:\Windows\SysWOW64\Becnhgmg.exe
| MD5 | f80edeb8e6ca27ce66a5474372439fc9 |
| SHA1 | d7833a5586dc85852b79fc17589787f543a870e8 |
| SHA256 | 90eebcc2bf5a8f33831fa6768e302323b28bea749476e58e1e04686abb44cb4b |
| SHA512 | b799da6065df0f3972963cc33f35d67fb2bc087a7680d555f288d3aaa75139b6a1ba102e17bc4d452b13590a79b0e4190dd57e53802b3fc2f3ecf9d7210e8082 |
C:\Windows\SysWOW64\Bhajdblk.exe
| MD5 | e4abd3431069fa465ba086ee87ae9d10 |
| SHA1 | b19bc4b0d294382e8d4ddc3a6c8f6b58c35a93f5 |
| SHA256 | 09b59377019ad1ee68db7001889cd982583ee2afc3287f34f821b364112118ee |
| SHA512 | 46615836e58a2161ed4f3ab62141ea6d64dfa86ddaad1c641e8a8c427b65908314716637eba6fb435c1aa9d622426e1b098834e8790dc6454449aa1b2074a105 |
C:\Windows\SysWOW64\Blmfea32.exe
| MD5 | a7e63190fc987f886982a8f21a83e201 |
| SHA1 | e689b52783a6e0d0a8379e785e70eef63e14d7c0 |
| SHA256 | be7da4a773330942fb16b05cb871da8b750a4bfddd405392669ba1e703dc743f |
| SHA512 | 958c3925ebc51a902e09fd7b08cb681192011ade76676a1706861939b34791b00061892d6f92fc4dc1aa3d71cbc00802e9ef6f9401b21a5bbdf9c56dec0fef81 |
C:\Windows\SysWOW64\Bbgnak32.exe
| MD5 | be98f1a44ce9aff6082a896276f45647 |
| SHA1 | ef3e3543455f146d8b05c0f3a5bcc2ccac1ec0dd |
| SHA256 | 68d863bdc55628c8fb86a67080091f4e2feb97b49ed358ad32328526fd1334e2 |
| SHA512 | 31a328b2e23fd42b4bb61491ae585ac787a8d7a491e6b2f044fa9091d992f340c1c9129bb67e71fefc05ac1a0ec32e6e4c1ab64d6bd92f83369b000d221f4115 |
C:\Windows\SysWOW64\Beejng32.exe
| MD5 | cf5f38c4c665269d5eb854aaed99ec99 |
| SHA1 | 0b2222a9d36e341721629d261b33dc031b99333e |
| SHA256 | 0098795fd2e5d75d1c44ce74ab2ac4438daebcd3ac41a20ab832f351d6961c81 |
| SHA512 | fe22545610bb009c87593f5c458e5a230507eefd8f5aeba7a9c2dd60372bc282ad9157e7ad904c1be14744e1c8ece576d980c55bf2544d935048f9cd738e8ad3 |
C:\Windows\SysWOW64\Bhdgjb32.exe
| MD5 | 5c8eb3b302e40f7868f75fe5288d2f8c |
| SHA1 | c1e6bf1c0b0fb49b1db53c929c0a17c07d97056f |
| SHA256 | a3da9a09cf80091d17dd9b6492381d2ccf6cd7bf816397101820f9dcd39c53a4 |
| SHA512 | 965dfceb895190bb0ac384067a9a1dfd337594e62594c1ecd042edce448337b941c4635f296465c04ea7afb2b93c7c9a3099349dc07ccf7dd580e7349567c26f |
C:\Windows\SysWOW64\Bjbcfn32.exe
| MD5 | b172cee4a7b05a13e842c930900fdec6 |
| SHA1 | ed869bd2a95fb118ec90fde8af5748ea86fb55c1 |
| SHA256 | d421a6cae9cfafb20ee793367344ddfa22e75685e698a68d945f8fde878bfe46 |
| SHA512 | 1ab212c564a03ddbbefe4a1de155951727d17e436680cec039d8302cedec4bc5791902912f5f66ffdae58e018bb3fc8e30f89246d451c2390077a696286384ff |
C:\Windows\SysWOW64\Bdkgocpm.exe
| MD5 | 1be59359e6c0723c262f22d940f2c675 |
| SHA1 | c5eff611e160745f47f9a5de3444e1ce96d51a49 |
| SHA256 | 3174eb360fb34c2e1600e3f79fe074e770a131ce4f4666dd23ed70daf1fe91b8 |
| SHA512 | d9b20c1987c277dbaa21751dc29f6adef66ef8faf9e1db112c995fb418ed4a035b11b9bda9199d6cc3e3a70f787c4493563b19eed7e1ed6a291de5910737f76a |
C:\Windows\SysWOW64\Balkchpi.exe
| MD5 | 15e1b3c98492049591b5c51259f800ca |
| SHA1 | b30776b994ad7a785d572413c5b000092cf03d84 |
| SHA256 | 4e8745f685ecd24199c8bafc74a1b5af64f7ea57d58be9c5139a871b32221bf8 |
| SHA512 | 8c09d11f2dfc83947d051f495097dd64c1d83d58215e9971d32c320538b953a23e860e82e16dd49259ef2609ce120aaee8355d120eff1c57a1dfad07d98f2130 |
C:\Windows\SysWOW64\Blaopqpo.exe
| MD5 | f36797142578a6d25f87aa373c09b292 |
| SHA1 | 3c0e2cbded37fe5fe838fe41bd453ad3f3f367bc |
| SHA256 | 29657df78238511d45d6290393ecd69143bec94f075ef0d94dd5b365ac117ab0 |
| SHA512 | 77b74b75cd17ec0031b5ad6b91f90ca940ca86472d5898577762f876cb7e5b4d72e40381cd97bbbe510689377f634515f4b68b1ed6cf05443cbfcf8da681ce39 |
C:\Windows\SysWOW64\Bjdplm32.exe
| MD5 | e20cd71fbd54d05bb9bb4bd9052146c2 |
| SHA1 | a3a2b2a12ba0503c747944b5dd18a4834f9f4500 |
| SHA256 | 2660c99ce86c12138d10306f9f5efe8337c2462021e504670f5384fd69704299 |
| SHA512 | 45f2fe619d77cb09e042d35da99ce9d924240833915e466a1d5a3ae254bc1ec3a6ab954a56ac8286b715055d6a06cdd7d6585f5ed87c6b3972d44bc934e94eb2 |
C:\Windows\SysWOW64\Bejdiffp.exe
| MD5 | 9864131cda7b0cafc9e29d7c760e27d3 |
| SHA1 | ac65c3d61b332c712ed78b1d338dba884e933336 |
| SHA256 | 89e2dd03041d0ae788061bef900205b058465d75c7a6ca09e67625076a63bd42 |
| SHA512 | dc3402b105b779823cf200b53a092698e6cfa71bdef3f5e6352e20d898cf66cdfe231374a7725fc6a473cf81fc53903db1fb0e7ba8b5905417d98e6c21340302 |
C:\Windows\SysWOW64\Bdmddc32.exe
| MD5 | 006d231371230b273aa8a6e6f35dd9f2 |
| SHA1 | 8ff4d48dd987c9d7d3f821bb2dea7eae3379d343 |
| SHA256 | dbc607fae95d9908c7fe76a56c617fd1f6ec7406195a27599caea05d8406e4ea |
| SHA512 | d4a9f64b4944255fc43972459ffdf35df18f1091f3873ea788b29cc78a44fee8854f0fd301074e0def5e5582923c264e949aa0ed39f894675c4cff67cd8a1a58 |
C:\Windows\SysWOW64\Bkglameg.exe
| MD5 | 5960181a93aa4d344680b7ec734cfbe2 |
| SHA1 | 5a1be6b5d62e3afe5173eca6b97876eafa4bf127 |
| SHA256 | ebdb00eb344e360c22c97e2e3ab9893d79a30510004d3594e3dd692e475a10cb |
| SHA512 | 496d7bc67f743d541e7c7e5b4db7f8d910bd61c0f241ce0ee4fdc8eef78c2a067aebace089d84c8d427a7f6cccde7e49721e2c1da953faca4115436274b3ac7d |
C:\Windows\SysWOW64\Bobhal32.exe
| MD5 | dca43da5a1fa00244a0ebebe7dd51283 |
| SHA1 | f0bb392f8d8e28517f8a7a28d26a228e8d8c282a |
| SHA256 | b25b9f55f9a620257af749e413e3ce1a1afeb3f8d13235159a7ec101287e6537 |
| SHA512 | a29856b3c52b75e2451c70af38c4fcdcdd7c0162d4a80dfa3d0c182133d16dc45a1ce27df9fd4b7bb4a8e93c266578dbf24e166611dc1ed8f01adb4ace048c4d |
C:\Windows\SysWOW64\Cpceidcn.exe
| MD5 | 49fce98a293e1807b93e1f02b95b0993 |
| SHA1 | fb7583b9ca06a27ae01620ccd8441f2be208f2b0 |
| SHA256 | 108c1e5ae514e2abd2fc4c54b12515ef845cc82227dfafdab1e915ac4f2eac76 |
| SHA512 | 0832012335fd2bf9e18a4c069c448a853537e38146b905222cf91cd660e95fa54390cd88731cbeafb42c0ddcd78b9c9ec26a8fdf0a26faf583f8f87b6ccf4d39 |
C:\Windows\SysWOW64\Chkmkacq.exe
| MD5 | 3181a7206375fc1e4ef499ab9e20c8b9 |
| SHA1 | e1b3c64322e61de890e2ec3b59a49fa9f3ae5e56 |
| SHA256 | afb94719d767585d22b4d42bcc31e220420e99217eab72fd66ef5e686e932d30 |
| SHA512 | 8cd91b086ff6c1722ce4bc0b6d6e59bc9669c157dc37d695802c8159965a985a6ed40a620778c19162ea0ed8cf4a3022d59d784a0bc8402d79a1469bd0b57827 |
C:\Windows\SysWOW64\Cfnmfn32.exe
| MD5 | ffa4b0f828d10c816a84ba9eac6ef58d |
| SHA1 | 35355eaab3161f0b89cbb27ee904ca71cc885151 |
| SHA256 | bb5d8d10bb1518717f6f98738370a2d756a128f475210008264f05005159c88c |
| SHA512 | 32030ca4c3350e4bf929143e21896b13e97c4098e37cc2f6e9aacc738c4c9b4d5f4723dad85f8a7378732442f42166fbd33e22e722663d0e00b8de13712379a2 |
C:\Windows\SysWOW64\Cilibi32.exe
| MD5 | aabc189b818315c2b887bb68f66ed99b |
| SHA1 | 4f87f45d58223d33d0b207869eab3e32420e2fae |
| SHA256 | 972edc09fce6ad115c3947addcc3f2514d5eabc1cdcd19a59531e40cb42420b5 |
| SHA512 | 87659d2c0b66848e16620cba310ca5fc00ce18c9fa457e6669ac52c616cd70724bd984d75e7c84415190f34d0a5cc2fc347fc4ee41dd25ee0c36a6548a34e609 |
C:\Windows\SysWOW64\Cpfaocal.exe
| MD5 | acf1b233c2666c1392993f0510056a1b |
| SHA1 | 25a28d704eac41242e4700d6dbdeea7c8374d992 |
| SHA256 | 202b6273db027bdde0f1a43b43d309c5b85b622742b6047c265c0fffd26c9875 |
| SHA512 | b9d1c4dee6577c2471fba76ad317811c3a1be5744db57e8d7c7f6a167d5ab968deeb24e94b9e90e3f7c7597c0bf764604c68b9e82ceeb8858efa89ff7e22bb2c |
C:\Windows\SysWOW64\Cgpjlnhh.exe
| MD5 | cbf92288e5bdf10d29579a22fa6c7520 |
| SHA1 | 8405d8019601223c609b56e45d5e26be6ea4a96e |
| SHA256 | 95371d245ebf9d2cfaa5595f9be45081d1189d2e7ea19ff69a92e363e34d12ec |
| SHA512 | 4f5c9b19b1f2e667b216f83830b731d6f9d6ab9c53a9ee8fc3cf26e1c3b5f533bbaed91d0912295e02b8cebc1667a079e8286b52ea3a74a52b95157012443ea5 |
C:\Windows\SysWOW64\Cinfhigl.exe
| MD5 | d1d66d96f40acc38d01ade5eef2dc2f6 |
| SHA1 | a2f1285bd5952b9bd00c314d0137550e3ef689ea |
| SHA256 | a89dc04aaca749bb637d06b3c488bda0e21154f7292c3c52dc1ce3c885a94a16 |
| SHA512 | 82d3e879d52f8eff5245c23c521a501164b02ead8ff339d86b20cabf42ecf12c61de0993f978eb81b151bf5de6a810d93be016733ccae4edc2144a14399ddc24 |
C:\Windows\SysWOW64\Cbgjqo32.exe
| MD5 | d718042b7e1ebca5aaa0c214e48ec3e2 |
| SHA1 | 7396878e78de658b407f2d3288c1f68037345dfe |
| SHA256 | 1a7065832d4eea0b3a8a5d80e6dbf11211db503900ea0cdd5b2ed4d58a1e9168 |
| SHA512 | 9ca0efcb46b7957d62bf0020c875ac5e8c4d17117e3926f0c35805d0bc268317d9a87f1e003b28d6023fc2c0e0748432d16fa5afafa359e76bec0946ad230f58 |
C:\Windows\SysWOW64\Ceegmj32.exe
| MD5 | d2eaa2c5039c3e121422f3449a4e5ce1 |
| SHA1 | bb0a17b94ea6d182d4f533813df34a1857a384c7 |
| SHA256 | 3f91cd4a7645b93f25fff0b1208fe90d297e37a3ac0ecfec0e20755dfeaac98a |
| SHA512 | bd7bd49b13d97f5162e7c4744e4a9393c567c9b8a1d0e5588d8541715a75ec3da31518fb691b6f662042a432fda5e82ac3d0cefdf99ed7163e2583c30c121f54 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 00:05
Reported
2024-04-07 00:07
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jehokgge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ceaehfjj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Elgfgl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghopckpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iehfdi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kpeiioac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Leihbeib.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Llcpoo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Baaplhef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oqhacgdh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hofdacke.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hecmijim.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kebbafoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lebkhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkikkeeo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eleiam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Flnlhk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fhgjblfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcgbco32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmdqgd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdkcde32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Behbag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Deanodkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dllfkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Flqimk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Immapg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Adcmmeog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eekaebcm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmnldp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Docmgjhp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Glebhjlg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gdeqhl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iikhfg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bbgipldd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aejfpjne.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Edpnfo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hbeqmoji.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hecmijim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njefqo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qgallfcq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Edkdkplj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qnnanphk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ognpebpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdpmpdbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pjmehkqk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbfbkj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkhbdg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jbjcolha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mmnldp32.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Inpocg32.dll | C:\Windows\SysWOW64\Kipkhdeq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cliaoq32.exe | C:\Windows\SysWOW64\Cbqlfkmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Glebhjlg.exe | C:\Windows\SysWOW64\Fdnjgmle.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnfeqknj.dll | C:\Windows\SysWOW64\Gmlhii32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eeijge32.dll | C:\Windows\SysWOW64\Angddopp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibnccmbo.exe | C:\Windows\SysWOW64\Ickchq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfhlejnh.exe | C:\Windows\SysWOW64\Jcioiood.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbgngp32.dll | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhmgki32.exe | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbjcolha.exe | C:\Windows\SysWOW64\Jcgbco32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Npjebj32.exe | C:\Windows\SysWOW64\Nloiakho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oponmilc.exe | C:\Windows\SysWOW64\Nnqbanmo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmdkch32.exe | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pdpmpdbd.exe | C:\Windows\SysWOW64\Pjjhbl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djgjlelk.exe | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdmlkkap.dll | C:\Windows\SysWOW64\Pnihcq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qnnanphk.exe | C:\Windows\SysWOW64\Qloebdig.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iicbehnq.exe | C:\Windows\SysWOW64\Iehfdi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgoilo32.dll | C:\Windows\SysWOW64\Abemjmgg.exe | N/A |
| File created | C:\Windows\SysWOW64\Eofbch32.exe | C:\Windows\SysWOW64\Elgfgl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkmefd32.exe | C:\Windows\SysWOW64\Hioiji32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbabgh32.exe | C:\Windows\SysWOW64\Lpcfkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dchfiejc.dll | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jiglalpk.dll | C:\Windows\SysWOW64\Aaepqjpd.exe | N/A |
| File created | C:\Windows\SysWOW64\Eleiam32.exe | C:\Windows\SysWOW64\Ehimanbq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jmhale32.exe | C:\Windows\SysWOW64\Jfoiokfb.exe | N/A |
| File created | C:\Windows\SysWOW64\Eicplccq.dll | C:\Windows\SysWOW64\Baaplhef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mmnldp32.exe | C:\Windows\SysWOW64\Megdccmb.exe | N/A |
| File created | C:\Windows\SysWOW64\Qciaajej.dll | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogbipa32.exe | C:\Windows\SysWOW64\Oqhacgdh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajckij32.exe | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Daaicfgd.exe | C:\Windows\SysWOW64\Docmgjhp.exe | N/A |
| File created | C:\Windows\SysWOW64\Kipkhdeq.exe | C:\Windows\SysWOW64\Kedoge32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cihmlb32.dll | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkgldj32.dll | C:\Windows\SysWOW64\Behbag32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbqlfkmi.exe | C:\Windows\SysWOW64\Blfdia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Goaojagc.dll | C:\Windows\SysWOW64\Nlmllkja.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lebkhc32.exe | C:\Windows\SysWOW64\Lbdolh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmijnn32.dll | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcdmai32.dll | C:\Windows\SysWOW64\Ogpmjb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qdbiedpa.exe | C:\Windows\SysWOW64\Pjmehkqk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bcoenmao.exe | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnaendmh.dll | C:\Windows\SysWOW64\Bjghpn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njohbh32.dll | C:\Windows\SysWOW64\Ibjjhn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iikhfg32.exe | C:\Windows\SysWOW64\Ifllil32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckijjqka.dll | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjjald32.dll | C:\Windows\SysWOW64\Dejacond.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Anpncp32.exe | C:\Windows\SysWOW64\Alabgd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Edkdkplj.exe | C:\Windows\SysWOW64\Eamhodmf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fomhdg32.exe | C:\Windows\SysWOW64\Fkalchij.exe | N/A |
| File created | C:\Windows\SysWOW64\Jijjfldq.dll | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhcbhjlp.dll | C:\Windows\SysWOW64\Dldpkoil.exe | N/A |
| File created | C:\Windows\SysWOW64\Acbmpm32.dll | C:\Windows\SysWOW64\Eekaebcm.exe | N/A |
| File created | C:\Windows\SysWOW64\Lommhphi.dll | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| File created | C:\Windows\SysWOW64\Oekgfqeg.dll | C:\Windows\SysWOW64\Hkikkeeo.exe | N/A |
| File created | C:\Windows\SysWOW64\Jifhaenk.exe | C:\Windows\SysWOW64\Jfhlejnh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjmehkqk.exe | C:\Windows\SysWOW64\Pfaigm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdabcm32.exe | C:\Windows\SysWOW64\Cenahpha.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Behbag32.exe | C:\Windows\SysWOW64\Blpnib32.exe | N/A |
| File created | C:\Windows\SysWOW64\Baaplhef.exe | C:\Windows\SysWOW64\Bjghpn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgifdn32.dll | C:\Windows\SysWOW64\Cdkldb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aoqimi32.dll | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Deokon32.exe | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Bahmfj32.exe | C:\Windows\SysWOW64\Abemjmgg.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Flnlhk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ipknlb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmkghpm.dll" | C:\Windows\SysWOW64\Qecppkdm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhkapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dbllbibl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll" | C:\Windows\SysWOW64\Mmnldp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mmnldp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll" | C:\Windows\SysWOW64\Qffbbldm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aeiofcji.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cojjqlpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lbdolh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekgfqeg.dll" | C:\Windows\SysWOW64\Hkikkeeo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gfpcgpae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll" | C:\Windows\SysWOW64\Kmdqgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll" | C:\Windows\SysWOW64\Kmncnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Olfobjbg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajckij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fcfhof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Anmjcieo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gicinj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihoofe32.dll" | C:\Windows\SysWOW64\Iihkpg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nnqbanmo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Onjegled.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qnkdhpjn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fljcmlfd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Icifbang.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll" | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Anpncp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfeqknj.dll" | C:\Windows\SysWOW64\Gmlhii32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fljcmlfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfmfg32.dll" | C:\Windows\SysWOW64\Eabbjc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmijbcpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll" | C:\Windows\SysWOW64\Likjcbkc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eekaebcm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jfcbjk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Blbknaib.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibnccmbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ogifjcdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gohhpe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll" | C:\Windows\SysWOW64\Nlmllkja.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qalnjkgo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelcja32.dll" | C:\Windows\SysWOW64\Edkdkplj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhi32.dll" | C:\Windows\SysWOW64\Dojcgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oncofm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll" | C:\Windows\SysWOW64\Mgkjhe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll" | C:\Windows\SysWOW64\Ipnjab32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll" | C:\Windows\SysWOW64\Kedoge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdjagjco.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bagflcje.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e39b9dee2c352dbdc00ca03c14cb8436_JaffaCakes118.exe"
C:\Windows\SysWOW64\Likjcbkc.exe
C:\Windows\system32\Likjcbkc.exe
C:\Windows\SysWOW64\Lmgfda32.exe
C:\Windows\system32\Lmgfda32.exe
C:\Windows\SysWOW64\Lpebpm32.exe
C:\Windows\system32\Lpebpm32.exe
C:\Windows\SysWOW64\Lbdolh32.exe
C:\Windows\system32\Lbdolh32.exe
C:\Windows\SysWOW64\Lebkhc32.exe
C:\Windows\system32\Lebkhc32.exe
C:\Windows\SysWOW64\Mdckfk32.exe
C:\Windows\system32\Mdckfk32.exe
C:\Windows\SysWOW64\Medgncoe.exe
C:\Windows\system32\Medgncoe.exe
C:\Windows\SysWOW64\Mmlpoqpg.exe
C:\Windows\system32\Mmlpoqpg.exe
C:\Windows\SysWOW64\Mpjlklok.exe
C:\Windows\system32\Mpjlklok.exe
C:\Windows\SysWOW64\Megdccmb.exe
C:\Windows\system32\Megdccmb.exe
C:\Windows\SysWOW64\Mmnldp32.exe
C:\Windows\system32\Mmnldp32.exe
C:\Windows\SysWOW64\Mplhql32.exe
C:\Windows\system32\Mplhql32.exe
C:\Windows\SysWOW64\Mgfqmfde.exe
C:\Windows\system32\Mgfqmfde.exe
C:\Windows\SysWOW64\Miemjaci.exe
C:\Windows\system32\Miemjaci.exe
C:\Windows\SysWOW64\Mlcifmbl.exe
C:\Windows\system32\Mlcifmbl.exe
C:\Windows\SysWOW64\Mdjagjco.exe
C:\Windows\system32\Mdjagjco.exe
C:\Windows\SysWOW64\Melnob32.exe
C:\Windows\system32\Melnob32.exe
C:\Windows\SysWOW64\Mmbfpp32.exe
C:\Windows\system32\Mmbfpp32.exe
C:\Windows\SysWOW64\Mlefklpj.exe
C:\Windows\system32\Mlefklpj.exe
C:\Windows\SysWOW64\Mgkjhe32.exe
C:\Windows\system32\Mgkjhe32.exe
C:\Windows\SysWOW64\Mlhbal32.exe
C:\Windows\system32\Mlhbal32.exe
C:\Windows\SysWOW64\Ncbknfed.exe
C:\Windows\system32\Ncbknfed.exe
C:\Windows\SysWOW64\Ncdgcf32.exe
C:\Windows\system32\Ncdgcf32.exe
C:\Windows\SysWOW64\Nlmllkja.exe
C:\Windows\system32\Nlmllkja.exe
C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
C:\Windows\SysWOW64\Ncfdie32.exe
C:\Windows\system32\Ncfdie32.exe
C:\Windows\SysWOW64\Nloiakho.exe
C:\Windows\system32\Nloiakho.exe
C:\Windows\SysWOW64\Npjebj32.exe
C:\Windows\system32\Npjebj32.exe
C:\Windows\SysWOW64\Ncianepl.exe
C:\Windows\system32\Ncianepl.exe
C:\Windows\SysWOW64\Ngdmod32.exe
C:\Windows\system32\Ngdmod32.exe
C:\Windows\SysWOW64\Nfgmjqop.exe
C:\Windows\system32\Nfgmjqop.exe
C:\Windows\SysWOW64\Nnneknob.exe
C:\Windows\system32\Nnneknob.exe
C:\Windows\SysWOW64\Npmagine.exe
C:\Windows\system32\Npmagine.exe
C:\Windows\SysWOW64\Nckndeni.exe
C:\Windows\system32\Nckndeni.exe
C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
C:\Windows\SysWOW64\Nnqbanmo.exe
C:\Windows\system32\Nnqbanmo.exe
C:\Windows\SysWOW64\Oponmilc.exe
C:\Windows\system32\Oponmilc.exe
C:\Windows\SysWOW64\Ocnjidkf.exe
C:\Windows\system32\Ocnjidkf.exe
C:\Windows\SysWOW64\Ogifjcdp.exe
C:\Windows\system32\Ogifjcdp.exe
C:\Windows\SysWOW64\Oncofm32.exe
C:\Windows\system32\Oncofm32.exe
C:\Windows\SysWOW64\Olfobjbg.exe
C:\Windows\system32\Olfobjbg.exe
C:\Windows\SysWOW64\Ocpgod32.exe
C:\Windows\system32\Ocpgod32.exe
C:\Windows\SysWOW64\Ojjolnaq.exe
C:\Windows\system32\Ojjolnaq.exe
C:\Windows\SysWOW64\Olhlhjpd.exe
C:\Windows\system32\Olhlhjpd.exe
C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
C:\Windows\SysWOW64\Ognpebpj.exe
C:\Windows\system32\Ognpebpj.exe
C:\Windows\SysWOW64\Ofqpqo32.exe
C:\Windows\system32\Ofqpqo32.exe
C:\Windows\SysWOW64\Olkhmi32.exe
C:\Windows\system32\Olkhmi32.exe
C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\system32\Oqfdnhfk.exe
C:\Windows\SysWOW64\Odapnf32.exe
C:\Windows\system32\Odapnf32.exe
C:\Windows\SysWOW64\Ogpmjb32.exe
C:\Windows\system32\Ogpmjb32.exe
C:\Windows\SysWOW64\Ofcmfodb.exe
C:\Windows\system32\Ofcmfodb.exe
C:\Windows\SysWOW64\Ojoign32.exe
C:\Windows\system32\Ojoign32.exe
C:\Windows\SysWOW64\Onjegled.exe
C:\Windows\system32\Onjegled.exe
C:\Windows\SysWOW64\Oqhacgdh.exe
C:\Windows\system32\Oqhacgdh.exe
C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\system32\Ogbipa32.exe
C:\Windows\SysWOW64\Ojaelm32.exe
C:\Windows\system32\Ojaelm32.exe
C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe
C:\Windows\SysWOW64\Pgefeajb.exe
C:\Windows\system32\Pgefeajb.exe
C:\Windows\SysWOW64\Pjcbbmif.exe
C:\Windows\system32\Pjcbbmif.exe
C:\Windows\SysWOW64\Pmannhhj.exe
C:\Windows\system32\Pmannhhj.exe
C:\Windows\SysWOW64\Pdifoehl.exe
C:\Windows\system32\Pdifoehl.exe
C:\Windows\SysWOW64\Pjeoglgc.exe
C:\Windows\system32\Pjeoglgc.exe
C:\Windows\SysWOW64\Pmdkch32.exe
C:\Windows\system32\Pmdkch32.exe
C:\Windows\SysWOW64\Pdkcde32.exe
C:\Windows\system32\Pdkcde32.exe
C:\Windows\SysWOW64\Pdmpje32.exe
C:\Windows\system32\Pdmpje32.exe
C:\Windows\SysWOW64\Pjjhbl32.exe
C:\Windows\system32\Pjjhbl32.exe
C:\Windows\SysWOW64\Pdpmpdbd.exe
C:\Windows\system32\Pdpmpdbd.exe
C:\Windows\SysWOW64\Pgnilpah.exe
C:\Windows\system32\Pgnilpah.exe
C:\Windows\SysWOW64\Pfaigm32.exe
C:\Windows\system32\Pfaigm32.exe
C:\Windows\SysWOW64\Pjmehkqk.exe
C:\Windows\system32\Pjmehkqk.exe
C:\Windows\SysWOW64\Qdbiedpa.exe
C:\Windows\system32\Qdbiedpa.exe
C:\Windows\SysWOW64\Qgqeappe.exe
C:\Windows\system32\Qgqeappe.exe
C:\Windows\SysWOW64\Qnjnnj32.exe
C:\Windows\system32\Qnjnnj32.exe
C:\Windows\SysWOW64\Qqijje32.exe
C:\Windows\system32\Qqijje32.exe
C:\Windows\SysWOW64\Qcgffqei.exe
C:\Windows\system32\Qcgffqei.exe
C:\Windows\SysWOW64\Qffbbldm.exe
C:\Windows\system32\Qffbbldm.exe
C:\Windows\SysWOW64\Anmjcieo.exe
C:\Windows\system32\Anmjcieo.exe
C:\Windows\SysWOW64\Adgbpc32.exe
C:\Windows\system32\Adgbpc32.exe
C:\Windows\SysWOW64\Ageolo32.exe
C:\Windows\system32\Ageolo32.exe
C:\Windows\SysWOW64\Ajckij32.exe
C:\Windows\system32\Ajckij32.exe
C:\Windows\SysWOW64\Aqncedbp.exe
C:\Windows\system32\Aqncedbp.exe
C:\Windows\SysWOW64\Aeiofcji.exe
C:\Windows\system32\Aeiofcji.exe
C:\Windows\SysWOW64\Agglboim.exe
C:\Windows\system32\Agglboim.exe
C:\Windows\SysWOW64\Ajfhnjhq.exe
C:\Windows\system32\Ajfhnjhq.exe
C:\Windows\SysWOW64\Anadoi32.exe
C:\Windows\system32\Anadoi32.exe
C:\Windows\SysWOW64\Agjhgngj.exe
C:\Windows\system32\Agjhgngj.exe
C:\Windows\SysWOW64\Andqdh32.exe
C:\Windows\system32\Andqdh32.exe
C:\Windows\SysWOW64\Aabmqd32.exe
C:\Windows\system32\Aabmqd32.exe
C:\Windows\SysWOW64\Afoeiklb.exe
C:\Windows\system32\Afoeiklb.exe
C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
C:\Windows\SysWOW64\Accfbokl.exe
C:\Windows\system32\Accfbokl.exe
C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
C:\Windows\SysWOW64\Bnhjohkb.exe
C:\Windows\system32\Bnhjohkb.exe
C:\Windows\SysWOW64\Bagflcje.exe
C:\Windows\system32\Bagflcje.exe
C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
C:\Windows\SysWOW64\Bjokdipf.exe
C:\Windows\system32\Bjokdipf.exe
C:\Windows\SysWOW64\Beeoaapl.exe
C:\Windows\system32\Beeoaapl.exe
C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
C:\Windows\SysWOW64\Bffkij32.exe
C:\Windows\system32\Bffkij32.exe
C:\Windows\SysWOW64\Bjagjhnc.exe
C:\Windows\system32\Bjagjhnc.exe
C:\Windows\SysWOW64\Bmpcfdmg.exe
C:\Windows\system32\Bmpcfdmg.exe
C:\Windows\SysWOW64\Beglgani.exe
C:\Windows\system32\Beglgani.exe
C:\Windows\SysWOW64\Bfhhoi32.exe
C:\Windows\system32\Bfhhoi32.exe
C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Beihma32.exe
C:\Windows\system32\Beihma32.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
C:\Windows\SysWOW64\Bjfaeh32.exe
C:\Windows\system32\Bjfaeh32.exe
C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
C:\Windows\SysWOW64\Chjaol32.exe
C:\Windows\system32\Chjaol32.exe
C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe
C:\Windows\SysWOW64\Cenahpha.exe
C:\Windows\system32\Cenahpha.exe
C:\Windows\SysWOW64\Cdabcm32.exe
C:\Windows\system32\Cdabcm32.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe
C:\Windows\SysWOW64\Cdcoim32.exe
C:\Windows\system32\Cdcoim32.exe
C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe
C:\Windows\SysWOW64\Cmlcbbcj.exe
C:\Windows\system32\Cmlcbbcj.exe
C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
C:\Windows\SysWOW64\Chagok32.exe
C:\Windows\system32\Chagok32.exe
C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
C:\Windows\SysWOW64\Ceehho32.exe
C:\Windows\system32\Ceehho32.exe
C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
C:\Windows\SysWOW64\Cmqmma32.exe
C:\Windows\system32\Cmqmma32.exe
C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
C:\Windows\SysWOW64\Dhfajjoj.exe
C:\Windows\system32\Dhfajjoj.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Dopigd32.exe
C:\Windows\system32\Dopigd32.exe
C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
C:\Windows\SysWOW64\Dejacond.exe
C:\Windows\system32\Dejacond.exe
C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\system32\Ddmaok32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Djgjlelk.exe
C:\Windows\system32\Djgjlelk.exe
C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Ddonekbl.exe
C:\Windows\system32\Ddonekbl.exe
C:\Windows\SysWOW64\Dkifae32.exe
C:\Windows\system32\Dkifae32.exe
C:\Windows\SysWOW64\Daconoae.exe
C:\Windows\system32\Daconoae.exe
C:\Windows\SysWOW64\Deokon32.exe
C:\Windows\system32\Deokon32.exe
C:\Windows\SysWOW64\Dhmgki32.exe
C:\Windows\system32\Dhmgki32.exe
C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
C:\Windows\SysWOW64\Dmjocp32.exe
C:\Windows\system32\Dmjocp32.exe
C:\Windows\SysWOW64\Deagdn32.exe
C:\Windows\system32\Deagdn32.exe
C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9236 -ip 9236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9236 -s 192
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 72.246.173.187:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files