Analysis Overview
SHA256
964629cf18f32cee219a1ade43a360ce71c9527c59c1d6ecd9c8d265a2b5cdf7
Threat Level: Known bad
The file TrojanDownloader.Win32.Berbew.pz-964629cf18f32cee219a1ade43a360ce71c9527c59c1d6ecd9c8d265a2b5cdf7N was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-16 14:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-16 14:45
Reported
2024-09-16 14:47
Platform
win7-20240903-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nmfbpk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Offmipej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mpgobc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nmkplgnq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmedlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njjcip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qgjccb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgfjhcge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bqgmfkhg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nlqmmd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcljmdmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agolnbok.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpgobc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ompefj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pebpkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pplaki32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aomnhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfkloq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjakccop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Danpemej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nbjeinje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oococb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bigkel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njhfcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Phqmgg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjkgjl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aficjnpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmkhjncg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qlgkki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qnghel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Allefimb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Calcpm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nlcibc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdjjag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Odedge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmnnkl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnfddp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nidmfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndqkleln.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nhjjgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bqgmfkhg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ckjamgmk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnafnopi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afdiondb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pidfdofi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Paknelgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bffbdadk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndqkleln.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oidiekdn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdqlajbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\Enjmdhnf.dll | C:\Windows\SysWOW64\Oekjjl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Phlclgfc.exe | C:\Windows\SysWOW64\Oemgplgo.exe | N/A |
| File created | C:\Windows\SysWOW64\Aebfidim.dll | C:\Windows\SysWOW64\Aoojnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofaejacl.dll | C:\Windows\SysWOW64\Cjakccop.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjkgjl32.exe | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Oaghki32.exe | C:\Windows\SysWOW64\Oippjl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Odedge32.exe | C:\Windows\SysWOW64\Oaghki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ooabmbbe.exe | C:\Windows\SysWOW64\Ompefj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbehjc32.dll | C:\Windows\SysWOW64\Dnpciaef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nibqqh32.exe | C:\Windows\SysWOW64\Nbhhdnlh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Alnalh32.exe | C:\Windows\SysWOW64\Ajpepm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiablm32.dll | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ompefj32.exe | C:\Windows\SysWOW64\Oidiekdn.exe | N/A |
| File created | C:\Windows\SysWOW64\Qcachc32.exe | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bceibfgj.exe | C:\Windows\SysWOW64\Bqgmfkhg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmpkqklh.exe | C:\Windows\SysWOW64\Bjbndpmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcjcme32.exe | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pplaki32.exe | C:\Windows\SysWOW64\Pmmeon32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qpbglhjq.exe | C:\Windows\SysWOW64\Qlgkki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfqnol32.dll | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Alppmhnm.dll | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oippjl32.exe | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lflhon32.dll | C:\Windows\SysWOW64\Oaghki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\SysWOW64\Cfmhdpnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Kaqnpc32.dll | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceebklai.exe | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| File created | C:\Windows\SysWOW64\Calcpm32.exe | C:\Windows\SysWOW64\Cjakccop.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhbcjo32.dll | C:\Windows\SysWOW64\Pnbojmmp.exe | N/A |
| File created | C:\Windows\SysWOW64\Afffenbp.exe | C:\Windows\SysWOW64\Aomnhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjbndpmd.exe | C:\Windows\SysWOW64\Bffbdadk.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqbolhmg.dll | C:\Windows\SysWOW64\Offmipej.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qdncmgbj.exe | C:\Windows\SysWOW64\Qpbglhjq.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmdlck32.dll | C:\Windows\SysWOW64\Bbbpenco.exe | N/A |
| File created | C:\Windows\SysWOW64\Oekjjl32.exe | C:\Windows\SysWOW64\Ooabmbbe.exe | N/A |
| File created | C:\Windows\SysWOW64\Pidfdofi.exe | C:\Windows\SysWOW64\Pgfjhcge.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjakccop.exe | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| File created | C:\Windows\SysWOW64\Fkdqjn32.dll | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pcljmdmj.exe | C:\Windows\SysWOW64\Pdjjag32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndqkleln.exe | C:\Windows\SysWOW64\Nmfbpk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Omakjj32.dll | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciohdhad.dll | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| File created | C:\Windows\SysWOW64\Nibqqh32.exe | C:\Windows\SysWOW64\Nbhhdnlh.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmkhjncg.exe | C:\Windows\SysWOW64\Pkmlmbcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmapmi32.dll | C:\Windows\SysWOW64\Bhjlli32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bbbpenco.exe | C:\Windows\SysWOW64\Bnfddp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfmhdpnc.exe | C:\Windows\SysWOW64\Cnfqccna.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qcachc32.exe | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmclfnqb.dll | C:\Windows\SysWOW64\Akfkbd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abpcooea.exe | C:\Windows\SysWOW64\Andgop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnfddp32.exe | C:\Windows\SysWOW64\Bhjlli32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qqmfpqmc.dll | C:\Windows\SysWOW64\Pmkhjncg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Andgop32.exe | C:\Windows\SysWOW64\Akfkbd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Alnalh32.exe | C:\Windows\SysWOW64\Ajpepm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpqnnmcd.dll | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| File created | C:\Windows\SysWOW64\Pohbak32.dll | C:\Windows\SysWOW64\Mjkgjl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bqlfaj32.exe | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| File created | C:\Windows\SysWOW64\Npjlhcmd.exe | C:\Windows\SysWOW64\Nmkplgnq.exe | N/A |
| File created | C:\Windows\SysWOW64\Baepmlkg.dll | C:\Windows\SysWOW64\Ofcqcp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Enemcbio.dll | C:\Windows\SysWOW64\Oiffkkbk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Offmipej.exe | C:\Windows\SysWOW64\Omnipjni.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\SysWOW64\Cfmhdpnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Aacinhhc.dll | C:\Windows\SysWOW64\Allefimb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bqlfaj32.exe | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdbdqh32.exe | C:\Windows\SysWOW64\Phlclgfc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32†Dcllbhdn.¿xe | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| File opened for modification | C:\Windows\system32†Dcllbhdn.¿xe | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dpapaj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oippjl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjakccop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajpepm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdqlajbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Phqmgg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aficjnpm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmnnkl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nfoghakb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ooabmbbe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmmeon32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Allefimb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Phlclgfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Phnpagdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qcachc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adifpk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bceibfgj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmicfh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oibmpl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pnbojmmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qlgkki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbppnbhm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njhfcp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmkplgnq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mjkgjl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mpgobc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oekjjl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bigkel32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckjamgmk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dnpciaef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nibqqh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qeppdo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aebmjo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Andgop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nhjjgd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odedge32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofcqcp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfmhdpnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njjcip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Omnipjni.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ompefj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ahpifj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bqgmfkhg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjbndpmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmedlk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnfqccna.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nidmfh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oaghki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oidiekdn.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aomnhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll" | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" | C:\Windows\SysWOW64\Dnpciaef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongke32.dll" | C:\Windows\SysWOW64\Nibqqh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll" | C:\Windows\SysWOW64\Bbbpenco.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" | C:\Windows\SysWOW64\Ompefj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ompefj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll" | C:\Windows\SysWOW64\Ahpifj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bceibfgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oemgplgo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll" | C:\Windows\SysWOW64\Andgop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll" | C:\Windows\SysWOW64\Agolnbok.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" | C:\Windows\SysWOW64\Coacbfii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oaghki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll" | C:\Windows\SysWOW64\Pmmeon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll" | C:\Windows\SysWOW64\Bceibfgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjbndpmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll" | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pebpkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" | C:\Windows\SysWOW64\Cfmhdpnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Calcpm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieocod32.dll" | C:\Windows\SysWOW64\Njhfcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll" | C:\Windows\SysWOW64\Pmkhjncg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bffbdadk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Offmipej.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qiioon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Agolnbok.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Adifpk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qcachc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" | C:\Windows\SysWOW64\Allefimb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bbbpenco.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bffbdadk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnbojmmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qpbglhjq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" | C:\Windows\SysWOW64\Cjakccop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" | C:\Windows\SysWOW64\Calcpm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oabkom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Agjobffl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll" | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oibmpl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhnd32.dll" | C:\Windows\SysWOW64\Phqmgg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjakccop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Napbjjom.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Phnpagdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll" | C:\Windows\SysWOW64\Bniajoic.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nlcibc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmkhjncg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfdenafn.exe | N/A |
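The registry rows above, read together with the ShellServiceObjectDelayLoad (SSODL) rows earlier in this report, show the whole persistence mechanism in two keys: the SSODL value `Web Event Logger` names a CLSID, and that CLSID's `InProcServer32` default value points at a dropped DLL under SysWow64, which Explorer.exe instantiates as a shell service object at logon. Note that the same CLSID is re-pointed many times (Jmgghnmp.dll, Bdoaqh32.dll, Gfnafi32.dll, and so on) as each process in the chain rewrites it; only the last write matters at the next logon, but every DLL name is a file indicator. The following is an added example, not code from the report or from the malware: it reconstructs that chain from rows in the report's own table layout and emits the resulting indicators. The row parser, the `build_chain` structure and the five sample rows (copied from this report's tables) are this example's own choices.

```python
"""Reconstruct the SSODL -> CLSID -> InProcServer32 persistence chain
from the registry rows of a sandbox report.

Added example; it is not part of the sandbox report and not the
malware author's code.  The sample rows are copied from this report;
the row parser and the chain structure are this example's own design.
"""
import re
from collections import OrderedDict

# Constructed input: five rows taken from this report's registry tables,
# in the report's "| action | key\name = "value" | process | target |" layout.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nmfbpk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ompefj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" | C:\Windows\SysWOW64\Ompefj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll" | C:\Windows\SysWOW64\Ahpifj32.exe | N/A |
"""

# key\name = "value"; the value name is empty for a key's default value.
SET_VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]*) = "(?P<value>.*)"$')
CLSID_KEY_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32$', re.I)


def parse_rows(text):
    """Yield (action, key, name, value, process) per table row.

    name and value are None for rows that only create a key.
    """
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split(' | ')]
        if len(cells) != 4:
            continue
        action, target, process, _ = cells
        m = SET_VALUE_RE.match(target)
        if m:
            # The report doubles backslashes inside REG_SZ values; undo that.
            value = m.group('value').replace('\\\\', '\\')
            yield action, m.group('key'), m.group('name'), value, process
        else:
            yield action, target, None, None, process


def build_chain(text):
    """Map each SSODL entry to the in-process server(s) registered for its
    CLSID, keeping the DLL paths in the order the sandbox saw them written."""
    ssodl = OrderedDict()   # value name -> CLSID
    servers = {}            # CLSID -> {'dlls': [...], 'threading': str, 'writers': set}
    for action, key, name, value, process in parse_rows(text):
        if name is None:
            continue
        if key.lower().endswith('\\shellserviceobjectdelayload'):
            ssodl[name] = value.upper()
            continue
        m = CLSID_KEY_RE.search(key)
        if not m:
            continue
        entry = servers.setdefault(m.group('clsid').upper(),
                                   {'dlls': [], 'threading': None, 'writers': set()})
        entry['writers'].add(process)
        if name == '':                       # default value = server DLL path
            if value not in entry['dlls']:
                entry['dlls'].append(value)
        elif name.lower() == 'threadingmodel':
            entry['threading'] = value
    chain = []
    for value_name, clsid in ssodl.items():
        entry = servers.get(clsid, {'dlls': [], 'threading': None, 'writers': set()})
        chain.append({'value_name': value_name, 'clsid': clsid, **entry})
    return chain


def iocs(chain):
    """Flatten the chain into the artefacts a hunt would search for."""
    return {
        'clsids': sorted({c['clsid'] for c in chain}),
        'dlls': sorted({d for c in chain for d in c['dlls']}),
        'processes': sorted({p for c in chain for p in c['writers']}),
    }


if __name__ == '__main__':
    for link in build_chain(SAMPLE_ROWS):
        print(f"SSODL '{link['value_name']}' -> {link['clsid']} "
              f"({link['threading']}) -> {link['dlls']}")
    print(iocs(build_chain(SAMPLE_ROWS)))
```

On a live 64-bit host the equivalent check is to enumerate both `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` and its `Wow6432Node` view, resolve every CLSID listed there under `HKCR\CLSID\{...}\InProcServer32` (and `HKCR\Wow6432Node\CLSID`), and treat any server DLL that is not a signed Windows component as a finding; the rows in this report are all in the `Wow6432Node` view because the sample is a 32-bit PE.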
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"
C:\Windows\SysWOW64\Mjkgjl32.exe
C:\Windows\system32\Mjkgjl32.exe
C:\Windows\SysWOW64\Mmicfh32.exe
C:\Windows\system32\Mmicfh32.exe
C:\Windows\SysWOW64\Mpgobc32.exe
C:\Windows\system32\Mpgobc32.exe
C:\Windows\SysWOW64\Nmkplgnq.exe
C:\Windows\system32\Nmkplgnq.exe
C:\Windows\SysWOW64\Npjlhcmd.exe
C:\Windows\system32\Npjlhcmd.exe
C:\Windows\SysWOW64\Nbhhdnlh.exe
C:\Windows\system32\Nbhhdnlh.exe
C:\Windows\SysWOW64\Nibqqh32.exe
C:\Windows\system32\Nibqqh32.exe
C:\Windows\SysWOW64\Nlqmmd32.exe
C:\Windows\system32\Nlqmmd32.exe
C:\Windows\SysWOW64\Nbjeinje.exe
C:\Windows\system32\Nbjeinje.exe
C:\Windows\SysWOW64\Nidmfh32.exe
C:\Windows\system32\Nidmfh32.exe
C:\Windows\SysWOW64\Nlcibc32.exe
C:\Windows\system32\Nlcibc32.exe
C:\Windows\SysWOW64\Nnafnopi.exe
C:\Windows\system32\Nnafnopi.exe
C:\Windows\SysWOW64\Napbjjom.exe
C:\Windows\system32\Napbjjom.exe
C:\Windows\SysWOW64\Nhjjgd32.exe
C:\Windows\system32\Nhjjgd32.exe
C:\Windows\SysWOW64\Njhfcp32.exe
C:\Windows\system32\Njhfcp32.exe
C:\Windows\SysWOW64\Nmfbpk32.exe
C:\Windows\system32\Nmfbpk32.exe
C:\Windows\SysWOW64\Ndqkleln.exe
C:\Windows\system32\Ndqkleln.exe
C:\Windows\SysWOW64\Nfoghakb.exe
C:\Windows\system32\Nfoghakb.exe
C:\Windows\SysWOW64\Njjcip32.exe
C:\Windows\system32\Njjcip32.exe
C:\Windows\SysWOW64\Oadkej32.exe
C:\Windows\system32\Oadkej32.exe
C:\Windows\SysWOW64\Odchbe32.exe
C:\Windows\system32\Odchbe32.exe
C:\Windows\SysWOW64\Ofadnq32.exe
C:\Windows\system32\Ofadnq32.exe
C:\Windows\SysWOW64\Oippjl32.exe
C:\Windows\system32\Oippjl32.exe
C:\Windows\SysWOW64\Oaghki32.exe
C:\Windows\system32\Oaghki32.exe
C:\Windows\SysWOW64\Odedge32.exe
C:\Windows\system32\Odedge32.exe
C:\Windows\SysWOW64\Ofcqcp32.exe
C:\Windows\system32\Ofcqcp32.exe
C:\Windows\SysWOW64\Oibmpl32.exe
C:\Windows\system32\Oibmpl32.exe
C:\Windows\SysWOW64\Omnipjni.exe
C:\Windows\system32\Omnipjni.exe
C:\Windows\SysWOW64\Offmipej.exe
C:\Windows\system32\Offmipej.exe
C:\Windows\SysWOW64\Oidiekdn.exe
C:\Windows\system32\Oidiekdn.exe
C:\Windows\SysWOW64\Ompefj32.exe
C:\Windows\system32\Ompefj32.exe
C:\Windows\SysWOW64\Ooabmbbe.exe
C:\Windows\system32\Ooabmbbe.exe
C:\Windows\SysWOW64\Oekjjl32.exe
C:\Windows\system32\Oekjjl32.exe
C:\Windows\SysWOW64\Oiffkkbk.exe
C:\Windows\system32\Oiffkkbk.exe
C:\Windows\SysWOW64\Oococb32.exe
C:\Windows\system32\Oococb32.exe
C:\Windows\SysWOW64\Oabkom32.exe
C:\Windows\system32\Oabkom32.exe
C:\Windows\SysWOW64\Oemgplgo.exe
C:\Windows\system32\Oemgplgo.exe
C:\Windows\SysWOW64\Phlclgfc.exe
C:\Windows\system32\Phlclgfc.exe
C:\Windows\SysWOW64\Pdbdqh32.exe
C:\Windows\system32\Pdbdqh32.exe
C:\Windows\SysWOW64\Phnpagdp.exe
C:\Windows\system32\Phnpagdp.exe
C:\Windows\SysWOW64\Pkmlmbcd.exe
C:\Windows\system32\Pkmlmbcd.exe
C:\Windows\SysWOW64\Pmkhjncg.exe
C:\Windows\system32\Pmkhjncg.exe
C:\Windows\SysWOW64\Pebpkk32.exe
C:\Windows\system32\Pebpkk32.exe
C:\Windows\SysWOW64\Phqmgg32.exe
C:\Windows\system32\Phqmgg32.exe
C:\Windows\SysWOW64\Pgcmbcih.exe
C:\Windows\system32\Pgcmbcih.exe
C:\Windows\SysWOW64\Pmmeon32.exe
C:\Windows\system32\Pmmeon32.exe
C:\Windows\SysWOW64\Pplaki32.exe
C:\Windows\system32\Pplaki32.exe
C:\Windows\SysWOW64\Pgfjhcge.exe
C:\Windows\system32\Pgfjhcge.exe
C:\Windows\SysWOW64\Pidfdofi.exe
C:\Windows\system32\Pidfdofi.exe
C:\Windows\SysWOW64\Paknelgk.exe
C:\Windows\system32\Paknelgk.exe
C:\Windows\SysWOW64\Pdjjag32.exe
C:\Windows\system32\Pdjjag32.exe
C:\Windows\SysWOW64\Pcljmdmj.exe
C:\Windows\system32\Pcljmdmj.exe
C:\Windows\SysWOW64\Pnbojmmp.exe
C:\Windows\system32\Pnbojmmp.exe
C:\Windows\SysWOW64\Qdlggg32.exe
C:\Windows\system32\Qdlggg32.exe
C:\Windows\SysWOW64\Qgjccb32.exe
C:\Windows\system32\Qgjccb32.exe
C:\Windows\SysWOW64\Qiioon32.exe
C:\Windows\system32\Qiioon32.exe
C:\Windows\SysWOW64\Qlgkki32.exe
C:\Windows\system32\Qlgkki32.exe
C:\Windows\SysWOW64\Qpbglhjq.exe
C:\Windows\system32\Qpbglhjq.exe
C:\Windows\SysWOW64\Qdncmgbj.exe
C:\Windows\system32\Qdncmgbj.exe
C:\Windows\SysWOW64\Qcachc32.exe
C:\Windows\system32\Qcachc32.exe
C:\Windows\SysWOW64\Qeppdo32.exe
C:\Windows\system32\Qeppdo32.exe
C:\Windows\SysWOW64\Qnghel32.exe
C:\Windows\system32\Qnghel32.exe
C:\Windows\SysWOW64\Aohdmdoh.exe
C:\Windows\system32\Aohdmdoh.exe
C:\Windows\SysWOW64\Agolnbok.exe
C:\Windows\system32\Agolnbok.exe
C:\Windows\SysWOW64\Aebmjo32.exe
C:\Windows\system32\Aebmjo32.exe
C:\Windows\SysWOW64\Ahpifj32.exe
C:\Windows\system32\Ahpifj32.exe
C:\Windows\SysWOW64\Allefimb.exe
C:\Windows\system32\Allefimb.exe
C:\Windows\SysWOW64\Acfmcc32.exe
C:\Windows\system32\Acfmcc32.exe
C:\Windows\SysWOW64\Afdiondb.exe
C:\Windows\system32\Afdiondb.exe
C:\Windows\SysWOW64\Ajpepm32.exe
C:\Windows\system32\Ajpepm32.exe
C:\Windows\SysWOW64\Alnalh32.exe
C:\Windows\system32\Alnalh32.exe
C:\Windows\SysWOW64\Akabgebj.exe
C:\Windows\system32\Akabgebj.exe
C:\Windows\SysWOW64\Aomnhd32.exe
C:\Windows\system32\Aomnhd32.exe
C:\Windows\SysWOW64\Afffenbp.exe
C:\Windows\system32\Afffenbp.exe
C:\Windows\SysWOW64\Adifpk32.exe
C:\Windows\system32\Adifpk32.exe
C:\Windows\SysWOW64\Alqnah32.exe
C:\Windows\system32\Alqnah32.exe
C:\Windows\SysWOW64\Aoojnc32.exe
C:\Windows\system32\Aoojnc32.exe
C:\Windows\SysWOW64\Abmgjo32.exe
C:\Windows\system32\Abmgjo32.exe
C:\Windows\SysWOW64\Aficjnpm.exe
C:\Windows\system32\Aficjnpm.exe
C:\Windows\SysWOW64\Agjobffl.exe
C:\Windows\system32\Agjobffl.exe
C:\Windows\SysWOW64\Akfkbd32.exe
C:\Windows\system32\Akfkbd32.exe
C:\Windows\SysWOW64\Andgop32.exe
C:\Windows\system32\Andgop32.exe
C:\Windows\SysWOW64\Abpcooea.exe
C:\Windows\system32\Abpcooea.exe
C:\Windows\SysWOW64\Adnpkjde.exe
C:\Windows\system32\Adnpkjde.exe
C:\Windows\SysWOW64\Bhjlli32.exe
C:\Windows\system32\Bhjlli32.exe
C:\Windows\SysWOW64\Bnfddp32.exe
C:\Windows\system32\Bnfddp32.exe
C:\Windows\SysWOW64\Bbbpenco.exe
C:\Windows\system32\Bbbpenco.exe
C:\Windows\SysWOW64\Bdqlajbb.exe
C:\Windows\system32\Bdqlajbb.exe
C:\Windows\SysWOW64\Bgoime32.exe
C:\Windows\system32\Bgoime32.exe
C:\Windows\SysWOW64\Bjmeiq32.exe
C:\Windows\system32\Bjmeiq32.exe
C:\Windows\SysWOW64\Bniajoic.exe
C:\Windows\system32\Bniajoic.exe
C:\Windows\SysWOW64\Bmlael32.exe
C:\Windows\system32\Bmlael32.exe
C:\Windows\SysWOW64\Bqgmfkhg.exe
C:\Windows\system32\Bqgmfkhg.exe
C:\Windows\SysWOW64\Bceibfgj.exe
C:\Windows\system32\Bceibfgj.exe
C:\Windows\SysWOW64\Bgaebe32.exe
C:\Windows\system32\Bgaebe32.exe
C:\Windows\SysWOW64\Bfdenafn.exe
C:\Windows\system32\Bfdenafn.exe
C:\Windows\SysWOW64\Bnknoogp.exe
C:\Windows\system32\Bnknoogp.exe
C:\Windows\SysWOW64\Bmnnkl32.exe
C:\Windows\system32\Bmnnkl32.exe
C:\Windows\SysWOW64\Boljgg32.exe
C:\Windows\system32\Boljgg32.exe
C:\Windows\SysWOW64\Bffbdadk.exe
C:\Windows\system32\Bffbdadk.exe
C:\Windows\SysWOW64\Bjbndpmd.exe
C:\Windows\system32\Bjbndpmd.exe
C:\Windows\SysWOW64\Bmpkqklh.exe
C:\Windows\system32\Bmpkqklh.exe
C:\Windows\SysWOW64\Bqlfaj32.exe
C:\Windows\system32\Bqlfaj32.exe
C:\Windows\SysWOW64\Bcjcme32.exe
C:\Windows\system32\Bcjcme32.exe
C:\Windows\SysWOW64\Bfioia32.exe
C:\Windows\system32\Bfioia32.exe
C:\Windows\SysWOW64\Bigkel32.exe
C:\Windows\system32\Bigkel32.exe
C:\Windows\SysWOW64\Coacbfii.exe
C:\Windows\system32\Coacbfii.exe
C:\Windows\SysWOW64\Cbppnbhm.exe
C:\Windows\system32\Cbppnbhm.exe
C:\Windows\SysWOW64\Cfkloq32.exe
C:\Windows\system32\Cfkloq32.exe
C:\Windows\SysWOW64\Cmedlk32.exe
C:\Windows\system32\Cmedlk32.exe
C:\Windows\SysWOW64\Cocphf32.exe
C:\Windows\system32\Cocphf32.exe
C:\Windows\SysWOW64\Cnfqccna.exe
C:\Windows\system32\Cnfqccna.exe
C:\Windows\SysWOW64\Cfmhdpnc.exe
C:\Windows\system32\Cfmhdpnc.exe
C:\Windows\SysWOW64\Cgoelh32.exe
C:\Windows\system32\Cgoelh32.exe
C:\Windows\SysWOW64\Ckjamgmk.exe
C:\Windows\system32\Ckjamgmk.exe
C:\Windows\SysWOW64\Cnimiblo.exe
C:\Windows\system32\Cnimiblo.exe
C:\Windows\SysWOW64\Cagienkb.exe
C:\Windows\system32\Cagienkb.exe
C:\Windows\SysWOW64\Cebeem32.exe
C:\Windows\system32\Cebeem32.exe
C:\Windows\SysWOW64\Cgaaah32.exe
C:\Windows\system32\Cgaaah32.exe
C:\Windows\SysWOW64\Ceebklai.exe
C:\Windows\system32\Ceebklai.exe
C:\Windows\SysWOW64\Cchbgi32.exe
C:\Windows\system32\Cchbgi32.exe
C:\Windows\SysWOW64\Cgcnghpl.exe
C:\Windows\system32\Cgcnghpl.exe
C:\Windows\SysWOW64\Cjakccop.exe
C:\Windows\system32\Cjakccop.exe
C:\Windows\SysWOW64\Calcpm32.exe
C:\Windows\system32\Calcpm32.exe
C:\Windows\SysWOW64\Cegoqlof.exe
C:\Windows\system32\Cegoqlof.exe
C:\Windows\SysWOW64\Ccjoli32.exe
C:\Windows\system32\Ccjoli32.exe
C:\Windows\SysWOW64\Cfhkhd32.exe
C:\Windows\system32\Cfhkhd32.exe
C:\Windows\SysWOW64\Dnpciaef.exe
C:\Windows\system32\Dnpciaef.exe
C:\Windows\SysWOW64\Danpemej.exe
C:\Windows\system32\Danpemej.exe
C:\Windows\SysWOW64\Dpapaj32.exe
C:\Windows\system32\Dpapaj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 144
Network
Files
memory/2324-0-0x0000000000400000-0x000000000042F000-memory.dmp
\Windows\SysWOW64\Mjkgjl32.exe
| MD5 | f0103e2e1e201b094e06ceb494f6d20a |
| SHA1 | dd63052b9037e0bd4ef20bc9d30a6ad30ff22f91 |
| SHA256 | 1d70b30a0c21c827129efe1539192684fc045128bdd0ffbf322e3d93b8db4b8e |
| SHA512 | 6eeb9c0704027693571e8ea8bafdcd4be0edade87aafa7aae2b95645c27e0196717dead01962fed4db27ee4d8182adfd65efd3782ad747e2cbb51c813db57f63 |
C:\Windows\SysWOW64\Mmicfh32.exe
| MD5 | 926281c7fb8d51529baba4816d87e8a5 |
| SHA1 | 5df7b5d6e874ccffe8e289e0658f7bc81df9db9a |
| SHA256 | 79768583fc8bbb5492d74286a21f00e3d97ba4a889078e307dc798f77b739ec4 |
| SHA512 | 0080ddd90388eea66857398b12a537ef1ddb39e9b131455ff90620e4972c491104e2e85a5cfcecf003325eca0e42340b764089db0e6273b8729b67cb242b6cf4 |
memory/2156-28-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2652-27-0x00000000003D0000-0x00000000003FF000-memory.dmp
memory/2652-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2324-13-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2324-12-0x0000000000250000-0x000000000027F000-memory.dmp
\Windows\SysWOW64\Mpgobc32.exe
| MD5 | 8063fedb44209b561530da3b4c7078be |
| SHA1 | 1f582cfd0e375adbe0c032d98ecf4851ffb26eff |
| SHA256 | bd0792102e4e9e20158d4eab92ccd2559c4667032a1118cc1939ffcbd4adda2f |
| SHA512 | fe5f868e17bdca781e8c2c00a992dd749266e0cd6b4f1a67fc0cdd90ef6ab1866363844f6cad719697f6e5166f8748f0658a01d57d2e3a18493c79e44a1a818b |
memory/2156-35-0x0000000000250000-0x000000000027F000-memory.dmp
\Windows\SysWOW64\Nmkplgnq.exe
| MD5 | 2bef2d03d53fdbd45ccca62a16d5efa6 |
| SHA1 | 3e300d36b14b2e96ce548ca0a24bb1c4613d94fc |
| SHA256 | eaa01a814e84db5760756c958b3346ad23c637a8d2ead0d60fe3ab05595a8a87 |
| SHA512 | 03158b81c5e1db04150ff4c4463ed5525976ed91ef610a61486bcfbe23c7eefa960b32951253febc3ab717cd53ccb7a11f660ad3f1255446b7aff8817e091e41 |
memory/2800-55-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3068-54-0x0000000000280000-0x00000000002AF000-memory.dmp
\Windows\SysWOW64\Npjlhcmd.exe
| MD5 | cc06089c43acc4cbf8acbe2543016830 |
| SHA1 | 5611a9bcce77a61ac257fe70935db2cbbbedb208 |
| SHA256 | 0d334dd045bed55bde802a69bf0bc1354daa73f794db05e0fdc9ac8c25f33ecd |
| SHA512 | 7fcde7c128ea3fbe7d7ba7ab32d2405713317dd54606407c9b46edc5b456e8124b73667b62a6a1e8fe7c0ed5b0588fb34f3a7d47d4da3a6149a18c07defd385a |
memory/2800-62-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2792-82-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2192-81-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Nbhhdnlh.exe
| MD5 | 42be850687e7e571fc6dd751124f7053 |
| SHA1 | 5fa96f33aaaa33bb423d18eebd73f0e6be029c0c |
| SHA256 | 64978e79185b19f8bd63abe88216eae617d406b3ff9aa9f89d9ff28d75bc7fed |
| SHA512 | 78de1564c7dcc38819b8408ad201c7f48489db4012aae4005bd065995b628e1ad392ba92590455137bc96e520ba2ed6f5eff637f1db32a10ec4d503b066b2858 |
\Windows\SysWOW64\Nibqqh32.exe
| MD5 | 3618beb128a9b74ac145130171bf7848 |
| SHA1 | bb955958d4aac940a7d6cfc9233d2833a9d2fd5e |
| SHA256 | bffecaf94fedbee83bbe984bab165ddc2524b780a94e6dcfeca890062c500a76 |
| SHA512 | e0ab6aa1aa9751dc9f5ea0db1c15fa9037acd4f18b049fc2dd301521b3833b89740f7e36410536d2dcd806a618b8993c41687001055c251b56d7ade880aa1dbd |
memory/2792-89-0x0000000000250000-0x000000000027F000-memory.dmp
\Windows\SysWOW64\Nlqmmd32.exe
| MD5 | 48bc772649f0274b337db4a17942df39 |
| SHA1 | 4a379f108d3f06f6786f56a909e2956ae6bd9888 |
| SHA256 | 4175ff035e5a170c2e8a138b91a4bc5bea3d64f5084451898caad1f7e810b61f |
| SHA512 | 200a3417f2bb0f740cf16bde7ae3ea6695042bcc688d230b7d4ec7e9c7e9c569d0f4c68238150ad96e104d9401ef84797220e3b7340179febdb055c8348c433a |
memory/3052-109-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2580-107-0x00000000002E0000-0x000000000030F000-memory.dmp
\Windows\SysWOW64\Nbjeinje.exe
| MD5 | bfbed8d5edbe38543df0c2803be9e350 |
| SHA1 | ec078904ce2016722aeeb3e1834d015db2cf323e |
| SHA256 | 098dcc826aa8958ae0dc42034ddcc5b11b74916c3e8f69313f49bcca8e9e0b49 |
| SHA512 | 2328799ba9c234cba8935e75add62106883029a3bafab85463f34660fd42b3cd00bc8cd9a4e1ad0dfbfa16d510e14fe3d70a3bf442f4b0b719b099fb4317ef66 |
memory/3052-121-0x00000000003D0000-0x00000000003FF000-memory.dmp
memory/3052-122-0x00000000003D0000-0x00000000003FF000-memory.dmp
\Windows\SysWOW64\Nidmfh32.exe
| MD5 | 434afb55b2f0bc1f0c1981d2046def0a |
| SHA1 | 235eb38ff6f905eb135c8327107b6fa26eb9281a |
| SHA256 | b23d3b9e304b8dac6e49c785e9638c793f13e62c2eb7a7c4694551ff3af5756d |
| SHA512 | 152d03c179f47a612c51e0920731800b842fd0be482cb08a2f7e5e3c9b5e1ee553cbf287aa51f382ad50d87d5a009fc200b7f6525f7b1f24f3e80264a5920017 |
memory/1712-137-0x0000000000400000-0x000000000042F000-memory.dmp
memory/616-135-0x0000000000430000-0x000000000045F000-memory.dmp
\Windows\SysWOW64\Nlcibc32.exe
| MD5 | e0dd83071718be7269c9450e639d5f33 |
| SHA1 | 8c4fc7aa02529e50bdfe14a46160631e01a836f5 |
| SHA256 | f809d34133e92310aefdbfb8a17bc272ddb033d5769c2309fc8823c3ae12cfc0 |
| SHA512 | 8ba2a0b0fe975744733a8c6c54abf7fc69242677e0287d1063388623ac9a6ef0bfd68ea43d965823dddf6b2b49d91571359f93f23915379195efb4c3aa105486 |
memory/1712-145-0x0000000000260000-0x000000000028F000-memory.dmp
memory/2304-151-0x0000000000400000-0x000000000042F000-memory.dmp
\Windows\SysWOW64\Nnafnopi.exe
| MD5 | 42dd33735ddff20cf48741498ee1d67f |
| SHA1 | 043305585cdca6df17251bf4c2eff34e58b065a5 |
| SHA256 | 62256fd6f29c590f8af73fa6549f241876bc2138472122ca27884f4a8537f7cb |
| SHA512 | 9400e5fd84d2c67a82f3887e3a41c13648148b0eb7eb0e54baa2d2f7409594811afb8f57455b22fc634f9976893f4ff9f060b5237df980429682755fb3bd1c34 |
memory/2496-165-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2304-164-0x0000000000280000-0x00000000002AF000-memory.dmp
\Windows\SysWOW64\Napbjjom.exe
| MD5 | b95646c8d15e17bff2247c2a12d584ab |
| SHA1 | 9c0ebb295e80ef81c2f9f570eb1e3c6f73d0c2d1 |
| SHA256 | 609ec753a7606a0ac7d7d75b45d83130124907210f55ff9d72712d94237158cc |
| SHA512 | df9b61bf4e233846704eb95e183f97994db7a90b0108738ffee10325215d4035625f050e1c9f05fc1401de095f0118af4cb3130c8685138de86a25972ac10bad |
memory/2496-173-0x0000000000250000-0x000000000027F000-memory.dmp
\Windows\SysWOW64\Nhjjgd32.exe
| MD5 | ec0e37edec827c68f29521e7820843bd |
| SHA1 | 20b2c3cdc9fd84a9eee0626bee2bdb32f52bc43a |
| SHA256 | 74e01ddbfaa1cbd8558fcb1b58fce9e4015e882f1f7fff2842d82c16df105e4e |
| SHA512 | d9f50b48053c2c68ec9f7b847d966c1c8c21b83162ffa0d38bbf16f04c06faf8b320fc187be6a81ab2f634a6928d44199eb521e1ec5ac97f41b3e1264dd1080b |
memory/2032-192-0x0000000000400000-0x000000000042F000-memory.dmp
memory/868-190-0x0000000000280000-0x00000000002AF000-memory.dmp
\Windows\SysWOW64\Njhfcp32.exe
| MD5 | 522e6dd4f32e8a1af912ed985d3d5e64 |
| SHA1 | da2e89d308315857214a891a12b4b66c05619304 |
| SHA256 | 5ddbbeda15fccffec6a68a50d4fc1a7a1d7822563630d746f574bf7342da7194 |
| SHA512 | 909462db0d286fc08e5a12a0e82ab5a2a1c348ea0a9f324875b2f4e9c7cae63f3f27a8210dbd1d11a718fd970a5c09ee42526911776333f83d96b844efe433d4 |
memory/2032-199-0x00000000002E0000-0x000000000030F000-memory.dmp
\Windows\SysWOW64\Nmfbpk32.exe
| MD5 | 58113f49f731280a1be565340cd6507a |
| SHA1 | 9eac6ef9ac8b7222e39c60c5ffed7be70f520cb0 |
| SHA256 | f1de088f217865b5aaa65b81943bd233500cab4e04e35c577e4e6875798d89a5 |
| SHA512 | 916c09de7041b5cc6a4f2cae716a38b24806c1c66c9f8cf298d99c7dcf3620d96bd882c9c2351c377bf2e5991777d57503aeebb713b3f304d5c294168cd3c5f8 |
memory/408-218-0x0000000000400000-0x000000000042F000-memory.dmp
memory/408-225-0x00000000003D0000-0x00000000003FF000-memory.dmp
C:\Windows\SysWOW64\Ndqkleln.exe
| MD5 | 3bc727829c8be5ccdd9d417a4c972244 |
| SHA1 | 4dc8ffb79d0254fa3f01fd9b3783ec5239d66b26 |
| SHA256 | 5fbb05e22eb56a730c577e4a9eec120e3521222879d3678bfd8b792d58a3a9b7 |
| SHA512 | 3104b1a2100218fb455ffc778ed48ba1c6f324197282f4b42cdd793f00e1ef5c1c7b9af4c0e6fb1761b7e4616f98f02319b568b79239c2f33586b52d62f7342c |
C:\Windows\SysWOW64\Nfoghakb.exe
| MD5 | ab14ed7ddb1aa34f81d5b0c9e92d4251 |
| SHA1 | ee3abdac58c2cd9c223285de74e03afbc4ee7843 |
| SHA256 | 0091930313fbd9f665db01a17f2189a4959bddc3164a03eb8f64bfa788e6ba95 |
| SHA512 | fee4d13ad14caca2cad27c771e5cb1e0d5103c0ca3dcb10335b900698d5b74c4a853582a640b9885d329dd3dc0f72c0acfc64c0dc98cfc1db718e6d3e9d83d44 |
memory/1976-237-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1976-243-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Njjcip32.exe
| MD5 | 2f40b75dc51dfb45816070c945dccb43 |
| SHA1 | c4b11ada37ef32c658c763aad318295ca32dad20 |
| SHA256 | 949481d729bf0770c3fef535ad622ee0f3adf9a3e0f099b0d3c06c1d2810179c |
| SHA512 | 2f189ab1ec0fe3c640f1c539e34d9a28cdc61a89151d5714e3fb08766feedad1a5da4a4c2b2b6d120adaae09e5aefd32f7a00d199469cfa8d408f7fd01ca0334 |
C:\Windows\SysWOW64\Oadkej32.exe
| MD5 | 7fb5d27974f996a08028b6f3569c449a |
| SHA1 | be48be65d84b6cd9c584dfccb7d71b907a70a119 |
| SHA256 | 94bd335fe682af16d5fd5b6e983adde1fdadd9b809cdaed4c2b2f46154224505 |
| SHA512 | f67a6ba75e31f144ba9bd382c8b40207ddd5effd3ff68f7ac7b28feb62de66d1939bcf3a43c6a308e5f682c3bfbd9463085c2b9471839b4e722444adac550706 |
memory/916-255-0x0000000000400000-0x000000000042F000-memory.dmp
memory/916-261-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Odchbe32.exe
| MD5 | ff5107665062f0ebd7ab3797cfa1f062 |
| SHA1 | ee63dc3a5d0f02ba3eceef1883ff2938c9733835 |
| SHA256 | 2540125d688b4aa340a1624fd736e5887c1f9047a51bc1dadb5cd9f22a7f37fc |
| SHA512 | a90de2e1469c51c78eb7e9da5b303d37fb3873fca0235a844b402cb74368b03fca8f3b23e71eddf8c46f61cf6cf09c1048c95f2cc724863edde89ca78f0d1615 |
C:\Windows\SysWOW64\Ofadnq32.exe
| MD5 | 8dd07129b9b59b8837a8a671135411a5 |
| SHA1 | 2436d90738f976cdfc950bf5188739f84519a0a3 |
| SHA256 | d6c42cc66d3f745594180164128182d1384a265c26e5b0470ee5582125e98f46 |
| SHA512 | b0e6304cbeabe91c6dbb9619411e86c5728f84d3642bb109d8ba2da498a84cf63d5185b770cdb3a98644f77ac4e8f9518c7dbeb821e0af406d787b42ee6e06b2 |
memory/1536-273-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1536-279-0x00000000002D0000-0x00000000002FF000-memory.dmp
C:\Windows\SysWOW64\Oippjl32.exe
| MD5 | 80a74b6dd811ef2a02518b78d7eaeabb |
| SHA1 | eb8c142896558a7da8ea97809a7fe1f20917b537 |
| SHA256 | df3ed68cfd2de707ce0ff443be9cc7b4614c1a897beff48a51b408837cdd9f2b |
| SHA512 | 49aa3ad8683abea394bafa0465bd19515ddae08b3aa7bb1dc92bff18cdc2b9350622fd3468d050f9b25368625ffbfc8b6af2f4c1dcfbfae24b5179f15ddeb6fa |
memory/2084-288-0x0000000000280000-0x00000000002AF000-memory.dmp
C:\Windows\SysWOW64\Oaghki32.exe
| MD5 | bb0faf39c96bce96fcb8cc3d0ecee795 |
| SHA1 | 4b7333eb3855b308459f5846e12dc7795d7c3067 |
| SHA256 | cf960f664b78a3912b0a6f6331ff8cc592401cfa2bb142f418e3537caa9c287d |
| SHA512 | 9b42e0040508db9761a5e44f03ab2a2d51e070a40fdbd02d022528d2417c89f9d116a07470583dd89d3cdbd9410b7fc75ac8ad0e1d0cd6950234fc3457b8472e |
memory/2184-297-0x00000000002D0000-0x00000000002FF000-memory.dmp
C:\Windows\SysWOW64\Odedge32.exe
| MD5 | acaefd2437878ff5b48cb5ea613b8bb3 |
| SHA1 | 6f896d17b89a9a452bb2d8db9f65f10fedf1245f |
| SHA256 | 2f4c8a2be39564015343f22a6677e438c758d565242e20f1bb2f6a2873a8b12d |
| SHA512 | cdcfead30018de09ebc1d7783655f8aba37f7556e2c24ed2cc6c82f975c1504aa2bb0b076b480676631fca4ef0cc9bcbf4b103d3829b71fb484a5e2fe5ecdcbc |
memory/2152-305-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Ofcqcp32.exe
| MD5 | 14ec6a7c1dc0d60c873b96d6cd69da7d |
| SHA1 | e5337e91c0b23cc56ee5daee7751fce4eef19ad0 |
| SHA256 | b061a64f7515ebe05831e1ad61e266c556a08e2ebd7edbb5abe7a51f8e6fe805 |
| SHA512 | 95018205d5c70ad65af9c03cbdaf088f031b827b38be9d56f9016a9ef8d96dc544df1aa7dd41e3e7475c62938fe65c0f5c3c745262b28b4560e626fb6fc0808a |
memory/1580-316-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Oibmpl32.exe
| MD5 | a0b1332faa3e87a61afde0f98d1d3386 |
| SHA1 | 9b7f0d63caae9203a8cb37d371ccc948f8b520c9 |
| SHA256 | ab78141ba580ccfb47441e18a2163cf7227a27624e1f9f3ac1c7a0b686570abd |
| SHA512 | 0ae2998593e10b3fa0d6314289540ea583ec9d422437fae45aea00df1e64841025831c5eb945a4489154a9d4639c0c0a54db1ac786990c1e395ed5cadb01d48d |
memory/2204-323-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2152-314-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2204-326-0x0000000000270000-0x000000000029F000-memory.dmp
C:\Windows\SysWOW64\Omnipjni.exe
| MD5 | eead89917ab0c8f8cffddd7bad3d3cad |
| SHA1 | 56d1792fb84b99c41926c7fe83bd8fccdc590c76 |
| SHA256 | 59426d4c322ea8b930b4856914bba8a12a11425b16a607cc90465ce74707a59b |
| SHA512 | df0b7189bb9f895d025cb44e2973bce61fb795293c9fa7afa8db86981181818ed54a3f3f80f80d9ae12bcbc5b95942299bfa9ca5d1f2b59ea7910ac34ac18772 |
memory/2204-330-0x0000000000270000-0x000000000029F000-memory.dmp
memory/2708-331-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2708-337-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2708-341-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Offmipej.exe
| MD5 | 857debc9e76ad8e7ae045b4f6cd124f4 |
| SHA1 | e567ff6e2907632a4fc70aec600eb0ddc5f64985 |
| SHA256 | 8f6a0d99358739e195379fd1e9a8c336a21c88b7fa877426e4d71810df0d6dbf |
| SHA512 | 349f343550caf51b8e6cb505c6844001f886bab431398a30fa978ff355015c9cc31c99d1e8d0c97011d8bac980c193299032d945ed823f5118b4b49a778b170e |
memory/2692-342-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2324-353-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2828-355-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2652-354-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2692-352-0x00000000002E0000-0x000000000030F000-memory.dmp
memory/2692-351-0x00000000002E0000-0x000000000030F000-memory.dmp
C:\Windows\SysWOW64\Oidiekdn.exe
| MD5 | c81764f5bf3a70f2aec888f78b6b3040 |
| SHA1 | e08c81b9918a1ace6567b959a5af0a3ee5d3c7c4 |
| SHA256 | 6f249bb8b599c4387995cc4590dddf39027767ee29e751ce14b87ae0da0108f4 |
| SHA512 | b0f3113d6f0a877134c2de106e3daa7292b7d06e7be197f61f749c148b0d73c86a15166c1a745dd194d25061d632fa2dcbd74a5e389a86a774db67473041ae35 |
memory/2704-366-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2156-365-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ompefj32.exe
| MD5 | ccbef64874c0e0dcb09369fd5dd83429 |
| SHA1 | 712c9841efd2541dff38176680d7926e5d988339 |
| SHA256 | bf13e16010100e2028acc4d96ab30a914600bef2992db11f7bfe60aea98b7ed6 |
| SHA512 | 7fbe8e415e6fe7c3f1af09b67db46e6b5e237f2cc64f14d22edeba470a365a0276a9e6135a95f57dac77246e9b6ce1df5f113e4abf199c0163f3a1fa3c2aa164 |
memory/2324-361-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Ooabmbbe.exe
| MD5 | ad5f642fc8af3f6af07be334d8e86300 |
| SHA1 | f45fc86d44e998d4200a5c4f7cac12b633d2928c |
| SHA256 | 37fb4dd098e967a2d5cde213180950ee4fdb137622134d7364884115bd271057 |
| SHA512 | a415a0f04c6f4af6b323b6cbabed998329a2bc55f934f26b1eef48c422059b32fdd6279d93206ca6fa6e2812099ea692c9c9145f291426de5cdba1eef85447de |
memory/2704-372-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2600-378-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3068-377-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2156-376-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Oekjjl32.exe
| MD5 | b015c05bd42452d70e638c125e686042 |
| SHA1 | f5a58da16231cedeb3a73788e6f5183da3c9d616 |
| SHA256 | 386f7d7e98199fa2c2c26666db5c15681fc36228f06aa733ac6fa000177a68d0 |
| SHA512 | 4b673e71b8f4fb03435075f8ea4ed35bd2ec4a99d352cb54e5d65f9ffce72b45a3576a001e9415a221bd28e3ccd76fc619996e9d66a75e62c4b527c0ff360b68 |
memory/2800-390-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2600-395-0x00000000002F0000-0x000000000031F000-memory.dmp
memory/1992-389-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1716-403-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2800-402-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1992-401-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1992-400-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Oiffkkbk.exe
| MD5 | 6325049a846827e65510315e3334ec43 |
| SHA1 | 7d690daedbebbf76e6f31d9cabdacd7937294dc6 |
| SHA256 | 94dae62df724cc5ae80f8393af5964ef01379651328dc1e9f29034d6d02aa3cf |
| SHA512 | 08276567be60dbc55b7b7ba0d516afbbd6d5c349fb36c1cab804fdc2e7cb2931964ad3d09eb8fa00e49bb454415b958f578ff8d6c80860110f35211bb7e9de98 |
memory/2600-388-0x00000000002F0000-0x000000000031F000-memory.dmp
memory/3068-387-0x0000000000280000-0x00000000002AF000-memory.dmp
C:\Windows\SysWOW64\Oococb32.exe
| MD5 | 38df6ed4a3e5e36e18a2bf5580dec52b |
| SHA1 | 6f2ae9a240377fb75d8cf5b19a93fc56139a7c2f |
| SHA256 | 27e4907ec826e809be49b39eb1ca83ffdba932530109de6196093a520537e499 |
| SHA512 | fddd09b409b7b545e50d0e47755b5a1e03825f90728e91a7eaee7000ee9f5dc6f3b5f506ed1eed6589a2f15c2e7a25863351772ad4ae9739f1a2da2256b8f166 |
memory/2192-412-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1672-423-0x00000000002F0000-0x000000000031F000-memory.dmp
memory/1788-437-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1968-443-0x00000000003D0000-0x00000000003FF000-memory.dmp
memory/2792-429-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1968-449-0x00000000003D0000-0x00000000003FF000-memory.dmp
memory/616-448-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3052-447-0x00000000003D0000-0x00000000003FF000-memory.dmp
memory/3052-434-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2580-432-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1788-431-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1788-426-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Oemgplgo.exe
| MD5 | a34522832c1481b4d9798a15985799f2 |
| SHA1 | c1655add5132808ac3bcdcda473a41d984f790de |
| SHA256 | bd3ded25cf4b6254e425703ea273a08eb39089ba465fb01c389e3f9750c14677 |
| SHA512 | e0256cca4d333c963403d924f6f39bb60adf98a3cc394690ac2a91b2c49dbe828aa431764a7ad39b8d6b81927335172f4df42e7d21842e5a76f67d0178912a6a |
C:\Windows\SysWOW64\Oabkom32.exe
| MD5 | bda58876c960c240f4bda277299a80d2 |
| SHA1 | 8391403faa82f022e68f3ee98c7a24e13d17ad91 |
| SHA256 | e867325ea6ccb12ee58753ce3e6a72c840b5ec60bc68b0d773a580dcadfecf0f |
| SHA512 | 620acd6af035a37f61e2ba88bc0458cbd432fc4e923f70fdf904bc05efb15207ae1b0bd5d34b47ed8a6bd839a3cb04e4973919fc96a8d47d3a949efc271a2324 |
memory/1672-414-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2792-413-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Phlclgfc.exe
| MD5 | 972b28b5c9df57b2d9abb26baa8e6d1a |
| SHA1 | e6aca2468692634f47f6fb221498b938c740d641 |
| SHA256 | f97c827b2fcd8247d20319fe8c3f287a68c155e3414d2518c87a62331046e0d8 |
| SHA512 | 7558d4515e42f006e26cb273bff99ec708c758998d3551509cc20f781801898c38977b117a153e2fedf4098f30b8c2371f00b2d1ae1c365b64448a220dcfc828 |
memory/616-455-0x0000000000430000-0x000000000045F000-memory.dmp
memory/2636-461-0x0000000000280000-0x00000000002AF000-memory.dmp
memory/1712-460-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2636-459-0x0000000000280000-0x00000000002AF000-memory.dmp
C:\Windows\SysWOW64\Pdbdqh32.exe
| MD5 | 0eef58e177b6d0db40961748349bac83 |
| SHA1 | 7b7652dc7aab1f9a181dfde3d68fc20a006fc1a0 |
| SHA256 | fdffcb6173c5d51866e8d283f46ac46969c76a9f6d9f616ef6bd462c7fe71131 |
| SHA512 | fc49ffe6fdd5e42e12726785e9e37b57a10f6e24356afdab6cb7b7ca132db3db51685b83d82c44c62415f01b96100b5a94b06c1b462b12500150e8b914b50f90 |
C:\Windows\SysWOW64\Phnpagdp.exe
| MD5 | fc00530c8bf89b63b8a475ef037f9da1 |
| SHA1 | 9812489fe0fd483704696fabbcb698f0352c2854 |
| SHA256 | ba57ba05a5028296b22864d70f7c22c42281377a38b4b791e0db11e9ac31d903 |
| SHA512 | e57c72f23e38d936466a46ccdf38ca274a6f76590d73856f79c7f6f333583ce5097611d183ab519bbe9dede03ac8555b1cf5bfd1a4d8221e211a586d7ec824fb |
memory/2664-470-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2796-471-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Pkmlmbcd.exe
| MD5 | a9ce88f138aef48318f335fba9486d69 |
| SHA1 | 02650b9f3d98839cc431024ce94d20ae6aed993d |
| SHA256 | 1737a96081eae8bd18c98cc4ef7211659dccbfe2765292c93debcff1f20c593f |
| SHA512 | eadea0d1677dce59a86440cbaa9b40db3707bbb05e6145c447ba1b61ab6554f078febadf7a77a5ce6371e9a86cc1e229c087c5546b9fd533f6f4196f2a70a1b0 |
memory/1712-480-0x0000000000260000-0x000000000028F000-memory.dmp
memory/2628-482-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2304-481-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Pmkhjncg.exe
| MD5 | 6e4272d3993e6606aee2a45ac372b8d8 |
| SHA1 | 7f23cd2c4a44e2b2a3af1f64d3b6a394b526f1e4 |
| SHA256 | 0ff9c3f705001ddb4e3e5c209be7e4db177909a71c983e6adc85d1c7ce8f5d9d |
| SHA512 | 3ade3894bae7f7dee32b9cbde13875bbdabab360379c228ff4a6845fe945a26b6c12101d4328ceaca2c18786d1f34fc4e85df2c347a8b933a78e93b7bea582ab |
memory/2496-491-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1364-492-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2496-498-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2260-503-0x0000000000400000-0x000000000042F000-memory.dmp
memory/868-502-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Pebpkk32.exe
| MD5 | b1181b9f5a9119483075248889fa000b |
| SHA1 | 80ef67f3a24f63c14b771492d92ec1e2b336ed8a |
| SHA256 | 7974cf4e522bb9592c314d0a9ce5f2a5f461eb33a55b41229c1b41e645181cf9 |
| SHA512 | 231458b66fbebdbf69dbe002cdf787307414c8cb0875cf8cb48737f9462171e2e993a115f1c004a8f2d637697fce598fc961e5ded037353064cff577edb1fada |
C:\Windows\SysWOW64\Phqmgg32.exe
| MD5 | 504749750ebc2ee1dfc40ebef3e39d1f |
| SHA1 | 69ff6d93d00e2d29fbf96122bbb1449390376ce4 |
| SHA256 | c841802280ee19faf31ade7184d8954c87fc834c57459bae4b8c9083c967ecaf |
| SHA512 | 46e04909c632036665677b7f11f83ff5717cc0c48419549baa959807a1ad11aa4cd8ba14772497f75ba17c39861d9f6a6889a6d3cd70cbadace4ead6fadc392b |
C:\Windows\SysWOW64\Pgcmbcih.exe
| MD5 | c52c0c8cbf71333aa0a1084ba7c5fff0 |
| SHA1 | f2e7b89c93512913c5ca5f264c34360b372c2ea6 |
| SHA256 | 968d47357872182d1621668d111356262a4328c657249dafc01f86d4f5957cf3 |
| SHA512 | 99efd7c1f45a0fd5f849f3739ea5ba53846557f1d83d0b0cc0bb30bfbaca2db05bd19cc169aad00fe2c57a71c416a655576ff5b548468864906d65076f426170 |
C:\Windows\SysWOW64\Pmmeon32.exe
| MD5 | e92327e6af5138ea53ac39ea3f0c23e2 |
| SHA1 | 311913a068d48b0906aba9d9c1777976374363d4 |
| SHA256 | d4439a7f2011e94aeb0c3d38f3e8e024b0d8121ec67f5950c57a40e8a5ca64f1 |
| SHA512 | 3d2ff6887351133d6f3b1a1b8ee51b0c8fa4d71a6000a16336f459ccf99285565bbc8ecf3b65294b98d4e09d80a940bcde502371e038da46a37e223c0241d090 |
C:\Windows\SysWOW64\Pplaki32.exe
| MD5 | 52e4cec708ef4355e90891c8f00d814f |
| SHA1 | 448726a2869943d462090d9af40efdf3714a53ed |
| SHA256 | 7cd532af2e62b58c1ac6124f804cfb735c32512d13c9fd1efd384b21eb6a488c |
| SHA512 | 3185e4be30ecd2d2f4a71175ab685e83425b0526436afb1e464561e4d15963ff200d87792d5518fddd8caebe78ae5a5808752a2a1c17e127527cbd2e3ab0e73b |
C:\Windows\SysWOW64\Pgfjhcge.exe
| MD5 | 210c6bfac63c9524543cb101d2e59781 |
| SHA1 | 54b4acdd214b951362464392e7a5916c6a3ffc07 |
| SHA256 | 1c190b57340a24efc85285bbee270003ebfbf83155901244a2fcf5bef36ed761 |
| SHA512 | 5996feac9115a99bbc6f77743b45b1d4aaffe7aeb0352a66a82d5c613dc4c3610dc19b6e0a7b3cdfcdb8fa796d51b84d8a46b93dfc3d2290cad9e57403fabb6f |
C:\Windows\SysWOW64\Pidfdofi.exe
| MD5 | 0c196f6baa9d01e6a477aa4ab43d1c73 |
| SHA1 | 5c7c1cca496a8493d6f6aa27553db4752d9bbc98 |
| SHA256 | 873a0b4326a387142231fdf2e63d7ca77a269707fdea647f05b813ac0040d6c0 |
| SHA512 | 908178757a6daf8f2035f51e15c7a264218872f058b1abbeb8abb9b7376ef24131d343a3cccb2d881a1cf97b5a4fcadc03b932d99e15e4ee30c854c8bf2cf0b2 |
C:\Windows\SysWOW64\Paknelgk.exe
| MD5 | 4e5a315b6a549248ee894f06d6dc4044 |
| SHA1 | 3bb033cdbf097d16e645d2242bfb7fde84b4a3d1 |
| SHA256 | 25f09b9e80fd6e95c113637075b1a56b97c984f4475eeb32faaafa099bd73a9d |
| SHA512 | 749b6e3fa08af781e0314ad85e9c59d00f60f4233805b74d3e22f54347f35373b0921e6336675d567038f5ff207c6e7a75507470e9cf87613c6040a30efd6664 |
C:\Windows\SysWOW64\Pdjjag32.exe
| MD5 | 6c2d8a9a77e678e530384c7e6ab8d129 |
| SHA1 | 2aa706743dd7b6e919d5e091b8f9da0f1a0673a4 |
| SHA256 | 7ef5018191627b4e084daa91df33a05c32b7e8fdb4b8fd52b17ea44794c51d29 |
| SHA512 | de6c282244387459b274d8f7e605bda0024619ce28924095115fd6e7d5b5ed1943438a45b4bd8863adece421004fb70fc913037b9d54c524d6d6e7ead0dc7563 |
C:\Windows\SysWOW64\Pcljmdmj.exe
| MD5 | f03388698cc47cb72a71dc919a52161a |
| SHA1 | e7aa5f38daa30e2acc546e4f9a49558c3683c350 |
| SHA256 | dd35cf19d700371df366bfd89ab516354ee5e1282576132c3d1cfb34c4b9a684 |
| SHA512 | 1ad708409d1f2d6d606401b2e14ae6637acf7f5f6048a371c91f28b58396be77de14b56fab2c23ea269081c1fe3fbf8be065103a941688ac186f8e864970fc50 |
C:\Windows\SysWOW64\Pnbojmmp.exe
| MD5 | f40e888a1a5f15091dbdf011348adaaf |
| SHA1 | 9877a41fc7e35b4a0c58d5f4f7459ff7969d7f27 |
| SHA256 | 1728d64b99aa73b4c6bcd4be3bcfafdc1e64847c2d1f25b75f24a6f8ff85c947 |
| SHA512 | d0dc42776c105e0deb4b09b7a0f28c0eef20f65c8de5da66de73d5f4443e0229db5092f2cecb5d7ca112bc2255f0657919a1fc73d129355c2cbf99142c5a0482 |
C:\Windows\SysWOW64\Qdlggg32.exe
| MD5 | 1f485068a4fd14007b52df3c0a8cf209 |
| SHA1 | 10ebd4e1f6444f25386ea1485bcbfc80e33da67a |
| SHA256 | 27f31176e3c3d6e3c82f7d628b54d410bc14b075cec4b11f470108b1429f03ce |
| SHA512 | de4bc1a29e1948d58e5603ebd9205cf2c95ec553f574c0a128dba5be451dd27d469ff5f5301e9d7c0bfb56f5aea8a494c07aa338789ffa442183771c1b2d24a0 |
C:\Windows\SysWOW64\Qgjccb32.exe
| MD5 | 0472ee38f7b36206c2143dfc647b69d6 |
| SHA1 | f168e6ff61ab65250f3942b900993181004cfd24 |
| SHA256 | 34719e7889e6cd6076ba371ac3956c24f181a198c51deb3b6c9cde40c30d573c |
| SHA512 | 596d33a6f7a4511f33919a63b2eb54e6edf33206407a7042ef9b333b02995df2cfb80bfc81a9e707775eb0af8a44829f5d72ef99fa389917377fb4ad4f82827a |
C:\Windows\SysWOW64\Qiioon32.exe
| MD5 | 149369eabdd5323d7f8427354ee77f69 |
| SHA1 | 5def662a7bbe8916824e7c282d40d2bc9b3078dc |
| SHA256 | 68daaac9e13dd7fae3d46866aab46897c384eab59b54c5e56823247e5fa3a5c8 |
| SHA512 | d9d60fb544f7c679af45c8821bd1cc2d1cd9749c26cf8c6f7d7f16998b6ecc1540d872f132d2aebb7bb373607d7e4fe2a1e882bf42f63814dbce375ac82c5966 |
C:\Windows\SysWOW64\Qlgkki32.exe
| MD5 | 61e43ffd5e3a6b90c1cd2967d2ec6175 |
| SHA1 | fe5173593b9638b2dd3ed9d71876a3820751a538 |
| SHA256 | 9e04cc617b02ad95d63f5d05f884872241d7ad3646535a42227b584bed524ac2 |
| SHA512 | 89702dc92ac2ee0d2596dc28fba4a468478aca4e2f5d48b0e45738221ad896d4ec1ef0df1f74a6e48e470951096a87b2b14b35aeb893ef6a40c6f319119a9a97 |
C:\Windows\SysWOW64\Qpbglhjq.exe
| MD5 | da718f75d5fe9b63e5dd2c50dcf261a5 |
| SHA1 | 59d65996325f5d8c39b1808d1e27f76486570372 |
| SHA256 | 34b41ad79d37ae9dabc0591e23b4df857f0bfa3bc335d52779906be116d46ec4 |
| SHA512 | 1abb4bd4ee82f6e032c2cdffad8ad0dbb1d7e3b39b73780997b0d48769a07c678d3e502de07325abb6d91f01cd3e09e1fde9c83ed58328623e07d968e86d850e |
C:\Windows\SysWOW64\Qdncmgbj.exe
| MD5 | c956587d5b69e69e68aedf35bfd69d13 |
| SHA1 | 2795cb234ddbe2b1764671c5836fd73b45cc849c |
| SHA256 | e03de4190757ad40e7dce1fc8ccade0ea6506a1f0d12ad757b92fa6cf9a9589e |
| SHA512 | 08e447c41accde286f87ac8f7786a0334be8057d49ae1749a93821f3fe9b26082d8efced636bb418fe4bc532abed53ecee15e52178aec63a259f7b449cb0cbb5 |
C:\Windows\SysWOW64\Qcachc32.exe
| MD5 | 367eaf84a2234bf46aefd61b96c3333c |
| SHA1 | 8cb1c09bac84c32fdf0514744cc4e2430407bd19 |
| SHA256 | ff0aa97fdcf8b8d46bb21110f0d7b53beeee5324cb784decae6f1ca8403b6a14 |
| SHA512 | 066bac41c6e92f76240df421b78c00cb084b6dafbe138cd93e5c9e11b16f52dabb23da3dc10fcc8964b10db6cd7dd87081d1a3d6eb86788911f65e5033675dbd |
C:\Windows\SysWOW64\Qeppdo32.exe
| MD5 | 87272b491edf7c29657dfd3b107014b2 |
| SHA1 | 3526bfa6b7d406eb5b076ef5fa66a111cb4c8c9f |
| SHA256 | 70d999e64d8bf500174b5118eb67db7ed83802de86509e66086c07bcf7dd50a4 |
| SHA512 | 6cfe9df60918feec160befffba56b5b65fad75348eb407910951548953bcf1514c9bc2d24e46f2ab88f72ffbb753e8754ec168424d24c5fb07799ba42c93b022 |
C:\Windows\SysWOW64\Qnghel32.exe
| MD5 | c15f194edb7ae4ea7924b52108e6c2ad |
| SHA1 | efb68693e296dc42e8fbf0d59c9f50041955ea82 |
| SHA256 | 665b4f65bd1ebb9c8a7658c7b22c30189a95f275e28d69e8641fbe1d70c1355a |
| SHA512 | 0e78fde97d4c86b3c0aff9d5f9cb4ae99420ffb18f8cbf90b01e406d9d615e7eeae899a66c583689eeff77464f72f15c22f6aac619d6bf4c5818062943a115ac |
C:\Windows\SysWOW64\Aohdmdoh.exe
| MD5 | 93b9eadffd8c1f68d2e1061f84c8180d |
| SHA1 | e320b2f769a58f01287f34209569e9f11da28bb5 |
| SHA256 | a1a55b8390a2d3b060f50a890645c02a40a745bb5fa3c9578c06b52526969178 |
| SHA512 | 4d18ecf1d774323e6b4f8ae09578e05628c4ec64fe7a1b2c6b1bab5f334634415465a27da43fca3381e998907d9d33d3303cd52bf42bd365797fc214b39731f4 |
C:\Windows\SysWOW64\Agolnbok.exe
| MD5 | 70e6152218cd7ef066a18db0a9d54914 |
| SHA1 | caa6d05d6702f2ab9e98fba0b538de806f286d88 |
| SHA256 | 5ff4efb19a2414b5dfddb6e07d3a55254bbdb42a1cca3880e604fa9dd5af29f1 |
| SHA512 | d6bfbae32dbc6cc7e39b0194cbcfa428af6c025b5ba34963d2081150ac15dde5eeca2b475afe83b817c1a3c10ea7df5a02e449e379443ff9292d77601a1ff5b5 |
C:\Windows\SysWOW64\Aebmjo32.exe
| MD5 | dfec876526a379be9d644b7f3876f70e |
| SHA1 | c7704deffa4b6861c18ae350b8cd7e0a813d9b18 |
| SHA256 | e08c460bb190c365ea045c553423d84d6dcfa89b89cc9cc591484ce628e9946a |
| SHA512 | 20b4f8dbcabe71f02fce2889b27cae6cd50f68fb752bc6fdddc2b67109f38a813ae7275e5c77842b7a4dbbed185d8532745962228db3e84893cb46331038820d |
C:\Windows\SysWOW64\Ahpifj32.exe
| MD5 | d8c7973c060fbb12a34804e01d9fca38 |
| SHA1 | 7f53c3a69d9e141c9cc3229a50e0b14e74b2be27 |
| SHA256 | 804e8ab1dc1d4bb8ba45219480f7a53b62ac40819fc06582a0dee41d249cab2a |
| SHA512 | 7faa8c3229e787eb78cec907fef2f169d41d774fa17e053c245191d92856e3be3ecc85cb408377552b6e789b38073a347f43fa57c7087049a4d80e844c8329a3 |
C:\Windows\SysWOW64\Allefimb.exe
| MD5 | f3b0d2a80cccc643cab820c9343e3bef |
| SHA1 | 6541d558fe818d6cb7c56ad6335b059809cd2da4 |
| SHA256 | 8df0b90b683cc139ca155941a13c376fb4e4bb85a822b429f5687b562a092643 |
| SHA512 | 65f995b0e004706d9b39a73afed33ee5641f1eb7b5b109e826e63095a85a7497ea7e43a30908d8fb6c5796652aaac6fa2d3480ef03a261679f40e1537ec3f5b3 |
C:\Windows\SysWOW64\Acfmcc32.exe
| MD5 | 84fc905d3fce40a46d9113a946c968f9 |
| SHA1 | 0d37e1bc5c8632a44d8225f779868269b29580ce |
| SHA256 | 343350361f0cfb65fac04e94b5877a4036a564da3aac0cd84107925379e50e98 |
| SHA512 | 5f81ead4082ad943ac4fbb2b2c5b545779e0ebd463ba2c413801e6c76e07a4c2c50e2607df0fde750fdb7a36c0731fc954cdb5195c4f1fd754491234fa538264 |
C:\Windows\SysWOW64\Afdiondb.exe
| MD5 | e25e79fb1fd3a569ef9b2ff64d5abdaa |
| SHA1 | cf97ec35a3553ad0152d275f3b74552c26bcc66b |
| SHA256 | 409fc4f7ff45aafb5d396b1fa310cb15bd36705617020273e250f2e566d8fc60 |
| SHA512 | bb22848e3817e33d5950b6775ec688320087f23adaac110720ec80475f9ab97475fc06043d57246d7bfd1b82ef18a21df3294da3df519cece02bc8d050df6ab9 |
C:\Windows\SysWOW64\Ajpepm32.exe
| MD5 | 049b1476ca6fe69bf5834861fd062f21 |
| SHA1 | 8b52c45e178bbd03cc13f9681b6cd0eafdccadc1 |
| SHA256 | ec3384b2fe5c38ccdf1e44fbb24bd9d1dcc216de573e4feb3e1bc58bb67dea8d |
| SHA512 | 9e58ea90b79f507ea017c6ce9b1327eca3cb93238800bed00f223717e35d5d7c53f58cf4dcc21f74f5c7a2781c2e8b829b4a71da195bc8792b768f3e679f9ab8 |
C:\Windows\SysWOW64\Alnalh32.exe
| MD5 | 09ac7384e317f23d6068d124d418150e |
| SHA1 | 7edae9b2aa696e29d94ee07ea16769ffff775b7f |
| SHA256 | 43c6bddacd2f93c11cf71f5d108be81e59bc121907337c9889225a834e06f704 |
| SHA512 | 1755d663bddddbccd428d4311a161c5d7cad3ecb6c96ca36caace7798a3cbe0ff7759e4bfee2ca89b59f5ff6b3c183d614485aaed2d13182edf9cd3322b56c64 |
C:\Windows\SysWOW64\Akabgebj.exe
| MD5 | c1176d82f46fa48a7270b3527acb09fe |
| SHA1 | 2b68db909fd38ae05bd2bc900f0ea78f2ab1c61a |
| SHA256 | a7f52c59a9743471e5f1869e50a614a2793224221cd4396c9515a85d9c31ae26 |
| SHA512 | 942a31b822bee793644ae988ab55587b3d1516987fae2ddbbabc8611a86124c9aa4d967df38325cb0ee380e1d6c8673043e5ededea6ef797bc8a924741f0761e |
C:\Windows\SysWOW64\Aomnhd32.exe
| MD5 | 098281eadb895a71c86c12421d482e00 |
| SHA1 | 10c9f76f9685cfa668d6663bd5f318d4154067e0 |
| SHA256 | f0196c89d6f44520ecff3bd329ba36af82d15cf70020d23c5c0358b654005de5 |
| SHA512 | e806a25e3aa63516d414979c41bdaa545881e81a5668d69dba1e26594f3867dca10bdb3e3e8895cb7fdde5a95b692c41d1693aa3d5056c410e5552951029e2f1 |
C:\Windows\SysWOW64\Afffenbp.exe
| MD5 | f479f54e20603bb5204de9eec5629082 |
| SHA1 | 72ba4f5dcbe48da6bbb91805a39ea04d51b95058 |
| SHA256 | a7de24007aeab16c2dfd11bd9fb2b2304c4c050059ebad4e8e59b9c67fc81f58 |
| SHA512 | a71994681beeed1a47804e9a3da387be5ac8b2683b31b8181a05086e6f041bafdb71650b3a4b2f05e73da07dbc9bdf589a4d08e07c22fd46d1e67ea56022c68e |
C:\Windows\SysWOW64\Adifpk32.exe
| MD5 | 53f597ccda9860f88fc9bb9c7d4398b3 |
| SHA1 | 17b7c9efa3caa6d40d21561dfe43a00d8d90bc1d |
| SHA256 | 5df32dba31f10d49f88589e6f0880e995f8adcbf4095958a5e0ce7d0de2b8e5e |
| SHA512 | 2cd7caad0f18e5093ba263569aee288e8e9cb339bfda78f8d74f32e879ec0912daafee30b6c4cf28c401645e665c60ed4b305891231337e3321e8011e892e5cf |
C:\Windows\SysWOW64\Alqnah32.exe
| MD5 | 3be112a14ac83605c7f94b6a6dbc761a |
| SHA1 | 442bec04c6a615ead4bd11c740cc373e74cbad3f |
| SHA256 | 6254278abfd76e6fee96f00250b6fd5d5f4ce5180042b163b3c874782b699168 |
| SHA512 | e51f712735ee2fb6d06f77345baa34e49011b4fb0b8b58838ff8551e0954e6c73879317d62f7898f8bd58292d491d7c10133644690285ce0053bd07c55182480 |
C:\Windows\SysWOW64\Aoojnc32.exe
| MD5 | e15cc255b6b6c8efa78e62d36845b51e |
| SHA1 | 374d90bad521ec4fecd1e6a00d8f5d3860fb99fc |
| SHA256 | 7a4513ba2ccd49b19a9e615800b5d870d1516706e423c759f49b4878b9180b40 |
| SHA512 | 3bfebbeb5e65719805128b9bc4d7a3ea9566aede3ef76dac01c70f67a0239a874c7f441be271561cfc4389a2d89dd6a64617d3ef35d225866a29e560d4f398e1 |
C:\Windows\SysWOW64\Abmgjo32.exe
| MD5 | c5133faa74c99252e19c801ffcca78b7 |
| SHA1 | 6f4af5b6e7dbd14b8adb2d92b0397f259f705c57 |
| SHA256 | fc1b02c81be7d6d07cabc514ea7d21fcfe612e5f57ed17548a821a4c3c6512fe |
| SHA512 | da74d399d8eaae36ef3fd032c42682c83b3e0be606492c80971f66435fe3ea114c9fed06c74cd28a0870d0e5c726926080a54acbbf1b5852de561ac9c379010d |
C:\Windows\SysWOW64\Aficjnpm.exe
| MD5 | 5514043d331f9981d69d3ac11874bf3f |
| SHA1 | eade9adaf1180d4b34cf4ad2871a1c53f1179b10 |
| SHA256 | 9c5d8f9948eca7da69002437b9d86724368a012f0786b3fbabd844a6419a7a5d |
| SHA512 | a9515a98e04bb36e13d01bb4dc483e8b8276e830412e378f2bf8bd70002ab71ed028de608fd2eb5f0067cd4d55fa9347c2d2dd68d10f776d5c2969a784628d7c |
C:\Windows\SysWOW64\Agjobffl.exe
| MD5 | 72aa4450c4b4f99d4f988e9f827329fc |
| SHA1 | 455b8f824e41ac339b9b122ce35170eca96d7844 |
| SHA256 | 4b93608dca292a4121d26c4dcc02039598b153cc99100717bc006bd362a0cfcf |
| SHA512 | 680cdf788891089c8a1e9470d7e9a0e37e1fa783700ae9d32881834834e460763dec87883b7fb6db8cd2646d01d80ab357e09d7922a3cbd70d5963cce9732e59 |
C:\Windows\SysWOW64\Akfkbd32.exe
| MD5 | 0bdd9052c7d9bfbe32b1be5bac21f510 |
| SHA1 | 4ab1772b50beeacce7a3ada74526324b8b1b7baa |
| SHA256 | c36a611de786f7dc1f6ee5e94e73b94f4a0f584d01f5ca0c6af1482d0bd66ff8 |
| SHA512 | 01b39bf9006f90f6929ac37c321424cf38a69d772afa37483ff41b974674ff1bb954eb9f7bb02946e456ef673a5784af8f444cf85b38136ce5c2f3e312d5c293 |
C:\Windows\SysWOW64\Andgop32.exe
| MD5 | f7d01552d0bbb2dba9491747b03a00b9 |
| SHA1 | bcb2dc6227863895bb2da3f810ebd793df4bb63e |
| SHA256 | 2cd2fc0740b27f134cfc8940c81ecc415df873c5700ec8ea8cf9669ed98476eb |
| SHA512 | cc84e74a6de29593747dded4018745a1e4df2c924d3b8a51f5b3e57749426f496a4ce8f0bf2a1938f86a7d5b4f7e08e5031451e98fabc7bfb773257de2ea337e |
C:\Windows\SysWOW64\Abpcooea.exe
| MD5 | 1d8fb92abaafc04e0228b92ea5910b17 |
| SHA1 | 586d78066f70cfb44ddf4c58bc1d344902c193b8 |
| SHA256 | 3eab0a5b31910a21a32575d0266e7e485ec3bf1298d45c809ec53a21bbac66ac |
| SHA512 | 0b1bcee6f93d3cfc8c9b398ba0ea8e82a7226aed8051a1fb69b3e08c6445dd0a833587213907acfa88a4cfd783c97a48518e1dc4e6aaf663e2ca9697a76a0e07 |
C:\Windows\SysWOW64\Adnpkjde.exe
| MD5 | 78479f66a3c707812aa4d8b566bef93d |
| SHA1 | 85e2198505e6a9a80bc4a9b1d68ce584d96ead50 |
| SHA256 | 7a3e606ba6ffdf46601216ee0887aadfb2b86883a055199445d0303caab6374a |
| SHA512 | 0eec59022869ebc022402b3c0a8d5d3fbf4e7cc4a728a0dff23e0e0aa254c1d12063129a777a7cf886f2c0eb4f153abe0c171cf74174ed74ce43cdf1084655c2 |
C:\Windows\SysWOW64\Bhjlli32.exe
| MD5 | bbed0298102a3e48dbaba520c88cbc25 |
| SHA1 | 523ff38165887024acc960488fe513660fd231e7 |
| SHA256 | be36950d8bb664be317b342ebae236e3ee1a805e0de5bd4a853368c5797aa6e1 |
| SHA512 | 09744e48c7eeb4e4e765950a3bc3a51471ec9f053e4151130758b44fe965fa25be26d70d4e8ac40006c3ef5b708a053817c981e75a928eb84191bde3928a4377 |
C:\Windows\SysWOW64\Bnfddp32.exe
| MD5 | 2c0960b9ef4fc93ff0c4becc119e6256 |
| SHA1 | 9e85e4d138501578ee0ca05db4477b622dc7afaa |
| SHA256 | 4e516b040ea36f5969cd5cd7e3cb4f45003fc3b4de2202f81a5c21e195b97bfb |
| SHA512 | 4864442ef94df19fb17afeda5342e16c2060f25aa3acf01ed243934351eb424a42fb0049c49f401e91afe2f859bef9aba228294f0220dbfb4e446fd33ae64f9f |
C:\Windows\SysWOW64\Bbbpenco.exe
| MD5 | cb2b53c700efc1cf39b884824dccfbbf |
| SHA1 | 890e4f754accc4679d0683228ef4b8888b105799 |
| SHA256 | 2ea3d9a8069c983361f5dfa24dcf480c74ad806f929d7f1eae93ac42bff8b5f3 |
| SHA512 | 6edde2e07f96b6f244afd0ece350640fe1e6a746a91e3cb73817e155cc499c9e51c257d4b9570865c5f9f32a1558be6e55f13e1f4e8d965dd31788ce1793d78b |
C:\Windows\SysWOW64\Bdqlajbb.exe
| MD5 | d877bec1c6131bd8cb166c2bd5bba7ed |
| SHA1 | dff91d81a0e51ab9577a73f975c6f3fc9428c00a |
| SHA256 | 93631c1979c533426c7429a1017ea094ce7d9580a8b275e440c054388fb5c4c5 |
| SHA512 | b8be4373eb371794f5b4980c31a6239e247fea2d00294e23a6ccffc3e99ec4b4b38a193dbd4bcd8016482e80a4a8c7589699b509be8b0249114aa20616a4f1c0 |
C:\Windows\SysWOW64\Bgoime32.exe
| MD5 | cc58fa609db45de6773eafba38efd149 |
| SHA1 | 820295b3423a8131a494d6c888211f450ab64726 |
| SHA256 | ed18529406f9c9b8ec550aa26d9522b279531356467aa316ea063d1a39e6d349 |
| SHA512 | db06e7555206a93f9e69414f1cd2b7add058fdbb1847419b5d11b3500efe18172ef6152f82494fcd8b42ac12d602e3820af8fa06b3224105a7ebeda26da59c55 |
C:\Windows\SysWOW64\Bjmeiq32.exe
| MD5 | af299e3626c92eee59e5f87d9103bcff |
| SHA1 | d7ba7fdae8cd1bad58a6d527b03a226cebfde399 |
| SHA256 | 57cac8e8c5f5151c9235f39c045eb38435bda4b546d8874c7fc40a5c05ddd121 |
| SHA512 | b799d6788c906530d958ca3bb669d5198697ebbf44eec0512de5e3c527ada0da2715b517f617ba36b629431293dbeae2e87ddaf52412834564043b8547d399e0 |
C:\Windows\SysWOW64\Bniajoic.exe
| MD5 | 64a56a7ae3044ed344beae8193e5fb3e |
| SHA1 | b3c014334ae1b6a88786863f93c1dbf36c44d717 |
| SHA256 | 1be3540eaec7aaad7b02abc37a76690c966f9ce70478a474dd16ffa29a34be2d |
| SHA512 | 1d615740dfb9cf34aa22800489d0466f60a2dfa7ac576ef0469d1c45fa9e61ebcf990d429073db169935f8a7d71c5a864fcfad51b58b744623fc954dce5e5cde |
C:\Windows\SysWOW64\Bmlael32.exe
| MD5 | 68e6ed2c649764a2604080c656580ecf |
| SHA1 | 79e4510dcceceba0fb8949782d5f6aa59efafab6 |
| SHA256 | 3b25b983e61dc857291092e770852dd4d824b69dfc9744addbd721498017292e |
| SHA512 | c48bd3df8c3009fb15214ac5d4558c9dad6f8b066f42a19709b6b8427f43b12560900a5533b0faa1177926287df20e41186f9eb66b910bf37a67f72fe8c73ce5 |
C:\Windows\SysWOW64\Bqgmfkhg.exe
| MD5 | 1104758b60d20dab073a3481be6ed055 |
| SHA1 | 503aa7380995ff243553140917a5f7a65c4ebecc |
| SHA256 | b7f3c39de31b097ed9b9ddffbf56408363ac40cfb3aa39995802e47838367cfb |
| SHA512 | ec21f9500734f8627568b043aa6f12d8eb5eeb2637af19d70c3776f28af681272b722028137b4308f18cb20434fb525373d8a9304a150966e9798a3ddde64400 |
C:\Windows\SysWOW64\Bceibfgj.exe
| MD5 | 5eddbe572c8e8ebbbac5c74b2db00e6f |
| SHA1 | 8bae5d0a9db4c0cba6ae9bb97528d1433d2e8e0f |
| SHA256 | d07cdb830de4e22865330c04ef1cbde02bbccabe2989a357e3146053329d3861 |
| SHA512 | 8d20dd3e8cbbfcdf19efd4952d98bf12d814d36bade0fe5ff540393c3160473586311e7c0150ebff8e05ae20993ec6d34c057f953e7ebdfe7377ad384a858466 |
C:\Windows\SysWOW64\Bgaebe32.exe
| MD5 | ebf3284a85e45bbfb0b0e08068f43d79 |
| SHA1 | d64efd9cfe5f85684f18917ae105bb88c77f3fc7 |
| SHA256 | b37df077acd5fb56d8d59e2155b16465b2d2b333eb09d8a42294ae5f565da2c6 |
| SHA512 | 5e9c6c3773d7b4bb6c76be8848b5d1bdd18772b26c29969d0474844cb15aa357de00137395d6c1b6112df01804b699856ad88e923417c0c0eecb3d08a1535840 |
C:\Windows\SysWOW64\Bfdenafn.exe
| MD5 | 92b1ce9612be8c9edbd06e6ba55fbbbd |
| SHA1 | 639f534a8b37b068b4c82266f29a4bb769908339 |
| SHA256 | 1dbd51a6bc1fc1f3830656127d046169b4894ee3dc3c56e38c6e558a1f49cdb9 |
| SHA512 | 9b8d11bfe1a9619ab71a685f53b3b4b96709e7429713022a9a9f9b831ced3a3c331adfc49428e981a66903a504883ad7cc7054b971c4c1b16c4b45097db0eb68 |
C:\Windows\SysWOW64\Bnknoogp.exe
| MD5 | 0a33cb79260afe10b48a5fe2741a9597 |
| SHA1 | e3ce9c4ee1010bdd59b3efac2c8535d966302ca6 |
| SHA256 | 4a6bfdd16ee8ce69739755d1bc322bb8bde140264e7b6895dc3ac09600384f77 |
| SHA512 | 016faf0af042279937b08c5d81f40818fac4ca80e01e054a3d4f057e5f0b94f95791f0e426ef0db2ba7f7bc186ce6ed0c9e6ff11d23ac2cd7aa22fcb635cc6fa |
C:\Windows\SysWOW64\Bmnnkl32.exe
| MD5 | 6f5477d0b1a8f208a413d35a172a234e |
| SHA1 | afac6786fa380775857bc9c515fd7389ca53ae34 |
| SHA256 | 7ca36f319ce00d7af2427184d6fcdaf9b17b79ba71d4183c295ecc5bc2df48f6 |
| SHA512 | 70809d86c41fc929029bf36da5548735b62255fdaf8e450e2f6f68898e4a36926300b16883c889cd2b17fa953bf5ff89f1c8ef68c6137d28c39411a3c271ea43 |
C:\Windows\SysWOW64\Boljgg32.exe
| MD5 | e85319687cb7b8c7c7ab5d5c91efc3e9 |
| SHA1 | 8a50f04156d636aa506ec1c1140291a2bca4e613 |
| SHA256 | 092a4c309be12bef772e5737c2a89886b8b23fbf7892c2e94d0c8de3ff96900a |
| SHA512 | bd346c273d68fc96d427c115ed060455663db58ab62956ebb80853a6877bffdfc8273c98b2bc1b79c761505fbbcc3b1061cd07da197ddd7ff151333a2f88a090 |
C:\Windows\SysWOW64\Bffbdadk.exe
| MD5 | 13df8c3acf2915fb73ca692bc4cafa9e |
| SHA1 | 8c749745e0a3193dd34b9ad30e119e22200737b3 |
| SHA256 | 0f618e32c2b35fc83b6a54b98954ee55674ce49f37200d419ccc6ec166114bb2 |
| SHA512 | 31f008c172f6bd51bb41ad8e35788ec4d46ade410749184249c89859c01e22fc265c150b94930cf12821e51868c47a7d4d5204cebce2eda1f4c02af8818021f2 |
C:\Windows\SysWOW64\Bjbndpmd.exe
| MD5 | 77fd3f4e180c71def9bbca8929593e86 |
| SHA1 | 1a311aa39a233666d615c41e3e27d5631230e20b |
| SHA256 | 8e9c765a1a2f8f5c6bf5ac8f0861cd834936968f54785028a76af64129394641 |
| SHA512 | 8ae9ccae7b6f15a5e653a1ebf162f393a2e72bd10cc12db286bfb3d8a3de4596d7c76d76b5e5bbc1355f440d467e63a432f0decff91941572e6d8082294890a0 |
C:\Windows\SysWOW64\Bmpkqklh.exe
| MD5 | fb425daf460d070be3bf1fc425401c90 |
| SHA1 | 2947f09c2dfa80122348e8e13966529d51ef226b |
| SHA256 | 4a5a02716b1c96f844fd0312105042fffa81fff125d451e63b27d20d7fa44939 |
| SHA512 | c2e3754b7be58ec5c769ba4ff2e968ede0ed8fe157d47f12afefd2995b6a184f7a6acea1d3d235fccbea10a9899ff2e95309d43bf56c64c6534889ce544d1f17 |
C:\Windows\SysWOW64\Bqlfaj32.exe
| MD5 | 3dc11d76c15dd78162972163a5ce54b2 |
| SHA1 | fd263dd2fbd6de07cc5855b5d43633ab19ca7637 |
| SHA256 | 193e3b91d6c4d8c0b140f5242aa352cdfe77798aeb417d4291702371bcfe86de |
| SHA512 | 9f5cd79ad62a2bb081376e1d0371f1d7b8608b10aaa4d6fd3fa06b011bba561c3609ca9f66ada433bd0228f456594a23961f8967b1b60563158ee25b80d61744 |
C:\Windows\SysWOW64\Bcjcme32.exe
| MD5 | 0cb991b49033a411a8b1275ca9c8d61d |
| SHA1 | 329cf6cecd25688dfffe04c5b0c350870a8052ac |
| SHA256 | cf390c1638f7dc689fb0dee252c6a7ce492bbfa211b7495378c41a3023cf18c7 |
| SHA512 | a35e0a8fdd65cca2eb729b521d88f63e35a7b73acc21639ce9e8c4cc0c9a3691cab17b196d289bfb903ac2f825bd5d7ecffe09e613dce71c401cca0b2c4a9638 |
C:\Windows\SysWOW64\Bfioia32.exe
| MD5 | 1119f09e9d6f48d0eff5ac71afddaacc |
| SHA1 | 3afee6a53be022c40e534b132f0aa264d7382637 |
| SHA256 | 6976f1ee314320fd569d4af80717e1283ee24d2e8efc968df0b24ecc25fc671b |
| SHA512 | bf1743b190722f182633abc5d2822d4679a0e8433a03a41789cd733487bd9b864a04aaebe319f5cd9271a292fb750df37ddc8c6bb3e777c1cae7491a94dd5f37 |
C:\Windows\SysWOW64\Bigkel32.exe
| MD5 | ccbf208232687b5dd4fa8cb2cfb40c36 |
| SHA1 | 8be41cd847d06637b06347d922fba09e182b8153 |
| SHA256 | 543ed41d427edfcbaa2b92703a7177924b843859c8b11921c2da799177b68678 |
| SHA512 | 18dfa223e43b44711b8ebbd7f534b53223236cab91d3aab77d5bd96f88e4dd57338ea0368c64f9de6ef8d0e8432f1942af363e7296b03ea41e8ba35dab1aa3e4 |
C:\Windows\SysWOW64\Coacbfii.exe
| MD5 | 4f204551cd17c8443143b29a259e0eee |
| SHA1 | a923381f62e2b276683870df4ba08d52e7dceadf |
| SHA256 | c6b8b99150bddf4ddc55a13ae3a52c4df0594fe7816a9d56fa1cab8290eab500 |
| SHA512 | bc3e19d15baf76071e48c0766041da84b2abc1804315732bfc303663f194cb73142b03c94d95c3d7f76cc0d00214f16e91a66a342080b7a668fb785af1944f7a |
C:\Windows\SysWOW64\Cbppnbhm.exe
| MD5 | 3147cd8be2a2f7005a8b7077d3336841 |
| SHA1 | 4eb2d48437bcd020778bb11c89aaf48b60477c01 |
| SHA256 | 9fd36281aeb0fd4b3e6749a2bacbdc394f2a104a9787a1521dc0c0fddc958b08 |
| SHA512 | a48db6d7747bef287113b5a2409c5ccd5dbb1f5cd986db1709b94fa7c9e9a9bf8c9876504c9ff28327801a4b74a1bc4e99a9a26181654139583ff3af1183c92e |
C:\Windows\SysWOW64\Cfkloq32.exe
| MD5 | 7d73e38c79622ef8b249ec5709549e2b |
| SHA1 | 797e9a4f3011a07a505575c837f1cf613ba7ffa2 |
| SHA256 | a54a9a884e66da8e426a0f03dadebb17efbf21059b1ceec99ffdd63945a26222 |
| SHA512 | 8fa9dafa896cc74b969c4089331e71b370e1da40644484f7481e460ce249b68f1902fe740b66f001659c3bb85a5621c3e13c792743eec5df5e6ed065a54cb326 |
C:\Windows\SysWOW64\Cmedlk32.exe
| MD5 | f70820a628c8a5d801976d0356a74b62 |
| SHA1 | 113f8ec7f8b3e39bdce29f45abfddb6cd0fc7ab0 |
| SHA256 | e5e1bd11f180000050a62fd20bedb8ebd00bbcd1f8c74138d229b52b09ac137a |
| SHA512 | 9f9c896a7c0955cefdcc63650306e1e0a1a08da8c57058fe803415aba0feef9369475a1636f0dd8af442f21d41b6e657e8bef6261d642a147fb6222192a64fb7 |
C:\Windows\SysWOW64\Cocphf32.exe
| MD5 | 23fab0dfd2d1bb70bb3c7226c0997cec |
| SHA1 | fb7fe7d5ee474af8da14dd20ddc7fe34c1ceabf2 |
| SHA256 | 9850f8eb7a384190a468f863e70485edf173d0bd2a352feb3ba6ead31cf31fd1 |
| SHA512 | 1a72fa8b85d46887965c60a2992a236db9599b836a6c86d6b649f7f0249d97e303011c302f5ed97712862f2a2516040ef1f5fcabecb1cb0ef7d299568fe2ee07 |
C:\Windows\SysWOW64\Cnfqccna.exe
| MD5 | 5966f5fcec2a5d44697e560929ad6c6a |
| SHA1 | d293afe7d3741e27e1ed767ca2adc1ba13deb63f |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-09-16 14:45
Reported: 2024-09-16 14:47
Platform: win10v2004-20240802-en
Max time kernel: 114s
Max time network: 120s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afceko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cidgdg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hqghqpnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hegmlnbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pcfmneaa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qejfkmem.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qihoak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beaecjab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dlncla32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dibdeegc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ncjdki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oflfdbip.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmeoqlpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dpllbp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iabglnco.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ihaidhgf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lddble32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cekhihig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bbefln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cfjeckpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkohchko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jnedgq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmoagk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bppcpc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hnbnjc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndidna32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnedgq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pofhbgmn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfbmdabh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qfjcep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cekhihig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ihaidhgf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jelonkph.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jdmcdhhe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbeibo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmjhlklg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qppkhfec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Akihcfid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpqlfa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ielfgmnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmdmpe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkgmoncl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdbnmbhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abcppq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpifeb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dinjjf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kongmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pbbgicnd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cplckbmc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhknhabf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dbcbnlcl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Clbdpc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmjhlklg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afeban32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mclhjkfa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pbimjb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afeban32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bcpika32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Clijablo.exe | N/A |
Berbew
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Qhomgchl.dll | C:\Windows\SysWOW64\Jelonkph.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebcgjl32.dll | C:\Windows\SysWOW64\Akihcfid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbeibo32.exe | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kajfdk32.exe | C:\Windows\SysWOW64\Kdffjgpj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmdmpe32.exe | C:\Windows\SysWOW64\Cfjeckpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjfkgg32.dll | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mklfjm32.exe | C:\Windows\SysWOW64\Mdbnmbhj.exe | N/A |
| File created | C:\Windows\SysWOW64\Abcppq32.exe | C:\Windows\SysWOW64\Akihcfid.exe | N/A |
| File created | C:\Windows\SysWOW64\Bppcpc32.exe | C:\Windows\SysWOW64\Bejobk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kemhei32.exe | C:\Windows\SysWOW64\Klddlckd.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjonchmn.dll | C:\Windows\SysWOW64\Nooikj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncmaai32.exe | C:\Windows\SysWOW64\Ndlacapp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bflham32.exe | C:\Windows\SysWOW64\Bppcpc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbbojb32.dll | C:\Windows\SysWOW64\Kalcik32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Odbgdp32.exe | C:\Windows\SysWOW64\Nlgbon32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjdedepg.exe | C:\Windows\SysWOW64\Hegmlnbp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndlacapp.exe | C:\Windows\SysWOW64\Ncjdki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcijce32.exe | C:\Windows\SysWOW64\Pkabbgol.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmbpjfij.exe | C:\Windows\SysWOW64\Cekhihig.exe | N/A |
| File created | C:\Windows\SysWOW64\Edngom32.dll | C:\Windows\SysWOW64\Hgocgjgk.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnkhjdle.exe | C:\Windows\SysWOW64\Hgapmj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ilfodgeg.exe | C:\Windows\SysWOW64\Ielfgmnj.exe | N/A |
| File created | C:\Windows\SysWOW64\Mafofggd.exe | C:\Windows\SysWOW64\Mklfjm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfdgep32.dll | C:\Windows\SysWOW64\Ocfdgg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmjhlklg.exe | C:\Windows\SysWOW64\Pbddobla.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldbeqlcg.dll | C:\Windows\SysWOW64\Dlncla32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eopbppjf.dll | C:\Windows\SysWOW64\Iaedanal.exe | N/A |
| File created | C:\Windows\SysWOW64\Kalcik32.exe | C:\Windows\SysWOW64\Kongmo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bblnengb.dll | C:\Windows\SysWOW64\Hghfnioq.exe | N/A |
| File created | C:\Windows\SysWOW64\Lacijjgi.exe | C:\Windows\SysWOW64\Lkiamp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qppkhfec.exe | C:\Windows\SysWOW64\Qejfkmem.exe | N/A |
| File created | C:\Windows\SysWOW64\Qihoak32.exe | C:\Windows\SysWOW64\Qfjcep32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hgapmj32.exe | C:\Windows\SysWOW64\Hqghqpnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Bibokqno.dll | C:\Windows\SysWOW64\Jdmcdhhe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocfdgg32.exe | C:\Windows\SysWOW64\Ollljmhg.exe | N/A |
| File created | C:\Windows\SysWOW64\Cimhefgb.dll | C:\Windows\SysWOW64\Qejfkmem.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qejfkmem.exe | C:\Windows\SysWOW64\Pbljoafi.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkjhlh32.dll | C:\Windows\SysWOW64\Cdnelpod.exe | N/A |
| File created | C:\Windows\SysWOW64\Oojnjjli.dll | C:\Windows\SysWOW64\Kbeibo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lanhkb32.dll | C:\Windows\SysWOW64\Alkeifga.exe | N/A |
| File created | C:\Windows\SysWOW64\Bejobk32.exe | C:\Windows\SysWOW64\Amoknh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlnecf32.dll | C:\Windows\SysWOW64\Igmoih32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dlncla32.exe | C:\Windows\SysWOW64\Dfakcj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dibdeegc.exe | C:\Windows\SysWOW64\Defheg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mckfmq32.dll | C:\Windows\SysWOW64\Dibdeegc.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhfdfbqe.dll | C:\Windows\SysWOW64\Kajfdk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mebkge32.exe | C:\Windows\SysWOW64\Mafofggd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pbddobla.exe | C:\Windows\SysWOW64\Pofhbgmn.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmdlch32.dll | C:\Windows\SysWOW64\Lcjldk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amoknh32.exe | C:\Windows\SysWOW64\Afeban32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfijgnnj.dll | C:\Windows\SysWOW64\Cmmgof32.exe | N/A |
| File created | C:\Windows\SysWOW64\Haafdi32.dll | C:\Windows\SysWOW64\Pkabbgol.exe | N/A |
| File created | C:\Windows\SysWOW64\Qkfkng32.exe | C:\Windows\SysWOW64\Qihoak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Afeban32.exe | C:\Windows\SysWOW64\Ammnhilb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mclhjkfa.exe | C:\Windows\SysWOW64\Lhgdmb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nakhaf32.exe | C:\Windows\SysWOW64\Mdghhb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndlacapp.exe | C:\Windows\SysWOW64\Ncjdki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcfmneaa.exe | C:\Windows\SysWOW64\Pkoemhao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lddble32.exe | C:\Windows\SysWOW64\Logicn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkabbgol.exe | C:\Windows\SysWOW64\Pmoagk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbljoafi.exe | C:\Windows\SysWOW64\Pcijce32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ihaidhgf.exe | C:\Windows\SysWOW64\Ijmhkchl.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbefln32.exe | C:\Windows\SysWOW64\Blknpdho.exe | N/A |
| File created | C:\Windows\SysWOW64\Dbkhnk32.exe | C:\Windows\SysWOW64\Dpllbp32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dbkhnk32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mclhjkfa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abcppq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aealll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afceko32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ledoegkm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nlgbon32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odbgdp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcijce32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmdmpe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kalcik32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lhgdmb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpllbp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Maaekg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nfnjbdep.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpqlfa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kongmo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nlqloo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ochamg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfbmdabh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ammnhilb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfcoblfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dibdeegc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hghfnioq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jelonkph.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pkoemhao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Almanf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cekhihig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Clijablo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oloipmfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeopfl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjkdlall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nconfh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddcogo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ielfgmnj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ndlacapp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofbdncaj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cffkhl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qkfkng32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmkjig32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpifeb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dbkhnk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hqghqpnl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hnbnjc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbhool32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dbcbnlcl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lhdggb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdghhb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncjdki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Omcbkl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bflham32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cplckbmc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgapmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Logicn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbbgicnd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbimjb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beaecjab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blknpdho.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbefln32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfmahknh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hegmlnbp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkegbpca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mebkge32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pofhbgmn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfijgnnj.dll" | C:\Windows\SysWOW64\Cmmgof32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lddble32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll" | C:\Windows\SysWOW64\Qejfkmem.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll" | C:\Windows\SysWOW64\Jjkdlall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Abcppq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll" | C:\Windows\SysWOW64\Dinjjf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Logicn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caekaaoh.dll" | C:\Windows\SysWOW64\Madbagif.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lkiamp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abohmm32.dll" | C:\Windows\SysWOW64\Nconfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfnkfn.dll" | C:\Windows\SysWOW64\Hegmlnbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Igmoih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll" | C:\Windows\SysWOW64\Ijmhkchl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lkiamp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefjdppe.dll" | C:\Windows\SysWOW64\Mklfjm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjkdlall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll" | C:\Windows\SysWOW64\Lddble32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lbhool32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndidna32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nlqloo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lcjldk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfakcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dinjjf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dlncla32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopbppjf.dll" | C:\Windows\SysWOW64\Iaedanal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oloipmfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbebgj32.dll" | C:\Windows\SysWOW64\Bbefln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngllodpm.dll" | C:\Windows\SysWOW64\Cidgdg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfbmfbn.dll" | C:\Windows\SysWOW64\Cmbpjfij.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckfmq32.dll" | C:\Windows\SysWOW64\Dibdeegc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nlqloo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ncjdki32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Abpcja32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Blknpdho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiecbnd.dll" | C:\Windows\SysWOW64\Cpifeb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ollljmhg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffopp32.dll" | C:\Windows\SysWOW64\Defheg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qfjcep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amoknh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijcp32.dll" | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qbngeadf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfmahknh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cepadh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kongmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Klddlckd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbnnelf.dll" | C:\Windows\SysWOW64\Nlqloo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pehjfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndjmkng.dll" | C:\Windows\SysWOW64\Bflham32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cidgdg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbeqlcg.dll" | C:\Windows\SysWOW64\Dlncla32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Igmoih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll" | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll" | C:\Windows\SysWOW64\Pehjfm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdnebc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkjom32.dll" | C:\Windows\SysWOW64\Qppkhfec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ielfgmnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlnecf32.dll" | C:\Windows\SysWOW64\Igmoih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll" | C:\Windows\SysWOW64\Mebkge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllolf32.dll" | C:\Windows\SysWOW64\Oohkai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mondkfmh.dll" | C:\Windows\SysWOW64\Cfjeckpj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"
C:\Windows\SysWOW64\Hgocgjgk.exe
C:\Windows\system32\Hgocgjgk.exe
C:\Windows\SysWOW64\Hbdgec32.exe
C:\Windows\system32\Hbdgec32.exe
C:\Windows\SysWOW64\Hqghqpnl.exe
C:\Windows\system32\Hqghqpnl.exe
C:\Windows\SysWOW64\Hgapmj32.exe
C:\Windows\system32\Hgapmj32.exe
C:\Windows\SysWOW64\Hnkhjdle.exe
C:\Windows\system32\Hnkhjdle.exe
C:\Windows\SysWOW64\Heepfn32.exe
C:\Windows\system32\Heepfn32.exe
C:\Windows\SysWOW64\Hkohchko.exe
C:\Windows\system32\Hkohchko.exe
C:\Windows\SysWOW64\Hnmeodjc.exe
C:\Windows\system32\Hnmeodjc.exe
C:\Windows\SysWOW64\Hegmlnbp.exe
C:\Windows\system32\Hegmlnbp.exe
C:\Windows\SysWOW64\Hjdedepg.exe
C:\Windows\system32\Hjdedepg.exe
C:\Windows\SysWOW64\Hannao32.exe
C:\Windows\system32\Hannao32.exe
C:\Windows\SysWOW64\Hghfnioq.exe
C:\Windows\system32\Hghfnioq.exe
C:\Windows\SysWOW64\Hnbnjc32.exe
C:\Windows\system32\Hnbnjc32.exe
C:\Windows\SysWOW64\Ielfgmnj.exe
C:\Windows\system32\Ielfgmnj.exe
C:\Windows\SysWOW64\Ilfodgeg.exe
C:\Windows\system32\Ilfodgeg.exe
C:\Windows\SysWOW64\Iabglnco.exe
C:\Windows\system32\Iabglnco.exe
C:\Windows\SysWOW64\Igmoih32.exe
C:\Windows\system32\Igmoih32.exe
C:\Windows\SysWOW64\Iaedanal.exe
C:\Windows\system32\Iaedanal.exe
C:\Windows\SysWOW64\Ijmhkchl.exe
C:\Windows\system32\Ijmhkchl.exe
C:\Windows\SysWOW64\Ihaidhgf.exe
C:\Windows\system32\Ihaidhgf.exe
C:\Windows\SysWOW64\Ibgmaqfl.exe
C:\Windows\system32\Ibgmaqfl.exe
C:\Windows\SysWOW64\Iloajfml.exe
C:\Windows\system32\Iloajfml.exe
C:\Windows\SysWOW64\Jehfcl32.exe
C:\Windows\system32\Jehfcl32.exe
C:\Windows\SysWOW64\Jlanpfkj.exe
C:\Windows\system32\Jlanpfkj.exe
C:\Windows\SysWOW64\Jdmcdhhe.exe
C:\Windows\system32\Jdmcdhhe.exe
C:\Windows\SysWOW64\Jelonkph.exe
C:\Windows\system32\Jelonkph.exe
C:\Windows\SysWOW64\Jnedgq32.exe
C:\Windows\system32\Jnedgq32.exe
C:\Windows\SysWOW64\Jjkdlall.exe
C:\Windows\system32\Jjkdlall.exe
C:\Windows\SysWOW64\Jeaiij32.exe
C:\Windows\system32\Jeaiij32.exe
C:\Windows\SysWOW64\Kbeibo32.exe
C:\Windows\system32\Kbeibo32.exe
C:\Windows\SysWOW64\Kdffjgpj.exe
C:\Windows\system32\Kdffjgpj.exe
C:\Windows\SysWOW64\Kajfdk32.exe
C:\Windows\system32\Kajfdk32.exe
C:\Windows\SysWOW64\Kongmo32.exe
C:\Windows\system32\Kongmo32.exe
C:\Windows\SysWOW64\Kalcik32.exe
C:\Windows\system32\Kalcik32.exe
C:\Windows\SysWOW64\Kkegbpca.exe
C:\Windows\system32\Kkegbpca.exe
C:\Windows\SysWOW64\Kaopoj32.exe
C:\Windows\system32\Kaopoj32.exe
C:\Windows\SysWOW64\Klddlckd.exe
C:\Windows\system32\Klddlckd.exe
C:\Windows\SysWOW64\Kemhei32.exe
C:\Windows\system32\Kemhei32.exe
C:\Windows\SysWOW64\Lkiamp32.exe
C:\Windows\system32\Lkiamp32.exe
C:\Windows\SysWOW64\Lacijjgi.exe
C:\Windows\system32\Lacijjgi.exe
C:\Windows\SysWOW64\Lhmafcnf.exe
C:\Windows\system32\Lhmafcnf.exe
C:\Windows\SysWOW64\Logicn32.exe
C:\Windows\system32\Logicn32.exe
C:\Windows\SysWOW64\Lddble32.exe
C:\Windows\system32\Lddble32.exe
C:\Windows\SysWOW64\Lojfin32.exe
C:\Windows\system32\Lojfin32.exe
C:\Windows\SysWOW64\Ledoegkm.exe
C:\Windows\system32\Ledoegkm.exe
C:\Windows\SysWOW64\Lbhool32.exe
C:\Windows\system32\Lbhool32.exe
C:\Windows\SysWOW64\Lhdggb32.exe
C:\Windows\system32\Lhdggb32.exe
C:\Windows\SysWOW64\Lcjldk32.exe
C:\Windows\system32\Lcjldk32.exe
C:\Windows\SysWOW64\Lhgdmb32.exe
C:\Windows\system32\Lhgdmb32.exe
C:\Windows\SysWOW64\Mclhjkfa.exe
C:\Windows\system32\Mclhjkfa.exe
C:\Windows\SysWOW64\Mdnebc32.exe
C:\Windows\system32\Mdnebc32.exe
C:\Windows\SysWOW64\Mkgmoncl.exe
C:\Windows\system32\Mkgmoncl.exe
C:\Windows\SysWOW64\Maaekg32.exe
C:\Windows\system32\Maaekg32.exe
C:\Windows\SysWOW64\Mhknhabf.exe
C:\Windows\system32\Mhknhabf.exe
C:\Windows\SysWOW64\Madbagif.exe
C:\Windows\system32\Madbagif.exe
C:\Windows\SysWOW64\Mdbnmbhj.exe
C:\Windows\system32\Mdbnmbhj.exe
C:\Windows\SysWOW64\Mklfjm32.exe
C:\Windows\system32\Mklfjm32.exe
C:\Windows\SysWOW64\Mafofggd.exe
C:\Windows\system32\Mafofggd.exe
C:\Windows\SysWOW64\Mebkge32.exe
C:\Windows\system32\Mebkge32.exe
C:\Windows\SysWOW64\Mojopk32.exe
C:\Windows\system32\Mojopk32.exe
C:\Windows\SysWOW64\Mdghhb32.exe
C:\Windows\system32\Mdghhb32.exe
C:\Windows\SysWOW64\Nakhaf32.exe
C:\Windows\system32\Nakhaf32.exe
C:\Windows\SysWOW64\Ndidna32.exe
C:\Windows\system32\Ndidna32.exe
C:\Windows\SysWOW64\Nlqloo32.exe
C:\Windows\system32\Nlqloo32.exe
C:\Windows\SysWOW64\Nooikj32.exe
C:\Windows\system32\Nooikj32.exe
C:\Windows\SysWOW64\Ncjdki32.exe
C:\Windows\system32\Ncjdki32.exe
C:\Windows\SysWOW64\Ndlacapp.exe
C:\Windows\system32\Ndlacapp.exe
C:\Windows\SysWOW64\Ncmaai32.exe
C:\Windows\system32\Ncmaai32.exe
C:\Windows\SysWOW64\Ndnnianm.exe
C:\Windows\system32\Ndnnianm.exe
C:\Windows\SysWOW64\Nconfh32.exe
C:\Windows\system32\Nconfh32.exe
C:\Windows\SysWOW64\Nfnjbdep.exe
C:\Windows\system32\Nfnjbdep.exe
C:\Windows\SysWOW64\Nlgbon32.exe
C:\Windows\system32\Nlgbon32.exe
C:\Windows\SysWOW64\Odbgdp32.exe
C:\Windows\system32\Odbgdp32.exe
C:\Windows\SysWOW64\Oohkai32.exe
C:\Windows\system32\Oohkai32.exe
C:\Windows\SysWOW64\Ofbdncaj.exe
C:\Windows\system32\Ofbdncaj.exe
C:\Windows\SysWOW64\Ollljmhg.exe
C:\Windows\system32\Ollljmhg.exe
C:\Windows\SysWOW64\Ocfdgg32.exe
C:\Windows\system32\Ocfdgg32.exe
C:\Windows\SysWOW64\Oloipmfd.exe
C:\Windows\system32\Oloipmfd.exe
C:\Windows\SysWOW64\Ochamg32.exe
C:\Windows\system32\Ochamg32.exe
C:\Windows\SysWOW64\Omaeem32.exe
C:\Windows\system32\Omaeem32.exe
C:\Windows\SysWOW64\Omcbkl32.exe
C:\Windows\system32\Omcbkl32.exe
C:\Windows\SysWOW64\Ocmjhfjl.exe
C:\Windows\system32\Ocmjhfjl.exe
C:\Windows\SysWOW64\Oflfdbip.exe
C:\Windows\system32\Oflfdbip.exe
C:\Windows\SysWOW64\Pmeoqlpl.exe
C:\Windows\system32\Pmeoqlpl.exe
C:\Windows\SysWOW64\Pbbgicnd.exe
C:\Windows\system32\Pbbgicnd.exe
C:\Windows\SysWOW64\Pmhkflnj.exe
C:\Windows\system32\Pmhkflnj.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
C:\Windows\SysWOW64\Pofhbgmn.exe
C:\Windows\system32\Pofhbgmn.exe
C:\Windows\SysWOW64\Pbddobla.exe
C:\Windows\system32\Pbddobla.exe
C:\Windows\SysWOW64\Pmjhlklg.exe
C:\Windows\system32\Pmjhlklg.exe
C:\Windows\SysWOW64\Pcdqhecd.exe
C:\Windows\system32\Pcdqhecd.exe
C:\Windows\SysWOW64\Pfbmdabh.exe
C:\Windows\system32\Pfbmdabh.exe
C:\Windows\SysWOW64\Peempn32.exe
C:\Windows\system32\Peempn32.exe
C:\Windows\SysWOW64\Pkoemhao.exe
C:\Windows\system32\Pkoemhao.exe
C:\Windows\SysWOW64\Pcfmneaa.exe
C:\Windows\system32\Pcfmneaa.exe
C:\Windows\SysWOW64\Pbimjb32.exe
C:\Windows\system32\Pbimjb32.exe
C:\Windows\SysWOW64\Pehjfm32.exe
C:\Windows\system32\Pehjfm32.exe
C:\Windows\SysWOW64\Pmoagk32.exe
C:\Windows\system32\Pmoagk32.exe
C:\Windows\SysWOW64\Pkabbgol.exe
C:\Windows\system32\Pkabbgol.exe
C:\Windows\SysWOW64\Pcijce32.exe
C:\Windows\system32\Pcijce32.exe
C:\Windows\SysWOW64\Pbljoafi.exe
C:\Windows\system32\Pbljoafi.exe
C:\Windows\SysWOW64\Qejfkmem.exe
C:\Windows\system32\Qejfkmem.exe
C:\Windows\SysWOW64\Qppkhfec.exe
C:\Windows\system32\Qppkhfec.exe
C:\Windows\SysWOW64\Qbngeadf.exe
C:\Windows\system32\Qbngeadf.exe
C:\Windows\SysWOW64\Qfjcep32.exe
C:\Windows\system32\Qfjcep32.exe
C:\Windows\SysWOW64\Qihoak32.exe
C:\Windows\system32\Qihoak32.exe
C:\Windows\SysWOW64\Qkfkng32.exe
C:\Windows\system32\Qkfkng32.exe
C:\Windows\SysWOW64\Abpcja32.exe
C:\Windows\system32\Abpcja32.exe
C:\Windows\SysWOW64\Aeopfl32.exe
C:\Windows\system32\Aeopfl32.exe
C:\Windows\SysWOW64\Akihcfid.exe
C:\Windows\system32\Akihcfid.exe
C:\Windows\SysWOW64\Abcppq32.exe
C:\Windows\system32\Abcppq32.exe
C:\Windows\SysWOW64\Aealll32.exe
C:\Windows\system32\Aealll32.exe
C:\Windows\SysWOW64\Alkeifga.exe
C:\Windows\system32\Alkeifga.exe
C:\Windows\SysWOW64\Abemep32.exe
C:\Windows\system32\Abemep32.exe
C:\Windows\SysWOW64\Almanf32.exe
C:\Windows\system32\Almanf32.exe
C:\Windows\SysWOW64\Afceko32.exe
C:\Windows\system32\Afceko32.exe
C:\Windows\SysWOW64\Ammnhilb.exe
C:\Windows\system32\Ammnhilb.exe
C:\Windows\SysWOW64\Afeban32.exe
C:\Windows\system32\Afeban32.exe
C:\Windows\SysWOW64\Amoknh32.exe
C:\Windows\system32\Amoknh32.exe
C:\Windows\SysWOW64\Bejobk32.exe
C:\Windows\system32\Bejobk32.exe
C:\Windows\SysWOW64\Bppcpc32.exe
C:\Windows\system32\Bppcpc32.exe
C:\Windows\SysWOW64\Bflham32.exe
C:\Windows\system32\Bflham32.exe
C:\Windows\SysWOW64\Bcpika32.exe
C:\Windows\system32\Bcpika32.exe
C:\Windows\SysWOW64\Beaecjab.exe
C:\Windows\system32\Beaecjab.exe
C:\Windows\SysWOW64\Blknpdho.exe
C:\Windows\system32\Blknpdho.exe
C:\Windows\SysWOW64\Bbefln32.exe
C:\Windows\system32\Bbefln32.exe
C:\Windows\SysWOW64\Bmkjig32.exe
C:\Windows\system32\Bmkjig32.exe
C:\Windows\SysWOW64\Cpifeb32.exe
C:\Windows\system32\Cpifeb32.exe
C:\Windows\SysWOW64\Cfcoblfb.exe
C:\Windows\system32\Cfcoblfb.exe
C:\Windows\SysWOW64\Cibkohef.exe
C:\Windows\system32\Cibkohef.exe
C:\Windows\SysWOW64\Cmmgof32.exe
C:\Windows\system32\Cmmgof32.exe
C:\Windows\SysWOW64\Cplckbmc.exe
C:\Windows\system32\Cplckbmc.exe
C:\Windows\SysWOW64\Cdgolq32.exe
C:\Windows\system32\Cdgolq32.exe
C:\Windows\SysWOW64\Cffkhl32.exe
C:\Windows\system32\Cffkhl32.exe
C:\Windows\SysWOW64\Cidgdg32.exe
C:\Windows\system32\Cidgdg32.exe
C:\Windows\SysWOW64\Clbdpc32.exe
C:\Windows\system32\Clbdpc32.exe
C:\Windows\SysWOW64\Cdjlap32.exe
C:\Windows\system32\Cdjlap32.exe
C:\Windows\SysWOW64\Cekhihig.exe
C:\Windows\system32\Cekhihig.exe
C:\Windows\SysWOW64\Cmbpjfij.exe
C:\Windows\system32\Cmbpjfij.exe
C:\Windows\SysWOW64\Cpqlfa32.exe
C:\Windows\system32\Cpqlfa32.exe
C:\Windows\SysWOW64\Cfjeckpj.exe
C:\Windows\system32\Cfjeckpj.exe
C:\Windows\SysWOW64\Cmdmpe32.exe
C:\Windows\system32\Cmdmpe32.exe
C:\Windows\SysWOW64\Cdnelpod.exe
C:\Windows\system32\Cdnelpod.exe
C:\Windows\SysWOW64\Cfmahknh.exe
C:\Windows\system32\Cfmahknh.exe
C:\Windows\SysWOW64\Cepadh32.exe
C:\Windows\system32\Cepadh32.exe
C:\Windows\SysWOW64\Clijablo.exe
C:\Windows\system32\Clijablo.exe
C:\Windows\SysWOW64\Dbcbnlcl.exe
C:\Windows\system32\Dbcbnlcl.exe
C:\Windows\SysWOW64\Dinjjf32.exe
C:\Windows\system32\Dinjjf32.exe
C:\Windows\SysWOW64\Ddcogo32.exe
C:\Windows\system32\Ddcogo32.exe
C:\Windows\SysWOW64\Dfakcj32.exe
C:\Windows\system32\Dfakcj32.exe
C:\Windows\SysWOW64\Dlncla32.exe
C:\Windows\system32\Dlncla32.exe
C:\Windows\SysWOW64\Defheg32.exe
C:\Windows\system32\Defheg32.exe
C:\Windows\SysWOW64\Dibdeegc.exe
C:\Windows\system32\Dibdeegc.exe
C:\Windows\SysWOW64\Dpllbp32.exe
C:\Windows\system32\Dpllbp32.exe
C:\Windows\SysWOW64\Dbkhnk32.exe
C:\Windows\system32\Dbkhnk32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6688 -ip 6688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 224
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/4888-0-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hgocgjgk.exe
| MD5 | 11dc3391ec1b3a1f33c9b52c2727dc82 |
| SHA1 | e36949fbf2bd540d0835ad611cab02277fb0f012 |
| SHA256 | 8d6e26226ad4185cb7cf6446dee5eb54957ca37f8662034d10c2327403390c74 |
| SHA512 | b6f0e85f686d667b949063e1e46fc75c90b5b4b0d51187fb14d446078b371690c3fe2120fd8fcca59439570103253df872f2b05a98c566ef1c4b6ff0858b0435 |
memory/2556-7-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hbdgec32.exe
| MD5 | b404180d41bcf8be899b69dcfe312274 |
| SHA1 | 3e0a04cd410b911aa16174ecb4812a243b4db47a |
| SHA256 | bef2b9d307f8b5ef3bd999f9ce0a587258d3ff6159e5e7a56b73120b4fd31c45 |
| SHA512 | b2b1084d438c25c504b10b3ee10577f021313dd16486257e22def3f725f5be08a7bb3a9b519bba5a0d38cd15c7457eebb1123855f2a69be43b797da4c1ec2f30 |
memory/2304-20-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hqghqpnl.exe
| MD5 | f019a97e8b5e8e96e0f4257003c3dd6d |
| SHA1 | a521c8c8830abffb704b43825390a37d65585c3e |
| SHA256 | 6986a045f1823a0b0ec855a3c3d608352634bb9b8839754e0d75453e427c7a37 |
| SHA512 | c2ca3a9540b80736f9b8d8e5e48c438816ee97dbf09503d0ba678ee4dbae23842a7b1bf02c1480bc992aa8c47362bc4a42b3562316ef736841fa87628fc63535 |
memory/3956-24-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hgapmj32.exe
| MD5 | 78c476600d525115c64c4bee60741192 |
| SHA1 | 91c5f1680b4db407e8e4d55c58d9297c0aba6a19 |
| SHA256 | dc1d0478831925331901132f5f53c3d848ae5c6388d376359acd34bdbf155d11 |
| SHA512 | 7f374f00eb6be4c98fd723385f4dd13005b7eb19311f3f32bb39fb3defc805e21d4318e841d605abd83ed513f3fcf303c5810026e3e5170e7c87a358013c01b0 |
memory/3940-31-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hnkhjdle.exe
| MD5 | e24d04d280c4d3a04a2152db7a8980f9 |
| SHA1 | 8be4357625a3a928888fa41204b0b269a58f6f1c |
| SHA256 | 8d70e6f9a32d78bf40ec4925c54419f7efd6823ca90ac6fb534651259e9f4c9a |
| SHA512 | e43cba1848aa42b718e0b8498bbf192294b62ec21c17c9b816e2397ffd1bbd3453c6fe15171cb2cfb1554856307efe41557f56352d742f237f7c399f32471fee |
memory/2896-39-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Heepfn32.exe
| MD5 | 6b364c00f9fa3e2e6a23822d5c0a71da |
| SHA1 | 8a9c575871f0a8638e306083c601d476d08e4a2f |
| SHA256 | 9c5ef13f22266aff946eff799db8d03ee9b893fd45da024a88a4d4cedc1a37d1 |
| SHA512 | ec3257e6b9cbd1c3f6769991048bc6dd70a5eaed61ddfc8dd5b13265260dff2f8b06c5e1fbaf320196135249b68cda4bb9d454c3ad449a3024c9ea6dc6e988f2 |
memory/2036-48-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hkohchko.exe
| MD5 | f743df688c2ba1050c07836fc333660a |
| SHA1 | 0cc8d56f7af82558add0b4b913312b850e0a7961 |
| SHA256 | 169236d51b1661063b55d7d65430cb36eebddf452249c63219f6d363d9fe34c9 |
| SHA512 | f0c6faaa9023832ba49f3f146dd4d93ff8b2972c7ebeb20b3284b945a15ad5512c91a20aa05d5a4d99f8a4c99d5dffe3c7b9cd4c5f47b7e28522c9f45f9b8efa |
memory/1600-55-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hnmeodjc.exe
| MD5 | a64bb586d08d6bec4f385fff91d99ea0 |
| SHA1 | e02883c80657e1472ef7c00eb487364ed695ce9d |
| SHA256 | c67e5a7824a7df7067980ebd0b895c502e3ad9a460abaf60d06cd0fcedf307e3 |
| SHA512 | 10d26ec6aecc4a0fefa18b61f263b21b36e39f5d96098393ecbbafb404c72bfd70673b8944c9fcb955c9b12d883d5b262b0abd524a7a01d623234ad98c7ab02f |
memory/5004-63-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hegmlnbp.exe
| MD5 | 5c65dba6b8f0edb6a4f3a7ae7b872ec8 |
| SHA1 | 1de30549281375bc17e0b94f636da41c159ec943 |
| SHA256 | f10fc23b36d10e65de3446dad04c696540f9af5fc4b1150eebecd413598345e2 |
| SHA512 | 47e368587741fa215cca49cfdd7f1f29be603c9c6ef7f7e27dba2cc16db182a4bc393a48b698805b55bbeb513bf3359e03cd188f18b6f2a18d13757b3e685ab1 |
memory/3380-71-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hjdedepg.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Hjdedepg.exe
| MD5 | 2d27b3affefd9fb483ad1e21b65dbd01 |
| SHA1 | 77afc101da94c3455effbb486177c5cf3ecb4b56 |
| SHA256 | ef4b54514d62475df7485a16cbd9fbd88590bd13d47f5f56df279aa979df1921 |
| SHA512 | aba6d35db696c143834974ad78cb435802466e615d09f2d5494822a0dd977297055a283e3f8161b4cdab0424a02531e35ae903403573764b7520207b7fd73433 |
memory/1216-80-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hannao32.exe
| MD5 | 2e71da18cbc556f7506a53cb0e203cdb |
| SHA1 | 91ed8706cbd52281d8808892fe1953a97b8619e6 |
| SHA256 | d2e21c140472a4da158c4d254a232afd09ac8c721fdea3e97890e6fab7157819 |
| SHA512 | 2dd7d012c906741c369b634d2c67749fd1d39e0de181f3e48c09b059be69b6735d3c909c67d21511c8aacf1fff1b862a4894ac70bcc6e610dcd83dd068dc048f |
memory/2800-87-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hghfnioq.exe
| MD5 | a8ceab32341146e797ec197a173f0623 |
| SHA1 | 8ff121f001b9c8dec257b4a6d3fbd2eb83f92bce |
| SHA256 | 979d9017fd153f1d33c336ea92183c1f9e1187ff2c95594bf5bdb47b951e05ea |
| SHA512 | 40fb69e02058301bd817064d9d16b94d1c97a87befb3d9a3f3109aae7ef7786de9478ad943a425ac2cb3954af9095d3f9c6ad16de192cb2c65ed9d36044ae1d8 |
memory/2244-95-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hnbnjc32.exe
| MD5 | 8a11efa373dc3d3b2edb6f5c5a9818b4 |
| SHA1 | 1a6d0dde30074f2a9f3b53775c9ddd90f31ed16f |
| SHA256 | 913af578e20c834dbe05e739a81bf100aafd86ce8d803b17dfb7999035d36b64 |
| SHA512 | fd748f3749d274e79ff9d2841db5a4000f512033728f4e588da7d97489df07d84225eb6f12700e7b39e215e1a7de661315865d98ad86507bd3b239fde41a1080 |
memory/1572-103-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ielfgmnj.exe
| MD5 | 29f3572612b134bdd11123798c04a1a0 |
| SHA1 | 506042919307b38a3503f0b62bcc513140535f39 |
| SHA256 | c14db6aa19beeb451fc3058ec2762a94073aa29d2c749329aea2305771aad219 |
| SHA512 | 30b5fb08fb1fdcf710eded59c91222de21eeca1a176bb603c0eef1ad1a5a77058eeba29cc27547c648092e72e9c2f88cc0ac239a876c5df64c9cf1c81707e633 |
memory/1520-112-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ilfodgeg.exe
| MD5 | 676029837d84e36bf31ae3c83c2b0a05 |
| SHA1 | d93ae8823ec6b5f216520d49a39a6b4c1fab7df1 |
| SHA256 | f22d57ebd93ba41b8e73a3ca155a76812866565b2bfb6c423e0653cf5fd48423 |
| SHA512 | 2984b5150f7c1544d276e2e14182b880d195e9a437a26d980da3832603713326d21926ed3b4d61a02b765e172984431b81fe1daabdb8d44c08e5d024fb670d69 |
memory/4484-119-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Iabglnco.exe
| MD5 | 4ef23a283be95de1ddfa8d6bfed778eb |
| SHA1 | 118dbdf3cf1d501f8cd04743d683011cc36687a0 |
| SHA256 | b3c4f82c57b1afbac31b43066df44dc96eda0954450fd5597402766d1bcb66e1 |
| SHA512 | 0f82f92dbaa046f266c618f9a1800a5ca0ba8e1305697a6a9550c3b4c6a332b74159c3283cebf3a0f9b2e6bba98786da9d8348e0f0d197084e455f344065c5e1 |
memory/4068-128-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Igmoih32.exe
| MD5 | a0c16ec34cde681ab64bd66ebd0522b2 |
| SHA1 | 568e423e2aa2ae4b0d3c84bb201a00caded69071 |
| SHA256 | fce956f3cc12f56ba9daac50cac22976af9b313f683c69696d3c340d7ba3cf3c |
| SHA512 | 99899df5df97533fc0cf2a79757c9736f8170b700d117f6c862afbb19a31d2851842322a3cb570499fbcec54db5db32ecbc8e66930d9cef851257c77657efb62 |
memory/4696-135-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Iaedanal.exe
| MD5 | 76c29813ccca3582047ef2152659a24a |
| SHA1 | 9570e2576764d16c4bb76c5997ce471e79705374 |
| SHA256 | 3609fad1d5e46cd80e46dbd12e476a95896cdc5ef1fcd4ee444477c84bd330d5 |
| SHA512 | 651fb5ddcd0296e9ee180b8d103a862490ff6b94ff30d748d66ebb3da0c42b7a564876df5b2ffc26751b40f9ca3c1667006ab9b51fe1c7272278deb0630ca2c6 |
memory/3784-143-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ijmhkchl.exe
| MD5 | d7b0064e180354cade7de4e4a06ea2f6 |
| SHA1 | eee238ce6f6c525c9c7084086223cd7a2796d750 |
| SHA256 | 3807247ea28f6181d154903076679a1721767847453c21e12bd377efadd23e48 |
| SHA512 | 9562e8fe427b102276e302a0ef5eacce86d44552054a448cd91e4bd06cb33aa1618d4f8fd5377dfc28ab6b2e9f8c21d1db60438cb8e2d052e4fc71bf6d050b4c |
memory/3604-151-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ihaidhgf.exe
| MD5 | 61aec923d51e3f20735dffc8351e9ee6 |
| SHA1 | 40a430014464af6519de2c26eb964763b806deb3 |
| SHA256 | 3f8600800bf071092cd3dca8ac46ad0b4e3f890a8de6f862039b56633e629537 |
| SHA512 | e8465be77bb2cffc7c9d6ae46ff9877fd156eee53c6fc1369db0af09500683b3302a229ed528d01b3e84fd625c7d80b051d7d6fec4d9aa63fb964aaf73d06ea7 |
memory/2316-159-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2064-167-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ibgmaqfl.exe
| MD5 | cda56ee700a4168eb7c686247324c3bd |
| SHA1 | d7a71760bf17019d31af689b33e6e4bdbf5a4683 |
| SHA256 | 28814d9b26e47f1d881d8ec3b4c460a0f6763665bbc07a6b12d6e3f76d10a6d5 |
| SHA512 | 9c05af655fb45e3bf27be80bf16e37973379de910330ee996b165d9bfe48fc8de4099132ce59fa041e5ef593af8082df78e259d2e974e01418732d8260e86358 |
memory/3108-175-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Iloajfml.exe
| MD5 | d4db97cf7947b081100bf0cb3c51d844 |
| SHA1 | 38c2e21595ad4755c148727d783d13fce84c3f49 |
| SHA256 | 46606f4d6edbd7eba198b5264a5611ccc858251a383b09efe6f64d9d1c4e0809 |
| SHA512 | 73203bc23521c4b8716697d5ad184016fb6a32cbc48ef3fdadb1f13aeab565c3757df288154484c5a12e8c71fd45f0fab1f5c00000beb5a4ccd642725c0ef7d1 |
C:\Windows\SysWOW64\Jehfcl32.exe
| MD5 | 87a9653184f30ca341e93751f3c5a22f |
| SHA1 | 5c2cdb07f0e354ee607d3d5b0cf8996ebd442566 |
| SHA256 | acc163adb317ead924ac728556b7cf44d4ac63f5a523f3125111f3524dcd5ba4 |
| SHA512 | 91aff5d5acd44b3e5b5cf7f141e904f0ef1f9d480bd32f9cc497a579f96724c22e9e7441684538e1e2a9666bbfa026888492df91e74037c8ceff73629c5747b3 |
memory/4632-183-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jlanpfkj.exe
| MD5 | 917e46894cea90d5d16279a383bcff0e |
| SHA1 | cb3af02e73e18fb79c18a097c8ec673b4309e514 |
| SHA256 | db986ffc5e84b831bf2e61310b761ddbc6031174069247c555b01077a790af37 |
| SHA512 | 3e174774430b733e5c85af03bf516a2e5f1b1b09e1d4a3111a3d2af122cf3cb4a9924b4aabe6ff6e4eb61c1ced4805934fdc7307023d92c938ef79226f22a088 |
memory/1940-191-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jdmcdhhe.exe
| MD5 | b6df36773c6855f3250825f843c40c84 |
| SHA1 | 96a6e7fd5388677e5dc6eb9f6955938cde7085e4 |
| SHA256 | 9c53992ad78ba63d2d48bf6dfdaaaf2b217c9abddd8eb09a32ceaf886512ca8f |
| SHA512 | 37819e1ee43e67d8aa9ae101e0dfc586291697fe9a265ac17f50f883cc758f9ca1cb5d361285dd1a79b9eee24f2db1b05805969f5569defec8499a9a92acba69 |
memory/2252-199-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jelonkph.exe
| MD5 | fb1d89c191064b5222b05aff47852838 |
| SHA1 | 02a16c8e58c04dfa4f01ca49bf2d636c74b6ce67 |
| SHA256 | 8b8f7957ed70dae98dea5acf127c6833c6d23a5d90d0418d320b470d60ac1563 |
| SHA512 | bcb3b4835a20962af9acc8fb3b1a7bd835ef702a075917e064004909fc3e543a1b79990e582a50b504dffff7bbd8d03c2b5153f3e84152b23c3f25b9b16d2d91 |
memory/1932-207-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jnedgq32.exe
| MD5 | c77b44169b7b275c62cc4d688010a545 |
| SHA1 | 0308a2ca96cdbf38b281080d04adef94197be4a3 |
| SHA256 | 248d729d3415adcc6d016fb507eb1d7b34ab7560ce67dd5ed09d63a45520cbea |
| SHA512 | 6ecd71ed6ede3e6f72cb35fbe7cfc4406078885a69386661f86156cddc1140e4af2c3f7e150ee761163df34c3ffa4434f5fa370046e5fa70e58c50bc1d4a9aac |
memory/4012-215-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jjkdlall.exe
| MD5 | 58302e334f5876d6e02e3e77fecb1edb |
| SHA1 | c194b466651b7b2c5bdf1126f6a38d0f266c41ac |
| SHA256 | 78250ab6f03e1d49b844c14a7fa8adec96431162b2d65ea5e4ff307e4820e7c2 |
| SHA512 | 16a58dda91ee589441339c84a0d2d570ab5916cde9dbbef39a4fe6a42462e9cc5924c4a7f6f5ceb4df30dd991d82003ede856d9b3abcbc4f6f631c5204e84937 |
memory/4548-223-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jeaiij32.exe
| MD5 | 5edec2b9088ca5995b4415b2314fb790 |
| SHA1 | 22d0ae90b90637fb8da6d135b4dc87b0cd34c0ac |
| SHA256 | eeb8cc67fe1a7fb760c4d672c7e86e73667377035a9da02d1cc2403802682872 |
| SHA512 | 309e1133be743b543bd8338bc844c8d595670eae5664ab3275c419da8c43ccaa5e0573c5b4416f512001ed8b957bcc4224c5012ca5291ba85cd359f12ff9a9b9 |
memory/968-231-0x0000000000400000-0x000000000042F000-memory.dmp
memory/684-239-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Kbeibo32.exe
| MD5 | d74ebb62554457e8930cad282ea77b6b |
| SHA1 | 91bb2a91d962640f9b317ff395408f22224b94d8 |
| SHA256 | 26689ed7fab060d3a42b2869fe605c76809ae3bae87ada6ea7908774b18f643f |
| SHA512 | aee7d140e8ba9fa3bd32dc4a34c0a4b40a659053b64811145baccaf12f4c46ac79baddadbaf7fe1ecebc538e32c792d93d5fd6543306083f460fe050d3186219 |
C:\Windows\SysWOW64\Kdffjgpj.exe
| MD5 | ec644ac26725c966a65f3261d0bcdabf |
| SHA1 | 0fad629a3be01bd613df2fb1d2930619b3a5dd1c |
| SHA256 | fe20b71911a1beb54618b9294074d9fd8e3bb241626477cf3c5cb61979f077e2 |
| SHA512 | b3c4a7f958e72e5ac51a13c085a4b304e20543c4d1d465241db55f350fde37462cc106655b52f090de01cb3ce75e926d7d9ad197b1a0cf6f463b1e5238bc4e47 |
memory/1156-247-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Kajfdk32.exe
| MD5 | c66c5b52d246e9f4ac43246a57b1de8a |
| SHA1 | 59ed82625b11d41c150bfdac67235fb0136302f7 |
| SHA256 | b9fd03c7b4fd5e1a3ecb04cd6e02b59359c2250f301d4ce73d6ad13cdfe4b1a3 |
| SHA512 | a9aa9ef3026f95d126cb6b18ce8fe7a104988805aa165ea63eb75e592c2c50d10f9b3a8ec758a5bdf119ab1687ad9f05cb9cad5ae0ff30459f7d7efeffe2bbe2 |
memory/3688-255-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Kongmo32.exe
| MD5 | 2049727cb301c042c350c5dcd2a01657 |
| SHA1 | ddbc3037f357fffe76fe525a6f754ec1b87cff89 |
| SHA256 | 38ab688eeafbf60232903317d6ea906dcaed4d7b356700aa15779ba18072d7d0 |
| SHA512 | 1ee348b025cb59ea4ec0d040ea24a1a945ea4d8f3c8df018e27d1f4f494b731e4ad93f95485468b4141531537c163abf006b2a3b7a25cff9803ad1dd2c615bbb |
memory/520-262-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5076-268-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Kkegbpca.exe
| MD5 | 4507043779ec0d7d72cb6d36e86938b8 |
| SHA1 | 94e349e76200e86c19717b62b17d78d151dd3d58 |
| SHA256 | c14d10fe8a866161ef1b0d4de2043d13231c19fe47a5ff315720b946d8cab126 |
| SHA512 | 96121fe9b566a60067e318b0de0ce8924ecb989d6960d772cee806dc28e0c8bb77dd8388add5b1039f2af55ac6c02344d94047bdc78e653ca5801ccaa54d00f8 |
memory/3172-274-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5104-280-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Klddlckd.exe
| MD5 | fbb0bdf9486c1059664303f5e6fdabcb |
| SHA1 | bba114e1b2a387240516c972a9b07a5bd91df67f |
| SHA256 | 9e701778a7184577d90f5a69ed202ae349352fd2b03c19e8144159eadece9da5 |
| SHA512 | a8e8baeabc7a5a0bf9320f507243eebfd28f4469aed72d99b9032626d8bf3abe53cb350b96283eba158bf620e272b6a70ce4cb7058ecd92014df9325fa53df52 |
memory/980-286-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1072-292-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2732-298-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1148-304-0x0000000000400000-0x000000000042F000-memory.dmp
memory/224-310-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Logicn32.exe
| MD5 | 517fe7985862d84c34752efe39ccda9f |
| SHA1 | 8b08a822269eee91757918b5a1019a034e7ceb50 |
| SHA256 | 220787374661d69e62c892047e56ca1f5dccfd84b36a7c63e9c5d11505108ffa |
| SHA512 | 8a12f8c7a7bffa4ebf75279dde73bc49c621720b6bb000b32bb0980d47d7cc62b84884d5577a0eef2f84e74b14605bec72359ec2fc39ffc09bf0bd84ebdd2ba7 |
memory/452-316-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2876-322-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3944-328-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4660-334-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Lbhool32.exe
| MD5 | 8219516692953848a390655e2aadefb9 |
| SHA1 | 184f2c5401b444599ef53b552325811638f5d2e9 |
| SHA256 | 576f6d30b5d3dd8cd11b6790748f1a44d2062351c52655ee2c9b17bb4adedc4a |
| SHA512 | 75bb8c3215ae637de91ed27705abe70aa88265b5c02a629c822460a45fe2f024f47c450959a03ad2a4547d4980023400aa10bea3201b58201c55c3df358278c6 |
memory/4200-340-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4988-346-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2032-352-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2136-358-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4432-364-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4008-370-0x0000000000400000-0x000000000042F000-memory.dmp
memory/776-376-0x0000000000400000-0x000000000042F000-memory.dmp
memory/244-382-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1944-388-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2616-394-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1120-400-0x0000000000400000-0x000000000042F000-memory.dmp
memory/948-406-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Mafofggd.exe
| MD5 | e72211c5b99a388901bd06523d02f913 |
| SHA1 | c5d3edc885a2916dd3a8c0ab58ad9d30dc6b2b53 |
| SHA256 | 6e2cbeac7968d7502d98dbd2831bb8203fe02bb0c1b06cdb1b8742847d8017f0 |
| SHA512 | ec413e28cdc23dace360ac91228281cfeced68e802bb53c717e143a24d8a8be5b5724f8f23377aa5aa2206bd56cf4ce4382d3b5fcd97603d25a20fa4f5f36d00 |
memory/2424-412-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4576-418-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3832-424-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4560-430-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2224-436-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3464-442-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3516-448-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1656-454-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1784-460-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3524-466-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ncmaai32.exe
| MD5 | 4a9d6bc383eb74b24682a09bc2412341 |
| SHA1 | 2a9e3cf1a117d28362b10dc509ca2a74b0d5f549 |
| SHA256 | 045bf6e201fc0c72c8b648ab5bdcf400a00f7784f2c5265213e9acf61f847600 |
| SHA512 | a310b8765921370db3661cb51eeb530eb9ca0fa6e777a3ec2ae01f8499bc7256d4ccc419768c8e577173a1d71226a2a88acca919e7ad687d350c148f3f5c72a6 |
memory/2060-472-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1848-478-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3428-484-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Nfnjbdep.exe
| MD5 | a12251259b965a61c7c38e3514c90c4c |
| SHA1 | a2aa2b9baeff10183572b9cf529addfa450ea3dd |
| SHA256 | 8ec038fa461c77a672255f8c88c84f49560d818ad7c7091dabe66f99810a5756 |
| SHA512 | dfa1704f44eda8d5150c8c8015480a2ea1334719b9df8b6ab5d092dba96258953da4f1fe9666e848c06f2e0e65ccc8f383c7d5a6bdae09f1b0ed0dc1b3670270 |
memory/4924-490-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Nlgbon32.exe
| MD5 | 796c38ecc6f3f2646c732b101c319442 |
| SHA1 | 23b373575ddb661c99b650e8d56903704df13e2c |
| SHA256 | 2a638be6eacf5a8e31bb1b231c0536d9db8f9d4bd05c1cd59264986c7783b8ca |
| SHA512 | 758bf6d14e852606b078212996e0105e13b25e3b81d3d7e4ee40e269c05fe16f3f8c48c4171436efef842aadb8f69df2a5667176e7bcd73174ce273a83067e35 |
memory/5084-496-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3916-502-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4968-508-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1760-514-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3588-520-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5060-526-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1780-532-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4692-538-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4404-545-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4888-544-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2556-551-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2928-552-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1836-558-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3956-564-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4792-565-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3940-571-0x0000000000400000-0x000000000042F000-memory.dmp
memory/816-572-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2896-578-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3052-579-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2036-585-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3244-586-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1600-592-0x0000000000400000-0x000000000042F000-memory.dmp
memory/928-593-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5004-599-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Qkfkng32.exe
| MD5 | 8f2aa2c5524993b0ed9a7d121abe4e8b |
| SHA1 | 6ec8e1ce0bb4db3305a5753696c542503b4300ce |
| SHA256 | 6f9b342b552d7c1c51681706fd6c91a9cb8a04b98f57cc1f469902720f6d17f1 |
| SHA512 | 3c5a041b70e7aaa41cc3b57ab0b524446c61f62bd15c1d7cbf3b10f5ec712b4f22641f51f0f0d4e62e88b4b94322964a613f9de7d9ec3b68136b8e816293178b |
C:\Windows\SysWOW64\Almanf32.exe
| MD5 | da4625b9ae1b43218bfc1ed488fedeb2 |
| SHA1 | c3b70add5d88beea8e06017066cc687aef7bd723 |
| SHA256 | 5c5c7d5bc132b2355c9f86d5ac5aa46032832bbf3e477be38be5931399f432e7 |
| SHA512 | 67776d8270b525e4f352c4d153c1e62c7e50bd208acc82cb45664682ec3b14cf065a295c680fa964b8750da51807cd6f280e78feb93c6432467c32920f407ab5 |
C:\Windows\SysWOW64\Afeban32.exe
| MD5 | be25f44bbc005df6864827b943e00920 |
| SHA1 | 290dd18b1103d5ef6dd62a960c24d3094bd5d0ca |
| SHA256 | 357eb7595ef19e71afbcefed22024dc3ec07c6426fbeed932abae9ec14ce7a86 |
| SHA512 | 594b2e824a161c05766601672ae7c7eaa13955fbd741a0a9d1bd4f0db1b678fb543e108f6dae055c683e37a3184fe7b2f85a3430c0e8b39913d7702cc8b21bfc |
C:\Windows\SysWOW64\Bppcpc32.exe
| MD5 | 0057fd992d9ad960e793047f55e6260b |
| SHA1 | 9c3ed5da687c9384404ba1ba6b799b229cb01d79 |
| SHA256 | af87621e138e6186ab668fd36ab51eaf0ddaa0a75d261f96b94749aa072db5a4 |
| SHA512 | 8227f9a1e9ff9d1f0cce4a7cabd7250df2b8d90f17383b90ea478e1ac3b88393b2a32a2a7d4810246e5644d122b9cb4696539f993999553cb95dd23ceac303d9 |
C:\Windows\SysWOW64\Blknpdho.exe
| MD5 | 9b1892c1f7d45b68b5a232b87f8e81ff |
| SHA1 | 24b36a65c989ea3e0442057c12a194fafbca4e79 |
| SHA256 | 546a87582d273d2f0eeb1446309a5f31d67f4a3707f3b1bfaa879956e6da202b |
| SHA512 | 9289f40022525dc1a50203d491617e831fff5f2dd8aabb4b4ed0a60ffe914caa0850fe7f7e918540d80732f2a9bd37c12321bc6783b7a387bb31617019628ceb |
C:\Windows\SysWOW64\Cmdmpe32.exe
| MD5 | 2bc3622e593e83a1d530d3a8cdb08aee |
| SHA1 | 0889e365575b7a20b20da7550038009c315b9b5e |
| SHA256 | a5f8c5e6cd18cf7933da67b4db3c11f8893a6ee76a27e83cdc0b54869bf1cbb0 |
| SHA512 | b196af988455c48d4459c8af46498172562aedcfcc0dc6d8d860272d9e5d69ad46b5e15fdf7bf1174273c373eca30b6f9ed287c494d408c2ec6025df610315a7 |
C:\Windows\SysWOW64\Clijablo.exe
| MD5 | 4de8ada9497a841de511bed8b947a013 |
| SHA1 | c93cba46eb290389f606d87181d6de9becb322b6 |
| SHA256 | 1cb87a7a27bfe14c05eed94a6b6ec001029340552bdc7759e7672f99d5c5296c |
| SHA512 | bbf87ab0ccbcdd5e06e43509296634aec504acc6502f7d7c222e33826f1d2ed67150993ffac7791c86bb9637fd6c86da7d23b69eccec8fa897e1337ee6adf2ac |
C:\Windows\SysWOW64\Dinjjf32.exe
| MD5 | 4eb8cb54e1f7e93a8ccd633ad5d6b554 |
| SHA1 | a70cfcb3803fddfd521d0d13fe60eceed99c00ba |
| SHA256 | 2ef0251e9b03143d80086eec9411f3497af2d41111c8bed7e038694e843abdac |
| SHA512 | 894d467f24385a839bb8760b205c7e160b47a9d80f4dc12ba31821c050b6b58a55edc30fe47d7a885a2e68bdfcca1d549eb72f1c28a84fc654a2af828bb179e8 |
C:\Windows\SysWOW64\Dibdeegc.exe
| MD5 | 997e57d494f68e33e5c076597dac7550 |
| SHA1 | 53e45a0eae624501f443682f8e5c8204454d6d26 |
| SHA256 | 70c06fa94ba5e6912787cf1d9d73df6a0de81fc6c36f436ac69072ab5586c536 |
| SHA512 | cdc1c689cbbe18f204b1f21c6a2541a83afc25425821bcac1af3000865199afd98b0a5b8bdd3144b61dce44634eb9f0f00914653aba34f1758776163ad962090 |
C:\Windows\SysWOW64\Dbkhnk32.exe
| MD5 | 7cf55e17bb99a3662b8614d9f0d48da4 |
| SHA1 | 2971558a62d91c4f578acbe38f72d79e1968a455 |
| SHA256 | 5b69f01db9b721a9ad6cfa7ca2bfe42053c32765d6f02651be6d7d2c3478f7f0 |
| SHA512 | 66e4cdeb7bc9e18aeee286018054a2e2be6ffb7217efa7adfb27b812333fdd49599179a30c5b958b9d3d368751b93cfd6e28afdabd288b797157a5072848348a |
memory/6292-1081-0x0000000000400000-0x000000000042F000-memory.dmp
memory/6188-1083-0x0000000000400000-0x000000000042F000-memory.dmp
memory/6248-1082-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5636-1170-0x0000000000400000-0x000000000042F000-memory.dmp
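The listing above is a flattened sandbox table: each dropped-file path is followed by its MD5/SHA1/SHA256/SHA512 rows, with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries interleaved. Two things stand out for triage: every memory dump covers the same `0x400000-0x42F000` range (a 0x2F000-byte image), while every dropped copy under `C:\Windows\SysWOW64\` carries a different hash. Hashes from this report therefore only block these exact copies; the eight-character file names are the more durable hunting handle. The parser below is an added example, not part of the original report or any tool's code. It consumes lines copied verbatim from the listing above, validates hash lengths, derives a SHA256 blocklist and the set of dump image sizes, and applies a name-shape regex (`BERBEW_NAME`) that is an assumed heuristic derived from the names on this page, not a vendor signature.

```python
"""Parse the flattened dropped-file listing of this sandbox report.

Added example, not code from the original report. Input lines are copied
from the listing above; BERBEW_NAME is an assumed heuristic, not a signature.
"""
import re
from dataclasses import dataclass, field

# Sample input copied verbatim from the listing above (two files, three dumps).
SAMPLE = r"""
C:\Windows\SysWOW64\Igmoih32.exe
| MD5 | a0c16ec34cde681ab64bd66ebd0522b2 |
| SHA1 | 568e423e2aa2ae4b0d3c84bb201a00caded69071 |
| SHA256 | fce956f3cc12f56ba9daac50cac22976af9b313f683c69696d3c340d7ba3cf3c |
| SHA512 | 99899df5df97533fc0cf2a79757c9736f8170b700d117f6c862afbb19a31d2851842322a3cb570499fbcec54db5db32ecbc8e66930d9cef851257c77657efb62 |
memory/4696-135-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Iaedanal.exe
| MD5 | 76c29813ccca3582047ef2152659a24a |
| SHA1 | 9570e2576764d16c4bb76c5997ce471e79705374 |
| SHA256 | 3609fad1d5e46cd80e46dbd12e476a95896cdc5ef1fcd4ee444477c84bd330d5 |
| SHA512 | 651fb5ddcd0296e9ee180b8d103a862490ff6b94ff30d748d66ebb3da0c42b7a564876df5b2ffc26751b40f9ca3c1667006ab9b51fe1c7272278deb0630ca2c6 |
memory/3784-143-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3604-151-0x0000000000400000-0x000000000042F000-memory.dmp
""".strip()

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumed heuristic from the names on this page: capital letter, then seven
# lowercase letters, or five lowercase letters and a "32" suffix.
BERBEW_NAME = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (files, dumps, errors); malformed rows go to errors, not records."""
    files, dumps, errors = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"line {lineno}: hash row before any file path")
            elif len(digest) != HASH_LENGTHS[algo]:
                errors.append(f"line {lineno}: {algo} has {len(digest)} hex chars, "
                              f"expected {HASH_LENGTHS[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        m = DUMP_LINE.match(line)
        if m:
            dumps.append(MemoryDump(int(m.group(1)), int(m.group(2)),
                                    int(m.group(3), 16), int(m.group(4), 16)))
            continue
        if line.startswith("C:\\"):
            current = DroppedFile(line)
            files.append(current)
            continue
        errors.append(f"line {lineno}: unrecognised line: {line[:40]}")
    return files, dumps, errors


def sha256_blocklist(files) -> list:
    """Deduplicated, sorted SHA256 values suitable for a blocklist feed."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


def suspicious_names(files) -> list:
    """Dropped-file names matching the assumed Berbew name shape."""
    return [f.name for f in files if BERBEW_NAME.match(f.name)]


def dump_sizes(dumps) -> set:
    """Distinct image sizes across the memory dumps (one value here: 0x2F000)."""
    return {d.size for d in dumps}


if __name__ == "__main__":
    files, dumps, errors = parse_listing(SAMPLE)
    print(f"{len(files)} files, {len(dumps)} dumps, {len(errors)} errors")
    print("SHA256 blocklist:", sha256_blocklist(files))
    print("name-pattern hits:", suspicious_names(files))
    print("dump sizes:", [hex(s) for s in dump_sizes(dumps)])
```

To run it over the full listing, paste the whole block of this section into `SAMPLE` or read it from a file; unparsed lines land in `errors` rather than silently disappearing, so a truncated hash row (a copy-paste accident that would otherwise produce a useless IOC) is reported instead of shipped.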