Analysis Overview
SHA256
a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec
Threat Level: Known bad
The file a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:12
Reported
2024-11-10 01:15
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
135s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dailkl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klapqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kppigdlg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pjbkjb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Afghqa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aakfcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Chhdlhfe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Goqkhk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nghflj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mgageace.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nnpimkfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ocmjlpfa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Foiegl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hojnnj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lfcdjm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ddjemgal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dejafj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gochmk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpdikffd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nehjagbo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfbfod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mimpagqp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pemlcdpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpjlngje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pfqpcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Amhdab32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Egpgiakg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emlllk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfcdjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kicddk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cqhljhob.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mccooc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnbebk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aqdqbaee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bncqgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bfoelf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dejafj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjjjbolj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdcolh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Egbdoaie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mfocelal.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhbmbc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qcmlig32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ahlafnag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aompdgbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfedbomi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pmjhpdil.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgplnmib.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ifpefbja.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jgmajifb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kfiaco32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kihnpj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cfedbomi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Acgfil32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fhpmjbch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hddiqaml.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ifdoaa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjbkjb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jkfaehpn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kicddk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjokgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bcgopjba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Egdqdagb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fhpmjbch.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Kpkple32.exe | C:\Windows\SysWOW64\Kiagokip.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgplnmib.exe | C:\Windows\SysWOW64\Pdapabjo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Inhneeio.exe | C:\Windows\SysWOW64\Ikjaiijk.exe | N/A |
| File created | C:\Windows\SysWOW64\Alhegi32.dll | C:\Windows\SysWOW64\Jlmgegjf.exe | N/A |
| File created | C:\Windows\SysWOW64\Loninpid.exe | C:\Windows\SysWOW64\Lpkibcbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlkcoo32.dll | C:\Windows\SysWOW64\Olehko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Failkdgj.dll | C:\Windows\SysWOW64\Qqopml32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ofeqhl32.exe | C:\Windows\SysWOW64\Ocfdlqmi.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkbkkm32.dll | C:\Windows\SysWOW64\Ojbinjbc.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmohdknn.dll | C:\Windows\SysWOW64\Bnfmmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oeppod32.dll | C:\Windows\SysWOW64\Egpgiakg.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpdikffd.exe | C:\Windows\SysWOW64\Jgmajifb.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjgmig32.dll | C:\Windows\SysWOW64\Lngcmqol.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnakeg32.dll | C:\Windows\SysWOW64\Eehnhhmo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gecmcf32.exe | C:\Windows\SysWOW64\Foiegl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hbkgpe32.exe | C:\Windows\SysWOW64\Hkqockbf.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbpbhp32.exe | C:\Windows\SysWOW64\Klfjlebk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Opljpn32.exe | C:\Windows\SysWOW64\Oibbcdnh.exe | N/A |
| File created | C:\Windows\SysWOW64\Najdei32.dll | C:\Windows\SysWOW64\Lbghiocp.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpdkiajo.exe | C:\Windows\SysWOW64\Mhmcgdim.exe | N/A |
| File created | C:\Windows\SysWOW64\Ambgha32.exe | C:\Windows\SysWOW64\Ajcklf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dailkl32.exe | C:\Windows\SysWOW64\Dmnpjmla.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofjgla32.dll | C:\Windows\SysWOW64\Jbkpfb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhfgganp.dll | C:\Windows\SysWOW64\Onekoh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hondnl32.dll | C:\Windows\SysWOW64\Kfiaco32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Keondk32.exe | C:\Windows\SysWOW64\Kbpbhp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogfcmhma.exe | C:\Windows\SysWOW64\Opljpn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgddka32.exe | C:\Windows\SysWOW64\Mpjlngje.exe | N/A |
| File created | C:\Windows\SysWOW64\Afekka32.exe | C:\Windows\SysWOW64\Acfoof32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjeago32.exe | C:\Windows\SysWOW64\Bggdkd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jlmgegjf.exe | C:\Windows\SysWOW64\Jinkikkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpoijjol.dll | C:\Windows\SysWOW64\Odhmkcbi.exe | N/A |
| File created | C:\Windows\SysWOW64\Fiaeni32.dll | C:\Windows\SysWOW64\Pgbicm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgqigmnb.exe | C:\Windows\SysWOW64\Hfompd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mffohjpj.dll | C:\Windows\SysWOW64\Hkehnj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbgoba32.exe | C:\Windows\SysWOW64\Jlmgegjf.exe | N/A |
| File created | C:\Windows\SysWOW64\Oppcholp.dll | C:\Windows\SysWOW64\Bcdkpdph.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bnfmmc32.exe | C:\Windows\SysWOW64\Bfoelf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lehhen32.dll | C:\Windows\SysWOW64\Edcgcfja.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mhbmbc32.exe | C:\Windows\SysWOW64\Mecqfh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bogbae32.dll | C:\Windows\SysWOW64\Ammgblek.exe | N/A |
| File created | C:\Windows\SysWOW64\Nppkdp32.exe | C:\Windows\SysWOW64\Nhiccb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njlcmk32.exe | C:\Windows\SysWOW64\Ngmgap32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgiodlqh.exe | C:\Windows\SysWOW64\Qmdkfcaa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfdgnc32.exe | C:\Windows\SysWOW64\Ddekah32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fhgmfjcf.dll | C:\Windows\SysWOW64\Hfdfkddo.exe | N/A |
| File created | C:\Windows\SysWOW64\Kfiaco32.exe | C:\Windows\SysWOW64\Kppigdlg.exe | N/A |
| File created | C:\Windows\SysWOW64\Bodhhffm.dll | C:\Windows\SysWOW64\Leakjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lngcmqol.exe | C:\Windows\SysWOW64\Llhfaepi.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmhpfdjn.dll | C:\Windows\SysWOW64\Aofjch32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdnkbgfn.dll | C:\Windows\SysWOW64\Agpoje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjheclij.dll | C:\Windows\SysWOW64\Gehfofol.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejpkjc32.dll | C:\Windows\SysWOW64\Hgqigmnb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifpefbja.exe | C:\Windows\SysWOW64\Inhneeio.exe | N/A |
| File created | C:\Windows\SysWOW64\Kicddk32.exe | C:\Windows\SysWOW64\Kbilhq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbbkhbja.dll | C:\Windows\SysWOW64\Lhogff32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Opjnko32.exe | C:\Windows\SysWOW64\Oipend32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kajaijjb.dll | C:\Windows\SysWOW64\Mpcenhpn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nhdjhcce.exe | C:\Windows\SysWOW64\Mfcmqknf.exe | N/A |
| File created | C:\Windows\SysWOW64\Dejafj32.exe | C:\Windows\SysWOW64\Dmbiem32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpklee32.exe | C:\Windows\SysWOW64\Cqhljhob.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjmnbd32.exe | C:\Windows\SysWOW64\Bgnafinp.exe | N/A |
| File created | C:\Windows\SysWOW64\Flbedadb.dll | C:\Windows\SysWOW64\Fnjhmida.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kihnpj32.exe | C:\Windows\SysWOW64\Kfiaco32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Cakiohmo.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cqhljhob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nplaiqdg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pohnbjdd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddonhf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jelihn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mlfcbc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pddmga32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgnafinp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Egpgiakg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gdijecgi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgiodlqh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eodbeo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hddiqaml.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nehjagbo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aokcngdo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogkcbn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdcolh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hacqofpk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbilhq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Opljpn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oidoidle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aiakammb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njnpck32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Emlllk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ifbblb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kiagokip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afnejb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acfoof32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofeqhl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddekah32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acgfil32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Egbdoaie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Faednh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngfqqa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojgbij32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aefbcogf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnadadld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cabfjmkc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkbpda32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gdmcpb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Infapela.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcbdgo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgplnmib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qqopml32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Joamef32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Leedejbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Baicdncn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hkqockbf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amjjml32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mpcenhpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ambgha32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Feochgff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fgpppo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mhmcgdim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfocelal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pplcglgb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngmgap32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkgbfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jlmgegjf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbghiocp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Plgdpo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjeojhbn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnopcb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eokhfn32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hbkgpe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ifbblb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Goqkhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hfompd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmfjcf.dll" | C:\Windows\SysWOW64\Hfdfkddo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Olehko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdigcf32.dll" | C:\Windows\SysWOW64\Pfbfod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qgfldf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddjemgal.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Nlbbna32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Olehko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmbheh32.dll" | C:\Windows\SysWOW64\Bjeago32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bgnafinp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndmkiod.dll" | C:\Windows\SysWOW64\Faonmibc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Klapqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnlapgnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjeno32.dll" | C:\Windows\SysWOW64\Eeokaiei.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kieajj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Plgdpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aqmlnjio.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gamjngfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hddiqaml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njnpck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcmgf32.dll" | C:\Windows\SysWOW64\Pqknlbmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ehdmodne.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjaqbn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Amhdab32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Nehjagbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhdmdld.dll" | C:\Windows\SysWOW64\Amhdab32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ambgha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhobfed.dll" | C:\Windows\SysWOW64\Phcopoib.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqfeclf.dll" | C:\Windows\SysWOW64\Ccjlfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gkpelm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Infapela.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Emlllk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kfbkbpjl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejlmniq.dll" | C:\Windows\SysWOW64\Nhiccb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cpklee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kpkple32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mopnaq32.dll" | C:\Windows\SysWOW64\Kbpbhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ocmjlpfa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pfgfdikg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkafloa.dll" | C:\Windows\SysWOW64\Chhdlhfe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfociegn.dll" | C:\Windows\SysWOW64\Eecdmi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Egdqdagb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ifdoaa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ocopgiac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lpfogcfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acdbifok.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pgplnmib.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aceidl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpjpg32.dll" | C:\Windows\SysWOW64\Ajoaqfjc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehfbi32.dll" | C:\Windows\SysWOW64\Fdmjidaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jelihn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jlmgegjf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aakfcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcopp32.dll" | C:\Windows\SysWOW64\Cfedbomi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eaekgjjn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhfqh32.dll" | C:\Windows\SysWOW64\Jpffqfdb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kbilhq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qhghkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mpjlngje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelidm32.dll" | C:\Windows\SysWOW64\Gamjngfc.exe | N/A |
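The two registry tables above describe one persistence mechanism: Explorer loads every CLSID listed under ShellServiceObjectDelayLoad in-process at logon, so a chain member registers "Web Event Logger" = {79FAA099-1BAE-816E-D711-115290CEE717} there and the rest of the chain keeps rewriting that CLSID's InProcServer32 default value to whichever DLL it has just dropped into SysWow64. Reading the rows one by one hides that join, so the following script (an added example, not part of the sandbox report) correlates the SSODL registration with the InProcServer32 rewrites and lists every DLL that Explorer would end up loading. The input is a constructed sample of rows copied from this report's tables; the `allowed_servers` allowlist is an assumption of the example, to be seeded from a clean baseline, since the report supplies none.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: rows copied from this report's registry tables (one
# ShellServiceObjectDelayLoad registration, two InProcServer32 rewrites, and
# two rows that must not match: a ThreadingModel write and a bare key creation).
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pjbkjb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndmkiod.dll" | C:\Windows\SysWOW64\Faonmibc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnlapgnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjeno32.dll" | C:\Windows\SysWOW64\Eeokaiei.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Klapqf32.exe | N/A |
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# '<name> = "{clsid}"' written under ShellServiceObjectDelayLoad
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^|=]+?) = "(?P<clsid>' + GUID + r')"')
# (Default) value of CLSID\{clsid}\InProcServer32 set to a DLL path
INPROC_RE = re.compile(r'\\CLSID\\(?P<clsid>' + GUID + r')\\InProcServer32\\ = "(?P<dll>[^"]+)"')


def parse_rows(text):
    """Split '| op | indicator | process | target |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        rows.append({"op": cells[0], "indicator": cells[1], "process": cells[2]})
    return rows


def correlate(rows):
    """Group by CLSID: which SSODL value names reference it, and which DLL
    paths were written to its InProcServer32 default value (with the writer)."""
    by_clsid = defaultdict(lambda: {"ssodl_names": set(), "dlls": []})
    for row in rows:
        m = SSODL_RE.search(row["indicator"])
        if m:
            by_clsid[m["clsid"].upper()]["ssodl_names"].add(m["name"].strip())
            continue
        m = INPROC_RE.search(row["indicator"])
        if m:
            # the report escapes backslashes inside string values; unescape them
            dll = m["dll"].replace("\\\\", "\\")
            by_clsid[m["clsid"].upper()]["dlls"].append((dll, row["process"]))
    return dict(by_clsid)


def find_hijacks(by_clsid, allowed_servers=frozenset()):
    """Flag every InProcServer32 rewrite of a CLSID that SSODL makes Explorer
    load at logon, unless the DLL basename is on the caller's allowlist.
    allowed_servers is an assumption of this example: seed it from a clean
    baseline of the target build; the report provides no such baseline."""
    allowed = {a.lower() for a in allowed_servers}
    findings = []
    for clsid, info in sorted(by_clsid.items()):
        if not info["ssodl_names"]:
            continue  # not referenced from SSODL: not an Explorer autostart
        for dll, writer in info["dlls"]:
            if ntpath.basename(dll).lower() in allowed:
                continue
            findings.append({
                "ssodl_name": ", ".join(sorted(info["ssodl_names"])),
                "clsid": clsid,
                "dll": dll,
                "writer": writer,
            })
    return findings


if __name__ == "__main__":
    for f in find_hijacks(correlate(parse_rows(SAMPLE_ROWS))):
        print(f"{f['ssodl_name']} -> {f['clsid']} -> {f['dll']} (written by {f['writer']})")
```

Run stand-alone, it prints one line per hijacked server, naming the DLL and the chain member that wrote it. On a live host the same join is made by reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and resolving each CLSID under HKLM\SOFTWARE\Classes\CLSID\{clsid}\InProcServer32; check both the native and the WOW6432Node views, because a 32-bit sample on 64-bit Windows, as here, is redirected into WOW6432Node, which is why every key in the report sits under that node.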
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | "C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe" |
| C:\Windows\SysWOW64\Lfckdcoe.exe | C:\Windows\system32\Lfckdcoe.exe |
| C:\Windows\SysWOW64\Libgpooi.exe | C:\Windows\system32\Libgpooi.exe |
| C:\Windows\SysWOW64\Lmppfm32.exe | C:\Windows\system32\Lmppfm32.exe |
| C:\Windows\SysWOW64\Ldjhcgll.exe | C:\Windows\system32\Ldjhcgll.exe |
| C:\Windows\SysWOW64\Lekekp32.exe | C:\Windows\system32\Lekekp32.exe |
| C:\Windows\SysWOW64\Lpqihhbp.exe | C:\Windows\system32\Lpqihhbp.exe |
| C:\Windows\SysWOW64\Memapppg.exe | C:\Windows\system32\Memapppg.exe |
| C:\Windows\SysWOW64\Mpcenhpn.exe | C:\Windows\system32\Mpcenhpn.exe |
| C:\Windows\SysWOW64\Mgmnjb32.exe | C:\Windows\system32\Mgmnjb32.exe |
| C:\Windows\SysWOW64\Mmgfgl32.exe | C:\Windows\system32\Mmgfgl32.exe |
| C:\Windows\SysWOW64\Mccooc32.exe | C:\Windows\system32\Mccooc32.exe |
| C:\Windows\SysWOW64\Mebkko32.exe | C:\Windows\system32\Mebkko32.exe |
| C:\Windows\SysWOW64\Mgageace.exe | C:\Windows\system32\Mgageace.exe |
| C:\Windows\SysWOW64\Mpjlngje.exe | C:\Windows\system32\Mpjlngje.exe |
| C:\Windows\SysWOW64\Mgddka32.exe | C:\Windows\system32\Mgddka32.exe |
| C:\Windows\SysWOW64\Mplhdghc.exe | C:\Windows\system32\Mplhdghc.exe |
| C:\Windows\SysWOW64\Ngfqqa32.exe | C:\Windows\system32\Ngfqqa32.exe |
| C:\Windows\SysWOW64\Nnpimkfl.exe | C:\Windows\system32\Nnpimkfl.exe |
| C:\Windows\SysWOW64\Ncmaeb32.exe | C:\Windows\system32\Ncmaeb32.exe |
| C:\Windows\SysWOW64\Nnbebk32.exe | C:\Windows\system32\Nnbebk32.exe |
| C:\Windows\SysWOW64\Ngkjlpkj.exe | C:\Windows\system32\Ngkjlpkj.exe |
| C:\Windows\SysWOW64\Njifhljn.exe | C:\Windows\system32\Njifhljn.exe |
| C:\Windows\SysWOW64\Ngmgap32.exe | C:\Windows\system32\Ngmgap32.exe |
| C:\Windows\SysWOW64\Njlcmk32.exe | C:\Windows\system32\Njlcmk32.exe |
| C:\Windows\SysWOW64\Npekjeph.exe | C:\Windows\system32\Npekjeph.exe |
| C:\Windows\SysWOW64\Njnpck32.exe | C:\Windows\system32\Njnpck32.exe |
| C:\Windows\SysWOW64\Ocfdlqmi.exe | C:\Windows\system32\Ocfdlqmi.exe |
| C:\Windows\SysWOW64\Ofeqhl32.exe | C:\Windows\system32\Ofeqhl32.exe |
| C:\Windows\SysWOW64\Ofgmml32.exe | C:\Windows\system32\Ofgmml32.exe |
| C:\Windows\SysWOW64\Ojbinjbc.exe | C:\Windows\system32\Ojbinjbc.exe |
| C:\Windows\SysWOW64\Odhmkcbi.exe | C:\Windows\system32\Odhmkcbi.exe |
| C:\Windows\SysWOW64\Onqbdihj.exe | C:\Windows\system32\Onqbdihj.exe |
| C:\Windows\SysWOW64\Ocmjlpfa.exe | C:\Windows\system32\Ocmjlpfa.exe |
| C:\Windows\SysWOW64\Ojgbij32.exe | C:\Windows\system32\Ojgbij32.exe |
| C:\Windows\SysWOW64\Oqakfdek.exe | C:\Windows\system32\Oqakfdek.exe |
| C:\Windows\SysWOW64\Ogkcbn32.exe | C:\Windows\system32\Ogkcbn32.exe |
| C:\Windows\SysWOW64\Onekoh32.exe | C:\Windows\system32\Onekoh32.exe |
| C:\Windows\SysWOW64\Pqcgkc32.exe | C:\Windows\system32\Pqcgkc32.exe |
| C:\Windows\SysWOW64\Pcbdgo32.exe | C:\Windows\system32\Pcbdgo32.exe |
| C:\Windows\SysWOW64\Pfqpcj32.exe | C:\Windows\system32\Pfqpcj32.exe |
| C:\Windows\SysWOW64\Pmjhpdil.exe | C:\Windows\system32\Pmjhpdil.exe |
| C:\Windows\SysWOW64\Pdapabjo.exe | C:\Windows\system32\Pdapabjo.exe |
| C:\Windows\SysWOW64\Pgplnmib.exe | C:\Windows\system32\Pgplnmib.exe |
| C:\Windows\SysWOW64\Pjnijihf.exe | C:\Windows\system32\Pjnijihf.exe |
| C:\Windows\SysWOW64\Pmmefd32.exe | C:\Windows\system32\Pmmefd32.exe |
| C:\Windows\SysWOW64\Pddmga32.exe | C:\Windows\system32\Pddmga32.exe |
| C:\Windows\SysWOW64\Pgbicm32.exe | C:\Windows\system32\Pgbicm32.exe |
| C:\Windows\SysWOW64\Pnlapgnl.exe | C:\Windows\system32\Pnlapgnl.exe |
| C:\Windows\SysWOW64\Pqknlbmp.exe | C:\Windows\system32\Pqknlbmp.exe |
| C:\Windows\SysWOW64\Pfgfdikg.exe | C:\Windows\system32\Pfgfdikg.exe |
| C:\Windows\SysWOW64\Pjcbeh32.exe | C:\Windows\system32\Pjcbeh32.exe |
| C:\Windows\SysWOW64\Pqmjab32.exe | C:\Windows\system32\Pqmjab32.exe |
| C:\Windows\SysWOW64\Pjeojhbn.exe | C:\Windows\system32\Pjeojhbn.exe |
| C:\Windows\SysWOW64\Qmdkfcaa.exe | C:\Windows\system32\Qmdkfcaa.exe |
| C:\Windows\SysWOW64\Qgiodlqh.exe | C:\Windows\system32\Qgiodlqh.exe |
| C:\Windows\SysWOW64\Qflpoi32.exe | C:\Windows\system32\Qflpoi32.exe |
| C:\Windows\SysWOW64\Qqadmagh.exe | C:\Windows\system32\Qqadmagh.exe |
| C:\Windows\SysWOW64\Amhdab32.exe | C:\Windows\system32\Amhdab32.exe |
| C:\Windows\SysWOW64\Aqdqbaee.exe | C:\Windows\system32\Aqdqbaee.exe |
| C:\Windows\SysWOW64\Aqfmhacc.exe | C:\Windows\system32\Aqfmhacc.exe |
| C:\Windows\SysWOW64\Aceidl32.exe | C:\Windows\system32\Aceidl32.exe |
| C:\Windows\SysWOW64\Ajoaqfjc.exe | C:\Windows\system32\Ajoaqfjc.exe |
| C:\Windows\SysWOW64\Acgfil32.exe | C:\Windows\system32\Acgfil32.exe |
| C:\Windows\SysWOW64\Aakfcp32.exe | C:\Windows\system32\Aakfcp32.exe |
| C:\Windows\SysWOW64\Aefbcogf.exe | C:\Windows\system32\Aefbcogf.exe |
| C:\Windows\SysWOW64\Ajcklf32.exe | C:\Windows\system32\Ajcklf32.exe |
| C:\Windows\SysWOW64\Ambgha32.exe | C:\Windows\system32\Ambgha32.exe |
| C:\Windows\SysWOW64\Bnadadld.exe | C:\Windows\system32\Bnadadld.exe |
| C:\Windows\SysWOW64\Bncqgd32.exe | C:\Windows\system32\Bncqgd32.exe |
| C:\Windows\SysWOW64\Bglepipb.exe | C:\Windows\system32\Bglepipb.exe |
| C:\Windows\SysWOW64\Bfoelf32.exe | C:\Windows\system32\Bfoelf32.exe |
| C:\Windows\SysWOW64\Bnfmmc32.exe | C:\Windows\system32\Bnfmmc32.exe |
| C:\Windows\SysWOW64\Bepeinol.exe | C:\Windows\system32\Bepeinol.exe |
| C:\Windows\SysWOW64\Bgnafinp.exe | C:\Windows\system32\Bgnafinp.exe |
| C:\Windows\SysWOW64\Bjmnbd32.exe | C:\Windows\system32\Bjmnbd32.exe |
| C:\Windows\SysWOW64\Bagfooep.exe | C:\Windows\system32\Bagfooep.exe |
| C:\Windows\SysWOW64\Bcebkjdd.exe | C:\Windows\system32\Bcebkjdd.exe |
| C:\Windows\SysWOW64\Bhqnki32.exe | C:\Windows\system32\Bhqnki32.exe |
| C:\Windows\SysWOW64\Bjokgd32.exe | C:\Windows\system32\Bjokgd32.exe |
| C:\Windows\SysWOW64\Baicdncn.exe | C:\Windows\system32\Baicdncn.exe |
| C:\Windows\SysWOW64\Bcgopjba.exe | C:\Windows\system32\Bcgopjba.exe |
| C:\Windows\SysWOW64\Cjagmd32.exe | C:\Windows\system32\Cjagmd32.exe |
| C:\Windows\SysWOW64\Ccjlfi32.exe | C:\Windows\system32\Ccjlfi32.exe |
| C:\Windows\SysWOW64\Cnopcb32.exe | C:\Windows\system32\Cnopcb32.exe |
| C:\Windows\SysWOW64\Chhdlhfe.exe | C:\Windows\system32\Chhdlhfe.exe |
| C:\Windows\SysWOW64\Cdoeaili.exe | C:\Windows\system32\Cdoeaili.exe |
| C:\Windows\SysWOW64\Cjhmnc32.exe | C:\Windows\system32\Cjhmnc32.exe |
| C:\Windows\SysWOW64\Cabfjmkc.exe | C:\Windows\system32\Cabfjmkc.exe |
| C:\Windows\SysWOW64\Caebpm32.exe | C:\Windows\system32\Caebpm32.exe |
| C:\Windows\SysWOW64\Cdcolh32.exe | C:\Windows\system32\Cdcolh32.exe |
| C:\Windows\SysWOW64\Dfakhc32.exe | C:\Windows\system32\Dfakhc32.exe |
| C:\Windows\SysWOW64\Dmlcennd.exe | C:\Windows\system32\Dmlcennd.exe |
| C:\Windows\SysWOW64\Ddekah32.exe | C:\Windows\system32\Ddekah32.exe |
| C:\Windows\SysWOW64\Dfdgnc32.exe | C:\Windows\system32\Dfdgnc32.exe |
| C:\Windows\SysWOW64\Dmnpjmla.exe | C:\Windows\system32\Dmnpjmla.exe |
| C:\Windows\SysWOW64\Dailkl32.exe | C:\Windows\system32\Dailkl32.exe |
| C:\Windows\SysWOW64\Ddhhggdo.exe | C:\Windows\system32\Ddhhggdo.exe |
| C:\Windows\SysWOW64\Dkbpda32.exe | C:\Windows\system32\Dkbpda32.exe |
| C:\Windows\SysWOW64\Dmpmpm32.exe | C:\Windows\system32\Dmpmpm32.exe |
| C:\Windows\SysWOW64\Ddjemgal.exe | C:\Windows\system32\Ddjemgal.exe |
| C:\Windows\SysWOW64\Dfiaibap.exe | C:\Windows\system32\Dfiaibap.exe |
| C:\Windows\SysWOW64\Dmbiem32.exe | C:\Windows\system32\Dmbiem32.exe |
| C:\Windows\SysWOW64\Dejafj32.exe | C:\Windows\system32\Dejafj32.exe |
| C:\Windows\SysWOW64\Dhhncehb.exe | C:\Windows\system32\Dhhncehb.exe |
| C:\Windows\SysWOW64\Dkfjoagf.exe | C:\Windows\system32\Dkfjoagf.exe |
| C:\Windows\SysWOW64\Dmefklfj.exe | C:\Windows\system32\Dmefklfj.exe |
| C:\Windows\SysWOW64\Ddonhf32.exe | C:\Windows\system32\Ddonhf32.exe |
| C:\Windows\SysWOW64\Egmjdb32.exe | C:\Windows\system32\Egmjdb32.exe |
| C:\Windows\SysWOW64\Eodbeo32.exe | C:\Windows\system32\Eodbeo32.exe |
| C:\Windows\SysWOW64\Eeokaiei.exe | C:\Windows\system32\Eeokaiei.exe |
| C:\Windows\SysWOW64\Egpgiakg.exe | C:\Windows\system32\Egpgiakg.exe |
| C:\Windows\SysWOW64\Eogokokj.exe | C:\Windows\system32\Eogokokj.exe |
| C:\Windows\SysWOW64\Eaekgjjn.exe | C:\Windows\system32\Eaekgjjn.exe |
| C:\Windows\SysWOW64\Edcgcfja.exe | C:\Windows\system32\Edcgcfja.exe |
| C:\Windows\SysWOW64\Egbdoaie.exe | C:\Windows\system32\Egbdoaie.exe |
| C:\Windows\SysWOW64\Emlllk32.exe | C:\Windows\system32\Emlllk32.exe |
| C:\Windows\SysWOW64\Eecdmi32.exe | C:\Windows\system32\Eecdmi32.exe |
| C:\Windows\SysWOW64\Egdqdagb.exe | C:\Windows\system32\Egdqdagb.exe |
| C:\Windows\SysWOW64\Eokhfn32.exe | C:\Windows\system32\Eokhfn32.exe |
| C:\Windows\SysWOW64\Eeeqbhoa.exe | C:\Windows\system32\Eeeqbhoa.exe |
| C:\Windows\SysWOW64\Ehdmodne.exe | C:\Windows\system32\Ehdmodne.exe |
| C:\Windows\SysWOW64\Eonekn32.exe | C:\Windows\system32\Eonekn32.exe |
| C:\Windows\SysWOW64\Eehnhhmo.exe | C:\Windows\system32\Eehnhhmo.exe |
| C:\Windows\SysWOW64\Fhfjdclb.exe | C:\Windows\system32\Fhfjdclb.exe |
| C:\Windows\SysWOW64\Fkdfpokf.exe | C:\Windows\system32\Fkdfpokf.exe |
| C:\Windows\SysWOW64\Faonmibc.exe | C:\Windows\system32\Faonmibc.exe |
| C:\Windows\SysWOW64\Fdmjidaf.exe | C:\Windows\system32\Fdmjidaf.exe |
| C:\Windows\SysWOW64\Fkgbfo32.exe | C:\Windows\system32\Fkgbfo32.exe |
| C:\Windows\SysWOW64\Faakbipp.exe | C:\Windows\system32\Faakbipp.exe |
| C:\Windows\SysWOW64\Fdogodpd.exe | C:\Windows\system32\Fdogodpd.exe |
| C:\Windows\SysWOW64\Fgnckpog.exe | C:\Windows\system32\Fgnckpog.exe |
| C:\Windows\SysWOW64\Fnhlgjfd.exe | C:\Windows\system32\Fnhlgjfd.exe |
| C:\Windows\SysWOW64\Feochgff.exe | C:\Windows\system32\Feochgff.exe |
| C:\Windows\SysWOW64\Fgpppo32.exe | C:\Windows\system32\Fgpppo32.exe |
| C:\Windows\SysWOW64\Fnjhmida.exe | C:\Windows\system32\Fnjhmida.exe |
| C:\Windows\SysWOW64\Faednh32.exe | C:\Windows\system32\Faednh32.exe |
| C:\Windows\SysWOW64\Fhpmjbch.exe | C:\Windows\system32\Fhpmjbch.exe |
| C:\Windows\SysWOW64\Foiegl32.exe | C:\Windows\system32\Foiegl32.exe |
| C:\Windows\SysWOW64\Gecmcf32.exe | C:\Windows\system32\Gecmcf32.exe |
| C:\Windows\SysWOW64\Gdfmocil.exe | C:\Windows\system32\Gdfmocil.exe |
| C:\Windows\SysWOW64\Gkpelm32.exe | C:\Windows\system32\Gkpelm32.exe |
| C:\Windows\SysWOW64\Gnoahi32.exe | C:\Windows\system32\Gnoahi32.exe |
| C:\Windows\SysWOW64\Gdijecgi.exe | C:\Windows\system32\Gdijecgi.exe |
| C:\Windows\SysWOW64\Gkbbam32.exe | C:\Windows\system32\Gkbbam32.exe |
| C:\Windows\SysWOW64\Gamjngfc.exe | C:\Windows\system32\Gamjngfc.exe |
| C:\Windows\SysWOW64\Gehfofol.exe | C:\Windows\system32\Gehfofol.exe |
| C:\Windows\SysWOW64\Ghfbkanp.exe | C:\Windows\system32\Ghfbkanp.exe |
| C:\Windows\SysWOW64\Goqkhk32.exe | C:\Windows\system32\Goqkhk32.exe |
| C:\Windows\SysWOW64\Gdmcpb32.exe | C:\Windows\system32\Gdmcpb32.exe |
| C:\Windows\SysWOW64\Ghioqqlm.exe | C:\Windows\system32\Ghioqqlm.exe |
| C:\Windows\SysWOW64\Gochmk32.exe | C:\Windows\system32\Gochmk32.exe |
| C:\Windows\SysWOW64\Gaadif32.exe | C:\Windows\system32\Gaadif32.exe |
| C:\Windows\SysWOW64\Gdppeb32.exe | C:\Windows\system32\Gdppeb32.exe |
| C:\Windows\SysWOW64\Goedbkag.exe | C:\Windows\system32\Goedbkag.exe |
| C:\Windows\SysWOW64\Hacqofpk.exe | C:\Windows\system32\Hacqofpk.exe |
| C:\Windows\SysWOW64\Hfompd32.exe | C:\Windows\system32\Hfompd32.exe |
| C:\Windows\SysWOW64\Hgqigmnb.exe | C:\Windows\system32\Hgqigmnb.exe |
| C:\Windows\SysWOW64\Hnjadg32.exe | C:\Windows\system32\Hnjadg32.exe |
| C:\Windows\SysWOW64\Hddiqaml.exe | C:\Windows\system32\Hddiqaml.exe |
| C:\Windows\SysWOW64\Hgcfmm32.exe | C:\Windows\system32\Hgcfmm32.exe |
| C:\Windows\SysWOW64\Hojnnj32.exe | C:\Windows\system32\Hojnnj32.exe |
| C:\Windows\SysWOW64\Hfdfkddo.exe | C:\Windows\system32\Hfdfkddo.exe |
| C:\Windows\SysWOW64\Hkqockbf.exe | C:\Windows\system32\Hkqockbf.exe |
| C:\Windows\SysWOW64\Hbkgpe32.exe | C:\Windows\system32\Hbkgpe32.exe |
| C:\Windows\SysWOW64\Hdiclq32.exe | C:\Windows\system32\Hdiclq32.exe |
| C:\Windows\SysWOW64\Hkckhk32.exe | C:\Windows\system32\Hkckhk32.exe |
| C:\Windows\SysWOW64\Hnagdf32.exe | C:\Windows\system32\Hnagdf32.exe |
| C:\Windows\SysWOW64\Hdkpapgd.exe | C:\Windows\system32\Hdkpapgd.exe |
| C:\Windows\SysWOW64\Hkehnj32.exe | C:\Windows\system32\Hkehnj32.exe |
| C:\Windows\SysWOW64\Inddje32.exe | C:\Windows\system32\Inddje32.exe |
| C:\Windows\SysWOW64\Ifklkc32.exe | C:\Windows\system32\Ifklkc32.exe |
| C:\Windows\SysWOW64\Iglhckde.exe | C:\Windows\system32\Iglhckde.exe |
| C:\Windows\SysWOW64\Infapela.exe | C:\Windows\system32\Infapela.exe |
| C:\Windows\SysWOW64\Ifmiqbld.exe | C:\Windows\system32\Ifmiqbld.exe |
| C:\Windows\SysWOW64\Ikjaiijk.exe | C:\Windows\system32\Ikjaiijk.exe |
| C:\Windows\SysWOW64\Inhneeio.exe | C:\Windows\system32\Inhneeio.exe |
| C:\Windows\SysWOW64\Ifpefbja.exe | C:\Windows\system32\Ifpefbja.exe |
| C:\Windows\SysWOW64\Igabnk32.exe | C:\Windows\system32\Igabnk32.exe |
| C:\Windows\SysWOW64\Iohjoh32.exe | C:\Windows\system32\Iohjoh32.exe |
| C:\Windows\SysWOW64\Ifbblb32.exe | C:\Windows\system32\Ifbblb32.exe |
| C:\Windows\SysWOW64\Ieebgooi.exe | C:\Windows\system32\Ieebgooi.exe |
| C:\Windows\SysWOW64\Iojgegoo.exe | C:\Windows\system32\Iojgegoo.exe |
| C:\Windows\SysWOW64\Ifdoaa32.exe | C:\Windows\system32\Ifdoaa32.exe |
| C:\Windows\SysWOW64\Iegomnmf.exe | C:\Windows\system32\Iegomnmf.exe |
| C:\Windows\SysWOW64\Ikagjh32.exe | C:\Windows\system32\Ikagjh32.exe |
| C:\Windows\SysWOW64\Jbkpfb32.exe | C:\Windows\system32\Jbkpfb32.exe |
| C:\Windows\SysWOW64\Jeilbn32.exe | C:\Windows\system32\Jeilbn32.exe |
| C:\Windows\SysWOW64\Jkcdohbq.exe | C:\Windows\system32\Jkcdohbq.exe |
| C:\Windows\SysWOW64\Jooppg32.exe | C:\Windows\system32\Jooppg32.exe |
| C:\Windows\SysWOW64\Jelihn32.exe | C:\Windows\system32\Jelihn32.exe |
| C:\Windows\SysWOW64\Jkfaehpn.exe | C:\Windows\system32\Jkfaehpn.exe |
| C:\Windows\SysWOW64\Joamef32.exe | C:\Windows\system32\Joamef32.exe |
| C:\Windows\SysWOW64\Jbpiab32.exe | C:\Windows\system32\Jbpiab32.exe |
| C:\Windows\SysWOW64\Jgmajifb.exe | C:\Windows\system32\Jgmajifb.exe |
| C:\Windows\SysWOW64\Jpdikffd.exe | C:\Windows\system32\Jpdikffd.exe |
| C:\Windows\SysWOW64\Jfnbgp32.exe | C:\Windows\system32\Jfnbgp32.exe |
| C:\Windows\SysWOW64\Jilndl32.exe | C:\Windows\system32\Jilndl32.exe |
| C:\Windows\SysWOW64\Jpffqfdb.exe | C:\Windows\system32\Jpffqfdb.exe |
| C:\Windows\SysWOW64\Jfpomp32.exe | C:\Windows\system32\Jfpomp32.exe |
| C:\Windows\SysWOW64\Jinkikkb.exe | C:\Windows\system32\Jinkikkb.exe |
| C:\Windows\SysWOW64\Jlmgegjf.exe | C:\Windows\system32\Jlmgegjf.exe |
| C:\Windows\SysWOW64\Kbgoba32.exe | C:\Windows\system32\Kbgoba32.exe |
| C:\Windows\SysWOW64\Kfbkbpjl.exe | C:\Windows\system32\Kfbkbpjl.exe |
| C:\Windows\SysWOW64\Kiagokip.exe | C:\Windows\system32\Kiagokip.exe |
| C:\Windows\SysWOW64\Kpkple32.exe | C:\Windows\system32\Kpkple32.exe |
| C:\Windows\SysWOW64\Kbilhq32.exe | C:\Windows\system32\Kbilhq32.exe |
| C:\Windows\SysWOW64\Kicddk32.exe | C:\Windows\system32\Kicddk32.exe |
| C:\Windows\SysWOW64\Klapqf32.exe | C:\Windows\system32\Klapqf32.exe |
| C:\Windows\SysWOW64\Kbkimpnn.exe | C:\Windows\system32\Kbkimpnn.exe |
| C:\Windows\SysWOW64\Kieajj32.exe | C:\Windows\system32\Kieajj32.exe |
| C:\Windows\SysWOW64\Kppigdlg.exe | C:\Windows\system32\Kppigdlg.exe |
| C:\Windows\SysWOW64\Kfiaco32.exe | C:\Windows\system32\Kfiaco32.exe |
| C:\Windows\SysWOW64\Kihnpj32.exe | C:\Windows\system32\Kihnpj32.exe |
| C:\Windows\SysWOW64\Klfjlebk.exe | C:\Windows\system32\Klfjlebk.exe |
| C:\Windows\SysWOW64\Kbpbhp32.exe | C:\Windows\system32\Kbpbhp32.exe |
| C:\Windows\SysWOW64\Keondk32.exe | C:\Windows\system32\Keondk32.exe |
| C:\Windows\SysWOW64\Llhfaepi.exe | C:\Windows\system32\Llhfaepi.exe |
| C:\Windows\SysWOW64\Lngcmqol.exe | C:\Windows\system32\Lngcmqol.exe |
| C:\Windows\SysWOW64\Leakjk32.exe | C:\Windows\system32\Leakjk32.exe |
| C:\Windows\SysWOW64\Lhogff32.exe | C:\Windows\system32\Lhogff32.exe |
| C:\Windows\SysWOW64\Lpfogcfo.exe | C:\Windows\system32\Lpfogcfo.exe |
| C:\Windows\SysWOW64\Lechpjdf.exe | C:\Windows\system32\Lechpjdf.exe |
| C:\Windows\SysWOW64\Liocpi32.exe | C:\Windows\system32\Liocpi32.exe |
| C:\Windows\SysWOW64\Lpilmcdl.exe | C:\Windows\system32\Lpilmcdl.exe |
| C:\Windows\SysWOW64\Lbghiocp.exe | C:\Windows\system32\Lbghiocp.exe |
| C:\Windows\SysWOW64\Lfcdjm32.exe | C:\Windows\system32\Lfcdjm32.exe |
| C:\Windows\SysWOW64\Leedejbd.exe | C:\Windows\system32\Leedejbd.exe |
| C:\Windows\SysWOW64\Lhdqaeag.exe | C:\Windows\system32\Lhdqaeag.exe |
| C:\Windows\SysWOW64\Lpkibcbj.exe | C:\Windows\system32\Lpkibcbj.exe |
| C:\Windows\SysWOW64\Loninpid.exe | C:\Windows\system32\Loninpid.exe |
| C:\Windows\SysWOW64\Lfeaomjf.exe | C:\Windows\system32\Lfeaomjf.exe |
| C:\Windows\SysWOW64\Licmkhij.exe | C:\Windows\system32\Licmkhij.exe |
| C:\Windows\SysWOW64\Llbigdhn.exe | C:\Windows\system32\Llbigdhn.exe |
| C:\Windows\SysWOW64\Lejnpi32.exe | C:\Windows\system32\Lejnpi32.exe |
| C:\Windows\SysWOW64\Mbnnjnmh.exe | C:\Windows\system32\Mbnnjnmh.exe |
| C:\Windows\SysWOW64\Mlfcbc32.exe | C:\Windows\system32\Mlfcbc32.exe |
| C:\Windows\SysWOW64\Mhmcgdim.exe | C:\Windows\system32\Mhmcgdim.exe |
| C:\Windows\SysWOW64\Mpdkiajo.exe | C:\Windows\system32\Mpdkiajo.exe |
| C:\Windows\SysWOW64\Mfocelal.exe | C:\Windows\system32\Mfocelal.exe |
| C:\Windows\SysWOW64\Mimpagqp.exe | C:\Windows\system32\Mimpagqp.exe |
| C:\Windows\SysWOW64\Mlklnbpc.exe | C:\Windows\system32\Mlklnbpc.exe |
| C:\Windows\SysWOW64\Mecqfh32.exe | C:\Windows\system32\Mecqfh32.exe |
| C:\Windows\SysWOW64\Mhbmbc32.exe | C:\Windows\system32\Mhbmbc32.exe |
| C:\Windows\SysWOW64\Mpieda32.exe | C:\Windows\system32\Mpieda32.exe |
| C:\Windows\SysWOW64\Mfcmqknf.exe | C:\Windows\system32\Mfcmqknf.exe |
| C:\Windows\SysWOW64\Nhdjhcce.exe | C:\Windows\system32\Nhdjhcce.exe |
| C:\Windows\SysWOW64\Nplaiqdg.exe | C:\Windows\system32\Nplaiqdg.exe |
| C:\Windows\SysWOW64\Nehjagbo.exe | C:\Windows\system32\Nehjagbo.exe |
| C:\Windows\SysWOW64\Nlbbna32.exe | C:\Windows\system32\Nlbbna32.exe |
| C:\Windows\SysWOW64\Npnnopbd.exe | C:\Windows\system32\Npnnopbd.exe |
| C:\Windows\SysWOW64\Nghflj32.exe | C:\Windows\system32\Nghflj32.exe |
| C:\Windows\SysWOW64\Nhiccb32.exe | C:\Windows\system32\Nhiccb32.exe |
| C:\Windows\SysWOW64\Nppkdp32.exe | C:\Windows\system32\Nppkdp32.exe |
| C:\Windows\SysWOW64\Nemcmg32.exe | C:\Windows\system32\Nemcmg32.exe |
| C:\Windows\SysWOW64\Nlgliaef.exe | C:\Windows\system32\Nlgliaef.exe |
| C:\Windows\SysWOW64\Ncadfk32.exe | C:\Windows\system32\Ncadfk32.exe |
| C:\Windows\SysWOW64\Neopbf32.exe | C:\Windows\system32\Neopbf32.exe |
| C:\Windows\SysWOW64\Nlihoq32.exe | C:\Windows\system32\Nlihoq32.exe |
| C:\Windows\SysWOW64\Nohdkl32.exe | C:\Windows\system32\Nohdkl32.exe |
| C:\Windows\SysWOW64\Neamhfjd.exe | C:\Windows\system32\Neamhfjd.exe |
| C:\Windows\SysWOW64\Ohpidaig.exe | C:\Windows\system32\Ohpidaig.exe |
| C:\Windows\SysWOW64\Ocfmajin.exe | C:\Windows\system32\Ocfmajin.exe |
| C:\Windows\SysWOW64\Ogaiai32.exe | C:\Windows\system32\Ogaiai32.exe |
| C:\Windows\SysWOW64\Oipend32.exe | C:\Windows\system32\Oipend32.exe |
| C:\Windows\SysWOW64\Opjnko32.exe | C:\Windows\system32\Opjnko32.exe |
| C:\Windows\SysWOW64\Ochjgj32.exe | C:\Windows\system32\Ochjgj32.exe |
| C:\Windows\SysWOW64\Oibbcdnh.exe | C:\Windows\system32\Oibbcdnh.exe |
| C:\Windows\SysWOW64\Opljpn32.exe | C:\Windows\system32\Opljpn32.exe |
| C:\Windows\SysWOW64\Ogfcmhma.exe | C:\Windows\system32\Ogfcmhma.exe |
| C:\Windows\SysWOW64\Oidoidle.exe | C:\Windows\system32\Oidoidle.exe |
| C:\Windows\SysWOW64\Olbkeoki.exe | C:\Windows\system32\Olbkeoki.exe |
| C:\Windows\SysWOW64\Oghpbh32.exe | C:\Windows\system32\Oghpbh32.exe |
| C:\Windows\SysWOW64\Ojgloc32.exe | C:\Windows\system32\Ojgloc32.exe |
| C:\Windows\SysWOW64\Olehko32.exe | C:\Windows\system32\Olehko32.exe |
| C:\Windows\SysWOW64\Ocopgiac.exe | C:\Windows\system32\Ocopgiac.exe |
| C:\Windows\SysWOW64\Pemlcdpf.exe | C:\Windows\system32\Pemlcdpf.exe |
| C:\Windows\SysWOW64\Plgdpo32.exe | C:\Windows\system32\Plgdpo32.exe |
| C:\Windows\SysWOW64\Pofalj32.exe | C:\Windows\system32\Pofalj32.exe |
| C:\Windows\SysWOW64\Pgminggi.exe | C:\Windows\system32\Pgminggi.exe |
| C:\Windows\SysWOW64\Pljafneq.exe | C:\Windows\system32\Pljafneq.exe |
| C:\Windows\SysWOW64\Pohnbjdd.exe | C:\Windows\system32\Pohnbjdd.exe |
| C:\Windows\SysWOW64\Pgoecgef.exe | C:\Windows\system32\Pgoecgef.exe |
| C:\Windows\SysWOW64\Pfbfod32.exe | C:\Windows\system32\Pfbfod32.exe |
| C:\Windows\SysWOW64\Phqbko32.exe | C:\Windows\system32\Phqbko32.exe |
| C:\Windows\SysWOW64\Pgabig32.exe | C:\Windows\system32\Pgabig32.exe |
| C:\Windows\SysWOW64\Phcopoib.exe | C:\Windows\system32\Phcopoib.exe |
| C:\Windows\SysWOW64\Plnkan32.exe | C:\Windows\system32\Plnkan32.exe |
| C:\Windows\SysWOW64\Pgdonf32.exe | C:\Windows\system32\Pgdonf32.exe |
| C:\Windows\SysWOW64\Pjbkjb32.exe | C:\Windows\system32\Pjbkjb32.exe |
| C:\Windows\SysWOW64\Pplcglgb.exe | C:\Windows\system32\Pplcglgb.exe |
| C:\Windows\SysWOW64\Qgfldf32.exe | C:\Windows\system32\Qgfldf32.exe |
| C:\Windows\SysWOW64\Qhghkn32.exe | C:\Windows\system32\Qhghkn32.exe |
| C:\Windows\SysWOW64\Qqopml32.exe | C:\Windows\system32\Qqopml32.exe |
| C:\Windows\SysWOW64\Qcmlig32.exe | C:\Windows\system32\Qcmlig32.exe |
| C:\Windows\SysWOW64\Qjgdealp.exe | C:\Windows\system32\Qjgdealp.exe |
| C:\Windows\SysWOW64\Qleaamkc.exe | C:\Windows\system32\Qleaamkc.exe |
| C:\Windows\SysWOW64\Qodmnhjg.exe | C:\Windows\system32\Qodmnhjg.exe |
| C:\Windows\SysWOW64\Afnejb32.exe | C:\Windows\system32\Afnejb32.exe |
| C:\Windows\SysWOW64\Ahlafnag.exe | C:\Windows\system32\Ahlafnag.exe |
| C:\Windows\SysWOW64\Aofjch32.exe | C:\Windows\system32\Aofjch32.exe |
| C:\Windows\SysWOW64\Agmbde32.exe | C:\Windows\system32\Agmbde32.exe |
| C:\Windows\SysWOW64\Ahonlmoe.exe | C:\Windows\system32\Ahonlmoe.exe |
| C:\Windows\SysWOW64\Amjjml32.exe | C:\Windows\system32\Amjjml32.exe |
| C:\Windows\SysWOW64\Acdbifok.exe | C:\Windows\system32\Acdbifok.exe |
| C:\Windows\SysWOW64\Agpoje32.exe | C:\Windows\system32\Agpoje32.exe |
| C:\Windows\SysWOW64\Ajnkfp32.exe | C:\Windows\system32\Ajnkfp32.exe |
| C:\Windows\SysWOW64\Aiakammb.exe | C:\Windows\system32\Aiakammb.exe |
| C:\Windows\SysWOW64\Ammgblek.exe | C:\Windows\system32\Ammgblek.exe |
| C:\Windows\SysWOW64\Aokcngdo.exe | C:\Windows\system32\Aokcngdo.exe |
| C:\Windows\SysWOW64\Acfoof32.exe | C:\Windows\system32\Acfoof32.exe |
| C:\Windows\SysWOW64\Afekka32.exe | C:\Windows\system32\Afekka32.exe |
| C:\Windows\SysWOW64\Aichgm32.exe | C:\Windows\system32\Aichgm32.exe |
| C:\Windows\SysWOW64\Aqjphj32.exe | C:\Windows\system32\Aqjphj32.exe |
| C:\Windows\SysWOW64\Aompdgbl.exe | C:\Windows\system32\Aompdgbl.exe |
| C:\Windows\SysWOW64\Agdhedco.exe | C:\Windows\system32\Agdhedco.exe |
| C:\Windows\SysWOW64\Afghqa32.exe | C:\Windows\system32\Afghqa32.exe |
| C:\Windows\SysWOW64\Aqmlnjio.exe | C:\Windows\system32\Aqmlnjio.exe |
| C:\Windows\SysWOW64\Bckijehc.exe | C:\Windows\system32\Bckijehc.exe |
| C:\Windows\SysWOW64\Bggdkd32.exe | C:\Windows\system32\Bggdkd32.exe |
| C:\Windows\SysWOW64\Bjeago32.exe | C:\Windows\system32\Bjeago32.exe |
| C:\Windows\SysWOW64\Bmcmck32.exe | C:\Windows\system32\Bmcmck32.exe |
| C:\Windows\SysWOW64\Bobiof32.exe | C:\Windows\system32\Bobiof32.exe |
| C:\Windows\SysWOW64\Bmfjhj32.exe | C:\Windows\system32\Bmfjhj32.exe |
| C:\Windows\SysWOW64\Bjjjbolj.exe | C:\Windows\system32\Bjjjbolj.exe |
| C:\Windows\SysWOW64\Bjlggnjh.exe | C:\Windows\system32\Bjlggnjh.exe |
| C:\Windows\SysWOW64\Bcdkpdph.exe | C:\Windows\system32\Bcdkpdph.exe |
| C:\Windows\SysWOW64\Bfchlopl.exe | C:\Windows\system32\Bfchlopl.exe |
| C:\Windows\SysWOW64\Biadhkop.exe | C:\Windows\system32\Biadhkop.exe |
| C:\Windows\SysWOW64\Cqhljhob.exe | C:\Windows\system32\Cqhljhob.exe |
| C:\Windows\SysWOW64\Cpklee32.exe | C:\Windows\system32\Cpklee32.exe |
| C:\Windows\SysWOW64\Cfedbomi.exe | C:\Windows\system32\Cfedbomi.exe |
| C:\Windows\SysWOW64\Cjaqbn32.exe | C:\Windows\system32\Cjaqbn32.exe |
| C:\Windows\SysWOW64\Cakiohmo.exe | C:\Windows\system32\Cakiohmo.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7384 -ip 7384 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 236 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/1132-0-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Lfckdcoe.exe
| MD5 | 5f107309a7a29d2a76521a52c7e09620 |
| SHA1 | 46e36331b28d66da3eeb4cecc472cff7c6cccdb5 |
| SHA256 | 3afa3075e56e7615791b896b7a19a9b3d870bff7ac8d285a88ca07e233bfa508 |
| SHA512 | 06b11001b0019b70b727d5dbe9f636a685bda394056b91a4f1c3e8a944c0d718bf57123fe18282853936ca6388a1d79581789ee1a1246a8f3c8249bea6f8e76c |
memory/1648-8-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Libgpooi.exe
| MD5 | 82fc5778e40a8031097a7fb246ce742c |
| SHA1 | f4080fc1e2e81eb1aa4098125f354ecd25d13b48 |
| SHA256 | 1e28f64b3daac486188ed8118cd086877ab3d1dd541f9df111001031d0b89d53 |
| SHA512 | 8aafb6172ccca1f587d49664f44d17ea5339dd7b52022fc7a80f88429120a14f359bf9b3ad98344263680bfc786c35a6de1e08aefc9fcc87291cf7189d10b9e2 |
memory/632-15-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Lmppfm32.exe
| MD5 | 252f1daf9d0362af0362539a17d3d205 |
| SHA1 | 62dfb8273639843343aa36f7f23d06735d7045dc |
| SHA256 | 5dfa8f5db21488d700420a3ecee81e57d93b09d083414b191fb4d915c71d25bd |
| SHA512 | 02476a9d2ffdb5b246aad478515198d71802f5d5065cd9aeb5d93d2aead7c76671940dcaf84b9a2d32a554e81281d9fa5b9fd9c21168c499ccf4d797fa17bb53 |
memory/2540-23-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4352-32-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ldjhcgll.exe
| MD5 | aa074b4d6f38e2638f5a6cd07576cec2 |
| SHA1 | 2c1f88b850070b21dfe2d701544d28fdaa4c195d |
| SHA256 | cdecd4209bc316d973da0ecd31b81dddf19a9d2b70b107ce23e78492b2cd0d74 |
| SHA512 | d4dd09486a64a7c297bb1be3ea8159a569f3322fc63b85e9ed6f62700620b8133d2094f29aca226fc3d53ed7c19d742ec8fd2d07fb5717499a12a4a38b01ad6c |
C:\Windows\SysWOW64\Hqmfgcnl.dll
| MD5 | 17982ff51b17be332b6adb02e6922d7e |
| SHA1 | 321283706bbb990deae16fad9854903b13a75335 |
| SHA256 | 51ba4abd3051e0711e4b3c1a08a103fb44541c1dc8ae2e080f5c1b3d1bd2d286 |
| SHA512 | b4a7b75dcc849422baa39577e5478ae3e0b604e8834a1bef1ad8a6d81bf9f41f6fa7db0973835f2a9bf857b30ec7ecdea2bb4da4c84ee06d04fedd70325237ce |
C:\Windows\SysWOW64\Lekekp32.exe
| MD5 | 6976bb9179b6d517a40b643120c424f1 |
| SHA1 | cc50040d12db1f9eceaa1b02bf87c0456c7db38f |
| SHA256 | 6445c6b6f720d8efe9f1760a16b7869f13239d9066a9e42db81b14a701c5f047 |
| SHA512 | b7c4b3b90cec5b2a6473379db92fcc8224abaa275aff39a7a73ee0403353871153282100d01eb6429abc3cf0c9cba7d2d3a7cf2e1f4f995f22f24ad3922ad35c |
memory/4872-39-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Lpqihhbp.exe
| MD5 | 48dfb0b8c26a5f42c61231ffd59779bd |
| SHA1 | 4d786cd653ae3daa9e91225e5c06cd3396034415 |
| SHA256 | 730f5146a759fb39c59de00603408bf798f00d5ad88a7946cf02a1ef98bf651e |
| SHA512 | adaf27d1f22f421cff1e7a465339fe4e4c9bc7160f6d0c3affb69835e3874a5b718f5971c843e9aa3e8ea6b28d46c70d1f8ebab467074b154d60750cc9e74eb5 |
memory/4164-47-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Memapppg.exe
| MD5 | bcb8e0bd058eda40845cedb0713c8c76 |
| SHA1 | 571ec20a65af43a3bcc1203cdee20483e1523245 |
| SHA256 | 216d192a95017ab9056a413b468bdcdd5128bffde9e3bfab28205f753f3e2cd6 |
| SHA512 | a83397f874b5d2730ed3c40a1ebe5e96e7f754e7638114ea70be78bd9540ac2c240eeb7c5bcbb009ebf016b716c1a4abf7b2c6ff9a38c8fe3493702ef9ff4f91 |
memory/1368-56-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mpcenhpn.exe
| MD5 | 7bfdc8937a958e0f021980823335cd2c |
| SHA1 | 62b846abe537fb8b8d0a20a42f83dca4f17516d5 |
| SHA256 | a5d364b5ecc3ab13b0f2f7fe2429fb93e1d22a89d35d8b7d2eb893dcd4725731 |
| SHA512 | 50c1c9b6805ebe147f78d59596094d033f9c93ff8049fdf702d6d716c12ec7d639b68441cc8c3a6f69ae0a7c758c7333d10ad449c46f785579599bf56d5bdc68 |
memory/940-63-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mgmnjb32.exe
| MD5 | 3ab111e8457ea3b904098831abdb227e |
| SHA1 | 6b5250ce1ff2e5aa2127206af34d860f359c07f1 |
| SHA256 | 9b21f92e90f743c78ea9b2f4740d899529fcf2b3421758f668a5afc1c99a8969 |
| SHA512 | 899e77c55eba2ea14ed78b94231b65da88b88afaa6d51e91d409be3f707ebd1dd015cf42c92011c7461c17e5e108aea11cbcf0379c8d4587949e1cb84887bfbe |
memory/3492-72-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mmgfgl32.exe
| MD5 | 13bf5cb51411a62ad9fcde530c4dfa1b |
| SHA1 | 9f7998f3b318c55962787d88694f303065934b75 |
| SHA256 | 3b390cc78daacfcb4179104040e499606622b98857ff925f0a1e6edc66ad6d3c |
| SHA512 | 63914519de3fe12583f796b835d36a3b3c28ac20b8e081df6435cbd997d9810f94e3cc3b68556de404371c7b9ee509912f92cba9296211cbf6deb4cdf4a74063 |
memory/2760-79-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mccooc32.exe
| MD5 | 6683875490e7383c024fc7341e6d1e65 |
| SHA1 | 5d09c2b4bae0120e2c8b85802517bf55df503817 |
| SHA256 | 5402e931a993b5f1f600f510ad5f39a0ce9d688b344ed4a057b7fbb6890a7abc |
| SHA512 | 6d8e85df9d650c9b9948c6d99b5ce5731fb0f4241d249dc378853a0c0d461c81031167a500b97332dab54d49bf613e82d2d9a135736e29c9b3b8c67695d0856d |
memory/224-88-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mebkko32.exe
| MD5 | c2d163a0f7ecd63fc702e71a30f10614 |
| SHA1 | 433181fed5c56132ecde4e17cc5e5504f37b65c9 |
| SHA256 | 83999fd3eeb68ec8c501108bdcdf19a5f127bc9a45c78f5144e9994a8c74d02a |
| SHA512 | 43fabab2f7c3a624130302623b110f5d365b174f9ac226d1b5d63533f8d05d3d83f69e8c6a6869eb04c4dcc33a7db97480b7837084cf48ae81ef48e52508f0cb |
memory/3152-96-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mgageace.exe
| MD5 | a79a0e348f3eff5cb8e901d00ba8e0e1 |
| SHA1 | ef068f1c2e8f30725b0a3f48b7f4998f856c6337 |
| SHA256 | 4f0821787faa38d7204d8a21e42e1bd2c67f1340d7475e6b47d1722e2522f2e4 |
| SHA512 | f249dd402689c8f86a087795b4d49727c0e36e1c77de630d63a9cecf9d36f3929de37e19ae7b65848ace55fe12e991132fa841b5bf1526be0123045ed3485284 |
memory/5104-104-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mpjlngje.exe
| MD5 | 2e209cea577b2219dc09d10bc4ff5e71 |
| SHA1 | 2da478f75de1554a0ba8801ca15dca62e3daeb3a |
| SHA256 | d66f5da72b239c037549b82f7faa62c8a4972aba1707bb5ad53012e9cb54d75a |
| SHA512 | 7b5b66a413772fe28c7ea00fa206d0e531a74c768eeb2b01c7e3197e9b749b9c6e0e08a1d1c25d8b46224058c1cf2616ba422acba0cd59a9487c4d0dbefdb4df |
memory/1684-111-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mgddka32.exe
| MD5 | ffa0324ffb6cf3291b44869dac5a4b68 |
| SHA1 | 386e9a60b24d9994ca13a8fd6334fe2694157dac |
| SHA256 | 97513d9ef2ef6c77193adec38b1e4b475cb756aae1515d430816386ae6d0e5b0 |
| SHA512 | 6e2c912eb480f20554f407f6e109714104562a49f4f4ec64d56c98b0116c7e33cfac1928a015545b554ce5cfd565e955673546cf30ac1bc230424870095f5258 |
memory/4240-119-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mplhdghc.exe
| MD5 | cfd37e272d73c646e19512c00c3c0c81 |
| SHA1 | 4497a19b921fa528c0c0d3bef44931f2bc1ce8f7 |
| SHA256 | 64cc37afc808a2f57383f5dadbff45f7164aab66a7ba74d8fbab80e3674f977d |
| SHA512 | 33b649ad1787ac6436ec425629c89d1c5d7de6f509f9e6e0e3a901643a6a0fc47182d16badd19de485e9a4170cae855725303e7bf42f5064f68e6764019d838c |
memory/1504-127-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ngfqqa32.exe
| MD5 | 55033e588cb6eef7920a3475cd0e0d60 |
| SHA1 | 9f8f4620c9a31b9b7bdd6cd977fa4299e5280426 |
| SHA256 | 62ca0ec081894e4f856d4b988cbf1e03b1418372bcdab90fcc936135b757510b |
| SHA512 | abdc20c0294fb31ca20159207463bd9691bc604dd4f51dd67a4a3ec580a4c8025dcddfb675422df7aaf91beea617d94220420b81986029eecf939c398a8edcf0 |
memory/1620-135-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3104-144-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Nnpimkfl.exe
| MD5 | a3f79eda3ae07aff28ed4778dc5eb597 |
| SHA1 | 7050965a869cc784aa8c342a2e6e75270a32d63d |
| SHA256 | 9385406e2e87a8edff879e90c7738945aebcbb79196d282347fc185bc5e5aaf1 |
| SHA512 | 7641208086818884ccc5b795a3e702acd423a20e89b94be52d934935cd1e5de0e4bc78e5ed97da505df408541af8b4b765e727008d1732d7565bbc0f828b5fc5 |
C:\Windows\SysWOW64\Ncmaeb32.exe
| MD5 | 76ed6afcc067c919b285a43486f7f040 |
| SHA1 | e751937f9b330069b13a542cd93a9508a9235af0 |
| SHA256 | 4b1607823262a4717cd51e24432ccccfc3236be5aaa67dbb78354bb5aa880a40 |
| SHA512 | 1ecb37421a2ba5284a40e477b60f79f0b7cda9db9bd31820fa9b30fb4cf34c9d297bb24924796e807f09cfe73655feb5fc6c322b44bb11962e19e7fab9b3b2d8 |
memory/1292-152-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Nnbebk32.exe
| MD5 | 32b701aeca3081a796510b6bb9cf3dc3 |
| SHA1 | 8960a7f0d2bd84147328e172769f8f972890ac2f |
| SHA256 | 954b9e22db1a5b7d2699f2e6d8d0c6dc0f2dcba93c15be17434da6e6f868ff5e |
| SHA512 | 2ebfbffb6829c327859982878393d6b0271d9b55457d8da5f8579d497f5edc793435c02912de30b675106dcf10dd5374d9c412d8671ced303cfb5db42c126000 |
memory/1964-159-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ngkjlpkj.exe
| MD5 | b15950fbfddcf1a6cb20f77a7eba0537 |
| SHA1 | 11ac6ff418383320ab9ae2f17401601f9de41c9e |
| SHA256 | f107d649211f8737db065f2e1832ad0327124b2d6e0a65aaac9a19028a786efd |
| SHA512 | bd94eea5cdc114aed5bae188d2aa13b54f0365fea525f07d4e1a3dcc82c5bac4b08deb1e56534b46f5287e3428fd874b6aae5f6deb0ed319a202d06aaf52d330 |
memory/4904-168-0x0000000000400000-0x0000000000434000-memory.dmp
memory/456-175-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Njifhljn.exe
| MD5 | 4f87cd38872f656c94ee7346fd6527ee |
| SHA1 | 24c450d6f271ef81aecf7395300884373e5e4c52 |
| SHA256 | 0dc868cfb0778b7cff367fca0cc1c224f6a5adb1b8d1c81e3e0b3ddd1d990727 |
| SHA512 | 4930e6c97958c9bf5ff53fa299d9d1c2e4809cc4e0980127befccc1d8b3a82a97b3f9021eddb5b6fe074a169870be06ac920ca73c0e847cc8e3056c1c1880dcd |
C:\Windows\SysWOW64\Ngmgap32.exe
| MD5 | 334c80dbb68c8e374db9bcddfb34381a |
| SHA1 | ce9ba9a7012aceae0b91c3008a1568f25392c0d7 |
| SHA256 | ccef4afa7c281ddba498f28116e45cc8c85eaf46771994d9a73bcae3883f4050 |
| SHA512 | f255a4ec37ef37c3c06f20567f35c1835b26ec78f7803240cfff91df8ce7343b2234f02f4c10bfaa1e353ee86b7bd187ed45782bde6ed8d38b1693fb9a820012 |
memory/2812-183-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Njlcmk32.exe
| MD5 | e77eb7db412c83e133c99a3dadd3c762 |
| SHA1 | 3a17e41eae921735645ac48e8dcc1d448522e803 |
| SHA256 | 6c803e9174002ebfdefda48ee5271e280ff8cd4c53fc3827382e006d93347828 |
| SHA512 | 61d5c73662a3c2e7eb932ff317f54f8658fc869594bd615798326c96d1ae9a4578e76288ffedf1da39549b20623ef66d4acf82aa0c8a7d33b99c6a46c7557b73 |
memory/4752-192-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Npekjeph.exe
| MD5 | a08f3d13a587a8285bc1a7a490a734f7 |
| SHA1 | d7c03c324b25599b82d15c83cfc96fe5ad539117 |
| SHA256 | e13c9a5be6cd668b3ab03361292f2a67045144a745c33aa57a49d11343af1f05 |
| SHA512 | b7e08614935e4846fd3a9f316e2e96bceaa205ea1f2bc8f6d84b5b6cca046f9e0697365bf9f3a23745b3102c6a59ebd05dc8ce5c280a3e3ba29d56642209be4d |
memory/3272-200-0x0000000000400000-0x0000000000434000-memory.dmp
memory/472-207-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Njnpck32.exe
| MD5 | 6980d5c32df09e6c1fbdd5ffbcfe11f4 |
| SHA1 | c0a354d31cd3a32776b720bcf9d741c7c459dcf8 |
| SHA256 | a6f3fab5040d1c52878d411ce48fa7012d9db8b56d1ce81f175cdfcace8108fe |
| SHA512 | b22da39cfe3484006f86a509463d21194cc534310b34283ca7c672382224ae00c8306645226a3a0e4e4bd4d87cd4943bc85066f9fbf2daad8be49e9973abc27d |
C:\Windows\SysWOW64\Ocfdlqmi.exe
| MD5 | 131d4b53d4faac0a1d108ace9a787d14 |
| SHA1 | abfe7a45b53eca440b98d53df38d997293807726 |
| SHA256 | 4da120244371f508c5e686a2060d04d2d4f1ab7ed93c700cd365d569d3573554 |
| SHA512 | 45de8ad65469dbe55ae5450001329e3e7278e916b4450de9ee53994c7210e5cf6e164878e6523551c35bcf2b6f92ef3374dd73c6aec93443119617099725aaee |
memory/4548-215-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ofeqhl32.exe
| MD5 | 8217d5f047d79a567d89a431051e2bde |
| SHA1 | e45a93e0d8c58a87c4bbba2c1a0f68c9cda81adf |
| SHA256 | 7e600fc90f2f6e7b6d053280fd51e61e7ed61107c5abad1aca017c671912dd63 |
| SHA512 | 14a442c24af9f8aab5b3e92df6cda90062f058097a85ecaa2a469667118e2b791c679c46afd8484659ac07978270393380b27082dc437b638231b24bdd619fbc |
memory/2960-223-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ofgmml32.exe
| MD5 | 7af484720c892197039b341dad598366 |
| SHA1 | d55051cad031c8ba46f185fbf1c50e5d23f02382 |
| SHA256 | 0a8574997b541fbb175c6b1ede7df97eb308778768acf0f6c16aa6425d96f480 |
| SHA512 | 8cbc319156abbf39309f1356f3dbc73ebfcded787b98692ca8a68e2339eb12297c4e9fafdad20fd4840a6415f490ae25435feb54c6ed5a7326054418a9ded248 |
memory/5040-231-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ojbinjbc.exe
| MD5 | b2a1658750be174d179f0a47ab2e225a |
| SHA1 | 24ffacad35b34b28f9bab2fcdba33532cf755c0d |
| SHA256 | ec852fef26a7804703263aae047d40c6b0c3a6df2325c4c09309a453b590b0f9 |
| SHA512 | ea6d64cc654718dceda876194990b38e4e90070ab75940e6c37d36f5b6eb7b8ccb6b7fee2104c146fc9055ebe92b4ad3aa18788722a82d7ec884fcf947b01933 |
memory/1040-239-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Odhmkcbi.exe
| MD5 | a8b6e1bce018f6722f8a7c6dc4b1ce0a |
| SHA1 | f42cd9b63bb22b827d8137b300fe7087030f42d7 |
| SHA256 | 641158e193df046d88919a521623a38ca0a5d647404ceb51b592ef6f85b2a85e |
| SHA512 | b6906fc1f1408d25c464c890023ad063c6bc3babf1724e25f3fac96a39eb71b71ee250899e83d6277d55d9379acfa7c600ff5f401e264d2115190c1ce748d185 |
memory/2252-247-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Onqbdihj.exe
| MD5 | 9bc159ff654cab6ed2643d734eb75f28 |
| SHA1 | 98af60e248152e8671aa85f5ceadbb9af5d82ea3 |
| SHA256 | 3c28ddde9dbb7b0485588fadd443bdd89ff722989b23463ef71501a68a3c2056 |
| SHA512 | befdf9d5603cae6384e5c5ca89628456ded8738242c88ce1eee0241332ae38e647f9243580e3cd7f0bd9449b2e9697339194f498eeda9fba117a590ae0dba83d |
memory/1164-255-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3364-262-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ojgbij32.exe
| MD5 | a4925f014ebfb3b6762aa650eb3c34de |
| SHA1 | 0672ec57e3c01832efa2e774741227a24370a417 |
| SHA256 | 73a22f0d620f65106d11b5c0a7b1c31b84c77d39a3d9eafa6ad6f7adb631c07f |
| SHA512 | b967dcc073cfb718c3f6e572fa0b810863980a5ad5eb495632cbf0d1700434bec035df58c5061f53d6b4963920b99b61c8b729e8a14db28aa5c4c4f823f1db02 |
memory/4748-268-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4760-274-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2972-280-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1968-286-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1780-292-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1652-298-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4952-304-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4972-310-0x0000000000400000-0x0000000000434000-memory.dmp
memory/116-316-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4128-322-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4120-328-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4852-334-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4700-344-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2016-346-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3964-352-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3960-358-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4692-368-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4124-370-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3500-376-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3048-382-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4816-388-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2492-394-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1332-400-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Qqadmagh.exe
| MD5 | 266cb8f8099a17e7e2ca3e6677f254de |
| SHA1 | b065aeaae9946e4fa5c06d631c21a1b95762cb7c |
| SHA256 | 2bbe4f0a7aa9477658e4492134eaff560e589db7254aa0b7fcdfc6c62b92a68a |
| SHA512 | c43503b4900c1ab218e967195e2f2baabb06cb08cf6ea81be07a586f971cd5261910d7319d9b2dbfa84b8e88e270c75aedd14433d19762f0cfa4087fcce98c87 |
memory/3928-406-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4316-412-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1036-418-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Aceidl32.exe
| MD5 | 175ffd2932aebdd60bd8169b9c4b8f3e |
| SHA1 | aeb3e456f48063a0181404c0f5c32b688f2d6503 |
| SHA256 | f2f8f26825178ab27b261abb416d21e50c1fd35e650f98a9b16d8af9b1dc9299 |
| SHA512 | ef8f1e7bec247f591aa9f74bbd69eac24803dbdb0e2ec56e15d6b20bb0475415e4877e67a73249b7c1488ea7b1ca61905949e4fb3f165a389a9ef96add64e6c1 |
memory/2148-424-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4716-430-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3824-436-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Acgfil32.exe
| MD5 | cce78cfc1925d465aa73e066af2eddc9 |
| SHA1 | 8537a39f08c86fe8765da33d20d051127fc5186a |
| SHA256 | 81307d22feda2ebaaf7f7b029451b73304b9c250225f00e6f2b9495e891ba9a9 |
| SHA512 | 851ca2763bca43e6988148d671ac6590bb8d0528c75dc1743f78f9d4c9be1a8e65e81ddda304637e7da87b0dc2f9ca29579c7d9a1d303560edfa5d73847d361b |
memory/764-442-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3264-448-0x0000000000400000-0x0000000000434000-memory.dmp
memory/840-454-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4412-460-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ambgha32.exe
| MD5 | 5c09b9e9a58ef551096a5aaa4206b30d |
| SHA1 | 8df7f882a231df8731af647b83cfa4069318ab8e |
| SHA256 | 5aa69e8172caabf208d04c20bc9d499f6ecf5fb43122b3f7aae5357ddb230c53 |
| SHA512 | 2f36f76fae787e58c1970af4d544891d1ce6b3c8ad6950ce28c8a5c96f3879497702a5ca3ebde452063fdfadac3754a7a1754b4954cb36636639ad8e69396a63 |
memory/1472-466-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bnadadld.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2140-472-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4552-478-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4620-484-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4440-490-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1980-496-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4436-502-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3096-512-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4564-514-0x0000000000400000-0x0000000000434000-memory.dmp
memory/700-520-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bcebkjdd.exe
| MD5 | 3628bbb278fc2d597efb739622e4ce0d |
| SHA1 | 06af668725f522001754897b9c320ae00682d408 |
| SHA256 | a3e8b0bd978558a6619f81799b3bcd120ae5a8c263b7da389e99fa1acd85b798 |
| SHA512 | 32f61148816806cef43302209262a952ca5f30d82fabb6d89d55e1baa6b8f5c2b41c82f449ef3464567b361e8eb4fb72a1381426caf62ea9ae344d7e8245953f |
memory/2192-530-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2716-536-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5016-538-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3080-545-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1132-544-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1648-551-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3800-552-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1920-559-0x0000000000400000-0x0000000000434000-memory.dmp
memory/632-558-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4576-566-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2540-565-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4844-573-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4352-572-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4872-579-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4948-580-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4164-586-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4908-587-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1524-594-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1368-593-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Cabfjmkc.exe
| MD5 | f0228b05d145ec7df8b5ba030111f17a |
| SHA1 | b78afb306fef3088ae0579e2ef00ca98e4b625e5 |
| SHA256 | 8feee1b666493d34f8b097e71e350e0cd0dc2807c25f8114ea6bfe886a93982f |
| SHA512 | ce0413f9f59210d9d0c42b596db92c0cff4bde5bf88a5c8eef0717d659158a67ef529f99ab51062207f9d1b2e9d8fb467229a834688e0f5f235b261ef872adf0 |
C:\Windows\SysWOW64\Dmlcennd.exe
| MD5 | 8f13361e737c456412a82ab90fa3a79a |
| SHA1 | 0897353df896abf877803143c7ed884b2aa91d16 |
| SHA256 | 503fcee4d3ae4e2548233f36f92b669e39adddb461189fcf8044f38cf2b0bd5e |
| SHA512 | f07e7d0f026ae376bb8ca664f5c700472f275195d0451db9568159b80ed5f288ff05217ecbed9afc66361bdd021ac88328043a2bbf60c8843239fbb7bcd92f5f |
C:\Windows\SysWOW64\Dkbpda32.exe
| MD5 | fd42388e411e345f82e54304955e89f4 |
| SHA1 | a1e99e1e392d683f4fcc9c4a14efc74ebeeb2acc |
| SHA256 | 4f6cdb26e2e853d0c1f0fa9fb0a3fd9cb469e21d8f4eedd3646307fc87d356d1 |
| SHA512 | 01d5c9155cd665335ee5f56c9e04820128845af040216675a3da4d3b083c7db13afdb4e39ca6b0b419626540b4087f883482dde5667d6435ad9ba7418f137345 |
C:\Windows\SysWOW64\Dfiaibap.exe
| MD5 | 92485e33a8947dfd21a8febe4136229e |
| SHA1 | d821ca5289610b55a81f879b2883e9d422ac715e |
| SHA256 | 0f0e1f1602503740264e86bc068380e7edbe4abc64059d2e167ff3244df3a1be |
| SHA512 | d06db1f01f3a55ad29ed04cd3cf1421a91c00a5db0600883a68a4ffd8c70e070e120fd993d71e494328a7fa9a4fd2c315d9e1160409798c502c9a8747191c357 |
C:\Windows\SysWOW64\Dkfjoagf.exe
| MD5 | 186052fd8e4c8c1e0279f48d8c8fe6d6 |
| SHA1 | 796580361c24e9ccc163fe604688c846f96d7e5d |
| SHA256 | 60ca203dd6ad54520830dea0dd1c113c754a733fc58d02157bf75bb512bfdcf3 |
| SHA512 | fab49e7bd9883f230a22e1300d4a36e0dbf0154c3b33ee4baf9ae67f8457228b5993dc10db877b72549dac1a2d0519799e1952e367549b8f31508a45ba1762b3 |
C:\Windows\SysWOW64\Ddonhf32.exe
| MD5 | 22bd0f71d98f76b164587047ac5a5405 |
| SHA1 | 4e86afce9164755c2d48d70c6721172ea42267ac |
| SHA256 | e34757b524ac469daa2cc3ae1bd58729ef683e15a999428f146a92587e386ff1 |
| SHA512 | 7bd9b494b35e6b65358b5c40bad0090048dadeb566a0c6d811dfc5f66475836ff4a1b95cd29e2b1387101abf07c689af2aebbba44684010a819680381ac07c1b |
C:\Windows\SysWOW64\Eeokaiei.exe
| MD5 | 15cdb0ce4c3e599781fc3ae802587603 |
| SHA1 | 957781d9dd3f8113d08c434824e54f59201cfa75 |
| SHA256 | c294e968563c7f0161f706003c7d7f627594b71b6a2f37e29b877ec0bada824d |
| SHA512 | e3c99250e1b0fc47d13471fe60efeefa3cf9cc5da6b34b4b6f034f88431f7da872db773558ffa85444515ea7e615ae953df8f348720db9b0fbfc27e49753ae91 |
C:\Windows\SysWOW64\Eecdmi32.exe
| MD5 | fb56fac81184b4f103e15f811ef3e715 |
| SHA1 | 7646793d347d9a94045e8f293df94b4c16229190 |
| SHA256 | 319432a3a0ab44494682ed1f9d04ffef1067a07ea72d4cd03563b4886d5b926a |
| SHA512 | a16205ff9791c2b0829c8862129bca14f14d73eacea49d076c6bece2b72f3475972225b5bae63e6d166b54d2036fc7139f2775256d487d51ea1008090566c693 |
C:\Windows\SysWOW64\Eeeqbhoa.exe
| MD5 | bd8ac751bacbead93bc7f31b694b2177 |
| SHA1 | 0ebeb26dbe093815ac74fe47e4564b2a05298967 |
| SHA256 | 69c0a45acacd260a4899a5cb25c6689b6e1a13f8e80d4c17bba7b6978661a167 |
| SHA512 | 9ee5cec87712e5d5928d0be34a1df90ee8aa84655f0140613b3eced18dfcc2f5595768d4cf8969bf455dc32e93833c8f06662f235da3fac5787ebef320296ad5 |
C:\Windows\SysWOW64\Eonekn32.exe
| MD5 | 3f9b2d08626d677b8b104957feaed48a |
| SHA1 | 1c8686db985eac0258160781cf57d6eaaaaadf82 |
| SHA256 | ece559eac737fe0f7aefcdd73ad748f61027c66a543c4fb13bd6272b63c0e2ae |
| SHA512 | aa932b7d40bbb0496ee7b04c351f0fe2299e9c2b5abc0b6d306c0c55966e4a7ffa3b20df94f67cfaff70f52dccfb76d70c42e9ed430228248b46b54471eee70d |
C:\Windows\SysWOW64\Faonmibc.exe
| MD5 | 2dbe935e502981795ff3883eac2253b0 |
| SHA1 | 79a34a1268f07e346d6b0bdb2131bda7896fdebb |
| SHA256 | 11162b1673b43d6ac5b71824a80ed3b00a9c882838f76e1b688ef7b702a4ab2d |
| SHA512 | 4a1a2aed243bf89b9ed468b860c4d2626032fd7600f1a75290fcaf7aa5216fbe08bc12aa545cb0628ab2deb48acddc6b54f68dfc996c1618aa9afa3797d52d5d |
C:\Windows\SysWOW64\Fkgbfo32.exe
| MD5 | 3a1918c6e89f0a0ceb476be2b73c6ba0 |
| SHA1 | d500c137f8b7ee3b5df9811d7e729fae3db7624a |
| SHA256 | 736d06080f55809fe2a0878adee8d95afecd38393a50e994e645a0960c499af6 |
| SHA512 | 33f5810de88a490e5b11d9379f33e8b4a5f0c0fd3be02a1778d3bfd7e64a54eb5435f2e1e8987678e1289cc13aae0f7c6478a33878298a70fd345cfe2f8e0fda |
C:\Windows\SysWOW64\Fgnckpog.exe
| MD5 | fc5ec3ecd385474b319be44db1ec4fd5 |
| SHA1 | 967e2f6bad297dfd68a924fa57f74fe699a46bb3 |
| SHA256 | 14175f7b5de0cdd2faee0faabff6b5b89de4d64f0ef2dd7ddea13aa831949ba8 |
| SHA512 | 7b2bf609d02714ec5f2b19011cefa414fa020ac3c6261a13c4afb56e46a31f0bc630f33f762393539a0ed5ba3c90f4af675c226aa1fa48c625514dff7da68d48 |
C:\Windows\SysWOW64\Fgpppo32.exe
| MD5 | b2acf695b93e2ea6f4c27c96cffd0b1f |
| SHA1 | d3291637b4e9126b2f872286aa6750c49363f086 |
| SHA256 | 85641ffea6d4824a7b3c5390f86d4c34c40db9ebe46a6c7db61dc9fb4de56183 |
| SHA512 | f1755ba79a4d4a87d7b27d35f1f2dccaa397e3a2dbecfd1b497761fc57d1c760dc1a93bf903be2a91db1c60425208c92bd903feb0248fecee7a259bfc358ed4c |
C:\Windows\SysWOW64\Fhpmjbch.exe
| MD5 | b6c3b43f21391f7e0f49cf27250189d7 |
| SHA1 | 2e5aa8c422a30e5327c6cdb4a39023989fc85804 |
| SHA256 | 3982e2769e109b70732ff1fecf632389689ee1e3917cf254bb50380ec070464b |
| SHA512 | 0cc2af19dd53e825d63ef5a9af60bc4ffcdd6b1061c07fe30079fe537801f3c188bc114033e0c322e30b483732d95f7db442335f8f58c5e5c88e9bf5ae55a059 |
C:\Windows\SysWOW64\Gkpelm32.exe
| MD5 | a38478055310b22f09bc7b9565fd2176 |
| SHA1 | 129f2268c310ee83ecb876a09258ecb3300cf1a4 |
| SHA256 | 53ad61f5d7d9d9ba5d4cecf597563b4b351e7c90aedba53d2143019fde2834d1 |
| SHA512 | cffc6f078968b4877eb05bcaeb95bf2e1a4ec602015a2ba6b9d61909e176be3155a90884196d6d10180902bff1996d6f2f9a8eb1499420e090db6bc8a3ce6d48 |
C:\Windows\SysWOW64\Gdijecgi.exe
| MD5 | 1b03c244a95d026cdac92e78f63feee6 |
| SHA1 | 39b7bb7d911fad3282b6e2a3686aead8310e23f9 |
| SHA256 | 96c272818c057630261264bde5ea1bc32ab5f35b3d8e65fd03ceb0af6a38ff47 |
| SHA512 | 4bf472e53ed590afb07ee79341c80253605c34ee565bda0afb275e655e4b7394f16dd24ca82be846a8bf4efd0273828b81163e43f48a5d5f2e8b5bdac7549c7e |
C:\Windows\SysWOW64\Goqkhk32.exe
| MD5 | e4128485753b287034a073e99a2a7372 |
| SHA1 | 1f6402127d686c2ebc37935e454065bc21aa3879 |
| SHA256 | 187be6231cedf8aa866871075ab6aa3b8572e230d07b09002edb5bb30cceb799 |
| SHA512 | 2cd05de565c8e343908a3e7a02c66110902179b9a8f7ef3c556080dec992735191594f77301626e0e38850bf634edd225d9a66433e173e4fe3a779501e20a165 |
C:\Windows\SysWOW64\Gochmk32.exe
| MD5 | e8044dd5650bab962e41ebf285ed6425 |
| SHA1 | d05a3ccc3e727f73cc692baafbe1b33a1b2983e8 |
| SHA256 | 00ea338eefc99217c0d40e13d5593a71dabd0d2fb1063412e8544c9ecce87364 |
| SHA512 | b47f6ca3710904770d4b1c02f30aed2136208671584b4a66078a52b621212780d806a3da1478828c1cbf12826e9505188fd57805130deec0e34b5b361927e836 |
C:\Windows\SysWOW64\Gdppeb32.exe
| MD5 | 202251a2ddd27f0c22042d19e719811d |
| SHA1 | 6c9001ece765786b8a6d0b1e84c94ef7f131ec9d |
| SHA256 | d1f6480a6d2950a1f1cff6a54b32dd8ea950eab56f3f52b994fdebd98b7d537b |
| SHA512 | 038bad19e1ee16fc88576b10abb48435b37c3d27e1930097eb6def132620a98e94d276f3ceb145d3598932ad358674fd18f7ea0b90bcdb08296339d6628f1a55 |
C:\Windows\SysWOW64\Hgqigmnb.exe
| MD5 | 43788e45c49c4d3504bb480877422649 |
| SHA1 | 8bf722c21966b5af24a4ff95bf263613fe49b577 |
| SHA256 | 1ec99dc9cac48b4777944aad5d685ab1ef2d36a153ed355b2da510aeb2ad43b6 |
| SHA512 | 89cd2aae5e550f6af43d275fd649c64847b9a41c36252caf31321b5531b40561938e35f53f7971f2369301df189f4c001c366f67686851c3a3e236c2f61a15c4 |
C:\Windows\SysWOW64\Hnjadg32.exe
| MD5 | ec31a86c468b13294e2c1c2ae31f57d7 |
| SHA1 | 29afe91571fe6da6b01a1b11336355148ef6315c |
| SHA256 | d4c3c9aba1bed757a869d737ab11fddc1d56d62af43c6fb4b41507a7cc97199e |
| SHA512 | 7e4d94afac696c971968785feacf581df4ba93c65a8fadb4f596235770a5ddd7657cfe36ab18c6868618b1f3181d10cc33e7d4d6de0acd904b12938b4ead1af2 |
C:\Windows\SysWOW64\Hfdfkddo.exe
| MD5 | 4be310aa1342a3040f7d091a6c749db1 |
| SHA1 | 79459ed69186ab547dd6c1edf7334fa78956757e |
| SHA256 | b94c0861cb2319c61888e0b58fe07760bf523021d1678dce8e808d327ab45c36 |
| SHA512 | 55c12096a3dfa3a9a40497cbdf0f81e807e5863c59fa417f41474ff01863a3a07973b86f149f7ab33f915c1e91e0857145ffd6cb6cf08caee614b8d5d1793700 |
C:\Windows\SysWOW64\Hkckhk32.exe
| MD5 | 079672cd22a83d14632a2b145a37606f |
| SHA1 | e74997978afe0b1a6b9857087a75e2abee21aa84 |
| SHA256 | d03e46aed412d5a4e1dae369af3b90491dd795dd6a07b21facbdefe9e9d4d8b2 |
| SHA512 | 464f1dc9ee80103b7cc169430191806ed0738c394f7f9ebe2fdd5815dd20ebb686a2aa10321ac86fb6bae8eb4f0f159ac33dc1d01e5cbf5079fc3db2d5dfe572 |
C:\Windows\SysWOW64\Hdkpapgd.exe
| MD5 | 0a68811b0498fb122b65de14415a2add |
| SHA1 | 26f58d705a814ebac7c66b5c24b4bab27a569948 |
| SHA256 | 794bcc53b6343ed6c91df5ae3f19df479eb87159c3f142b6529b5ff5f57d1e18 |
| SHA512 | dd8490cf3daefaa8949276f4b7f05c567d624972c59ccf982ec639449e144666126493f411c024d31e4a2e8355a6e14ecb29a82e459f3fd1321fb2801ca8cd0e |
C:\Windows\SysWOW64\Ifklkc32.exe
| MD5 | 17982c2a3ab4125a0402c940a1be62a2 |
| SHA1 | 28335160dda350aa9dda740d289b2389a87ade06 |
| SHA256 | 4e418d117bc2bddb7c62da62110973c0fd06ef3b77ea1e7d8314d42df2f2d7d1 |
| SHA512 | 97ad4906e0893e7d52179f058ef043cca330f86bdb2165601c437d801343d4227b7420ac994dd350f6682c8684382142996219c028f3c5a49dd32639b170675f |
C:\Windows\SysWOW64\Infapela.exe
| MD5 | bd5f86c431d36d72fdec046bc163182b |
| SHA1 | d8670bc207bd0f6aeda301353e88bc90e16171ce |
| SHA256 | d2c1ad6100729e86bc0d345e947ca0a1f1da4ff9a558ce87bea870ba45759c9a |
| SHA512 | 6aa3406c4ac3dbe80d3c9874239e469fa7230737d86d6fc54e2702db06e33aa122c82325ee6925f233004e1be2c19ee5ef72a07400ad545493005a62afa71498 |
C:\Windows\SysWOW64\Ikjaiijk.exe
| MD5 | a5ebb0e04a8035cb36a49b79b26a3a66 |
| SHA1 | 0b139ac27b4ea5d27da4dae56f665582d64b6be3 |
| SHA256 | e1e67798a660ee7e6f342240a7a80cf4d6d148aee2403d437c4ec92e9428f0c2 |
| SHA512 | 7931cc972abeae95dfb00ac57f435cf12c7f6a3cb9806e7ee5100b1210f5270353a75bd392f69581425a57cc469bd820fabe0c8248399099a7537e3d14634df0 |
C:\Windows\SysWOW64\Ikagjh32.exe
| MD5 | b336fe3c2201e2ac0d64c7699a718841 |
| SHA1 | c5848d2309302f094037dd6fe652dce7d9320f5a |
| SHA256 | 9db3f067bf3b93dd11c11550277f7692b0b531c0fd9bdd2002222bd900e5274a |
| SHA512 | fbc71cd01f9ebb2c7e68c57b4ccd19b21b9d497f026ac9164354cc7f46100dc95b11643650233ba1e6fabf3244b161eafbf993203afede445d44192758c79982 |
C:\Windows\SysWOW64\Jooppg32.exe
| MD5 | d89e305db56d3bfb1c1d82e36836190e |
| SHA1 | 95c27dd07d1ae97e09815cfe0ce3c72be0124d4a |
| SHA256 | efe43ad8751c5f516a4f4c1a3bb738f8be8a62f294d4ec391566b957fd8f11e2 |
| SHA512 | 5c655143fcea4e2b6ca76c51a0bdf88cbf30e35c3d5e1e14acbdfca6212d89ed9fbe49aa4193e4eb70ddeccb069820fe98b88acb2112adc26cdfd53fd380c5cd |
C:\Windows\SysWOW64\Jbpiab32.exe
| MD5 | fd051ffdbb8d613b241dd01205c8c1fd |
| SHA1 | 52772c9101c3a9c1e3807862821c4eecbd41f43e |
| SHA256 | 752592f21e55c5e0ff88688acc67843c77a86150e88e886f2664cabfded74dce |
| SHA512 | cc1dabc45cd307a60796a96a2616c5d5f3b76a80d4b89a80685819bea3a92e4bee766daf4dea87f8b28bcc3f42444b1493055f3f21e5b477523428189aaee538 |
C:\Windows\SysWOW64\Kpkple32.exe
| MD5 | 2d82a8618571d15a66c651a798143c31 |
| SHA1 | 628df891edd59cf829ed1febb78cbaf6bcbd379a |
| SHA256 | 45214c90418476b100f0d1391871e397a8d262fac93998001cd9147b0c32700a |
| SHA512 | 012fa3bf0c390be6928fbd0c3591f9fdb763fa528aaf76e9bf77f27a6a3381c1382cedbf7826deb974d1015daa5e13ecc461bcf66e178dbea339474803fbe5c9 |
C:\Windows\SysWOW64\Klapqf32.exe
| MD5 | d2173df03bbb1822c3de010644e961e5 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:12
Reported
2024-11-10 01:15
Platform
win7-20240708-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Nlhgoqhh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Nlhgoqhh.exe | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nlhgoqhh.exe | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Lamajm32.dll | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Npagjpcd.exe | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Npagjpcd.exe | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| File created | C:\Windows\SysWOW64\Mahqjm32.dll | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nlhgoqhh.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nlhgoqhh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll" | C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
"C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe"
C:\Windows\SysWOW64\Npagjpcd.exe
C:\Windows\system32\Npagjpcd.exe
C:\Windows\SysWOW64\Nlhgoqhh.exe
C:\Windows\system32\Nlhgoqhh.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 140
Network
Files