Analysis Overview
SHA256
a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9
Threat Level: Known bad
The file a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9 was found to be: Known bad.
Malicious Activity Summary
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:20
Signatures
Berbew family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:20
Reported
2024-11-10 01:22
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
143s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nahgoe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aaldccip.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kjeiodek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jhlgfj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kjffdalb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Omgcpokp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jjafok32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ohfami32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gdfoio32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibmeoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qlggjk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gaamlecg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhfppabl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojbacd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hnodaecc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kjkpoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hkeaqi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ecefqnel.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Popbpqjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pllgnl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pemomqcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lkabjbih.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Leopnglc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mldhfpib.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Olbdhn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qhngolpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Innfnl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmieae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmgjia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Iqklon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kelkaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nobdbkhf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgeakekd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cacckp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dojqjdbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dlieda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fmpqfq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njpdnedf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iknmla32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jnhpoamf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ogekbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aggpfkjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bhkmec32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gklnjj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ihnkel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ipjedh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gijekg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pkhjph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lieccf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oeokal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mejpje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Allpejfe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ijcjmmil.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcikgacl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mmpdhboj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gnhnaf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jglklggl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kniieo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lbgalmej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnjejjgh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Naaqofgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fpgpgfmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnhmnn32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Ncabfkqo.exe | C:\Windows\SysWOW64\Nmgjia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnffoibg.dll | C:\Windows\SysWOW64\Ofmdio32.exe | N/A |
| File created | C:\Windows\SysWOW64\Boenhgdd.exe | C:\Windows\SysWOW64\Bdojjo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpomcp32.exe | C:\Windows\SysWOW64\Hammhcij.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jglklggl.exe | C:\Windows\SysWOW64\Jhijqj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Phbhcmjl.exe | C:\Windows\SysWOW64\Piphgq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfbped32.exe | C:\Windows\SysWOW64\Kngkqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmfcok32.exe | C:\Windows\SysWOW64\Ngjkfd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gaamlecg.exe | C:\Windows\SysWOW64\Gijekg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Piomhofd.dll | C:\Windows\SysWOW64\Iqipio32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bombmcec.exe | C:\Windows\SysWOW64\Bmofagfp.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjpqjh32.dll | C:\Windows\SysWOW64\Bcinna32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbphdn32.exe | C:\Windows\SysWOW64\Cmcolgbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpkchqdj.exe | C:\Windows\SysWOW64\Gahcmd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjglocmi.dll | C:\Windows\SysWOW64\Leopnglc.exe | N/A |
| File created | C:\Windows\SysWOW64\Oeehkn32.exe | C:\Windows\SysWOW64\Nmnqjp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Popbpqjh.exe | C:\Windows\SysWOW64\Pehngkcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hmkigh32.exe | C:\Windows\SysWOW64\Gpgind32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kioghlbd.dll | C:\Windows\SysWOW64\Qodeajbg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljdceo32.exe | C:\Windows\SysWOW64\Lkabjbih.exe | N/A |
| File created | C:\Windows\SysWOW64\Clghdi32.dll | C:\Windows\SysWOW64\Hhiajmod.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jqdoem32.exe | C:\Windows\SysWOW64\Jbaojpgb.exe | N/A |
| File created | C:\Windows\SysWOW64\Clomci32.dll | C:\Windows\SysWOW64\Jibmgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdqlliil.dll | C:\Windows\SysWOW64\Cioilg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmhand32.exe | C:\Windows\SysWOW64\Dfoiaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oidalg32.dll | C:\Windows\SysWOW64\Ddligq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Klkfenfk.dll | C:\Windows\SysWOW64\Gimqajgh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmqgpgoc.exe | C:\Windows\SysWOW64\Fpmggb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmnkkg32.exe | C:\Windows\SysWOW64\Fpjjac32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ljbfpo32.exe | C:\Windows\SysWOW64\Lgcjdd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pefhlaie.exe | C:\Windows\SysWOW64\Pakllc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Icknfcol.exe | C:\Windows\SysWOW64\Ipmbjgpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjodla32.exe | C:\Windows\SysWOW64\Mqfpckhm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngjkfd32.exe | C:\Windows\SysWOW64\Npbceggm.exe | N/A |
| File created | C:\Windows\SysWOW64\Nabbod32.dll | C:\Windows\SysWOW64\Ejflhm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmhidbhg.dll | C:\Windows\SysWOW64\Ahcajk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcahmb32.exe | C:\Windows\SysWOW64\Bkkple32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Efepbi32.exe | C:\Windows\SysWOW64\Emmkiclm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejnocehc.dll | C:\Windows\SysWOW64\Ljhefhha.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oeokal32.exe | C:\Windows\SysWOW64\Omgcpokp.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmiikh32.exe | C:\Windows\SysWOW64\Pfoann32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Neoieenp.exe | C:\Windows\SysWOW64\Nbqmiinl.exe | N/A |
| File created | C:\Windows\SysWOW64\Mapmipen.dll | C:\Windows\SysWOW64\Jkomneim.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nahgoe32.exe | C:\Windows\SysWOW64\Nojjcj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Okgaijaj.exe | C:\Windows\SysWOW64\Ohiemobf.exe | N/A |
| File created | C:\Windows\SysWOW64\Niehpfnk.dll | C:\Windows\SysWOW64\Cbbdjm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlhkgi32.exe | C:\Windows\SysWOW64\Ncabfkqo.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocaikjof.dll | C:\Windows\SysWOW64\Hnodaecc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhijqj32.exe | C:\Windows\SysWOW64\Iqbbpm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jhijqj32.exe | C:\Windows\SysWOW64\Iqbbpm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qlggjk32.exe | C:\Windows\SysWOW64\Qhlkilba.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Anmfbl32.exe | C:\Windows\SysWOW64\Aknifq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aphnnafb.exe | C:\Windows\SysWOW64\Aogbfi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gklnjj32.exe | C:\Windows\SysWOW64\Ggpbjkpl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkjjlhle.exe | C:\Windows\SysWOW64\Hhknpmma.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbaojpgb.exe | C:\Windows\SysWOW64\Jnfcia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhlgfj32.exe | C:\Windows\SysWOW64\Jqdoem32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnpban32.dll | C:\Windows\SysWOW64\Kijchhbo.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiacfqch.dll | C:\Windows\SysWOW64\Jjlmclqa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fpgpgfmh.exe | C:\Windows\SysWOW64\Fbbpmb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmophg32.dll | C:\Windows\SysWOW64\Ifmqfm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gacjadad.exe | C:\Windows\SysWOW64\Gnhnaf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfoann32.exe | C:\Windows\SysWOW64\Oabhfg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkaicd32.exe | C:\Windows\SysWOW64\Jibmgi32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dkqaoe32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qohpkf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qodeajbg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpjjac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iahlcaol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pekbga32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ohfami32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjbcplpe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mnkggfkb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdkifmjq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hnodaecc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hhknpmma.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkabjbih.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nolgijpk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qhlkilba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Elnoopdj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eangpgcl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iddljmpc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gilapgqb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hjjnae32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Phbhcmjl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjafok32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bedgjgkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkokcl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jdmgfedl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncabfkqo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjpode32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Npepkf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcobaedj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bljlfh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Icfekc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jdbhkk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jkaicd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nlnkmnah.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfoiaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmcolgbj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oaqbkn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpmggb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnahdi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgelgi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fhmigagd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kijchhbo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kecabifp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jnelok32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bklomh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Meamcg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmofagfp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pejkmk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkaobnio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Panhbfep.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaldccip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kndojobi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkkple32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbphdn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhndljll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbmoen32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Efjimhnh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpgpgfmh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofmdio32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkfcndce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olbdhn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gigaka32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hmbfbn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gklnjj32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fmnkkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingcceof.dll" | C:\Windows\SysWOW64\Objpoh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlljcfl.dll" | C:\Windows\SysWOW64\Efjimhnh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jnjejjgh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilmjcon.dll" | C:\Windows\SysWOW64\Lggldm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oejbfmpg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll" | C:\Windows\SysWOW64\Ckgohf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjmcnbdm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jjdjoane.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklhm32.dll" | C:\Windows\SysWOW64\Jjdjoane.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ljdceo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Njiegl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkaobnio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peehmbji.dll" | C:\Windows\SysWOW64\Nklbmllg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Polppg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebadmmge.dll" | C:\Windows\SysWOW64\Fhmigagd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gacjadad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migidc32.dll" | C:\Windows\SysWOW64\Ginnfgop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gpkchqdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgaaeham.dll" | C:\Windows\SysWOW64\Hgiepjga.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meickkqm.dll" | C:\Windows\SysWOW64\Iahlcaol.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ggahedjn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnidao32.dll" | C:\Windows\SysWOW64\Hgmgqc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdmgfedl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bnhenj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Npbceggm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmieae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jocefm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhdhon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhginhk.dll" | C:\Windows\SysWOW64\Hpomcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjlbppk.dll" | C:\Windows\SysWOW64\Jjmcnbdm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Llhikacp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ahjgjj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ijcjmmil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aajhndkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kndojobi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kijchhbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgkbp32.dll" | C:\Windows\SysWOW64\Poomegpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdqlliil.dll" | C:\Windows\SysWOW64\Cioilg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncijina.dll" | C:\Windows\SysWOW64\Oeheqm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhpjc32.dll" | C:\Windows\SysWOW64\Cdnmfclj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Anmfbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll" | C:\Windows\SysWOW64\Nceefd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pnifekmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bildbk32.dll" | C:\Windows\SysWOW64\Gnhnaf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Neoieenp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oekiqccc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Poomegpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mkhapk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ipoheakj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll" | C:\Windows\SysWOW64\Bdagpnbk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ihnkel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfpfg32.dll" | C:\Windows\SysWOW64\Ikcmbfcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jbaojpgb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqomopfd.dll" | C:\Windows\SysWOW64\Nojjcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmhand32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ohfami32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Aaldccip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbbhqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjlmclqa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojigdcll.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll" | C:\Windows\SysWOW64\Qklmpalf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebnfbcbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe
"C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe"
C:\Windows\SysWOW64\Bnkbcj32.exe
C:\Windows\system32\Bnkbcj32.exe
C:\Windows\SysWOW64\Bedgjgkg.exe
C:\Windows\system32\Bedgjgkg.exe
C:\Windows\SysWOW64\Bkaobnio.exe
C:\Windows\system32\Bkaobnio.exe
C:\Windows\SysWOW64\Cnahdi32.exe
C:\Windows\system32\Cnahdi32.exe
C:\Windows\SysWOW64\Cdnmfclj.exe
C:\Windows\system32\Cdnmfclj.exe
C:\Windows\SysWOW64\Cbbnpg32.exe
C:\Windows\system32\Cbbnpg32.exe
C:\Windows\SysWOW64\Cofnik32.exe
C:\Windows\system32\Cofnik32.exe
C:\Windows\SysWOW64\Cbfgkffn.exe
C:\Windows\system32\Cbfgkffn.exe
C:\Windows\SysWOW64\Dkokcl32.exe
C:\Windows\system32\Dkokcl32.exe
C:\Windows\SysWOW64\Dnpdegjp.exe
C:\Windows\system32\Dnpdegjp.exe
C:\Windows\SysWOW64\Ddligq32.exe
C:\Windows\system32\Ddligq32.exe
C:\Windows\SysWOW64\Dndnpf32.exe
C:\Windows\system32\Dndnpf32.exe
C:\Windows\SysWOW64\Dmennnni.exe
C:\Windows\system32\Dmennnni.exe
C:\Windows\SysWOW64\Emhkdmlg.exe
C:\Windows\system32\Emhkdmlg.exe
C:\Windows\SysWOW64\Eiokinbk.exe
C:\Windows\system32\Eiokinbk.exe
C:\Windows\SysWOW64\Efblbbqd.exe
C:\Windows\system32\Efblbbqd.exe
C:\Windows\SysWOW64\Eokqkh32.exe
C:\Windows\system32\Eokqkh32.exe
C:\Windows\SysWOW64\Eblimcdf.exe
C:\Windows\system32\Eblimcdf.exe
C:\Windows\SysWOW64\Ebnfbcbc.exe
C:\Windows\system32\Ebnfbcbc.exe
C:\Windows\SysWOW64\Fneggdhg.exe
C:\Windows\system32\Fneggdhg.exe
C:\Windows\SysWOW64\Fijkdmhn.exe
C:\Windows\system32\Fijkdmhn.exe
C:\Windows\SysWOW64\Fbbpmb32.exe
C:\Windows\system32\Fbbpmb32.exe
C:\Windows\SysWOW64\Fpgpgfmh.exe
C:\Windows\system32\Fpgpgfmh.exe
C:\Windows\SysWOW64\Fmkqpkla.exe
C:\Windows\system32\Fmkqpkla.exe
C:\Windows\SysWOW64\Flpmagqi.exe
C:\Windows\system32\Flpmagqi.exe
C:\Windows\SysWOW64\Gmojkj32.exe
C:\Windows\system32\Gmojkj32.exe
C:\Windows\SysWOW64\Gblbca32.exe
C:\Windows\system32\Gblbca32.exe
C:\Windows\SysWOW64\Gncchb32.exe
C:\Windows\system32\Gncchb32.exe
C:\Windows\SysWOW64\Gbalopbn.exe
C:\Windows\system32\Gbalopbn.exe
C:\Windows\SysWOW64\Gbchdp32.exe
C:\Windows\system32\Gbchdp32.exe
C:\Windows\SysWOW64\Gimqajgh.exe
C:\Windows\system32\Gimqajgh.exe
C:\Windows\SysWOW64\Gpgind32.exe
C:\Windows\system32\Gpgind32.exe
C:\Windows\SysWOW64\Hmkigh32.exe
C:\Windows\system32\Hmkigh32.exe
C:\Windows\SysWOW64\Hplbickp.exe
C:\Windows\system32\Hplbickp.exe
C:\Windows\SysWOW64\Hoaojp32.exe
C:\Windows\system32\Hoaojp32.exe
C:\Windows\SysWOW64\Hpqldc32.exe
C:\Windows\system32\Hpqldc32.exe
C:\Windows\SysWOW64\Ifmqfm32.exe
C:\Windows\system32\Ifmqfm32.exe
C:\Windows\SysWOW64\Iliinc32.exe
C:\Windows\system32\Iliinc32.exe
C:\Windows\SysWOW64\Iinjhh32.exe
C:\Windows\system32\Iinjhh32.exe
C:\Windows\SysWOW64\Ipjoja32.exe
C:\Windows\system32\Ipjoja32.exe
C:\Windows\SysWOW64\Igdgglfl.exe
C:\Windows\system32\Igdgglfl.exe
C:\Windows\SysWOW64\Ilqoobdd.exe
C:\Windows\system32\Ilqoobdd.exe
C:\Windows\SysWOW64\Ipoheakj.exe
C:\Windows\system32\Ipoheakj.exe
C:\Windows\SysWOW64\Jocefm32.exe
C:\Windows\system32\Jocefm32.exe
C:\Windows\SysWOW64\Jofalmmp.exe
C:\Windows\system32\Jofalmmp.exe
C:\Windows\SysWOW64\Johnamkm.exe
C:\Windows\system32\Johnamkm.exe
C:\Windows\SysWOW64\Jjpode32.exe
C:\Windows\system32\Jjpode32.exe
C:\Windows\SysWOW64\Kjblje32.exe
C:\Windows\system32\Kjblje32.exe
C:\Windows\SysWOW64\Kjeiodek.exe
C:\Windows\system32\Kjeiodek.exe
C:\Windows\SysWOW64\Kgiiiidd.exe
C:\Windows\system32\Kgiiiidd.exe
C:\Windows\SysWOW64\Knenkbio.exe
C:\Windows\system32\Knenkbio.exe
C:\Windows\SysWOW64\Kngkqbgl.exe
C:\Windows\system32\Kngkqbgl.exe
C:\Windows\SysWOW64\Lfbped32.exe
C:\Windows\system32\Lfbped32.exe
C:\Windows\SysWOW64\Lgbloglj.exe
C:\Windows\system32\Lgbloglj.exe
C:\Windows\SysWOW64\Lomqcjie.exe
C:\Windows\system32\Lomqcjie.exe
C:\Windows\SysWOW64\Lopmii32.exe
C:\Windows\system32\Lopmii32.exe
C:\Windows\SysWOW64\Lflbkcll.exe
C:\Windows\system32\Lflbkcll.exe
C:\Windows\SysWOW64\Mcpcdg32.exe
C:\Windows\system32\Mcpcdg32.exe
C:\Windows\SysWOW64\Mqdcnl32.exe
C:\Windows\system32\Mqdcnl32.exe
C:\Windows\SysWOW64\Mqfpckhm.exe
C:\Windows\system32\Mqfpckhm.exe
C:\Windows\SysWOW64\Mjodla32.exe
C:\Windows\system32\Mjodla32.exe
C:\Windows\SysWOW64\Mfeeabda.exe
C:\Windows\system32\Mfeeabda.exe
C:\Windows\SysWOW64\Mgeakekd.exe
C:\Windows\system32\Mgeakekd.exe
C:\Windows\SysWOW64\Nclbpf32.exe
C:\Windows\system32\Nclbpf32.exe
C:\Windows\SysWOW64\Njfkmphe.exe
C:\Windows\system32\Njfkmphe.exe
C:\Windows\SysWOW64\Npbceggm.exe
C:\Windows\system32\Npbceggm.exe
C:\Windows\SysWOW64\Ngjkfd32.exe
C:\Windows\system32\Ngjkfd32.exe
C:\Windows\SysWOW64\Nmfcok32.exe
C:\Windows\system32\Nmfcok32.exe
C:\Windows\SysWOW64\Npepkf32.exe
C:\Windows\system32\Npepkf32.exe
C:\Windows\SysWOW64\Njjdho32.exe
C:\Windows\system32\Njjdho32.exe
C:\Windows\SysWOW64\Nmipdk32.exe
C:\Windows\system32\Nmipdk32.exe
C:\Windows\SysWOW64\Ngndaccj.exe
C:\Windows\system32\Ngndaccj.exe
C:\Windows\SysWOW64\Nnhmnn32.exe
C:\Windows\system32\Nnhmnn32.exe
C:\Windows\SysWOW64\Nceefd32.exe
C:\Windows\system32\Nceefd32.exe
C:\Windows\SysWOW64\Nfcabp32.exe
C:\Windows\system32\Nfcabp32.exe
C:\Windows\SysWOW64\Oaifpi32.exe
C:\Windows\system32\Oaifpi32.exe
C:\Windows\SysWOW64\Ogcnmc32.exe
C:\Windows\system32\Ogcnmc32.exe
C:\Windows\SysWOW64\Ompfej32.exe
C:\Windows\system32\Ompfej32.exe
C:\Windows\SysWOW64\Ogekbb32.exe
C:\Windows\system32\Ogekbb32.exe
C:\Windows\SysWOW64\Ojdgnn32.exe
C:\Windows\system32\Ojdgnn32.exe
C:\Windows\SysWOW64\Oclkgccf.exe
C:\Windows\system32\Oclkgccf.exe
C:\Windows\SysWOW64\Ofkgcobj.exe
C:\Windows\system32\Ofkgcobj.exe
C:\Windows\SysWOW64\Omdppiif.exe
C:\Windows\system32\Omdppiif.exe
C:\Windows\SysWOW64\Ofmdio32.exe
C:\Windows\system32\Ofmdio32.exe
C:\Windows\SysWOW64\Oabhfg32.exe
C:\Windows\system32\Oabhfg32.exe
C:\Windows\SysWOW64\Pfoann32.exe
C:\Windows\system32\Pfoann32.exe
C:\Windows\SysWOW64\Pmiikh32.exe
C:\Windows\system32\Pmiikh32.exe
C:\Windows\SysWOW64\Phonha32.exe
C:\Windows\system32\Phonha32.exe
C:\Windows\SysWOW64\Pnifekmd.exe
C:\Windows\system32\Pnifekmd.exe
C:\Windows\SysWOW64\Pagbaglh.exe
C:\Windows\system32\Pagbaglh.exe
C:\Windows\SysWOW64\Pnkbkk32.exe
C:\Windows\system32\Pnkbkk32.exe
C:\Windows\SysWOW64\Pdhkcb32.exe
C:\Windows\system32\Pdhkcb32.exe
C:\Windows\SysWOW64\Pjbcplpe.exe
C:\Windows\system32\Pjbcplpe.exe
C:\Windows\SysWOW64\Ppolhcnm.exe
C:\Windows\system32\Ppolhcnm.exe
C:\Windows\SysWOW64\Pfiddm32.exe
C:\Windows\system32\Pfiddm32.exe
C:\Windows\SysWOW64\Panhbfep.exe
C:\Windows\system32\Panhbfep.exe
C:\Windows\SysWOW64\Ppahmb32.exe
C:\Windows\system32\Ppahmb32.exe
C:\Windows\SysWOW64\Qjfmkk32.exe
C:\Windows\system32\Qjfmkk32.exe
C:\Windows\SysWOW64\Qpcecb32.exe
C:\Windows\system32\Qpcecb32.exe
C:\Windows\SysWOW64\Qjiipk32.exe
C:\Windows\system32\Qjiipk32.exe
C:\Windows\SysWOW64\Qodeajbg.exe
C:\Windows\system32\Qodeajbg.exe
C:\Windows\SysWOW64\Ahmjjoig.exe
C:\Windows\system32\Ahmjjoig.exe
C:\Windows\SysWOW64\Aogbfi32.exe
C:\Windows\system32\Aogbfi32.exe
C:\Windows\SysWOW64\Aphnnafb.exe
C:\Windows\system32\Aphnnafb.exe
C:\Windows\SysWOW64\Afbgkl32.exe
C:\Windows\system32\Afbgkl32.exe
C:\Windows\SysWOW64\Aagkhd32.exe
C:\Windows\system32\Aagkhd32.exe
C:\Windows\SysWOW64\Agdcpkll.exe
C:\Windows\system32\Agdcpkll.exe
C:\Windows\SysWOW64\Aajhndkb.exe
C:\Windows\system32\Aajhndkb.exe
C:\Windows\SysWOW64\Aggpfkjj.exe
C:\Windows\system32\Aggpfkjj.exe
C:\Windows\SysWOW64\Aaldccip.exe
C:\Windows\system32\Aaldccip.exe
C:\Windows\SysWOW64\Agimkk32.exe
C:\Windows\system32\Agimkk32.exe
C:\Windows\SysWOW64\Aaoaic32.exe
C:\Windows\system32\Aaoaic32.exe
C:\Windows\SysWOW64\Bhhiemoj.exe
C:\Windows\system32\Bhhiemoj.exe
C:\Windows\SysWOW64\Bmeandma.exe
C:\Windows\system32\Bmeandma.exe
C:\Windows\SysWOW64\Bdojjo32.exe
C:\Windows\system32\Bdojjo32.exe
C:\Windows\SysWOW64\Boenhgdd.exe
C:\Windows\system32\Boenhgdd.exe
C:\Windows\SysWOW64\Bdagpnbk.exe
C:\Windows\system32\Bdagpnbk.exe
C:\Windows\SysWOW64\Bklomh32.exe
C:\Windows\system32\Bklomh32.exe
C:\Windows\SysWOW64\Baegibae.exe
C:\Windows\system32\Baegibae.exe
C:\Windows\SysWOW64\Bhpofl32.exe
C:\Windows\system32\Bhpofl32.exe
C:\Windows\SysWOW64\Bnlhncgi.exe
C:\Windows\system32\Bnlhncgi.exe
C:\Windows\SysWOW64\Bgelgi32.exe
C:\Windows\system32\Bgelgi32.exe
C:\Windows\SysWOW64\Bajqda32.exe
C:\Windows\system32\Bajqda32.exe
C:\Windows\SysWOW64\Chdialdl.exe
C:\Windows\system32\Chdialdl.exe
C:\Windows\SysWOW64\Cnaaib32.exe
C:\Windows\system32\Cnaaib32.exe
C:\Windows\SysWOW64\Cdkifmjq.exe
C:\Windows\system32\Cdkifmjq.exe
C:\Windows\SysWOW64\Coqncejg.exe
C:\Windows\system32\Coqncejg.exe
C:\Windows\SysWOW64\Cdmfllhn.exe
C:\Windows\system32\Cdmfllhn.exe
C:\Windows\SysWOW64\Ckgohf32.exe
C:\Windows\system32\Ckgohf32.exe
C:\Windows\SysWOW64\Caageq32.exe
C:\Windows\system32\Caageq32.exe
C:\Windows\SysWOW64\Ckjknfnh.exe
C:\Windows\system32\Ckjknfnh.exe
C:\Windows\SysWOW64\Cacckp32.exe
C:\Windows\system32\Cacckp32.exe
C:\Windows\SysWOW64\Cgqlcg32.exe
C:\Windows\system32\Cgqlcg32.exe
C:\Windows\SysWOW64\Cnjdpaki.exe
C:\Windows\system32\Cnjdpaki.exe
C:\Windows\SysWOW64\Dhphmj32.exe
C:\Windows\system32\Dhphmj32.exe
C:\Windows\SysWOW64\Dojqjdbl.exe
C:\Windows\system32\Dojqjdbl.exe
C:\Windows\SysWOW64\Dpkmal32.exe
C:\Windows\system32\Dpkmal32.exe
C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 12460 -ip 12460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 12460 -s 228
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/216-0-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Ehcfaboo.exe
| MD5 | a1704dcdeed22c339cd145b513263da7 |
| SHA1 | 3b2b806f1650408c23c45a20c22a7c78a17cf46f |
| SHA256 | a85fe3688cde438d847f13861feee5e494efce8b16059f9ebe4816b1cb587b23 |
| SHA512 | 0aabb7bfb8ef67c7f2004a3e5f04c7086fa1a28e68b15c257d054ab85d6ecf676602fd6df1615a5fcfb415c1d7038177aee1d52b864ab40718434447639ce103 |
memory/2960-11-0x0000000000400000-0x0000000000442000-memory.dmp
memory/408-16-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Ejbbmnnb.exe
| MD5 | 3784b7343583c4178df066da3a2c151f |
| SHA1 | 9981460ed089e4b16527b1c852eb7d28729d242d |
| SHA256 | a88fe0b5196d850017ced7abf0cfe10f9e7ee740b6cc92ce14d9497739530921 |
| SHA512 | 15ff4dc7eb6df16982d76791002de6ece0ba0745345786c29e9abc6982c87252d56fc60714bbc2105cac856623fdd75f14a30ac95175802715631070acb5891f |
C:\Windows\SysWOW64\Efhcbodf.exe
| MD5 | d65585d65af6632002aad76ee864c1a6 |
| SHA1 | 9dad32326a78888108324d6ae1694056cd8b3956 |
| SHA256 | ef05be754d7c43b119fbc6389f146a89ff0fb14b0a2f760bdb0da7b4d690a4b7 |
| SHA512 | 0898d4260f472ff7878f8f15157f7afe7e76f6c843a8f53faf6c8496de39357122a35ad8e43a06b8516777c525b50555567abe15a337c470b99f31b0042b7f5f |
memory/3800-23-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Eangpgcl.exe
| MD5 | 08daeaef5cd31e1e986127bbaa5530d7 |
| SHA1 | 3d122fc9f9ab78338101cc7a59df8290107d4981 |
| SHA256 | 3d28a1fbd22562820852b3626b584cbadba76aef9a6aa47c2a78808afd8c1ab5 |
| SHA512 | 973ceed28408799eebb9df629d19cd4bb9d58f3764466e12308d9c0291f725f2355043ff0112c1bec4f815197f84d19e3cf5e79cf590b1a527613edbad88bf67 |
memory/3636-31-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Qnmghonf.dll
| MD5 | 5ade067e9af68c2323a6558b4f63ea3a |
| SHA1 | e6dfaf1d251e19e2af97bf8973569f3a20d34503 |
| SHA256 | 1e426d421656d889f56195014ec84200efc4f4d6be45677ec6d79917de2635f8 |
| SHA512 | 89ceaea4ef97605223296b7deeeb0028c27e5dfd88f2c12c2e9e7ffd438034618a0f40c30776a0019b77fd9f6255cdc26a091e4090a827909374b8992c01f516 |
C:\Windows\SysWOW64\Edmclccp.exe
| MD5 | 0b9bcd1b35151fe7970993fe13a616b4 |
| SHA1 | 4b241298fca5587923c00583987f570540403957 |
| SHA256 | bdb8511fff5a2072f820b83c21c9db8a63b913c03f986bbcefc29e0163a0ab64 |
| SHA512 | 42223e5264a8d49a126a327d8f4021b5d06fa6f828912c5fa0d26deb8de47878fc9f35ec75ec97e302912a2bfe58465b6dd525ba61b35d7b9eeb5772091bfd9c |
memory/4496-44-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Ejflhm32.exe
| MD5 | 68b1993dfc59b2852e58f7b578986c66 |
| SHA1 | 5e823f3aeb387b9de8c8fe1b0182cdb5699b0522 |
| SHA256 | dd870f32044c5edb7ab84f6f097a80bbbf80b1e9e2022dddbfdc72b4d4102f00 |
| SHA512 | 337b0889d61aaf170eb79b268518682415b2813e76fa7e51bc43f2e583b949e69e502f4811bf91945c7b1b0f567eceb05bf576c0f3c0fa76849eafbd8b654cb7 |
memory/1880-48-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Emehdh32.exe
| MD5 | b40e6ee5546d28b0209d6faab9449197 |
| SHA1 | 66629238b5e6d49df9ca896b612325616ab3622a |
| SHA256 | 1b248274813e3515557115eab6133ae8f62ae9f3e119edd7cc44d71e35456d65 |
| SHA512 | f599110cf5ac1c01800f817ae03365ca855018f503807ca17f80530c0b3110d7bd665056b59b7f13431ebffa7c5a784d762802a720630d819198fc1c9505bd28 |
memory/4968-56-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Fmgejhgn.exe
| MD5 | d72d6a5076ac2ca3558454d28e3da4f8 |
| SHA1 | 81fa7e4fffb7305c4b729663371a81eadf356888 |
| SHA256 | 2c61eb4549dc680595bd1aac8cdb74001ed6beb62c01d691f53844ead6682032 |
| SHA512 | 4cfe68b2be112ad6aa740ac9beea510b9b324061eccf73506de380cd581e78b40b9c5562690aa043ab8f7f4369d7709c68b323dfdf37b7e8169c673c201ce7c7 |
memory/2304-64-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Fhmigagd.exe
| MD5 | d6e4e4c02e71886f1ca7ba32272ff2f3 |
| SHA1 | f985c6d33d39009d080a921b1d452dfdc33c78d3 |
| SHA256 | cc769c11ef8cafea294b950dcc807f1f5d6d6f8998a5425e9eabefb21b64429e |
| SHA512 | adad42c1efd6c44e3a9ee907dcead54831b63a19e344c43617d20f7d4ad597eb49453356613063b69673443cc2099dc67a1ae68da3e44bce59db9acd7045b0fa |
memory/220-72-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Fineoi32.exe
| MD5 | 3c3d1bfb372eedc88ddfd43e26ed9d88 |
| SHA1 | 3aabb8e2a549180cd605c39eacd6cdf7e78ba2d0 |
| SHA256 | 7cf9d7299242ec66155c5a4e1d3222f119461a8a6574a46a2ed9124a4f8786c9 |
| SHA512 | 7a95030fbc594a22b5d0e8a8857c933d565e4a270b94cb5d30a7f8ef24231dbf942c000a761b584a974092dce33fc9d291b61270d65c243deaadf4681d19ca21 |
memory/4668-80-0x0000000000400000-0x0000000000442000-memory.dmp
memory/216-79-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Fgbfhmll.exe
| MD5 | f2ad67ef671395ceda011d38000e8f58 |
| SHA1 | d83c85c7a7ae26d65a1babc7b4c8cf32392bfa81 |
| SHA256 | c2f4c781b9797c95a25f73053af6f41dcabcd11523c19c814e80aa60411284a8 |
| SHA512 | 6c2634a4dc9b4bfd5ad00730272fc86e68ce35ac4ac60ed7ae6fb2af9267260551cf9d5a5467e11222ea50cc1dcf5d031663e71a59904ed735ea71e2b159e81a |
memory/2960-88-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2716-90-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Fpjjac32.exe
| MD5 | 2ca42155cafa4f47384ac7447f1e00ff |
| SHA1 | b4a2cd0482a72f95db6333d13c1a53732ebc55c0 |
| SHA256 | c661e5e86eced334e5ad1999b95245bcabbfa0f25c84e5ca5791a314755d8a47 |
| SHA512 | f31c84fb2e005267f73e3f3fa0f58046700d6fe83067064900bba741f43e61d3ddf7a7daed916f14eaaf952fe2a4babc8df6d2d55ac0352435ba3a9cdc8f6bc0 |
memory/408-97-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2640-98-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Fmnkkg32.exe
| MD5 | a03c3c4c139778a245f1e5849e20aa9d |
| SHA1 | aab517ab62e265e2f694ae0d44bc5e10bdaf19bd |
| SHA256 | b2ef349a19a468fac9beb55b9d473ab4045ba30901d0c4f1e51fd7c93218931e |
| SHA512 | 02b923c2ca7a7ade0192124772dcae96896f1ca83bf271eaff1bf8313e34402f5ea9b3a563c91054838b9003c8f5cd2d58099c35526c073c2f1150d50de54dc2 |
memory/3800-106-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2808-108-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3636-116-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3424-117-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Fpmggb32.exe
| MD5 | 2f9345418712e09af9eaab6c3674a54b |
| SHA1 | 77dae187c5fcde3e4049aaaf60aa46a3ce8915b3 |
| SHA256 | 0b54a442cdd84af75ff6ffc42cf5643b91eb26577583417642a884e2417beb73 |
| SHA512 | 006769a8230b8e60864ccf4a7d7b0cd66f64190f284b1c401bfa532c0a0735c529951dde05ac25e51821d363bcf161893b8edf3d4b3b6ff10eced3a04469537c |
C:\Windows\SysWOW64\Fmqgpgoc.exe
| MD5 | 145616b7c9bc0346eadf49d950a742d4 |
| SHA1 | c5ccfecc73043156c9e3847004eb6fb44b0fbf0e |
| SHA256 | f6506c66e12894f86bc0de280a5b00899d45f277d0209cf694c2865b11af66e1 |
| SHA512 | 47d4086ba2e2561de426aa228a54227202897a79186cb19496c42a1ed1a476a224cde0d5a6b97cd532cc6ccbcd4ca700f33b0f1161ba98dfbc5d4589f1030adc |
memory/3880-125-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1880-132-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Fpodlbng.exe
| MD5 | 99e03eeccf09005b6b5138e79251aed1 |
| SHA1 | f4d07bed776c4eedd5d6a1b2753511f0668a31bc |
| SHA256 | 11bd85711b2ba7b06b56005922f44e6a094d9534057b108950c25f7ecc34a0cb |
| SHA512 | 0709d3ba75c2c835a0ae92e9ce69f63c79fc78fcef0a595318bdbc0d9d42e2b654432ced704fd0553e1396ba08a7599ef328cb7d046f1b9591d5bb10221d8f10 |
memory/3128-134-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gkdhjknm.exe
| MD5 | 9f88cb4b69b7336f09b014365d4eaffd |
| SHA1 | 4f0f125d7c5eb46a1a5a95b9b7f84c2e8ccd5cb7 |
| SHA256 | 2b8a2e4656e5d92eb74dba33dfcefddd2934f9f881d956d584eeeea9ab500174 |
| SHA512 | 569245d07270c716a83055b4b0d4fbe8e4f73b1b90bc75b65e93de1bc6c8b3cd8fcd2338b493dce3296dd8dc17197e20834c5a2fc975f8814640c02eacc3f7ec |
memory/5056-143-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4968-142-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gpaqbbld.exe
| MD5 | ccc1e46ead86773349a5a4547556b2ec |
| SHA1 | cc7266e6228c63ceeae072c53f2ee320caa55901 |
| SHA256 | b93d4ba63a355e3b421a9fdb493a39f9f8166eee465e5ae2c9ee428b11cf5c55 |
| SHA512 | aff5766d3b490834ab087f2917038cae244d4604eebfae4c0d27c94011d0be9231536263d2e4ab2baae3afa4ff52f007f79c407d7de230f38f27912430d52278 |
memory/620-151-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gijekg32.exe
| MD5 | b26b349c42e85df91c6e452bf16ce33b |
| SHA1 | 97c733ead5636a17122bce178ed820bca30b3306 |
| SHA256 | b63fdba12f5f5265b72ca9ac07ec9e125927d30acf62e31ee4eeeaaedbf6610a |
| SHA512 | 09ed1b4a7b919ceb03d78788a791889623bceb6c358888d61eb8eadefc78967f9b21e0a00e3096cfaa865125b0ac79f63548195fd39a1f8d692e050c7f964936 |
C:\Windows\SysWOW64\Gaamlecg.exe
| MD5 | d892aa4f114a2fa6f2872984095cc112 |
| SHA1 | 4ed4b8bda18392b8747fe19e6e4394f4e97ea476 |
| SHA256 | e1e02d2561763ae44f5b2016433323fefb68430a197e1866a1b634a5c7c78dd4 |
| SHA512 | ae82ef9c1ebb1412c09f9f5f1ade8948e060b435bb9bb8a0b98a2015faac4e1dd60e7eab4d5b2be157222f849932b4e3ebd82b1f73ab7c48163de83491981303 |
C:\Windows\SysWOW64\Ghkeio32.exe
| MD5 | 87b2ba488513ba78d730239f5e069b60 |
| SHA1 | b1e97b468425e946164fd92d3e02250f23a56903 |
| SHA256 | c0eb0251d80b71134a95ece9a328c5e466a429c58f2d6bee3c5634ce3a3b0242 |
| SHA512 | f390240d2236e09b6be641a8029bb0a4dcca216ce80ce67e8282f070de190302a49a93af2e25c979c3a476e0095872d3842d93165be24d831e852b9664051021 |
C:\Windows\SysWOW64\Ggnedlao.exe
| MD5 | f8d91029290ea432a65f49f900d5e6c7 |
| SHA1 | 61bddddaf909e6bdc624e777640ccb1b7bb63dac |
| SHA256 | ab86b871854d405242e4677afddf2a8ffd8c33183e3255284bd7277193bc5b8f |
| SHA512 | 59bfec9e91177047c88ea5225862a5c1d99b7f25c3d055f1c94d27be988756dbba3395890ae06045898530de0ea30661fc971b4e321cd4570411873bf4546fe2 |
memory/2808-200-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3880-218-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Ggpbjkpl.exe
| MD5 | e27f3888e4ec30dad7b5010e9e136a83 |
| SHA1 | c9f1e8a4c7c009e44b1d79a90a4e9f097c382e30 |
| SHA256 | 3db11722d1aee08a80954edb6b4f4ae7d8a6c8756d9b6bc43b7a571bc580905c |
| SHA512 | 80245db19610a76f006d6b3d9a33b6a3b0f4a647dc59937182c1577c231cc30c06d7152db615f839c879cd856720cd5d8db24a64a31f76ffc9fe904fbf02bfb2 |
memory/1716-298-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2652-496-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3904-532-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3412-544-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2348-537-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3240-526-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4900-520-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4492-514-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3464-508-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4140-501-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4112-490-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2004-483-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4152-478-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4444-472-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3456-466-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1896-460-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3704-454-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3044-448-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4464-442-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3548-436-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4500-429-0x0000000000400000-0x0000000000442000-memory.dmp
memory/528-424-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3120-418-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4840-412-0x0000000000400000-0x0000000000442000-memory.dmp
memory/828-406-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4516-400-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3788-393-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3400-387-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4488-382-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4304-376-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2632-370-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2208-364-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4852-358-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2176-352-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2868-346-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1712-340-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4092-334-0x0000000000400000-0x0000000000442000-memory.dmp
memory/512-328-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2204-322-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1392-316-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3908-310-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1576-303-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4880-292-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2916-286-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1216-280-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gaefgd32.exe
| MD5 | 6c9ec608dd7089cf094de568eabd7fc1 |
| SHA1 | 013317372b1540cb0f841194a5c88bd396740f41 |
| SHA256 | b2cfe455af179f3f72e469cdca773a1b5ebb0af1de4f91a685c1124af508da75 |
| SHA512 | 21802ca40602c4e63b2fa1528e068c885b0ab642ecd60357eddf2406d407c1eefc0e3c7db59e68e5b277d6e02e76bc077dc12182f5ad33e8627a0dbefc4b4d77 |
memory/1740-271-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gnjjfegi.exe
| MD5 | b8ad6a06c1c8d626bdb08ff1aee00ec0 |
| SHA1 | 180a4394a445072aab48222a00cc86ccc8397b8b |
| SHA256 | 77f5c49f57289e81ccdab7f1e299e264499e9596627b3adfdafe4c5e5643c461 |
| SHA512 | df63b1e2ad1c7bc5488150c237615ff29b0ba83a2dd1c81324a28815b745ec9afb70356df5264d0a02583a6a876be48bc92797c59e4dfbf976a43a0e30dbded2 |
memory/1148-263-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3716-262-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Ginnfgop.exe
| MD5 | 92e7223802c408e5fe9244a7f3b5f4f9 |
| SHA1 | 61701dc4f8e691dbae9a57c6806a95f7848cd073 |
| SHA256 | e2544a52e96e3389735f45d53732db5555a2b34fc75f8396704b4c6a6227c1f5 |
| SHA512 | 2dde584be2a4c587b1a9f55e6fa73ba2a33c928580d24c03b8058fa9082ecf6c0ee71ec62f75a99479be2c4e003b9212b85bb0b2cd071590be8238670ae5eb77 |
memory/1244-255-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gklnjj32.exe
| MD5 | b4c77dda7c7fdab2429009a7a3d75bd1 |
| SHA1 | e27f687f750798687d3f202681bd795880521ab5 |
| SHA256 | 6e17f5c5f022c72e0ab2473441bdeb12306c3da44cace836297b27b090a2f84d |
| SHA512 | 7aee4e1725e0544a8cdddebab8a9ec9509b4f92d8dfbad12d7c835b5a2dc854d86f4da6d60d9e7a334cea2d9ca6622bc348b7495bbdd92d0d8558851f841bf4b |
memory/1560-246-0x0000000000400000-0x0000000000442000-memory.dmp
memory/620-245-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2236-237-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5056-236-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Ghmbno32.exe
| MD5 | 54faa466d6193e0d31c13c5997b957e8 |
| SHA1 | 762894039f5403c6d3ec9bcf07a0ecfc49a1e8a0 |
| SHA256 | fffbfe7c6197b0bfcf65e20f6ad9d17997577f97cb35e029e7610a0efc54fcdb |
| SHA512 | da9e8448ebdea397a673e0279e66e5471c47b718c8df3739f1635fa30d39cfe865a56dbb60e97b83542c9243344494435348ae074e57df4ad8e7681ec241a712 |
memory/4260-228-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3128-227-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gpfjma32.exe
| MD5 | 8a378f5a25a2d8af05d1f78c0d26acbb |
| SHA1 | bac3984b6e1bdfbd06f8ceb035bdd4175f728c10 |
| SHA256 | 2eab7f57ae061321ef02702fd962dee7faa1428324316b937bb789eb111d632f |
| SHA512 | 69e527616f4780e554312007b81646ed04a6fe9126b2841aca0392d307a316ff1bb1d39af857ec009bcbdf7905bbe2f3b0ce29a3bf17025ffe6e7765383d40a7 |
memory/3392-219-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gacjadad.exe
| MD5 | 0a51dbd61da3abe331634e986784a499 |
| SHA1 | 1f8052a09a0a2f8a7a549f06e26fa221f29ac6d7 |
| SHA256 | 312f7d684bc80b4e672b3515d3b9ba258660db94075307b01d8216b9e27a3c32 |
| SHA512 | ba2856f6b2145ec5a84ee08ec9723c7e87bc3e604a2c7380f5cd5835341da77f9be87f8c0b6d0251f0b685f1cf11a6d7b008c18e25815f6ca4d1cd3471a2fd8a |
memory/5016-210-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3424-209-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gnhnaf32.exe
| MD5 | 71444535c31eb6d49c357343c9cb1538 |
| SHA1 | d0acb86f8ab3b65c862b1ec762df33d4cd4cd436 |
| SHA256 | 1a76d1f8438786b56d2ff546136233f60a3f74187ac2a5a2c0f9fa5a468ac14d |
| SHA512 | 7add566f99f24a657b3a7ba35f836b9552914e3ab7fdec0aeb02a68f7c2c078bd5aa3c01307382a5bed788a52a240576660d0e9f3f2a30bcfc904fcb917f2ae6 |
memory/1704-202-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Gilapgqb.exe
| MD5 | 21d69a046420f8cb8204630394996090 |
| SHA1 | 78256488653c9298fdf14d95487edb6609949855 |
| SHA256 | cefd55a7a08b699a483c0f0e880a6f7da0b5eec5a696f77aa30aa1ed6f0f0efe |
| SHA512 | 2a5e9c890ded3366417f3cef74b3619e7fca6a6db88cfaf242bcc96885c3bda41983d89d21574f194536c3aca6bc64cf42794b4ff4f58700df9a34b568ad7501 |
memory/4080-193-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2640-191-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4472-184-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2716-182-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3716-170-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4668-169-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3232-166-0x0000000000400000-0x0000000000442000-memory.dmp
memory/220-164-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2304-150-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Nijeec32.exe
| MD5 | 36d25a6cd1a52b9c52a06ae8f45dcb14 |
| SHA1 | 58e8643f0ccef8476d850efada4794ae934d3d91 |
| SHA256 | 37f13cdd21281eb4093512443979f3518fa79e9272cbc50a2c6222ad4df4e97a |
| SHA512 | c6fecf09711085759bb2e1f398a6923f103948fdbb73917d9ecfb85950f905a0783df3ad6e83fdb79198bea58166803824c42feb0c4fa65a55d2e9d581c552bb |
C:\Windows\SysWOW64\Oaajed32.exe
| MD5 | 0af3a2160fcac229df347c92ce0c9cf0 |
| SHA1 | 0d79675572068cae2ccd202452c59eef1ddbd55c |
| SHA256 | 34c8434ddede71201fd2293a41a25da99b9638b3002c02ac6c92506c2bcd0ab8 |
| SHA512 | b086f19aca3b0af4da6bfedcf5e244cf38615b712f6ec9ed1f88b17c71f9008abc9e6ca5e9654ae622f7e4cf677fc25139c24dc64d08011837b5e3e812b2978f |
C:\Windows\SysWOW64\Obafpg32.exe
| MD5 | b53d65d389c96ab32cc13aa337438144 |
| SHA1 | d152aab7ae9f7d5c7e8a70654d90b634bd995c0a |
| SHA256 | 363511ebdfb53be79be130fe0fe757a8e8bd261d3a2484e871c9eca604d8b2c6 |
| SHA512 | daee482299620f89d61c08029c1036816bdd3b0a1f8739369bcda66966a3917664f0c4a4fcc6d11e6ba5317cc9c89212c3599e467a886ba88b7b0169f3e0e5db |
C:\Windows\SysWOW64\Pllgnl32.exe
| MD5 | 68dce603a4d19c957fee38761e3db8a0 |
| SHA1 | 71e8023145fbc506b78b0fa2d7d74b64678414cb |
| SHA256 | d7596d2d912d34a01b2714b2a7449549b8d39b46bbe377e96b9bba49903123dc |
| SHA512 | e743cef4661e55c2cbd94271de25de03013aafa1d5de2d9d360715ca0bc9980928b3aa09517a0b8328435e1471952598094f0b725fee6744b5379072a91c379b |
C:\Windows\SysWOW64\Akffafgg.exe
| MD5 | 7b0c2f905ec5b9e689d5af9977a2e955 |
| SHA1 | 686e698ecad2c0a7cb67611f63e823c7b264465c |
| SHA256 | 71bbc28fe4c130bd7d906caa1f6d1dab5384e4e33b95f234e73851462c58b740 |
| SHA512 | 0af31900c0a3bbef56f592aa18b4228125320156a45badfa51106259ab007b3232c58fb73b2f6183bce9161e2d3c93a1d2827c365b29818b4cd13bf54cb36554 |
C:\Windows\SysWOW64\Bkdcbd32.exe
| MD5 | 594a559b70f8fcc1210f1f5270f1043b |
| SHA1 | 3efbc87bba222135fd54cee44145d1bb92ddb10f |
| SHA256 | eaf6d05d800d8d0d4c32b074939b8a62411db0d5244ccdf2fc57056904f64460 |
| SHA512 | f01791a17e9f65ec8b72ddd47c95e1a4afc1a02be058b492a10f95f65a917b7ce92af8ab902a9300a86ecbeca8ca9acdf356ab023446685d115208e62f0e1962 |
C:\Windows\SysWOW64\Dmoohe32.exe
| MD5 | 003240f4a139987c0a31238c72529d3d |
| SHA1 | deca7ace65c7a08d100918ec1009c8fd37f31b3c |
| SHA256 | 62bacd2d06adf81333dbc2d23894cca90a8ee01729d3385880ddf3f183054062 |
| SHA512 | 761cd4c666b1430d77edf4c7f0fa1a76fe68828220995a557e512c3c224aacf64fd7b8265991355f06c9b6a97d9bf29c17421e3120e29ecb7dc50b7902ca89b5 |
C:\Windows\SysWOW64\Dpbdopck.exe
| MD5 | 96dced1cf685e1f56c79d3e67bb45c12 |
| SHA1 | 4a1d08882fde2874d3f8ed7669ad3f7544301ff9 |
| SHA256 | c63d353365cd307b9baba63f51f99443685d18fb8721e5b2a196f66dbfdd7143 |
| SHA512 | ee21ebdb28cfdcf1e138756474fcce793f6cf0375319f68e606ceaf48470b7c0caebc45b03ceb19bfebde5bb4b0040c16a921507d7c41c0be667fcaebe3cff60 |
C:\Windows\SysWOW64\Gigaka32.exe
| MD5 | ba386fdf6bda12796774bffe21cd8288 |
| SHA1 | dc9f5c3017a2a27bf979b661726573292f2a9057 |
| SHA256 | 9d95f415c34ceb4cc8613631dc74a6eb58fa3090fd1c7e29cec18ad43beacf2f |
| SHA512 | e585f6008eada644f11b0fda8b60f362d8e7a9841cc4e177647fcca3176e723349b545095a4fcb8629090e76467d9da804a2f830bbf0754b21f5b3893ff398a0 |
C:\Windows\SysWOW64\Gfmojenc.exe
| MD5 | 2dc6e46698a2409f7a1658d4d536a2f9 |
| SHA1 | b8acb99281b40434d165a26d4dc5f366c79218af |
| SHA256 | 274ba9b2c13ec6b1cb1429d3994143ae63ab90f0e9f6a9b1193a0d21100ed8d0 |
| SHA512 | c22403017469a10d7c5d5067347754eaa750d6871dfd90507350a4a8d851fd056be75e8c9c6f9ae95f01e894e1aa1bf58e344144e9caa298c4a499e5a6c3a9fb |
C:\Windows\SysWOW64\Gdaociml.exe
| MD5 | b5b48029e426cccb498c897abffaaac1 |
| SHA1 | 930ff29c999196c58a42d3a895c0aa11671c9f9d |
| SHA256 | 2ca7cef3fff3767efb405f8feb5553a976add2b32d20537d622b18b54a03e698 |
| SHA512 | 8828ff3cb86ddc7fcecde330c82778201e0dd2b20b0a1abbb88d320ba253d7ce291de6e787094700440eb520c635b7d3bae30cfa645bd25d850fcd8b9ccb98cd |
C:\Windows\SysWOW64\Hgmgqc32.exe
| MD5 | 0b68d82e010203de8dcb98057a4a66a3 |
| SHA1 | 28a3b216b702004685eaebf72b42557e1120e0ab |
| SHA256 | 355a93583a00fd0a15c06a94373874e0f8d76668d31a95a82907a8da7fd3eac5 |
| SHA512 | b12f90815ab0bef4d09624513407108fa52ba7fe4f0c27243e87627f2f79570bb31b98718ec8487bdba19bccb79947841420133d37df68acf7ad9ad5326b9307 |
C:\Windows\SysWOW64\Ipoopgnf.exe
| MD5 | 0a89918aa450d5fc49ef9fb531f9ccb7 |
| SHA1 | 7e6cd2461af36f031890b1c7f1df14ba83d1bb38 |
| SHA256 | 6b06a6951432c89c99687c0a976beab78a6d997434ba131f28caf955be33c2f7 |
| SHA512 | 9254c70633f363c09e2471c4091d5e44e8b2be67a18e3f96c89ddbf4616503a84555a816e08212b6c52ed27919f73f3b75ee836771268c99dd64e1658dda27a2 |
C:\Windows\SysWOW64\Jjlmclqa.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Jjafok32.exe
| MD5 | 00ab96719415a092014c090f9f4246de |
| SHA1 | 02b1ccc9392e98a435882f41845c4f7a6d074a63 |
| SHA256 | 8016f21f3d9aeefb175a72967179fd0ce34fff6e6dab28f0f64d9a2205c911f8 |
| SHA512 | 6261d2c199a847351ec6a5ca5d69b71ffbfbb31b69eb0debcebcd1fb9dfb698f15362d554ed315fd0098c01cc306df792592d1343a754687fc2924bd2fa3f238 |
C:\Windows\SysWOW64\Kmaopfjm.exe
| MD5 | 2bf76bfd5df2c7a41557cc752b3ab95a |
| SHA1 | 9993f5cde0f5248cc52ec263e442a39ba8d2891b |
| SHA256 | 3a3949dd3ddebcef32b103e263bb1496791a6fdc4fbcd7eb830ae7d490c1b7fb |
| SHA512 | 25d9814a9465d3e2d99854e787005bf2fa1ab0c62fe45763136b973d72842030b2ed69c45948f1f2c486774767cb29b5573a5431084cf627c5a36586ac54f097 |
C:\Windows\SysWOW64\Kcpahpmd.exe
| MD5 | 03c13ac1efea5ba82b173a35fe1bb1ca |
| SHA1 | 3fe2210ff926a8fa3d821f486f77fc3c82af1dc8 |
| SHA256 | de48edfab7f1d03da4bae9f2e24fd7cf2994367ff6b90e1f5a66cd104f18ae12 |
| SHA512 | 59328499f01f22f74404fec16b7ba2caa9c0247e1ac15ad163639a74f203e13d3b08ba2dee6efbe72921d7b6efb645d7e7cc04e6ce546799a3ac7a90a7863060 |
C:\Windows\SysWOW64\Kqfngd32.exe
| MD5 | a9409f77726fda71a380df53200d0948 |
| SHA1 | 28b16bd46c44494513d001d44fe2e63b37b73075 |
| SHA256 | 6283645c02cb857d5ec17d4b2ba762af23c6b2a278aa6848a39dbfa74832fde5 |
| SHA512 | 16269dd578794851a1d3e652da39a5a6029de1592f5cdf11518183a8b6a55cf2d84f7730181ff88e24a7ce364fc5548f63ec90f648d17a18c0c00c958e52727a |
C:\Windows\SysWOW64\Lggldm32.exe
| MD5 | 2d9c27f1a53668ba22300cbbbf19963e |
| SHA1 | c05c0bb3321c966a086ad1a3b130c9d2a7fccc25 |
| SHA256 | 531fc531f09e0f12c3f780efa20b41f75104acc44f99fe9e873d61104fad3446 |
| SHA512 | cfbb2b320b615f76a97ea891f39007a29e414d7eb723acaaa9c4ac8c02fe147002024c74211946b0ca09558d6e84d507db4b0a56e0ae97662678141d90bb1823 |
C:\Windows\SysWOW64\Mmkkmc32.exe
| MD5 | bdce8bca092298306ed4458b072dcb22 |
| SHA1 | 464809007a281980175a784263cc28a77d747565 |
| SHA256 | b196e3d8130e107709bc7f743fb0b07e40447baad23beb40ae803344eb80f0a4 |
| SHA512 | 24e19241b949da100767a873dcc13dc31efe89150d09442c383b81156f74117185109025db556529d6fc59b65dfbeb686778b72f6369c4d62b388472f31b453a |
C:\Windows\SysWOW64\Mmpdhboj.exe
| MD5 | 3c8130591b52551dba1f5971cebb259d |
| SHA1 | de51fc3b6d7288abaa5b1276cba41ed7cf9cd49e |
| SHA256 | 5c45319d09cfbeedbb7d5faff6c1f61bf52587f6f1975bb01760fe832631b6f9 |
| SHA512 | 6176f35c25e9ce5c28701443497f2ee1639df53d6cb24dbc009ecc73173e49ea963210ca760c6b12c850c1007c0e8c9af265db0d91e6ff4100cb72be14ae27b1 |
C:\Windows\SysWOW64\Nelfeo32.exe
| MD5 | 29a8a8d557320a54bc1358cd79886ea9 |
| SHA1 | ff4135e34767117f2ebf4f843f0d8e57ff27ab32 |
| SHA256 | 0c824ccfa234e50d8b420fcf4c6d61c74cf07a701ec71d9664af3f3c440f7c42 |
| SHA512 | 9af6ed4c5737c8b86b4f13616b9adfc4aed73023fd1fc11e8670798b4f3ff1f2838750094800909caddff2c2fef554a4aaf29b42a4bf349cd6bf10ec0dbf4bf5 |
C:\Windows\SysWOW64\Nnfgcd32.exe
| MD5 | b0f3e3f871172d5c2627eea6a04de3b0 |
| SHA1 | c1af745916c514b151ad8e7fb926e36b67e54e00 |
| SHA256 | 56b05c34a9bfb0b4bd0b3b21c91474a2054244c1cc4aa70fa0bb900a0fd1df9e |
| SHA512 | 492e39b16355387b6482452c06b3a06e98b8b13de951aba59726142c4f5dffd6db2dcaaa18e4e96db68dece7a13e9b52ceb1e1adfe0c51c314ddd650915dc9e0 |
C:\Windows\SysWOW64\Odmbaj32.exe
| MD5 | 337fb615acbb5d10244deb5262d76e31 |
| SHA1 | 1fb6dc9bbfece47b4eb7a400450a3cf51a52017a |
| SHA256 | 03a979d7c42517e45963e5aca92ae7bb1df7e3fbb4f57f1919f442f8b76de70e |
| SHA512 | 90ecd5195badbce8e131608e6a900c4b898e917953e049937842415bb657ce9cf0e0c09412484553de83e828a405be8bd7efe4205966f630d4a25cc42bec4e56 |
C:\Windows\SysWOW64\Pahilmoc.exe
| MD5 | 63f6d51ce5265541570932d321f9dc17 |
| SHA1 | b257935280ff9302ddd0920f4b140c6b83ba7697 |
| SHA256 | 853a0670b0ac3dd51bd8995c52b693fb84c771cec216040824cbb3c0b257437c |
| SHA512 | 167f096f8fbb1707494a95e4a81f39ad6a4a1d011209ac5218d08ec0bb0d2e5e58eee7e3b0e9392952e2bab26845ed1d043bf5618c85a81cadb4df2679e53d4f |
C:\Windows\SysWOW64\Qklmpalf.exe
| MD5 | 8cea2ed59dfaf374ec51d8aea4718503 |
| SHA1 | e303d3a8120eee38ea5261efc8a9ef36d2a6152c |
| SHA256 | f088c7f171109bc6a1d02c54b45b40444331ee5e51fb539bb156133322b5ed75 |
| SHA512 | 512191088fd22ebcee80687cc44b0d4be0a2712311f1920712249dfa67bfcde838e68a14af264bf4516d33354ff27db107ca17172275ef05e868d49de3100b7d |
C:\Windows\SysWOW64\Aaohcj32.exe
| MD5 | 7fa65030383bd53e846f023cf07fd692 |
| SHA1 | bea7ef52d4e76d5d1645c4d909c373bd0936e726 |
| SHA256 | 6219f4cca5a066622b7fb160854f244f5d65ef546390d6ba6acda89847f3a150 |
| SHA512 | d5a336c42fb044cb91bed02211d00b017075393a384f039e9db172dbba49b05c9c98af68dd81a6b9f5b34f0d8d5d6d803834ed146b852d8d16af1d5c46324742 |
C:\Windows\SysWOW64\Bnkbcj32.exe
| MD5 | 34353ff1ba6fb713304f79f0057e2e41 |
| SHA1 | 59076df3ec487e90f3d6636043bc95543b46bf56 |
| SHA256 | 1ec5130c358d0b448d129c5a8078b614f952048ba7e7ab11b4251a84b17001f6 |
| SHA512 | b0f509958ef04563ecd00fe7636a1bcb5b38b607f2f1c0e4d80d3cc131bd8c9cd3d86a2337f0219879ade4c0b0d16669b86d54d3ab52d85b8548dd13604c84ea |
C:\Windows\SysWOW64\Cnahdi32.exe
| MD5 | f5984308662ea13f4e1135498c07096a |
| SHA1 | 2e35bec3aca89188c46d1dd2cdc371f1454b9a02 |
| SHA256 | c257bc610ecb0434b37b52b7df87b78352ddfd434db0c69f42c796b547e27156 |
| SHA512 | 04ed69fcccb0f470346e0171b03f412a6c5a5557d2092e498218b2b45e95ba5335506c16fc7daaa4b3163758a1bb7e13e6fbce94e944550ea88837367ae70fe9 |
C:\Windows\SysWOW64\Cbbnpg32.exe
| MD5 | 14ad984b202d9b75c0ec926e79baffa5 |
| SHA1 | bdbd152ebeba66ee30f1de9321291a44675c5687 |
| SHA256 | c5a8542e6a76b3017d6a491c2b25e655ffbf0c82a66ba5cce8c8fbb80179dc2f |
| SHA512 | 0a5087d70820a53db8c10b4190027a8f446ceaadef3209d8f9ead17d4f955cc51f718fca0986a07ce6c96d62f7e4d8a6c135c80d324615a0522245255f04f6cc |
C:\Windows\SysWOW64\Cbfgkffn.exe
| MD5 | 248c861d71f50eb2c67577f935bf41e0 |
| SHA1 | 29a27e09d395ef0843586026c54c2d63d25cb7a7 |
| SHA256 | 44bf6b689b22c2958a0da889361b7d901b939640a4b2a0b11df995a5ddecad92 |
| SHA512 | 387172a52af0d79778e456b3f92b94c2e2801f0c04ae6cf3613bf78bea6ace0264151b7863656dcecb31bcaf6aacbde0775e77bc3d74ec535bae139858038967 |
C:\Windows\SysWOW64\Dnpdegjp.exe
| MD5 | 3e9553a534b764a4ee28823a7413868b |
| SHA1 | 5496192e6df599c11c750decd09f22b58b980165 |
| SHA256 | 229749d815e71832e4ea4bb296fc5813cbaa35a25d0bb216cf2320c40e941913 |
| SHA512 | 498368ad711e96875d7bc968a297cc88738ee3bb6c44fdf7842f660b8002fbf04a013b6b372a265c966043689fe4a83039de585b7482285b00869b82ff32d26d |
C:\Windows\SysWOW64\Dndnpf32.exe
| MD5 | f50517d67a700af6dd737280e7fe6c9d |
| SHA1 | 732b2b5a42813040d9e9279e2eb320c6527bc90e |
| SHA256 | 27b70a6584acbef0b804cbd0b70549e912f7e686b8fcf4f4d7aa30976d7ed4df |
| SHA512 | 23c48f6062b6a37dbc376d54556a7afe77d57b53d3dd18c5951b3fc67e2df2a3b57b030e7f9e3a2504dce3bbfb4d19378ec3151f57387d353b7733e12ce336d4 |
C:\Windows\SysWOW64\Emhkdmlg.exe
| MD5 | 6048f958502fc05d8d3f90a64878dc9f |
| SHA1 | 64679e8c5c57472aedaa954ae4ebf2178076dc48 |
| SHA256 | c87ce1bbfede219020b47da69c1be1e7d557b182fb23e67961eecbf3ee11a1c2 |
| SHA512 | 4d1000a79a69e04a1d488efcc50a98ccd38f5c877fbdec5067e9a40dbf61a9f3aebec63d972c26e2cd89581f637b5af66bdf00202a6ff11030300753f618ccee |
C:\Windows\SysWOW64\Eblimcdf.exe
| MD5 | ec0beae203050f8c968640fb2a3507a8 |
| SHA1 | 05471325e0448ce1c0bbfddf6554049ed3fb883d |
| SHA256 | ec6be0a83578d61a34338edf51dc9e17d01a32184f01fc1205c0e2054ab43d0f |
| SHA512 | 59c364205cb88577641c9762fa5fc594311eb18af5a623a60eb80c152fc8b333f5a3c4755ce69a6a2b21c5bbae42476de108efb8ece5fec6d58f754c058eaa04 |
C:\Windows\SysWOW64\Gncchb32.exe
| MD5 | 37e4ef11f8e476fe3c8120d49f851795 |
| SHA1 | 38848e6faf029f882093ece53b20428e843b018e |
| SHA256 | 53a1de43d4a64f0e595afc85e5b0da288520ecfaccf8e604559182d2ce603064 |
| SHA512 | 78e7762b37cd97f70994a5fd9ec4cc71f7b175db7ee7af4dd32863274a4dfacb7507d048dbc376c8bdc69c150a06f1fab7594c189686f4c96139a8298bc30bff |
C:\Windows\SysWOW64\Hoaojp32.exe
| MD5 | 4af0eedd3abf6441d3547e9f70c16654 |
| SHA1 | 2fd969ed5756f81c8f15b7b02d4dc40da4630485 |
| SHA256 | 001ad72537a5bebd54c8257cbfda9e496cf68de675f11ffe65810cea595f1b84 |
| SHA512 | d95eee8c4b028c1d5963e02c5b6ded14518cff3f462c59a38ff9457d09e4e84599f8d929fb51227b82d22f00fb794611f2ce1626e3823be221727a2dc18627e2 |
C:\Windows\SysWOW64\Iliinc32.exe
| MD5 | e2aff3ffc5ee1769a4167808734b1ff7 |
| SHA1 | 3536b867cf8d9b2b824088ae93a1d3d8d7411947 |
| SHA256 | 9349f19770a3237dadbd94cd07287f499f90d8713d1ab48e6d4e44e855078c22 |
| SHA512 | dfa23c245818b82bad24c57b3f4ca553c4877ee40eba5c01b2befd1bcaf5f61ae0bb901b9c94bda9bedc0057a02ec9b7ae32f775eacb2838868b3a89375ef15d |
C:\Windows\SysWOW64\Ilqoobdd.exe
| MD5 | 54b6c3f96dd37e2c81dc9e3fb583f15c |
| SHA1 | 24c3f2067a7eb4fb319b1fef9052cf23332fe596 |
| SHA256 | 6e3f2acdcee771fb8b777b13ad2c6f68f5e7bbdec15436f498ce919c1bf68dbb |
| SHA512 | f7a9492e0fc756a68067be1e456d5e7e40bfe5aecd4752d323dcd75e6fb4040c84893d86ffdbe263b733124b437ca4d599071bac5800a8a27e911d80c845f576 |
C:\Windows\SysWOW64\Johnamkm.exe
| MD5 | 693e386739e8389b32a96d82fbf239f7 |
| SHA1 | d578966cf724597404e758b9aa35452af78b0bed |
| SHA256 | 3e2bd7d7032f74deb26dbf52e7a26b7df438ad4612e049d837e012ce00e266e1 |
| SHA512 | f0d06185066ec36843c2e498827edbdeb88c3f3ef682eaab6fccfa65cc5dc379651ea70ff8491e84bc1e64792f0cb72549849f3689ec6ce8d5a0d43fdaca58eb |
C:\Windows\SysWOW64\Kjblje32.exe
| MD5 | 8befaf7008b9f99da2c6e1862bf5034d |
| SHA1 | ac360bd2ca9915c14e84c6f170c4954b3ec6ebaf |
| SHA256 | 2ed73649bf9d5c8a2c16fa50f8101cf170b487fec77a405bc004c0e2bbbbcc03 |
| SHA512 | 4ee916d5c09b7efb4170a00babfa388e01781864b7aeffc788122af1c803ade888cf66eafa532382bfc773f3fe69f3afceae0047ac206474c3eecdd2705b1bc1 |
C:\Windows\SysWOW64\Lopmii32.exe
| MD5 | d5a1d2705189a08e6770875a2ad6561b |
| SHA1 | 9cc662a43345c600e5711d4a9d4a2cce3497e02e |
| SHA256 | 8d6a7b011287114781160e495b67ea73d17d91c652f7f643af9df8e32af818ce |
| SHA512 | 82ca7f7e1d59144e0c848a09d4c624f36b731cd552c85368cb220f3fdb769b428ca0d55fea1c2d4124f9bd5133ecf46b5e3a072bcb241ce59997c811c790bcfb |
C:\Windows\SysWOW64\Mcpcdg32.exe
| MD5 | 33ad48432877761d724fc059e3d1e835 |
| SHA1 | d6d22e34087a73b50fcda20f93608cffb71079b3 |
| SHA256 | b622250190526aa8810699e60ebbfaff150f3a71547b7836f040c2d893243bdf |
| SHA512 | 87aa6a2e5efecafd0543de7910a37401f0512c55b9e6b2bb59daecf70f39eaf9309464786137b4cf8f8d6391eaa5960f4a1ceee692b40c5dfa9de32995c01bf2 |
C:\Windows\SysWOW64\Mqfpckhm.exe
| MD5 | 037c6cc769a92bc2cfe48039e3882cc8 |
| SHA1 | a0ff7b2fb34688c3e7ef624d0a3ce185ac75ac5a |
| SHA256 | 3a0c54277ea46b245b42f02006699c9e6c57048cbad5a0deb90e757f283e8a7f |
| SHA512 | d519edb40f4d2ae0a5f186027c50c4f2b9157b28838e888fe8561ad47c7631947cb004eefdb89a056ecce616100f6ff99f4eec3d3ba57140c261497271a7f9d0 |
C:\Windows\SysWOW64\Npbceggm.exe
| MD5 | 7799a1a973b55a462f8ecb30cc6886ae |
| SHA1 | 3d7fc7bad30f57015697d09064663080bafb5d0d |
| SHA256 | ac28f5f3c68c69a7cc2c6cad4d1bcbbb8ce55ef641e1aa8a85782f6dd5c107d8 |
| SHA512 | 38695d84c081bfb104f6c0144bf5df82129ac4973a6fb4a9ec956e1059ff6053ab10d8abf77f14b96385c171159108af1bfd63791f00b746acb2afd45e591b69 |
C:\Windows\SysWOW64\Nnhmnn32.exe
| MD5 | 96232c4aeb812bc9c03f6bbf81045da4 |
| SHA1 | 76fbcc93581e871966649915ce2c16924fdc3edf |
| SHA256 | d65a4407c625ce9f18d3878b282d42baaed259dfa63f10cc8cf9148f17ac8892 |
| SHA512 | 86227a8e05620a2f2dc612cbcdd1ad6a137e03a883f35a3beb5fdb974c2f46d191e4010f6bcf52b857cacc05afc6b1fe787aa522effdaa84ec100e528f791523 |
C:\Windows\SysWOW64\Ogcnmc32.exe
| MD5 | 8ee240c7550612d7d3620bcae506e9bb |
| SHA1 | 480307d0ea6ed76487569fb485323d43082e3a67 |
| SHA256 | a170c562cc4e820917ebc33925648274364c6c3cdd4115e7d6a6b585cae7bea9 |
| SHA512 | faca3fa02821b4b24a823f13ca088b8872d3dfc38b8771e52107ce4e0b86931e93f04520e1b125aa1793a130eb5d611f3c74dc012a4990cbece5647d47d66db1 |
C:\Windows\SysWOW64\Ofmdio32.exe
| MD5 | 8345bbeae2229d2a758d116e3585301e |
| SHA1 | c9713a42ddf60f0359a1afdace350814f5b08204 |
| SHA256 | 56ea34e816f29f5e4f6d30ba51ca3bfb9dc5dbadadc6f178441dd0de169f01ab |
| SHA512 | 8bec53bfa69256229db30b16a74419aafe7490ff5190fbe8c54038ed01623cf235bf3ffbb7f854cb9c852e8fa63e88d5cddd459806915b493dbe33caef11a9da |
C:\Windows\SysWOW64\Pnkbkk32.exe
| MD5 | f52656038485aac3a68a316a0b80b6b1 |
| SHA1 | 7b0aa161df15a8e37fd2ed63636c6b3ba3d7c664 |
| SHA256 | 60870819b319e4ca8200e49c0b01f08377fc61f881ca599f488d1c586f3bb5eb |
| SHA512 | a88b0f249c3dde5833cc754a57334d668d209dcf09c5ebe5bbc6b9ec6870be8833e3b02ddda46e9bf968c04a879dff5d802d0ec23add8ad8f7c599cf2c3508a4 |
C:\Windows\SysWOW64\Ppolhcnm.exe
| MD5 | 00648006c67037aca89d21cf5b8f5085 |
| SHA1 | 702897d011986359e96872a33768dad7865d3da5 |
| SHA256 | bbe5d7d246626faf961cf87932d1f69c57049fa06b50806c722a49f4da70232b |
| SHA512 | 5dfd285bcff704cadc398c68e76a0e5e3de8407f0843601f90d3b9d57470e5cc895c0a481aad4ce7f616a8973dc82b0c5e0bb23919dd47d7f78bfcfedb4f9d1b |
C:\Windows\SysWOW64\Qjfmkk32.exe
| MD5 | 0dbcb9c036b182d616cb303615f1ebe7 |
| SHA1 | 9ae2ed67f22592eb30dc1fa41ce4671f86f1c938 |
| SHA256 | b716e6f08dbf4fcd963981fa97106d5505054b138fa9b9d46d4c9a7f3035654a |
| SHA512 | 5806c686a61547b4b83031a771a3d766b956cf947c4e3aa9df9b8288691de6127cf9aec8e0cddc46eebfcc481e059d10854882a2645ef134ed7a6364b8c9fe52 |
C:\Windows\SysWOW64\Aagkhd32.exe
| MD5 | 45b83a19537b1b3887fb9e29321a9afb |
| SHA1 | 3b964f18743ee4f3e0e02822d11dc433a1918191 |
| SHA256 | 09eee2b530aa933c0eb53809dac705d2911e25a97b08c1c1f469279d291549e6 |
| SHA512 | 6d1694f264ed96aaaf4f86401783641fa07c710b7d95e263d5daee1da2b525bc5f5966cedef1ecaaed98e18bc095bc7f07b7eb7487e127c1e6e0730ae178dfae |
C:\Windows\SysWOW64\Bhhiemoj.exe
| MD5 | de8159735ea0885bd4a7211b8e0836dc |
| SHA1 | 0b794800b9c97e2eaa977a79edfff2c525ae0287 |
| SHA256 | d56b769f08539358d53ce6de6cb17866cd2b3a079cf9b99997aed00486c61c51 |
| SHA512 | 98e9bfb215bc72402f2a096e00fc8b6b2cc25b74c9ed4f6f25f7f43e669310bfaf0bcd58c8a212e95bb49d85b11561dc59ae9dd3479e84ac3f147783a46b5fd3 |
C:\Windows\SysWOW64\Bnlhncgi.exe
| MD5 | dd284b7d9e2b9649cf3642472d6110f5 |
| SHA1 | 6b23e8e38568a91185b457754a030f842672cfe9 |
| SHA256 | 66e013a193be0e7aaaec1bc0fd473d3de451845c35f2dca66b52064552b2be2d |
| SHA512 | aa8089fcf0e2e2367af9d765509f9ae7993a14be1bb3ae45ce5fb49467e9bc3c3dc04a955b2c6d9009153aa0b6fa7da7fa12b095526b99f5ef5ff1d1bb61e7d3 |
C:\Windows\SysWOW64\Bgelgi32.exe
| MD5 | 6d963cf482e308b9edb191ba774a55ed |
| SHA1 | ba2d1af1ff7eda2fb545b70152e9aeecc8c4766f |
| SHA256 | efcbe0d5cb8e1dba244b6eabaa36916fe8973470c65d7beb4880d2d1af790360 |
| SHA512 | 0d9af07b61ea6fe86e9794a11ecfa0bf916a69d2dffd267ae2577ac021da00638b7c2800077f6398d865b2e45c2619bf4ebf7df804543e0b8e0c1560dcf4eb2f |
C:\Windows\SysWOW64\Ckgohf32.exe
| MD5 | d04fa68819bdd11dba6a9c7b66f6118c |
| SHA1 | 8c0c541329b0ea5eec732997b2ed75bffa4d6286 |
| SHA256 | cb8a4497bc4f9bba97b8474259eb05480d73673647f79e6ca2bd43fff1a62b3c |
| SHA512 | eb00a8a7869f14f912452204bb3a11fc4b32228ff9a02f6f54d3c94c2b9ee1aa5949e3700396c19fd548b8e80fa9387d3ac6261423161de590ba13fd29b106bc |
C:\Windows\SysWOW64\Ckjknfnh.exe
| MD5 | 4bf921a7dbd74f0928027c5812061d6b |
| SHA1 | ff3fcc600d4e8c557931f166f15daaf5f5721f27 |
| SHA256 | 8972055b4d594c3814f99c0313eaff204256bc52841055047ed561aa33e11076 |
| SHA512 | 4f2afd27765dd14a3c853052ceb294436ae6157e5371b2f63b2e60392119edb68c4bfbf3429aea6289c60c2402ff653007875e04bc36dc598d8924b0f6ec4823 |
C:\Windows\SysWOW64\Dhphmj32.exe
| MD5 | 8a539a9b21c1fab16cbbc25c8de7f376 |
| SHA1 | 6f82af3442c6344e14ce42f248aadf361e61bc25 |
| SHA256 | 3f2b6dfe3a301183e6dacc746761c29492285547443d87d9f4f35a4f15acd42a |
| SHA512 | 53a83c6fa5a259375b9be14014c3c1fa7f1b37d323d5ae3c0022388a7b80a6f5e1fe25e6df1042cd13fa330e6f8a3620e0732b833bfa1cf2cc2507e0cb811dd7 |
C:\Windows\SysWOW64\Dkqaoe32.exe
| MD5 | fa10c44b9b0008273780508e9fe2b709 |
| SHA1 | 264f81999f6bfdc28b8d2ec7d687bcd29f9059f4 |
| SHA256 | bf3bdf63e8bc9c8cecaaf66dc3ec4c56972a308759f8da4d0cfe9e65ea715593 |
| SHA512 | 66b2f410171464390c52f63ff3fbeb92889a3d7794e78737bad28423a8c76693d90e31c46644d7b7a0b98cb912de0c5b95195a3da2cbf662b0b38c1a72c2ad4e |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:20
Reported
2024-11-10 01:22
Platform
win7-20241010-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfbelipa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oappcfmb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ocdmaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Oappcfmb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nadpgggp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nadpgggp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pfbelipa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ocdmaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Pndpajgd.exe | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| File created | C:\Windows\SysWOW64\Apoooa32.exe | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apoooa32.exe | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| File created | C:\Windows\SysWOW64\Cklfll32.exe | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cklfll32.exe | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eebghjja.dll | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pgbafl32.exe | C:\Windows\SysWOW64\Pfbelipa.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmmfff32.dll | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aheefb32.dll | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfbnoibb.dll | C:\Windows\SysWOW64\Ocdmaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Odlojanh.exe | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Blkioa32.exe | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| File created | C:\Windows\SysWOW64\Beejng32.exe | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mlcpdacl.dll | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| File created | C:\Windows\SysWOW64\Amcpie32.exe | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cddjebgb.exe | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipfhpoda.dll | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajcfjgdj.dll | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Paenhpdh.dll | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| File created | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oilpcd32.dll | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Odjbdb32.exe | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjldghjm.exe | C:\Windows\SysWOW64\Oappcfmb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pbnoliap.exe | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lclclfdi.dll | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agdjkogm.exe | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhhpeafc.exe | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Okoafmkm.exe | C:\Windows\SysWOW64\Ocdmaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Napoohch.dll | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bejdiffp.exe | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdoajb32.exe | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| File created | C:\Windows\SysWOW64\Eoqbnm32.dll | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdoajb32.exe | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Olonpp32.exe | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgbafl32.exe | C:\Windows\SysWOW64\Pfbelipa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Piekcd32.exe | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aobcmana.dll | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amcpie32.exe | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnhbfpnj.dll | C:\Windows\SysWOW64\Oappcfmb.exe | N/A |
| File created | C:\Windows\SysWOW64\Aijpnfif.exe | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Blkioa32.exe | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| File created | C:\Windows\SysWOW64\Nadpgggp.exe | C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nadpgggp.exe | C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocdmaj32.exe | C:\Windows\SysWOW64\Nadpgggp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Okoafmkm.exe | C:\Windows\SysWOW64\Ocdmaj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Odlojanh.exe | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cddjebgb.exe | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhdmagqq.dll | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbgjqo32.exe | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| File created | C:\Windows\SysWOW64\Llaemaih.dll | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjphijco.dll | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhfcpb32.exe | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibafdk32.dll | C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | N/A |
| File created | C:\Windows\SysWOW64\Daekko32.dll | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oappcfmb.exe | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjcceqko.dll | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdblnn32.dll | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceegmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfbelipa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nadpgggp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oappcfmb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ocdmaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Nadpgggp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" | C:\Windows\SysWOW64\Pfbelipa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll" | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ocdmaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcceqko.dll" | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll" | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ocdmaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" | C:\Windows\SysWOW64\Ocdmaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibafdk32.dll" | C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll" | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daekko32.dll" | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll" | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Oappcfmb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll" | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll" | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfhpoda.dll" | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll" | C:\Windows\SysWOW64\Nadpgggp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll" | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aijpnfif.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhbfpnj.dll" | C:\Windows\SysWOW64\Oappcfmb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe | "C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe" |
| C:\Windows\SysWOW64\Nadpgggp.exe | C:\Windows\system32\Nadpgggp.exe |
| C:\Windows\SysWOW64\Ocdmaj32.exe | C:\Windows\system32\Ocdmaj32.exe |
| C:\Windows\SysWOW64\Okoafmkm.exe | C:\Windows\system32\Okoafmkm.exe |
| C:\Windows\SysWOW64\Olonpp32.exe | C:\Windows\system32\Olonpp32.exe |
| C:\Windows\SysWOW64\Odjbdb32.exe | C:\Windows\system32\Odjbdb32.exe |
| C:\Windows\SysWOW64\Odlojanh.exe | C:\Windows\system32\Odlojanh.exe |
| C:\Windows\SysWOW64\Oappcfmb.exe | C:\Windows\system32\Oappcfmb.exe |
| C:\Windows\SysWOW64\Pjldghjm.exe | C:\Windows\system32\Pjldghjm.exe |
| C:\Windows\SysWOW64\Pfbelipa.exe | C:\Windows\system32\Pfbelipa.exe |
| C:\Windows\SysWOW64\Pgbafl32.exe | C:\Windows\system32\Pgbafl32.exe |
| C:\Windows\SysWOW64\Pcibkm32.exe | C:\Windows\system32\Pcibkm32.exe |
| C:\Windows\SysWOW64\Piekcd32.exe | C:\Windows\system32\Piekcd32.exe |
| C:\Windows\SysWOW64\Pbnoliap.exe | C:\Windows\system32\Pbnoliap.exe |
| C:\Windows\SysWOW64\Pndpajgd.exe | C:\Windows\system32\Pndpajgd.exe |
| C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\system32\Qgoapp32.exe |
| C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\system32\Acfaeq32.exe |
| C:\Windows\SysWOW64\Agdjkogm.exe | C:\Windows\system32\Agdjkogm.exe |
| C:\Windows\SysWOW64\Apoooa32.exe | C:\Windows\system32\Apoooa32.exe |
| C:\Windows\SysWOW64\Amcpie32.exe | C:\Windows\system32\Amcpie32.exe |
| C:\Windows\SysWOW64\Aijpnfif.exe | C:\Windows\system32\Aijpnfif.exe |
| C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\system32\Abbeflpf.exe |
| C:\Windows\SysWOW64\Blkioa32.exe | C:\Windows\system32\Blkioa32.exe |
| C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\system32\Becnhgmg.exe |
| C:\Windows\SysWOW64\Bbgnak32.exe | C:\Windows\system32\Bbgnak32.exe |
| C:\Windows\SysWOW64\Beejng32.exe | C:\Windows\system32\Beejng32.exe |
| C:\Windows\SysWOW64\Blobjaba.exe | C:\Windows\system32\Blobjaba.exe |
| C:\Windows\SysWOW64\Bhfcpb32.exe | C:\Windows\system32\Bhfcpb32.exe |
| C:\Windows\SysWOW64\Bejdiffp.exe | C:\Windows\system32\Bejdiffp.exe |
| C:\Windows\SysWOW64\Bhhpeafc.exe | C:\Windows\system32\Bhhpeafc.exe |
| C:\Windows\SysWOW64\Cdoajb32.exe | C:\Windows\system32\Cdoajb32.exe |
| C:\Windows\SysWOW64\Cklfll32.exe | C:\Windows\system32\Cklfll32.exe |
| C:\Windows\SysWOW64\Cddjebgb.exe | C:\Windows\system32\Cddjebgb.exe |
| C:\Windows\SysWOW64\Cbgjqo32.exe | C:\Windows\system32\Cbgjqo32.exe |
| C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\system32\Ceegmj32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 140 |
Network
Files
memory/2996-0-0x0000000000400000-0x0000000000442000-memory.dmp
\Windows\SysWOW64\Nadpgggp.exe
| MD5 | 81e8dda9b761bb889671784e39418619 |
| SHA1 | 4dd2aef8a88b046572ce5a22abe81939504b9f8d |
| SHA256 | a272f645de76a7287fc54037f72ac6b201b7e0e9985ac85e739908b959b91e4d |
| SHA512 | e4e293982ee31804e2511a0559b1389d5070e32904dd34f1bfab653611acc7f99be00bcefc35eab1b8297a7d0e74310b5c9b39b4dc3a620544ac8b8d9dc99cbd |
memory/2996-7-0x0000000000280000-0x00000000002C2000-memory.dmp
\Windows\SysWOW64\Ocdmaj32.exe
| MD5 | ca4f21228c9f23c51655643424e1cdbe |
| SHA1 | 74fdc1a9def929d9cac4d19495892ad96f6c9e15 |
| SHA256 | 53f4139bf9ceaa3630fd54666ac5871f842b899b4e40760653d9dc7ca3ab90bd |
| SHA512 | 362f314ac11861b917652c79831c9010c2f04c61a454f187f6c04aa2b41ebbba4da717a1465e1d38470bfff8297dba3405f6f98696eecd61ba1dae82aeb9ca05 |
memory/3064-26-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2808-25-0x0000000000260000-0x00000000002A2000-memory.dmp
memory/3064-34-0x0000000000250000-0x0000000000292000-memory.dmp
\Windows\SysWOW64\Okoafmkm.exe
| MD5 | 5c614aba482095330651b10b7a8f0e9e |
| SHA1 | 8cc7ae61c97b983cca0d0024fa5713f93bd5b7ed |
| SHA256 | 35cfbc832242732343e5d6b9bb1ae372015547cecc795dc7361a76e429c46a89 |
| SHA512 | b9c61c78088b4752181cce02be19a70da3cc091a12d9fa045bbacb8b8f0fe58e6c61e644567fedf1e29e9e0e76b0665373e84a0b5b86be55790e2c710901645d |
memory/2644-40-0x0000000000400000-0x0000000000442000-memory.dmp
\Windows\SysWOW64\Olonpp32.exe
| MD5 | 28b361cc91feeb2c9df63b6240407d89 |
| SHA1 | c099e6ca01fa6f06c44d15f8d1c7e10c0320aad3 |
| SHA256 | c5b65ff0cc107fa73a502ff3657c471d7e07fad1beac20180d53b2aedb58bcf9 |
| SHA512 | f7acc8795b131f6b8e0f81ab376523d253cec4fa86ac6a223b492c28752aa3ab45ecc0ba296f540781d9c609ffce671ece9e48502220f010073dc82477d5b8bc |
memory/2996-52-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2524-54-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Ajcfjgdj.dll
| MD5 | 05fdda8879e2e3de5cf4ef493a8fafb7 |
| SHA1 | 44673720833f650bd1b252b0c4164d2d7a194903 |
| SHA256 | 786706b0602cac6e9458c8f81ef0e8fc6742cb310b58366d3cbee0916a8cb9d2 |
| SHA512 | 610add54a32672d75c47ff1bc22c1bf072750b713be0dbc2e7ab9d73e66a0175a87ef425f2b8b6f5c4340264ae7c73da966dd72abade64bc1493a7acfbeb14e9 |
\Windows\SysWOW64\Odjbdb32.exe
| MD5 | fe8847e1ce8e75d6c08e3630905acfa9 |
| SHA1 | 629751926f2a810660f5ef4b7543dbd84a5d6fa9 |
| SHA256 | 3163454e6ae3115858809d7880e22d8a75d794acb10ae2f8d8e2353fc61b295f |
| SHA512 | c65ea3ed86f09aece4e0761d86784de2f6921dfa01abf4dad911ada5cf7d51a652841ce17cb1576e7305ce411040485d1c6d0f2e7eb4540609ebe5a2fb28c540 |
memory/2524-61-0x0000000000250000-0x0000000000292000-memory.dmp
memory/2808-67-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3064-75-0x0000000000400000-0x0000000000442000-memory.dmp
memory/264-77-0x0000000000300000-0x0000000000342000-memory.dmp
\Windows\SysWOW64\Odlojanh.exe
| MD5 | e1598d651bcaf2da5d7a12dd7781dfb1 |
| SHA1 | 3bea2bc35c43f936337fd243a391583113e38a1a |
| SHA256 | 83e1396920a260a52792390f80b0ab7ee9045882353a3ae935b4da6bfcd4a9e6 |
| SHA512 | d9379b65f98878a3cbaed93fda8f993c398f68c5fae46a991f8e487608de8c79b85502bc7a3db558e3ac318e42c1cc93cf993646cdcd4b3a107b88745753e137 |
\Windows\SysWOW64\Oappcfmb.exe
| MD5 | dc4467560adaf8908bad8fd0ba1ec5d3 |
| SHA1 | 791c6897c69b202680aa044e2be2797989058cd7 |
| SHA256 | 8e8fdaf4bb1bf06f495fada7a2754e1203ac6ef38d36ab6f33d4c28118ad270e |
| SHA512 | 37ea66414813b152cc8bd3e4abd9f35f3398800660e7f757205c500c2c7172b0137e15c1d6c559393d33f7bc250b7f14988e86263514d8a33e7becd3bbf545af |
memory/1720-91-0x0000000000290000-0x00000000002D2000-memory.dmp
memory/2644-89-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2108-105-0x0000000000290000-0x00000000002D2000-memory.dmp
memory/2524-104-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pjldghjm.exe
| MD5 | 9c29287074b2d2d0d279c494f08de8c6 |
| SHA1 | 4a76ceb3ce6e7d2643491b7d1f817b2e4c3a18cd |
| SHA256 | 4c56b74598523946d44c1145e7f44f6265a4bdfa409c554f1a674caa0a0c5285 |
| SHA512 | 23c686eaa05499feaea536b547e33fb0f961e4478ca2f566f29f44a9c1a306f9b6c236042506821d533ba332f901b59ab8f5779f20f806008ae20e09c017d370 |
memory/2524-111-0x0000000000250000-0x0000000000292000-memory.dmp
\Windows\SysWOW64\Pfbelipa.exe
| MD5 | c4bdff749350bc0c39aa4b5cf2c6c94d |
| SHA1 | 7745dc5065ec0ad223ecf38781e61275e6f62bf0 |
| SHA256 | 55ed195ffb210da65254ce5a02fd9e5368454563c72fedeb3900b234f5f9acca |
| SHA512 | 28255f2f54adeaa668555b32c311a24952a733f5d8d654edf2b7b557582e68a303f33116f97e7989ffc465b2af96b8b2c89ad141d5d13b044e4316c38ad0f1d2 |
memory/1608-124-0x0000000000450000-0x0000000000492000-memory.dmp
memory/264-119-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pgbafl32.exe
| MD5 | 603d4552260715f90fff9b075da23b64 |
| SHA1 | 22c617901d070f127f799d56a6851961fbf6aa7c |
| SHA256 | 4744ce238d20d56f98fb6057d22d17df10156d6c68d33ad66bf498786203fe44 |
| SHA512 | 28f8b8bdbe6db0de667985195917c89b932b8b76336a6a8b1712afdd24d1bd982a45c9239c32dc3f1eef48162e4fec73dbfb308952ce959c7b5f25bc246d0368 |
memory/2880-141-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3036-139-0x0000000000250000-0x0000000000292000-memory.dmp
memory/3036-138-0x0000000000250000-0x0000000000292000-memory.dmp
memory/1720-137-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2880-150-0x00000000002B0000-0x00000000002F2000-memory.dmp
memory/2108-148-0x0000000000400000-0x0000000000442000-memory.dmp