Analysis Overview
SHA256
68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932
Threat Level: Known bad
The file 68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N was found to be: Known bad.
Malicious Activity Summary
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Modifies registry class
Analysis: static1
Detonation Overview
Reported
2024-11-10 16:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 16:01
Reported
2024-11-10 16:04
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmigoagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hedafk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ihpcinld.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nqfbpb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmpjoloh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pcjiff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kqdaadln.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jemfhacc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pidlqb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Flinkojm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdgged32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ohiemobf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Eifhdd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pimfpc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aaiqcnhg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cmjemflb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bdfpkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgipcogp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdlqqcnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cncnob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Iondqhpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dcphdqmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dmoohe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kdkdgchl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kqmkae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lenicahg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Blielbfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fjjjgh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbfldf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jjjpnlbd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhpofl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eiekog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fjjnifbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Adhdjpjf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Coiaiakf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmcclm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qadoba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Alnmjjdb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gmfplibd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kcmfnd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aomifecf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fefedmil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Djqblj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Modpib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Igdgglfl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekonpckp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gejhef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qhngolpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fideeaco.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkokcl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gifkpknp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gegkpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ieagmcmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lpgmhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jgadgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kqbdldnq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ppgomnai.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Poajkgnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dcigeooj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nlcalieg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hgelek32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Jebfng32.exe | C:\Windows\SysWOW64\Johnamkm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkhgod32.exe | C:\Windows\SysWOW64\Dqbcbkab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Giljfddl.exe | C:\Windows\SysWOW64\Gngeik32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aalmimfd.exe | C:\Windows\SysWOW64\Adgmoigj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bipecnkd.exe | C:\Windows\SysWOW64\Baepolni.exe | N/A |
| File created | C:\Windows\SysWOW64\Oaajed32.exe | C:\Windows\SysWOW64\Okgaijaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Oqadgkdb.dll | C:\Windows\SysWOW64\Cnkkjh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Helbbkkj.dll | C:\Windows\SysWOW64\Fkfcqb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ingcceof.dll | C:\Windows\SysWOW64\Oampjeml.exe | N/A |
| File created | C:\Windows\SysWOW64\Geibhp32.dll | C:\Windows\SysWOW64\Dcnqpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ennioe32.dll | C:\Windows\SysWOW64\Hpabni32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gncchb32.exe | C:\Windows\SysWOW64\Gifkpknp.exe | N/A |
| File created | C:\Windows\SysWOW64\Bahdob32.exe | C:\Windows\SysWOW64\Boihcf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dcnqpo32.exe | C:\Windows\SysWOW64\Dmdhcddh.exe | N/A |
| File created | C:\Windows\SysWOW64\Keldkigj.dll | C:\Windows\SysWOW64\Olanmgig.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbbmemif.dll | C:\Windows\SysWOW64\Bdgged32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Okgaijaj.exe | C:\Windows\SysWOW64\Ohiemobf.exe | N/A |
| File created | C:\Windows\SysWOW64\Lghcocol.exe | C:\Windows\SysWOW64\Lankbigo.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkhjph32.exe | C:\Windows\SysWOW64\Phincl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmfplibd.exe | C:\Windows\SysWOW64\Gncchb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hodbhp32.dll | C:\Windows\SysWOW64\Nceefd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnjjdmoc.dll | C:\Windows\SysWOW64\Inomhbeq.exe | N/A |
| File created | C:\Windows\SysWOW64\Gncchb32.exe | C:\Windows\SysWOW64\Gifkpknp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Onkidm32.exe | C:\Windows\SysWOW64\Nceefd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jekjcaef.exe | C:\Windows\SysWOW64\Jlbejloe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lpgmhg32.exe | C:\Windows\SysWOW64\Likhem32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qkdbgdbg.dll | C:\Windows\SysWOW64\Ggilil32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aglafhih.dll | C:\Windows\SysWOW64\Iolhkh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjjkejin.dll | C:\Windows\SysWOW64\Jadgnb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Afhfaddk.exe | C:\Windows\SysWOW64\Aalmimfd.exe | N/A |
| File created | C:\Windows\SysWOW64\Mogcihaj.exe | C:\Windows\SysWOW64\Mnegbp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekcgkb32.exe | C:\Windows\SysWOW64\Eiekog32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqnpfi32.dll | C:\Windows\SysWOW64\Nlcalieg.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmcpoedn.exe | C:\Windows\SysWOW64\Nbnlaldg.exe | N/A |
| File created | C:\Windows\SysWOW64\Gebekb32.dll | C:\Windows\SysWOW64\Gnnccl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdjblf32.exe | C:\Windows\SysWOW64\Cmpjoloh.exe | N/A |
| File created | C:\Windows\SysWOW64\Ggqecq32.dll | C:\Windows\SysWOW64\Dfnbgc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljfhqh32.exe | C:\Windows\SysWOW64\Lclpdncg.exe | N/A |
| File created | C:\Windows\SysWOW64\Qgdcdg32.dll | C:\Windows\SysWOW64\Aalmimfd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nlkngo32.exe | C:\Windows\SysWOW64\Neafjdkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Cndeii32.exe | C:\Windows\SysWOW64\Ckeimm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfebfnqn.dll | C:\Windows\SysWOW64\Gbeejp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdflknog.dll | C:\Windows\SysWOW64\Mapppn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ecgflaec.dll | C:\Windows\SysWOW64\Gjdaodja.exe | N/A |
| File created | C:\Windows\SysWOW64\Malhfo32.dll | C:\Windows\SysWOW64\Qlggjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdlqqcnl.exe | C:\Windows\SysWOW64\Bheplb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Egohdegl.exe | C:\Windows\SysWOW64\Edplhjhi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ledepn32.exe | C:\Windows\SysWOW64\Lpgmhg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfqedp32.dll | C:\Windows\SysWOW64\Lpgmhg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mhafeb32.exe | C:\Windows\SysWOW64\Mjneln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlbpmd32.dll | C:\Windows\SysWOW64\Jnhpoamf.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpdbcaok.dll | C:\Windows\SysWOW64\Kbhmbdle.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofimgb32.dll | C:\Windows\SysWOW64\Phganm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ehkaqc32.dll | C:\Windows\SysWOW64\Iebngial.exe | N/A |
| File created | C:\Windows\SysWOW64\Klambq32.dll | C:\Windows\SysWOW64\Fdlkdhnk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Niakfbpa.exe | C:\Windows\SysWOW64\Nolgijpk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dngjff32.exe | C:\Windows\SysWOW64\Dflfac32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aajhndkb.exe | C:\Windows\SysWOW64\Aokkahlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fqgedh32.exe | C:\Windows\SysWOW64\Fofilp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlkppnab.dll | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnclimck.dll | C:\Windows\SysWOW64\Qohpkf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djhimica.exe | C:\Windows\SysWOW64\Dcnqpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qkicbhla.dll | C:\Windows\SysWOW64\Cncnob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dqbcbkab.exe | C:\Windows\SysWOW64\Dqnjgl32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Gddgpqbe.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aalmimfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpdaepai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpjcgm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mkohaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hibjli32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fbplml32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Likhem32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Haafcb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hcpojd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ingpmmgm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqfbpb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kndojobi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jgnqgqan.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbebbk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kjlopc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ekonpckp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fqgedh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oklkdi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Codhnb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nhokljge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojigdcll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iondqhpl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbepme32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gfokoelp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kjhloj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qmepam32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ieojgc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qppaclio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Piphgq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aomifecf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Epikpo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lggejg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kcoccc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghpocngo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nognnj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgelek32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Neqopnhb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Glbjggof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mnmmboed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jnpfop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mldhfpib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Poajkgnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cndeii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ebkbbmqj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kjpijpdg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lgffic32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Flinkojm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qohpkf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oeokal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ocihgnam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nnicid32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Offnhpfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qmgelf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjcikejg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fjjjgh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qlggjk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hpabni32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jlfpdh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkfcqb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Giljfddl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nfgklkoc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qcnjijoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oaplqh32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaigbkko.dll" | C:\Windows\SysWOW64\Fplpll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pmkofa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pidlqb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdaleh32.dll" | C:\Windows\SysWOW64\Enhifi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kaehljpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbefdijg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paplcg32.dll" | C:\Windows\SysWOW64\Epikpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hglaej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piomhofd.dll" | C:\Windows\SysWOW64\Ijogmdqm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ocihgnam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cijpahho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jddnfd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Anaomkdb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe
"C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe"
C:\Windows\SysWOW64\Bahdob32.exe
C:\Windows\system32\Bahdob32.exe
C:\Windows\SysWOW64\Bdfpkm32.exe
C:\Windows\system32\Bdfpkm32.exe
C:\Windows\SysWOW64\Cpmapodj.exe
C:\Windows\system32\Cpmapodj.exe
C:\Windows\SysWOW64\Cnaaib32.exe
C:\Windows\system32\Cnaaib32.exe
C:\Windows\SysWOW64\Cncnob32.exe
C:\Windows\system32\Cncnob32.exe
C:\Windows\SysWOW64\Cnfkdb32.exe
C:\Windows\system32\Cnfkdb32.exe
C:\Windows\SysWOW64\Coegoe32.exe
C:\Windows\system32\Coegoe32.exe
C:\Windows\SysWOW64\Cdbpgl32.exe
C:\Windows\system32\Cdbpgl32.exe
C:\Windows\SysWOW64\Cnjdpaki.exe
C:\Windows\system32\Cnjdpaki.exe
C:\Windows\SysWOW64\Dhphmj32.exe
C:\Windows\system32\Dhphmj32.exe
C:\Windows\SysWOW64\Dgeenfog.exe
C:\Windows\system32\Dgeenfog.exe
C:\Windows\SysWOW64\Dqnjgl32.exe
C:\Windows\system32\Dqnjgl32.exe
C:\Windows\SysWOW64\Dqbcbkab.exe
C:\Windows\system32\Dqbcbkab.exe
C:\Windows\SysWOW64\Dkhgod32.exe
C:\Windows\system32\Dkhgod32.exe
C:\Windows\SysWOW64\Edplhjhi.exe
C:\Windows\system32\Edplhjhi.exe
C:\Windows\SysWOW64\Egohdegl.exe
C:\Windows\system32\Egohdegl.exe
C:\Windows\SysWOW64\Eqgmmk32.exe
C:\Windows\system32\Eqgmmk32.exe
C:\Windows\SysWOW64\Eqiibjlj.exe
C:\Windows\system32\Eqiibjlj.exe
C:\Windows\SysWOW64\Ehpadhll.exe
C:\Windows\system32\Ehpadhll.exe
C:\Windows\SysWOW64\Ekonpckp.exe
C:\Windows\system32\Ekonpckp.exe
C:\Windows\SysWOW64\Edgbii32.exe
C:\Windows\system32\Edgbii32.exe
C:\Windows\SysWOW64\Ebkbbmqj.exe
C:\Windows\system32\Ebkbbmqj.exe
C:\Windows\SysWOW64\Eiekog32.exe
C:\Windows\system32\Eiekog32.exe
C:\Windows\SysWOW64\Ekcgkb32.exe
C:\Windows\system32\Ekcgkb32.exe
C:\Windows\SysWOW64\Fdlkdhnk.exe
C:\Windows\system32\Fdlkdhnk.exe
C:\Windows\SysWOW64\Fkfcqb32.exe
C:\Windows\system32\Fkfcqb32.exe
C:\Windows\SysWOW64\Foapaa32.exe
C:\Windows\system32\Foapaa32.exe
C:\Windows\SysWOW64\Fbplml32.exe
C:\Windows\system32\Fbplml32.exe
C:\Windows\SysWOW64\Fdnhih32.exe
C:\Windows\system32\Fdnhih32.exe
C:\Windows\SysWOW64\Fqeioiam.exe
C:\Windows\system32\Fqeioiam.exe
C:\Windows\SysWOW64\Fofilp32.exe
C:\Windows\system32\Fofilp32.exe
C:\Windows\SysWOW64\Fqgedh32.exe
C:\Windows\system32\Fqgedh32.exe
C:\Windows\SysWOW64\Fganqbgg.exe
C:\Windows\system32\Fganqbgg.exe
C:\Windows\SysWOW64\Fkofga32.exe
C:\Windows\system32\Fkofga32.exe
C:\Windows\SysWOW64\Gnnccl32.exe
C:\Windows\system32\Gnnccl32.exe
C:\Windows\SysWOW64\Gegkpf32.exe
C:\Windows\system32\Gegkpf32.exe
C:\Windows\SysWOW64\Gpmomo32.exe
C:\Windows\system32\Gpmomo32.exe
C:\Windows\SysWOW64\Gejhef32.exe
C:\Windows\system32\Gejhef32.exe
C:\Windows\SysWOW64\Gpolbo32.exe
C:\Windows\system32\Gpolbo32.exe
C:\Windows\SysWOW64\Geldkfpi.exe
C:\Windows\system32\Geldkfpi.exe
C:\Windows\SysWOW64\Glfmgp32.exe
C:\Windows\system32\Glfmgp32.exe
C:\Windows\SysWOW64\Gacepg32.exe
C:\Windows\system32\Gacepg32.exe
C:\Windows\SysWOW64\Gngeik32.exe
C:\Windows\system32\Gngeik32.exe
C:\Windows\SysWOW64\Giljfddl.exe
C:\Windows\system32\Giljfddl.exe
C:\Windows\SysWOW64\Hbenoi32.exe
C:\Windows\system32\Hbenoi32.exe
C:\Windows\SysWOW64\Hajkqfoe.exe
C:\Windows\system32\Hajkqfoe.exe
C:\Windows\SysWOW64\Hhdcmp32.exe
C:\Windows\system32\Hhdcmp32.exe
C:\Windows\SysWOW64\Hbihjifh.exe
C:\Windows\system32\Hbihjifh.exe
C:\Windows\SysWOW64\Hehdfdek.exe
C:\Windows\system32\Hehdfdek.exe
C:\Windows\SysWOW64\Hpmhdmea.exe
C:\Windows\system32\Hpmhdmea.exe
C:\Windows\SysWOW64\Hbldphde.exe
C:\Windows\system32\Hbldphde.exe
C:\Windows\SysWOW64\Hppeim32.exe
C:\Windows\system32\Hppeim32.exe
C:\Windows\SysWOW64\Hemmac32.exe
C:\Windows\system32\Hemmac32.exe
C:\Windows\SysWOW64\Ihkjno32.exe
C:\Windows\system32\Ihkjno32.exe
C:\Windows\SysWOW64\Inebjihf.exe
C:\Windows\system32\Inebjihf.exe
C:\Windows\SysWOW64\Ieojgc32.exe
C:\Windows\system32\Ieojgc32.exe
C:\Windows\SysWOW64\Ilibdmgp.exe
C:\Windows\system32\Ilibdmgp.exe
C:\Windows\SysWOW64\Ibcjqgnm.exe
C:\Windows\system32\Ibcjqgnm.exe
C:\Windows\SysWOW64\Ieagmcmq.exe
C:\Windows\system32\Ieagmcmq.exe
C:\Windows\SysWOW64\Ihpcinld.exe
C:\Windows\system32\Ihpcinld.exe
C:\Windows\SysWOW64\Ibegfglj.exe
C:\Windows\system32\Ibegfglj.exe
C:\Windows\SysWOW64\Ihbponja.exe
C:\Windows\system32\Ihbponja.exe
C:\Windows\SysWOW64\Iolhkh32.exe
C:\Windows\system32\Iolhkh32.exe
C:\Windows\SysWOW64\Iialhaad.exe
C:\Windows\system32\Iialhaad.exe
C:\Windows\SysWOW64\Iondqhpl.exe
C:\Windows\system32\Iondqhpl.exe
C:\Windows\SysWOW64\Jlbejloe.exe
C:\Windows\system32\Jlbejloe.exe
C:\Windows\SysWOW64\Jekjcaef.exe
C:\Windows\system32\Jekjcaef.exe
C:\Windows\SysWOW64\Jldbpl32.exe
C:\Windows\system32\Jldbpl32.exe
C:\Windows\SysWOW64\Jemfhacc.exe
C:\Windows\system32\Jemfhacc.exe
C:\Windows\SysWOW64\Jadgnb32.exe
C:\Windows\system32\Jadgnb32.exe
C:\Windows\SysWOW64\Johggfha.exe
C:\Windows\system32\Johggfha.exe
C:\Windows\SysWOW64\Jafdcbge.exe
C:\Windows\system32\Jafdcbge.exe
C:\Windows\SysWOW64\Jhplpl32.exe
C:\Windows\system32\Jhplpl32.exe
C:\Windows\SysWOW64\Jbepme32.exe
C:\Windows\system32\Jbepme32.exe
C:\Windows\SysWOW64\Kiphjo32.exe
C:\Windows\system32\Kiphjo32.exe
C:\Windows\SysWOW64\Kbhmbdle.exe
C:\Windows\system32\Kbhmbdle.exe
C:\Windows\SysWOW64\Kheekkjl.exe
C:\Windows\system32\Kheekkjl.exe
C:\Windows\SysWOW64\Koonge32.exe
C:\Windows\system32\Koonge32.exe
C:\Windows\SysWOW64\Kcjjhdjb.exe
C:\Windows\system32\Kcjjhdjb.exe
C:\Windows\SysWOW64\Kidben32.exe
C:\Windows\system32\Kidben32.exe
C:\Windows\SysWOW64\Klbnajqc.exe
C:\Windows\system32\Klbnajqc.exe
C:\Windows\SysWOW64\Kcmfnd32.exe
C:\Windows\system32\Kcmfnd32.exe
C:\Windows\SysWOW64\Klekfinp.exe
C:\Windows\system32\Klekfinp.exe
C:\Windows\SysWOW64\Kcoccc32.exe
C:\Windows\system32\Kcoccc32.exe
C:\Windows\SysWOW64\Klggli32.exe
C:\Windows\system32\Klggli32.exe
C:\Windows\SysWOW64\Likhem32.exe
C:\Windows\system32\Likhem32.exe
C:\Windows\SysWOW64\Lpgmhg32.exe
C:\Windows\system32\Lpgmhg32.exe
C:\Windows\SysWOW64\Ledepn32.exe
C:\Windows\system32\Ledepn32.exe
C:\Windows\SysWOW64\Lchfib32.exe
C:\Windows\system32\Lchfib32.exe
C:\Windows\SysWOW64\Lplfcf32.exe
C:\Windows\system32\Lplfcf32.exe
C:\Windows\SysWOW64\Ljdkll32.exe
C:\Windows\system32\Ljdkll32.exe
C:\Windows\SysWOW64\Mapppn32.exe
C:\Windows\system32\Mapppn32.exe
C:\Windows\SysWOW64\Mpapnfhg.exe
C:\Windows\system32\Mpapnfhg.exe
C:\Windows\SysWOW64\Modpib32.exe
C:\Windows\system32\Modpib32.exe
C:\Windows\SysWOW64\Mfnhfm32.exe
C:\Windows\system32\Mfnhfm32.exe
C:\Windows\SysWOW64\Mhldbh32.exe
C:\Windows\system32\Mhldbh32.exe
C:\Windows\SysWOW64\Mcaipa32.exe
C:\Windows\system32\Mcaipa32.exe
C:\Windows\SysWOW64\Mhoahh32.exe
C:\Windows\system32\Mhoahh32.exe
C:\Windows\SysWOW64\Mcdeeq32.exe
C:\Windows\system32\Mcdeeq32.exe
C:\Windows\SysWOW64\Mlljnf32.exe
C:\Windows\system32\Mlljnf32.exe
C:\Windows\SysWOW64\Mbibfm32.exe
C:\Windows\system32\Mbibfm32.exe
C:\Windows\SysWOW64\Mlofcf32.exe
C:\Windows\system32\Mlofcf32.exe
C:\Windows\SysWOW64\Nfgklkoc.exe
C:\Windows\system32\Nfgklkoc.exe
C:\Windows\SysWOW64\Nmaciefp.exe
C:\Windows\system32\Nmaciefp.exe
C:\Windows\SysWOW64\Noppeaed.exe
C:\Windows\system32\Noppeaed.exe
C:\Windows\SysWOW64\Nbnlaldg.exe
C:\Windows\system32\Nbnlaldg.exe
C:\Windows\SysWOW64\Nmcpoedn.exe
C:\Windows\system32\Nmcpoedn.exe
C:\Windows\SysWOW64\Ncmhko32.exe
C:\Windows\system32\Ncmhko32.exe
C:\Windows\SysWOW64\Nodiqp32.exe
C:\Windows\system32\Nodiqp32.exe
C:\Windows\SysWOW64\Nfnamjhk.exe
C:\Windows\system32\Nfnamjhk.exe
C:\Windows\SysWOW64\Nqcejcha.exe
C:\Windows\system32\Nqcejcha.exe
C:\Windows\SysWOW64\Nbebbk32.exe
C:\Windows\system32\Nbebbk32.exe
C:\Windows\SysWOW64\Nmjfodne.exe
C:\Windows\system32\Nmjfodne.exe
C:\Windows\SysWOW64\Nqfbpb32.exe
C:\Windows\system32\Nqfbpb32.exe
C:\Windows\SysWOW64\Obgohklm.exe
C:\Windows\system32\Obgohklm.exe
C:\Windows\SysWOW64\Oiagde32.exe
C:\Windows\system32\Oiagde32.exe
C:\Windows\SysWOW64\Ocgkan32.exe
C:\Windows\system32\Ocgkan32.exe
C:\Windows\SysWOW64\Oiccje32.exe
C:\Windows\system32\Oiccje32.exe
C:\Windows\SysWOW64\Ocihgnam.exe
C:\Windows\system32\Ocihgnam.exe
C:\Windows\SysWOW64\Ojcpdg32.exe
C:\Windows\system32\Ojcpdg32.exe
C:\Windows\SysWOW64\Ockdmmoj.exe
C:\Windows\system32\Ockdmmoj.exe
C:\Windows\SysWOW64\Oqoefand.exe
C:\Windows\system32\Oqoefand.exe
C:\Windows\SysWOW64\Oikjkc32.exe
C:\Windows\system32\Oikjkc32.exe
C:\Windows\SysWOW64\Ppdbgncl.exe
C:\Windows\system32\Ppdbgncl.exe
C:\Windows\SysWOW64\Pimfpc32.exe
C:\Windows\system32\Pimfpc32.exe
C:\Windows\SysWOW64\Ppgomnai.exe
C:\Windows\system32\Ppgomnai.exe
C:\Windows\SysWOW64\Pfagighf.exe
C:\Windows\system32\Pfagighf.exe
C:\Windows\SysWOW64\Pmkofa32.exe
C:\Windows\system32\Pmkofa32.exe
C:\Windows\SysWOW64\Ppikbm32.exe
C:\Windows\system32\Ppikbm32.exe
C:\Windows\SysWOW64\Piapkbeg.exe
C:\Windows\system32\Piapkbeg.exe
C:\Windows\SysWOW64\Pplhhm32.exe
C:\Windows\system32\Pplhhm32.exe
C:\Windows\SysWOW64\Pfepdg32.exe
C:\Windows\system32\Pfepdg32.exe
C:\Windows\SysWOW64\Pidlqb32.exe
C:\Windows\system32\Pidlqb32.exe
C:\Windows\SysWOW64\Pakdbp32.exe
C:\Windows\system32\Pakdbp32.exe
C:\Windows\SysWOW64\Pjcikejg.exe
C:\Windows\system32\Pjcikejg.exe
C:\Windows\SysWOW64\Qppaclio.exe
C:\Windows\system32\Qppaclio.exe
C:\Windows\SysWOW64\Qjffpe32.exe
C:\Windows\system32\Qjffpe32.exe
C:\Windows\SysWOW64\Qapnmopa.exe
C:\Windows\system32\Qapnmopa.exe
C:\Windows\SysWOW64\Qcnjijoe.exe
C:\Windows\system32\Qcnjijoe.exe
C:\Windows\SysWOW64\Qjhbfd32.exe
C:\Windows\system32\Qjhbfd32.exe
C:\Windows\SysWOW64\Aabkbono.exe
C:\Windows\system32\Aabkbono.exe
C:\Windows\SysWOW64\Abcgjg32.exe
C:\Windows\system32\Abcgjg32.exe
C:\Windows\SysWOW64\Amikgpcc.exe
C:\Windows\system32\Amikgpcc.exe
C:\Windows\SysWOW64\Afappe32.exe
C:\Windows\system32\Afappe32.exe
C:\Windows\SysWOW64\Ajohfcpj.exe
C:\Windows\system32\Ajohfcpj.exe
C:\Windows\SysWOW64\Aaiqcnhg.exe
C:\Windows\system32\Aaiqcnhg.exe
C:\Windows\SysWOW64\Adgmoigj.exe
C:\Windows\system32\Adgmoigj.exe
C:\Windows\SysWOW64\Aalmimfd.exe
C:\Windows\system32\Aalmimfd.exe
C:\Windows\SysWOW64\Afhfaddk.exe
C:\Windows\system32\Afhfaddk.exe
C:\Windows\SysWOW64\Banjnm32.exe
C:\Windows\system32\Banjnm32.exe
C:\Windows\SysWOW64\Bboffejp.exe
C:\Windows\system32\Bboffejp.exe
C:\Windows\SysWOW64\Bjfogbjb.exe
C:\Windows\system32\Bjfogbjb.exe
C:\Windows\SysWOW64\Bpcgpihi.exe
C:\Windows\system32\Bpcgpihi.exe
C:\Windows\SysWOW64\Bbaclegm.exe
C:\Windows\system32\Bbaclegm.exe
C:\Windows\SysWOW64\Bmggingc.exe
C:\Windows\system32\Bmggingc.exe
C:\Windows\SysWOW64\Bbdpad32.exe
C:\Windows\system32\Bbdpad32.exe
C:\Windows\SysWOW64\Baepolni.exe
C:\Windows\system32\Baepolni.exe
C:\Windows\SysWOW64\Bipecnkd.exe
C:\Windows\system32\Bipecnkd.exe
C:\Windows\SysWOW64\Bpjmph32.exe
C:\Windows\system32\Bpjmph32.exe
C:\Windows\SysWOW64\Cibain32.exe
C:\Windows\system32\Cibain32.exe
C:\Windows\SysWOW64\Cpljehpo.exe
C:\Windows\system32\Cpljehpo.exe
C:\Windows\SysWOW64\Cgfbbb32.exe
C:\Windows\system32\Cgfbbb32.exe
C:\Windows\SysWOW64\Cmpjoloh.exe
C:\Windows\system32\Cmpjoloh.exe
C:\Windows\SysWOW64\Cdjblf32.exe
C:\Windows\system32\Cdjblf32.exe
C:\Windows\SysWOW64\Ckdkhq32.exe
C:\Windows\system32\Ckdkhq32.exe
C:\Windows\SysWOW64\Cdmoafdb.exe
C:\Windows\system32\Cdmoafdb.exe
C:\Windows\SysWOW64\Caqpkjcl.exe
C:\Windows\system32\Caqpkjcl.exe
C:\Windows\SysWOW64\Ccblbb32.exe
C:\Windows\system32\Ccblbb32.exe
C:\Windows\SysWOW64\Cildom32.exe
C:\Windows\system32\Cildom32.exe
C:\Windows\SysWOW64\Cacmpj32.exe
C:\Windows\system32\Cacmpj32.exe
C:\Windows\SysWOW64\Cdaile32.exe
C:\Windows\system32\Cdaile32.exe
C:\Windows\SysWOW64\Dphiaffa.exe
C:\Windows\system32\Dphiaffa.exe
C:\Windows\SysWOW64\Dgbanq32.exe
C:\Windows\system32\Dgbanq32.exe
C:\Windows\SysWOW64\Dnljkk32.exe
C:\Windows\system32\Dnljkk32.exe
C:\Windows\SysWOW64\Dgdncplk.exe
C:\Windows\system32\Dgdncplk.exe
C:\Windows\SysWOW64\Dpmcmf32.exe
C:\Windows\system32\Dpmcmf32.exe
C:\Windows\SysWOW64\Dnqcfjae.exe
C:\Windows\system32\Dnqcfjae.exe
C:\Windows\SysWOW64\Ddklbd32.exe
C:\Windows\system32\Ddklbd32.exe
C:\Windows\SysWOW64\Djgdkk32.exe
C:\Windows\system32\Djgdkk32.exe
C:\Windows\SysWOW64\Dcphdqmj.exe
C:\Windows\system32\Dcphdqmj.exe
C:\Windows\SysWOW64\Enemaimp.exe
C:\Windows\system32\Enemaimp.exe
C:\Windows\SysWOW64\Enhifi32.exe
C:\Windows\system32\Enhifi32.exe
C:\Windows\SysWOW64\Ecdbop32.exe
C:\Windows\system32\Ecdbop32.exe
C:\Windows\SysWOW64\Ekljpm32.exe
C:\Windows\system32\Ekljpm32.exe
C:\Windows\SysWOW64\Eddnic32.exe
C:\Windows\system32\Eddnic32.exe
C:\Windows\SysWOW64\Egbken32.exe
C:\Windows\system32\Egbken32.exe
C:\Windows\SysWOW64\Ejagaj32.exe
C:\Windows\system32\Ejagaj32.exe
C:\Windows\SysWOW64\Eahobg32.exe
C:\Windows\system32\Eahobg32.exe
C:\Windows\SysWOW64\Enopghee.exe
C:\Windows\system32\Enopghee.exe
C:\Windows\SysWOW64\Fnalmh32.exe
C:\Windows\system32\Fnalmh32.exe
C:\Windows\SysWOW64\Fkemfl32.exe
C:\Windows\system32\Fkemfl32.exe
C:\Windows\SysWOW64\Fboecfii.exe
C:\Windows\system32\Fboecfii.exe
C:\Windows\SysWOW64\Fdmaoahm.exe
C:\Windows\system32\Fdmaoahm.exe
C:\Windows\SysWOW64\Fjjjgh32.exe
C:\Windows\system32\Fjjjgh32.exe
C:\Windows\SysWOW64\Fjmfmh32.exe
C:\Windows\system32\Fjmfmh32.exe
C:\Windows\SysWOW64\Fdbkja32.exe
C:\Windows\system32\Fdbkja32.exe
C:\Windows\SysWOW64\Fnjocf32.exe
C:\Windows\system32\Fnjocf32.exe
C:\Windows\SysWOW64\Gddgpqbe.exe
C:\Windows\system32\Gddgpqbe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 5852 -ip 5852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 420
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/5240-593-0x0000000000400000-0x000000000043D000-memory.dmp
memory/708-588-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Windows\SysWOW64\Pchlpfjb.exe
| MD5 | 7a7fcb6180f586704b6b9dee3e7c8c17 |
| SHA1 | 7532b3def18b9588517bc7af70eb46d27988ccf3 |
| SHA256 | be480d19386cc44723790b68dc0afd0a5f5ac9b7b7ca1e8d8bf15df805d1323e |
| SHA512 | e4faadf93fbd92a39d2087f252fbb80749224453d7d0b8cb64c2178ae1e44a714b7a1585476243514b4fb639000c7ee2e4ffccd99c408205cdaf1e7b92e2eb33 |
C:\Windows\SysWOW64\Aomifecf.exe
| MD5 | 375781ddc362cffeba06f66233176d1e |
| SHA1 | 6b98906659f0b97e8f1e869ee6e3b938ad90b177 |
| SHA256 | 7690b69cdbd53b4b4769e26447f530c270ec75a7e7e204fde803c89ab79e812c |
| SHA512 | 09fd199a1aaaec67297e91ea4a6ea61b9926cf0d5571322e0430a42d643f0a4241ac5386305fb398820ec68b61b1238d5a85a558d7855589d32840f5c5679e1f |
C:\Windows\SysWOW64\Ajbmdn32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Aanbhp32.exe
| MD5 | 7c2b197bd44a7dec69f8eabc57915e9b |
| SHA1 | 5fa862edee3dc677f399e5fadfa4542124331061 |
| SHA256 | 9648f86b96f5f99acdc19113801212d5eae104dd6f7b2c44c12c5766fbfc7c8d |
| SHA512 | 8b37a7835319d7ce901d75e39413e6b2ce2668ecddb1fc3aaefcef9a20126e14626d7c72ab7ea92d48cb94f3b41ba8572ae583c9af034d9a45afe6afc37b4714 |
C:\Windows\SysWOW64\Bljlfh32.exe
| MD5 | 8edbc9a0249af808c130ab2e61258800 |
| SHA1 | c34669372da3d802f47a48b1c97a9330e905bc19 |
| SHA256 | 1bc1f2069037b381569baf36d37b8d8ddbd33ac38e2612a1526d35a6b1ecd592 |
| SHA512 | 79058c5b5e399d1e84c5664791919597d4f16c70afd8bc9365d706e560c5664173cbbfc1112305c9e996c52687826b492a72d253d6066721b23f8af0a36a1775 |
C:\Windows\SysWOW64\Dmoohe32.exe
| MD5 | 8c8679d0e7fc120250cc96d6d0501b94 |
| SHA1 | e00331a2947f27767df4025d85756f3a459c50c6 |
| SHA256 | 482ef9807be8ebd1349511c90afa6ece409225444fcaa15e40187b3ffcab249a |
| SHA512 | aa05e86b1f2b408dd4f9739f9a7b81099f574cc80e1645e2128f00583b23a8315dbf98aa8bf3f8ed1d88729119c8fd33839de6d0933c440705be17e15a903899 |
C:\Windows\SysWOW64\Dimenegi.exe
| MD5 | 17cd9e3bb3c57252cb2555e6420aa11b |
| SHA1 | dd406f1d5488edbac5bd067502e28bcd328dbda3 |
| SHA256 | d04b75f66a596338bc904d01a7813459924b37f9ddfaa0ed6bf03e1cef41d908 |
| SHA512 | 1a89e4e72f3642a9b72d17dab8e886248aa2e3148e10c94c22afebbaf76a01002b387add7fa545f7f6e323b43acdfcdd7318f75c066114d3c2ab702d578d98be |
C:\Windows\SysWOW64\Ecgcfm32.exe
| MD5 | fd0a037a8aba61bb3bae434d5482c693 |
| SHA1 | 4600cb72da47eb941dcf8c8a5fb780e45cb9baaa |
| SHA256 | f74e4dd54cb47db37e71a3a8c8d207b22b55263b7897f5001a92af630ae4dab6 |
| SHA512 | 31346c2916932d5da3940b11825fb827ac198154d7e19abad1790b3a16a92d46bfa5de38937066321859b7c4fd07feb0750b923fef83d0b27e5bef0550f1fbf3 |
C:\Windows\SysWOW64\Eifhdd32.exe
| MD5 | 43947b5f3849df01c5e6dc52f37840dd |
| SHA1 | 84878c692fa5d98233ddf9e9e3c8e595f69fa855 |
| SHA256 | 89b86b5e7f1f1345a1b3d6ce6cca549d0e46374bf2f5724045b0cec9bfa25b94 |
| SHA512 | 9b9ba714aa0ead8c23b96cd8b9d4a22154109862777a109f37039fa4c408937ae71cff936033b2cac4eff9d03a76377ba62c3a4c3db499baf9b45508af529de6 |
C:\Windows\SysWOW64\Fbhpch32.exe
| MD5 | e4d7a7747452020bb99d38b6a6eb0a8c |
| SHA1 | 6cf8f54b0a79e46d85e2ff377640df584d39911e |
| SHA256 | 5023ef975d6469152be6f1dcdc947147efa575bb7e034524b9dbb732d28b13b5 |
| SHA512 | a96d64d4810bf5617e643e99af239c966c9f04f072fd880d53be6e88766de1a1381232decf9584f0c7f601e18ae0470430b143cce96ffea70ffd8f2f65baa34d |
C:\Windows\SysWOW64\Gmdjapgb.exe
| MD5 | f850d4d522698499205a469e595f094c |
| SHA1 | 3135148991d851d5ef7e5db38ac264ba3f4c52fb |
| SHA256 | 1b6f4617a3bef1b51d486d37f3e083f1a360ba468c484e6c0453e2edbe78c638 |
| SHA512 | 06cb458d295c9d0f2f977be077d8890c99a5d714f0184ff08b481c46622a4680193fc293069e1b2e29f821de911a7ffd27d68e88e35e1366c6ace49d6ab94e14 |
C:\Windows\SysWOW64\Gljgbllj.exe
| MD5 | 9364a89922643d99d92e49425afe8803 |
| SHA1 | abb3ce7d9c14d3f240e33f68bb0a6ebc01730590 |
| SHA256 | 3edac25ab3fb8f9bc31c93fad2cec42e61f9019a00853e4d93587d07691ade2d |
| SHA512 | 0cd138851fa0276166c40f5ea245031551bbc5f1735aa33b8165c43bf816bc758a1c1f7727a9fdc512707f3086b6ad9ab3ec0d2c89ae6ddcc0755bfdfe949eec |
C:\Windows\SysWOW64\Hmlpaoaj.exe
| MD5 | 7d6fcb64e895090da369e2fddfd34c2b |
| SHA1 | c4ae90892ed20cf9cd27525a4afc8dea7e9cff55 |
| SHA256 | fcaf7a42f278dc4e2f6e17fd4cf69baa639c3c89f79a8b0f17559cde721c0571 |
| SHA512 | 31c4710292598ff33bd16a6012c843c744290e51224bfb1a2d91809fd894e87eefd7239ffea185854669a8a20fe10de52ac400dc13557c5f8a12002e4865eec0 |
C:\Windows\SysWOW64\Hlhccj32.exe
| MD5 | c8e63afd0f3222db320f52e2b29d6a6b |
| SHA1 | 8b46dd970a58c6bc35b662f20633a4461d421e4e |
| SHA256 | 3f4632bcc313be1568e49e977a21261426cc598a6d0f59a26961296bad95d8fd |
| SHA512 | 42f13998c7b7a58680e29c87b19cd6ae0bbafca784c1dc397e7cb35d7cbe90937a032123527f723b85df730815d7bbbc69891f50b17de9f5241352f3276b1727 |
C:\Windows\SysWOW64\Igdnabjh.exe
| MD5 | 1c415c3d1573d9ff361a0530052fe610 |
| SHA1 | 033fe7dc3ea2bd61dac88874f971ad0a9848ee5f |
| SHA256 | 6a614da0e76db6fb8c1caf7b69df198b51757a1d946e9bd90fe847862a09a1d6 |
| SHA512 | ccd7860e3a0706bc870f5f0769f549094ce77d68f19f2abf624c6f3488cd057fff314ba9919c29daf83bf4e96167f7f41ea69e95a80600cc248d6df9b5f0286f |
C:\Windows\SysWOW64\Jgnqgqan.exe
| MD5 | 6412d7604a483c2e196016ad7abdb3d1 |
| SHA1 | 67a2da8abaf8461279cc1db269a7bcbd4b14f32d |
| SHA256 | a8db8370004e27f0c23201c4f0f412a37b524eab9d9b7b3055d975e653c869cc |
| SHA512 | f049438bb80a8d7b9f977faa9875977668d69c617e31432f7c26a60e80852699451f88d90cb455df5a90b6edb8cb75a9cfec6809bcdc02275e8b64123b3aafc1 |
C:\Windows\SysWOW64\Jklinohd.exe
| MD5 | 2e37e22a6aa834cc0a9a800d889324a3 |
| SHA1 | a05c22a587fc621504a98f9c352966af416ee570 |
| SHA256 | aea82e162583250b55c30ae2988882ebeeb2c0f6cfc250614f7c55fada99c6b7 |
| SHA512 | 441a2ac9223b92246093af926758956e6e2d840d3a4ae18b3758d66f1f606ea9174e04b620f6404cf613be6a1459bcfca8eba8fe66a62738d94af8b012cfaff3 |
C:\Windows\SysWOW64\Kqmkae32.exe
| MD5 | 7646ae31567cd3a7f990d4a816d8cc66 |
| SHA1 | df4e4eb89bc007d38e35c6eb107965942452fd88 |
| SHA256 | ac89eb6d35a67d26211ceb5500bbf063fa494625cc60f15bd19b72e81c7c05c7 |
| SHA512 | 506db2f12270546f361f41170f5dfc080339033d23c4d61df1e99ff71eea71f51268ecd174ddb217d44971a59f6f39250b5bb8cb418ca2d457c7a12aacc2f6de |
C:\Windows\SysWOW64\Lmbhgd32.exe
| MD5 | 2661b4dbc49774e9044d5fdbf6ed6651 |
| SHA1 | cce7cfa6e57b75a8c862ade36b639f30ff8ef454 |
| SHA256 | 93255c47c656e90ec9331affa20ca5d1f00d29bcbf95eef0f44b674dd9bd10ab |
| SHA512 | 6c004770bb2821f91ae8fb73e4d481021b78f3a79d74ccd7f7b5bb212cf90e1640d49de7c134e3dcb874fec0bdf3d773db23dc22c24b4a4dbab36c4bf053ba88 |
C:\Windows\SysWOW64\Mkmkkjko.exe
| MD5 | 4292a9fee869517d39d968aa751d80a5 |
| SHA1 | c04e9231eef0d5b11c6f99690090bf4a60763a1a |
| SHA256 | 982441a46a0152838104f0991f215a2b15a2ae8500d63d5b7d3df70fa8664051 |
| SHA512 | c048bc62c28cbe433761c571290f4883f1041eaca6cb18afa11be1f0a8a3afc8d2e89e4157256c8c8b33f58399f3191f5c95138034bc57585d3a5af3f398962c |
C:\Windows\SysWOW64\Nagpeo32.exe
| MD5 | 9d3bddfb613db3918da6dbaeab60918f |
| SHA1 | 803aedd8ec25c8d510c9d19c4fb870ad8b7582ce |
| SHA256 | 9f23d86318abb1863ae15371dc4f6b8d358ef08e28d433b99f447a8717ba9c2f |
| SHA512 | c4e10f8d28eae50932d2a405ac405e409d774b66fc25c99560d6523cf88918ca603cb7540203ad542d7fc4076007560f166ff57b55588df53c90cb3eac722f06 |
C:\Windows\SysWOW64\Omqmop32.exe
| MD5 | 699c295abb1df91aa31e02ea5e8a68d5 |
| SHA1 | cabe8500f0d158ccdfa82ca202c49404d4a8f015 |
| SHA256 | bc4106750e7e460e8876935c492f29a2963fcb543a7f435c26b2fae7ff67f817 |
| SHA512 | f833ed8c008240d2a01daf030093df4e011ee1ff76834dbe18239fdb48a7b04e0f523dc91b9e099f7e620b587e396d8856f0c0bd2c16d9118c336dc7ae0e86ef |
C:\Windows\SysWOW64\Olanmgig.exe
| MD5 | adb276cf1df396d33a7ecc83047ffa58 |
| SHA1 | 9e7e57e7ec4686dcc0e72e65e3968573389234f1 |
| SHA256 | 5d643997079c0705bda13781ae2760b757f2ae1eccc0866abe5584e28e7a4c8a |
| SHA512 | 7fdffa614fb10ba501a862ea6862cd6de787d141818d72145e96a79a6801d5aaf5ff1fd5bc9bfdb64b74d5bff426bd5cbce54ecdacd4dfaccd93030bb8739977 |
C:\Windows\SysWOW64\Oeokal32.exe
| MD5 | 97ee182e713d1e26d00ac18bf5d7533d |
| SHA1 | 16ddd0504ad1e946fe731e95d944845065bb8124 |
| SHA256 | 78da48e49483962f92faf81a39e322e03463d62b2af7f5b8df365271302af83a |
| SHA512 | b84d3f565d94747ff32fbc21847906ed7d9f92e582c4c65e6ebebb81f16751ab13e01a3baead65e8b5df6f488103a2c0e1f1933b0bf918b8ed5abfc6247eecf6 |
C:\Windows\SysWOW64\Qmepam32.exe
| MD5 | 53014569c3cdedf52b5aaacbda95edc2 |
| SHA1 | 53371b284403bba9f8a4658f5c121a364817950c |
| SHA256 | 46d6f89ae00adb3b6c90363f0fdd49090a761d78ae89022c4f4cea583b1cd91a |
| SHA512 | 784ff91eca58144f5fee4ef3c553390d1c124d7f688a134bc312bcc629fb84a47aa2029bee9013a859cf35a746dbcc8ee796049f05e4314d2347b563087d2979 |
C:\Windows\SysWOW64\Ahippdbe.exe
| MD5 | 439516d02c775e6cc524c76be757233f |
| SHA1 | af16007ec3e09da2623d345348a49ce73cf35ae4 |
| SHA256 | 371506eb5f9186ffca51e67eda97603c0c65300bf2e6fe7b6f05d717c4de60f8 |
| SHA512 | 596d118df3b645df74a8ffd9dfcfd304698ee0c3a8af75672a55880bf62df9d7fe7823611f0bed55a61fe18c545ceaee23ee5e7d0d8cdb88a4411aabb7fc8479 |
C:\Windows\SysWOW64\Bdpaeehj.exe
| MD5 | 98b11939f7497f65aa7aa9a6b6c265f2 |
| SHA1 | 25dabeef00a668a02eb147ca743d019189bbb591 |
| SHA256 | 3f79fa13936d9fb99e0edde66a0765629366d7f1401146bc550d7eea7142a1e2 |
| SHA512 | 6e30fc3511afb16dbc0fd98a2f8a854b21450618ecb9c3a61126b3e2b1df253b122051f74c9dcba21810dad51edd4b22c83f4c4c4b5377580453c354cbde2d24 |
C:\Windows\SysWOW64\Cofnik32.exe
| MD5 | b35b67976f179e39d9460745f4865840 |
| SHA1 | 874ab29f8bf59d172563093395d23c006dada667 |
| SHA256 | 1867100c98a1119ea91358924a0184b30994dd757de20777d198ac37343e91a5 |
| SHA512 | e9e29d97edbb5b1062ee12d342a779ed946fac0260722720a681fe3d8e888d3cbcd3cb00bc98d9dbe6386449bcd6e99d331a3946fd9329506b9afa6f30caae93 |
C:\Windows\SysWOW64\Dfdpad32.exe
| MD5 | d890dcbb1bdca58bdfd6853fa86106fc |
| SHA1 | 47b70019e3dda461871b1209c717d59e94f64823 |
| SHA256 | e14ead88ae664b0e0ba514fc0b93354fb56ff3581a7bedd85c6cbd3792040970 |
| SHA512 | 9703125de231f492c6e572df3f4cd1d74b73191ada0b78d87d931905b44d627a86c135d3deb85ef4d4544c29e16f4dc5262c353646517ffb7b3d5db3842bdd6e |
C:\Windows\SysWOW64\Eeelnp32.exe
| MD5 | 0664352ff817b1cd2144d3659e5ff991 |
| SHA1 | dce350af45e3dfc21183a1787fef98d4c5b725a1 |
| SHA256 | 5e0cdfc672af6b1fd349f858d58c776bea4cc3b96b383c655366787724dc2dba |
| SHA512 | 19915b9479f649a380de19c8bb382d8adf4d67aec7ee62eb52d57d253a77805933f9b4aaae9fb08afb8bc6187a3289a07fed86d9a2f2aaa0594506d9e3784221 |
C:\Windows\SysWOW64\Enpmld32.exe
| MD5 | a8fea7d8aee24139c264f99a4da0345f |
| SHA1 | 6fc8dd66f16dfcab7f1fdd835f9d6a070a35b0d8 |
| SHA256 | 1482fa77ded5b9e22f29617f76795e99ea8ebf69729bba3dae4cdbf3afea2d1c |
| SHA512 | a030e25dbf232837dda20b36e392e563b03d46eca1d2b2c4437d30eb5970144a119515e8799b33694c59c9c3ca1b3fd0a899ae869657a4f9b0a02d407dd4029a |
C:\Windows\SysWOW64\Glbjggof.exe
| MD5 | 24c2d6abdf723cc960f30ad40a662471 |
| SHA1 | 06ef0237d666da68df92e9a283cf0f4a1a715dd9 |
| SHA256 | 85f40f9b0f6c8553871bd75549ea05c6ea581ccc2377c359ed61c72c62488648 |
| SHA512 | 66aa82aa86b65529e574a7c80df2f9c05ad18dde57048df16362c1be52c3ee6621cf63a07bf7f49d313bd8e3cf3de4992d10f4f71e306dd96958b6800023acec |
C:\Windows\SysWOW64\Gncchb32.exe
| MD5 | be2c280996f2d22878d5e2b381eb137c |
| SHA1 | 5017cc89db0733ac0c9c215c73aa91d54f2ee3ae |
| SHA256 | a8ae37b95d77e47d9e8554e753950c6a704739e1e3d7d212e661884090735f8c |
| SHA512 | 3526ab587fa39edb1e36b5677fb8f717f1c4eb28d9269b3571d122ff74b72d3a316490b261901cd91ea7334a2b89cfa075f60a4cef1eb0eea19af5a7eb1630ac |
C:\Windows\SysWOW64\Hibjli32.exe
| MD5 | 2f2b34fd21a8b19df922801d9c72e9f2 |
| SHA1 | c4c07fd22615335dcdce7a37a707a2a1c82902fa |
| SHA256 | 5e5250e393ddfb33bec05128d472177ae7c229071ec3428f775802d642452914 |
| SHA512 | 8cc551669f9edcb86b9fe4c1038633368c9701991101523287c2a3711f92d1cf409050a9b0fff38ce3fff7394ee760a9485691ca50856a1a21e51ccde7d633f2 |
C:\Windows\SysWOW64\Hoaojp32.exe
| MD5 | c00ae40a29b4948f91596828977affdf |
| SHA1 | 194407a5a489a869fa253f894da2fffa6b99c062 |
| SHA256 | 6f204c55ed42bfadff1f5c0247c9dfe9694dd903eca8f32b66af0d52338e312b |
| SHA512 | fd3ba22fe08946415ecc47975b96163f75f2755cfeb089da9b053795d1090c369f44c65781f5c453e4295bd4488e20d2c711bb119a3491d971ae3e27721a3e04 |
C:\Windows\SysWOW64\Hmdlmg32.exe
| MD5 | 095a8b375b92a6a193e7c795d2f6a94d |
| SHA1 | 310e4930ac174d2b8f89cb3930a6b8d2e1f6e5e2 |
| SHA256 | d199873c661f1e8acd60d671a239c0556719f38c13e236c11eae53dcc51462eb |
| SHA512 | 26468f57b48ab7a5497a76c9c08fb2c57eabf673891acaf07b99518c101c33b90955412ab40a1ca8357d290442a14280aea85f3ee8573f50db09ff0c7e9bb89b |
C:\Windows\SysWOW64\Imgicgca.exe
| MD5 | feaef3c54758977c8c15f1fd2c19b560 |
| SHA1 | a51248a512e07fa5955bf3dbfb7a4bbb3eb862e2 |
| SHA256 | 9875fb0870ae5fc90fff04fb240b5b8919ec6b7edf407a3da8759ed773b0d2f2 |
| SHA512 | 1aadb4281a791926fbc88bd68d1ecd0ec5934df8b73a842a5d96fb926dbdff8639b2d5c31fd322aff2f0e686a9111b44734cb7ee70136211f9e8965242767f2b |
C:\Windows\SysWOW64\Igajal32.exe
| MD5 | e2abc3955ddbf4a17f0b3287dacb13ad |
| SHA1 | f1471ff9b2bf4373cacc15976ad650b1e8cb49fe |
| SHA256 | 068dd0c731cc9d6ecc02f8ca24ac59137d7e4fdce1e050e854c605e822792116 |
| SHA512 | e0b22d78435c61a888ff4dbdc2638f1030b0469505e4e08a6ab8ea5cd2461426b15c39125c5ff41f0ae6b35f45e1a95518fb73e4aa4ed4e89267197b4fd48c5c |
C:\Windows\SysWOW64\Iidphgcn.exe
| MD5 | 59136f7ae227dd2fd8c7fb4bce495691 |
| SHA1 | f93c497ef87dafd7b47746cc13ef9f4ade8b7e98 |
| SHA256 | 51961cff3aa0c5a9c15f5e2f8270492ad4840a0c03ff6130f987b88f96a3f0d2 |
| SHA512 | 3d415024eeb1a13eae278a6f5049da95dbc661155fda595c6b1ead8ff15e418be5f161089f2307dc82e4fe654e0387406549fd4a98b3ab2e1cfc5503ca3c87a6 |
C:\Windows\SysWOW64\Jpcapp32.exe
| MD5 | 99c7a22ae644a797b34d556e8a0b5342 |
| SHA1 | 5ba547bb9a63f81e0911933319e5a65396ed0eb9 |
| SHA256 | 194236820a9bcb59998a9bfb0161266375cd5b4585fe45cb2aeba75da5c11c3f |
| SHA512 | 39080c481ae92ff4bd85c77d41e429ff6812598f52d0e2976399a88b279d2767e316b826c2bd94930efa25a0bd72ec952755b6f3131f4d5a320b1ab0c4752823 |
C:\Windows\SysWOW64\Jcfggkac.exe
| MD5 | 023389182d6ba0284c83ef946ca6576c |
| SHA1 | 3d49e75f9a51c3276a40b86c307ecdf16bfa33e3 |
| SHA256 | 0b703564f8116c69c8e93efd2b7999b7893d23a4ca07d941f1506b99cdc678b3 |
| SHA512 | ecd2575c8cebeb8e790db46a9934b3555eac44f785d4597354c1c9673bbd7279efd527608a30cbd1585a0a14b61284644d052f3db64268a5e412b1da5f0b9534 |
C:\Windows\SysWOW64\Kgflcifg.exe
| MD5 | f5e596a5e081fb24ef93d4aa433ab435 |
| SHA1 | b9921e1837d1c46c6ef5277c81f0178a906498d1 |
| SHA256 | 3d0ced33a23ffcbb7f99b3fb2da305f32ca36e67a879c76c47e279c0bbcd84b7 |
| SHA512 | bbe036c6b7dd0bf95851d1b4d2dce931dc9d2e9e13afc5b56c2987fba49279387ad41ef12bb3c4edaa8cabf6ece0a6eb5aef8807e242d02c6446290024b03926 |
C:\Windows\SysWOW64\Kjlopc32.exe
| MD5 | 417618df37632901b065ee364834a417 |
| SHA1 | b9cd10ca62c52643bb02ebfdd2c5c6b1b9f9d2ee |
| SHA256 | 2fc82f6c71fdc2bf1c59e32113c704180a6d77063cf0a543585c1555e0a10ca3 |
| SHA512 | 1f71457083a19c0cde228c53c0a608e3c46501c5c8fe763bac70ca5117e8097dd0929b03b8e9c5907704a2208e56b3463a009de22d83738738664b217e16fec9 |
C:\Windows\SysWOW64\Llodgnja.exe
| MD5 | ace4311950a0fa5e176fa1a6c8b40a2b |
| SHA1 | e5091fb22084d69b23417f23d36cd5db5de488ed |
| SHA256 | a904035b720b322c6c610c8561ef35a997bcc263aadf58ba690de901534dc062 |
| SHA512 | be332aa88683b3a5e2b1acd757d67082de4e18c45d3c478bef71ef1d3e982849e2fe5117fd7783b51e4d0fdfd65121f6171d623b53563c7253d8382042566480 |
C:\Windows\SysWOW64\Mqfpckhm.exe
| MD5 | 2be99d1464c7460f0b4e7c9f48d45834 |
| SHA1 | 722072aee7eb15a2159ad054dd8f77d9299c3cf9 |
| SHA256 | fda0d5fb556b73056476a79ebfdf1eebf895ffcd869c1b6e6ddc70c344f864f1 |
| SHA512 | e94ace0e3c74ae9f11ddd055e074884f1a5a4ab0d0d2e87260a0357b0dff53ae28af302227314daecc41aa37fa4100b0cbf3dfc51e07e9953d8f14839cdcf867 |
C:\Windows\SysWOW64\Monjjgkb.exe
| MD5 | a44ae68ae54f1582c71d557a6bdb01ba |
| SHA1 | 52a0d2045c729b27aba0b380c203d7d391439285 |
| SHA256 | 582a87fc8daa719bcf78696f5fe267026bc58341067f08ccd1471884d3d674a6 |
| SHA512 | 49c373e5d8bc0eede05c816df34a98599a2f72e92fa223ac2b39a7b50c04d19bdd1d6c648fc3d0db972431eb5bacc9f877cf409d2eaf033f7184654304a10c30 |
C:\Windows\SysWOW64\Ncchae32.exe
| MD5 | e927fe658d9a6206776af3bf8c4bd3b4 |
| SHA1 | 0f537f6db5207981eba39bcb261a61ad2e133556 |
| SHA256 | 6b235582c9339d00b40bdbf41d0153d9def4156893d44d1273fbc72bfdf69566 |
| SHA512 | 0f243c7f1034fb5b2d300c0c5f79c0150994fcd8b36ec58cc0c7906a33f4d1eb27ea67ca4378ab94323fea406625cee4d85c10da81bc6b51106d9f1ba6ca0569 |
C:\Windows\SysWOW64\Onkidm32.exe
| MD5 | bda3d76d1e2d0c4f16d082e6d7b5efc8 |
| SHA1 | f1087d2549eacad609a736aee7b1f50a2811b670 |
| SHA256 | a3d1ff176cce9e1b65252d9193a8ec77e1c16bfb6808b7efb8451359decf58ca |
| SHA512 | 4b4db2a48d47d528c1af75cc0cf9a22ea884c1e7744a5074ff2ac7bd946b35ea9321a0e7383c74eb7189f32db8b86fab2e72e4f5a703fa29066c8ee933ce6d7a |
C:\Windows\SysWOW64\Ofmdio32.exe
| MD5 | 80b27f54d5f4b458f76e8c35522ba118 |
| SHA1 | 2224f84cc4bfcc4124d2c79ad7359aae116459da |
| SHA256 | 34f06413768e68a7e8f99aa867b1b86d460d32f0c0be04c31822ae3238041ea9 |
| SHA512 | a9bb9a84e271fdab9894168016e4249fbb252aff89f20c94c0010b17946e7520add16be10cdaab97cbbe029ed1b61bb583f95c2ee529a422a2bb00822e89b165 |
C:\Windows\SysWOW64\Pnfiplog.exe
| MD5 | f69ac3bd811b4c937831fb923013de2e |
| SHA1 | e43120ea5c1874de710b75983f40aff76e22a60c |
| SHA256 | 49d724de49acc552f522e154636b8899b1f5bac0ab8e04724d974fb86e4d4708 |
| SHA512 | e7ebc7abb9a70e0214eb814739334d7d22ca46ff821eb6b0d6080c84a4f80b575748a8d4fb161a3f02de59ccd95b178b5ec527e23c0548f6eb53106b06e6f2ee |
C:\Windows\SysWOW64\Panhbfep.exe
| MD5 | f62a13b763a44806281204ce14b52527 |
| SHA1 | 6fbb08b008a00bf3618f7a447bc168a3184acab2 |
| SHA256 | 5ce35fd35c15bf6df16446121f343f2b60dd9428a6d3412f5bdfe8143bacbbca |
| SHA512 | 6d2887ee1d3ce871a31726777019a5d83371c7dc8a9971a31224234569c9c6778eb831e08513928a62e6308af35bd3e07ed88fb8e53522a648093facef5b2c6a |
C:\Windows\SysWOW64\Qobhkjdi.exe
| MD5 | 0c506dd2f24c18ca45b18342015d9f35 |
| SHA1 | 162b1b336f875f1806a18e11e492bb9d272d6fea |
| SHA256 | 68afbeba4fa3e27a5267a8268514ff0821bda60ca049faf8e00373c7ec638ff7 |
| SHA512 | bd6047fe4204597d61ab7db5f17047efd0876565423690ebac75bc3de85cacf0c71f1bd8f06ce2e93272dfc7b96e7d2b75c70de744423a585300926b454cae6c |
C:\Windows\SysWOW64\Adfgdpmi.exe
| MD5 | 693a677c0df5f71407f773553570cb27 |
| SHA1 | af24b006f08221c5c2c18c1da5471cc6dae22c59 |
| SHA256 | 874631f5e394960dacde5353f0fb68ffb4f7f141718b94d286ebff3b3cffe326 |
| SHA512 | 4b42a552c0a685b90e432d92922236325d2e0658655745a35ba1bd60f21a060e4d6e0221bb34908af4115c7a4c132191854aa87ed0605162242ea35bbfb1f7b3 |
C:\Windows\SysWOW64\Akdilipp.exe
| MD5 | 47fa3c7b9fa9d6720ecb2a8dbf00d59b |
| SHA1 | adfcb190311fe1990ba983acdf69b7fdbfd3b8bc |
| SHA256 | e7b206ba4cd9f9683a2a827a9de22152fed4410eb7ca92b1088d8f1e8487ec73 |
| SHA512 | d62f242f12402240e5eb3fa48a116e4166915ce206558c20d8ebab263b687e825b31873204437955b926141f054a3c52d46863daa70f5cb5393e8cca6f1a9516 |
C:\Windows\SysWOW64\Bdfpkm32.exe
| MD5 | 845537135fca486950622bae71f8da58 |
| SHA1 | 6f4168fea2880c135cb15e8aac291665d985af67 |
| SHA256 | c48013baaf50c6d5beba3c5ae3feee81b933ec23121c7d05e860f528434f28c6 |
| SHA512 | cb92cfbd8373c660420f268da2ba8dc07fc01fbe86c3b75f8ace458c7e0d65068183c371f1f4469433826d4763ad9286b3c506bd2febb93b7811040565b54056 |
C:\Windows\SysWOW64\Dhphmj32.exe
| MD5 | 5abfad8026357494f3c4c1ce8fd3ade5 |
| SHA1 | c9b4e10372a6e47ee1a0ba3418068804377326dc |
| SHA256 | 5c803cacf4910cd2304567b84170b6a48c6cd9112ac2abee527831e5bdaf6a00 |
| SHA512 | cb638ccc9c2ec861891f66eb559664d25acd0bfa0ae870e0d260febc103506008fe7aaee3596ea6b80ea21df0fa3f33670defc0c6dcdb850b6c20bffaa09006b |
C:\Windows\SysWOW64\Eqgmmk32.exe
| MD5 | 4e82c0eaee466a02c1663a2d608adae6 |
| SHA1 | e753a4d247eecd02a8884f7b5b2c9dd19ddb5f8e |
| SHA256 | 9ab87a9f2077e86f1c4a09b65f451a5e3afaea006292ed264e9f6192ef241912 |
| SHA512 | 7c7c18b7cb54f6d894a21d6fbece0226caa697ea0391f5c4d7b570155b4a9738680f89a2cdff8b56abd8caca7f97f20ca6fa89492590a52c07610134214c539d |
C:\Windows\SysWOW64\Edgbii32.exe
| MD5 | 3a280c0bdfb13c20c7ee926ad2a82042 |
| SHA1 | eaffcc46b5dbaf1ae3eec09e047429cc8c290270 |
| SHA256 | d953e6d4779a4ec0ffa9fe7ae3460514f4aef87db81adbc56e768e5b37ec2ea5 |
| SHA512 | fce0a7266318542d130fa0bf4972c319fb9304e5f141705e3269f207086d1e9f5e33dce58ec440990866961bc03aaeb3a4fec97ed2baff0f32ec7712f0f03449 |
C:\Windows\SysWOW64\Ekcgkb32.exe
| MD5 | 0cc042d4e95adaaacbb400a5e5040a55 |
| SHA1 | fbec3871c6bcd9c89e911193430f54bc01326504 |
| SHA256 | a5dc4f6f219f9b54d9fc45b811690a0396113c275b755789d251ffba867ce0ca |
| SHA512 | 7cd5c0b09bc42ca69afba6ebd2a9d67c09f39e12a5e4826a9cf8c8889b4ed49424f60afcb887b666665480f0a7c6346f0b141d10e931dc05e9df591385e8a456 |
C:\Windows\SysWOW64\Fdnhih32.exe
| MD5 | 81f140764da15d9177274131c14e8023 |
| SHA1 | 7db08cfcddebd8a43d90df1c27ab92e2a725c6a7 |
| SHA256 | 721e7b1808cb7ac5818078bf3f49c74da13ff8d36e5188ed45f2f6f6291b6abf |
| SHA512 | c27ea709c4489d3727fc679285140fa1988ee2be2f2a17c9c08a551bda47474bd55885fa1c5d20ef27f9a1d11175494fc5fb4f032be15b7dadde980d40940d6d |
C:\Windows\SysWOW64\Gnnccl32.exe
| MD5 | d7771c8055a0867788e38935db700bd1 |
| SHA1 | 4e3099f196c7afeb4a3092664293ffca779ce4fe |
| SHA256 | 23c42d306a5155ea3049be61486600a2e3cc6d328a29b3adf18bcb55b8bc16d3 |
| SHA512 | 555c665fbb29a67d09dbe5a345a286ebefb9465bd3a69f8fe88f926b0d94037ab15e64420d0c54865dd6518ec24d4254afb10df16de6dced5f6a5f6608226db6 |
C:\Windows\SysWOW64\Gegkpf32.exe
| MD5 | 46c204192d3b98edf028ae81cceb9ef0 |
| SHA1 | a91bac53eb31493966e4ab2038adcf899dd2af30 |
| SHA256 | 783ca6796d392a837114e3d219de232f014791cce89bdc8a1acc10f804fe83e4 |
| SHA512 | 2187862ec63ce1eb9f7c727aef35417cb005858d3c9e1eb123f4ab30a44f4c1b8bd1f33b0d5ea5c2e0a8bd0e476ca8c8eb1626407dddc6b58351a1decdca5ea9 |
C:\Windows\SysWOW64\Jlbejloe.exe
| MD5 | 19ed161f221c0ac55ca1298e70ac1b38 |
| SHA1 | 53fa985073cb1cba2d69b82ce7e86bd9e5871f43 |
| SHA256 | 0e42973ac0964d91a8d3ea63434cd8fe20d338fc232dd7a80ed30a88cbf2a631 |
| SHA512 | 754e623996055fadc05acb83bee929cdf98a83743cd7db9a0f3e9d50046cd3a1666805559160b610055445429840deb0628b4aa9ddbefc9af6bddfa3ee81ef2e |
C:\Windows\SysWOW64\Jldbpl32.exe
| MD5 | febba4109de187b2520d2bb7c573c626 |
| SHA1 | b81b49fa1b0759a8a22841c9dc535bd5a49cf714 |
| SHA256 | 8972e4f93c0661b525f15a7b4e3f8e2badb2ca9b8919e593f3fcf7ffcd64e175 |
| SHA512 | f209d0ed392229f62e2b9cc7dfe4b0cf6218c2aaa8a3306f4e00d88a7eb2c872e61cd13f3ba1ee12f219cfbb4828926055b92616ab117b5b42723958a65a0ef4 |
C:\Windows\SysWOW64\Jadgnb32.exe
| MD5 | ad2b1e035cf13479284bc9a593335a3c |
| SHA1 | 4ae067d686c02187105ebb6fa22047a5e72bebbd |
| SHA256 | 802266e82f44e04bacc83f1b0c01020b06d33ba76c457d9a67eb53992e4bf010 |
| SHA512 | c162036a2d652303a50d42f91ddab9485db13cd0a662b9943a6c685e2c3666bdcdc384e93ab5fef3816792a619dc5e5b96ca2e146d85bbb48c75dba3f4e06844 |
C:\Windows\SysWOW64\Kiphjo32.exe
| MD5 | bc2ab41b421a0f11a83af85b43bf469c |
| SHA1 | 944b008b42bcb2a424a09234cee269fa58bf7633 |
| SHA256 | a36b8cddb21ca471c61d2c16b8f0ceecd91bdf758d03326c334196aeafd1a3cf |
| SHA512 | aeeb1d6d96df0b932c2d2b8bf6913a8521451556b0ce157b3cb6ac80e40c3e8a3463fc45690e51a2911f3b04609e2d019859d2fb4232143f71fb9ca53fdec17d |
C:\Windows\SysWOW64\Kheekkjl.exe
| MD5 | 43f87b3517ee42c09352ea28d19b42a1 |
| SHA1 | a658145256c482572e595d3c444956f602b6d35e |
| SHA256 | 55af4da00d51afff2e4e724e122eb702a6c1ea325d158be284cb1c862ab8e7d3 |
| SHA512 | 1e1c86fcbe053811026905e986c5850bbf0b6f4d9ab2833c2ba55292faa4610dd89c5177b1a495dca20e509309e5e99c60795a87684854c0977d6718c5d61021 |
C:\Windows\SysWOW64\Klekfinp.exe
| MD5 | aab8d552c6ad26c457cfd875efd0d61d |
| SHA1 | c62a12fdee4976c7c3667be4f41216b861b7a3c6 |
| SHA256 | 362fd8e73b2a7294791cd55e0b6bac0d054cf15ee761f031bf418a08f1417758 |
| SHA512 | 5ec7f7e8b67fd248d6e5d53188d20b03a8a7ec2c6ee8d78fe2d07661c9e46c4ec40ceb0ebc74cabb77e8c639ea28a0f167ec9850b8765a97cacb92d9c172c1ac |
C:\Windows\SysWOW64\Mapppn32.exe
| MD5 | d9be9da6109687f776190aa9af64cac6 |
| SHA1 | aab7a30576a28d22b1f7f02750e8c8cb859e4fda |
| SHA256 | a65c6fff332220ce1b07afa70169beadf396dfe8bce349a75791c614fcf7ef67 |
| SHA512 | f131a97f67b55d343f4d227fad464e13e0ff1c0cf171816e8255948d206e49dd55b4a569fe8774be554458a81bd99ab6e4c24ddcaae48153cc2218dc7012e1c1 |
C:\Windows\SysWOW64\Mcaipa32.exe
| MD5 | 0077ef4cb09e352efd98e29beb7e330c |
| SHA1 | af586d9b64ad4427f186a821d139368b0c103bfa |
| SHA256 | 6d9888143459e80dbbbe02922a703756e40ba79d521868675373a9388c05273b |
| SHA512 | 577fd186740ec1c0cf784fea2f3dfb7fba7fa8d8db2976f82da547402c2a90c0894f4e6925e3bf2d738dd0a7a991d1e1cd651072eb8bc704934e43eb5222b6a1 |
C:\Windows\SysWOW64\Nbebbk32.exe
| MD5 | a77dd59d7b431f8fe829c958005bb156 |
| SHA1 | 64e0d34931e23c9726cba45038102b4f7e2cbd49 |
| SHA256 | 78231455aa130bf9d16c4613314d02b5246c5bc663cd326f088e7eb4ff140385 |
| SHA512 | 772532382c733c82ecd9ed668a88c4d429570952c0af1dae15eb64773d07df32fa9f764c1c58cc7cef7a0caefc9ba133267a9dc3bd87fa6e6941f380ed59f760 |
C:\Windows\SysWOW64\Ocgkan32.exe
| MD5 | 24854abcf994476611c0b6f44a0ef475 |
| SHA1 | c958bb9c194fbf709ec62c750b0ea10dbda8d903 |
| SHA256 | 51a7bdc7ba6ca1ec5ab60efc45c7b8a9a33c4cb5a46ac9b5a34c97b934a6bffe |
| SHA512 | fdf1df13e50d09dab571ab16a20eaf2096ea2fc038af2014d648a363a88fa8ed5049eb66f605d6f4ea3797071c67df33cba9abd1da93314a77cafb55d994dd39 |
C:\Windows\SysWOW64\Ppgomnai.exe
| MD5 | ac9049274d1813b99e035b62df701909 |
| SHA1 | 233483449799a9c609b88c73ad157c80f53b9169 |
| SHA256 | 9d5d40eb5bc4d2952df7e47a4a30e35f8c6fa49b2ff9bffa61f10852cde7e15c |
| SHA512 | 7adf9ff1ffd163e013c42cfb46c507921e7ddb300c425c72461af3c11ee50afb885a3c425c5f43665a396e45b17e8d61a45c26d600292f6db04e824745e7cc0e |
C:\Windows\SysWOW64\Qapnmopa.exe
| MD5 | cfd848a10cbd5024763f71e756c187f0 |
| SHA1 | 1e5a639b60cbb7bfefbf87950d7f2a280d0611eb |
| SHA256 | bfd9eeb383abf2235d9bbe44f5d990b040f79e6f061e6d2ddfdc97b160e8d674 |
| SHA512 | cad4faa5b19d0db4302ebdb4cd2506ee8a5fc123b361bc583501131055f7adc7147749b2b227449361b31772ca9016f2af8206bb7f68220f1bd4e80562e7a144 |
C:\Windows\SysWOW64\Bipecnkd.exe
| MD5 | 4c7fb76c3d5d1872ffdaf8ba2c582175 |
| SHA1 | 666cb02dea3fec7073f7a7e5847da34331de65d3 |
| SHA256 | 5ed69eb5761fe3faf05c17d703ce24159bac4b29042b8e73fc99dbc33aab8393 |
| SHA512 | 206c2ad10125a9579503a056e40c7ad5ee4e60244ef16c72d098f0db22cc686478f265804fc5d70fddecdccc6b7b04064b4e4d9f8d0d6c0094c623c5caae4787 |
C:\Windows\SysWOW64\Cmpjoloh.exe
| MD5 | 6f2ea29733ffe8acfda3ae23131cb989 |
| SHA1 | f46ef9849d02b2916c9c38d4f3abe7a9cf33ef0a |
| SHA256 | 3d7c39abdfd5d83176e8df2206e308f9c394442e54ca9ebb41fcf9c2f5a43b9f |
| SHA512 | 772d15267d748cf194a31085647046ff3aaf9754113a74290cf0eca0e125cd0ed5679dc3cc1fbcacbaba3005aa3cda24cd93b067b5b3eccdf649bf9d71c07bed |
C:\Windows\SysWOW64\Cdmoafdb.exe
| MD5 | 043cc10050dbff239ee371dd77472302 |
| SHA1 | 1818b6e7f0aa7ead7ee7887faf6b16ddf4931e4f |
| SHA256 | d924168b14af1884ba8af447867a9e05e67ad4959fdc3a04515f725723ee050a |
| SHA512 | 523441026036aa86e6155a99c7672ce3c914712db075b16cb129bfec029cbd9290b63611aca9b8ddb3a9031662e814c62f18106a584d47ae621021338f5ba3f2 |
C:\Windows\SysWOW64\Dpmcmf32.exe
| MD5 | a2ad05aaa5ab8ebb6b0d7c6fc38a9e04 |
| SHA1 | c4e294e1289d403ecd9bbd102e6403152397d9d2 |
| SHA256 | 0a86fed4288fdadd3ac2c38e3a5c16bc57bbb899f0b00df5592fcd3e0e6b6f1f |
| SHA512 | 3a6af46638c2c9e151610c572ce8d1f712a1695a3621b432fde1752b6d51700d70e55ab82147a7b06a231f2c43f025c1baf5e379f4fee4a72009b0087a321183 |
C:\Windows\SysWOW64\Enemaimp.exe
| MD5 | e069bb126f2b1f62f1584ceb717849d2 |
| SHA1 | 090c2dcfcf45f3b9447e600cebc3db4d07d5a5a5 |
| SHA256 | e4ed102a7c042cd4c80b6316d3c205af5a2010bbbecbbd0402dc052e421a356d |
| SHA512 | 9b17e777d6fbc18539b8f3a1290d9aceca3192a5ee71332bc20851eabfc893d1adae4e1514ae094351e66efaa0a71e397c828cfd9fa3af21ed5c31e48f41d786 |
C:\Windows\SysWOW64\Enopghee.exe
| MD5 | 4551d020cc9525c8c04b5967e25d43c1 |
| SHA1 | 13916d6f6eb6abbd4e717e37154b6865ae668635 |
| SHA256 | 9b50859e76192259d7e493f4e04cbc2eb4738e2918fa4eb9532a5d827462d8e5 |
| SHA512 | ee51ef13f7a3b154623764868f9d8afff127b46e3c5ae40b116f01a5ff65c8b09bd2e027113caf665351f0bd5a045f2ced0340c8bf39851778710b0c868484b0 |
C:\Windows\SysWOW64\Fdmaoahm.exe
| MD5 | bc5721868105ceb081d09640d504bb5c |
| SHA1 | 4ddec9b7116c8618e08d1c4b2dec6448bd24977d |
| SHA256 | 7d513b59f8fc32616490d00e599b49f9855513302fee8859e306f21e9b294294 |
| SHA512 | ab271edb9cbc25d9b33879b444b763478c38dfdd0c39fe8443b25ce52f947b0e604dd0fe3e3e25f89734383aeecdfd0d85df553d15cef6d322118337168a6aab |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 16:01
Reported
2024-11-10 16:04
Platform
win7-20241010-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Imdjlida.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncggifep.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gocnjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Iceiibef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Opcaiggo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ggncop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ijjgkmqh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gmbagf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lkccob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nqbdllld.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fgnfpm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Foqadnpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nbmcjc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ijhkembk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lhpmhgbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hjfbaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nnknqpgi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdbgia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kbjbibli.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mffgfo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcnhcdkp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mogene32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gcgpiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hbccklmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhndcd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fdbgia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhlgnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ldndng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mogene32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Obopobhe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpfggeai.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kaieai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kaieai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lcnhcdkp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hbepplkh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iadphghe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hbccklmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnlqemal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kdincdcl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nqgngk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnknqpgi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fondonbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ggncop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Opcaiggo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jbooen32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nqgngk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gqkqbe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hbepplkh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdincdcl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhpigk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jhndcd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mjkmfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jehbfjia.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Khnqbhdi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mhpigk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ijjgkmqh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gqkqbe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nmpkal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Laknfmgd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkccob32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Mffgfo32.exe | C:\Windows\SysWOW64\Mhpigk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ieiegf32.exe | C:\Windows\SysWOW64\Hgeenb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbooen32.exe | C:\Windows\SysWOW64\Jehbfjia.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kaieai32.exe | C:\Windows\SysWOW64\Jhndcd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lhpmhgbf.exe | C:\Windows\SysWOW64\Khnqbhdi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lkccob32.exe | C:\Windows\SysWOW64\Laknfmgd.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjkmfn32.exe | C:\Windows\SysWOW64\Ldndng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjkmfn32.exe | C:\Windows\SysWOW64\Ldndng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnknqpgi.exe | C:\Windows\SysWOW64\Nqgngk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Feiefo32.dll | C:\Windows\SysWOW64\Nqgngk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbpccf32.dll | C:\Windows\SysWOW64\Hbccklmj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jhlgnd32.exe | C:\Windows\SysWOW64\Jbooen32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gqkqbe32.exe | C:\Windows\SysWOW64\Gcgpiq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mogene32.exe | C:\Windows\SysWOW64\Mjkmfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmpkal32.exe | C:\Windows\SysWOW64\Ncggifep.exe | N/A |
| File created | C:\Windows\SysWOW64\Anbnkfdj.dll | C:\Windows\SysWOW64\Hgeenb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iiodliep.exe | C:\Windows\SysWOW64\Iadphghe.exe | N/A |
| File created | C:\Windows\SysWOW64\Jehbfjia.exe | C:\Windows\SysWOW64\Iceiibef.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhlgnd32.exe | C:\Windows\SysWOW64\Jbooen32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eelgce32.dll | C:\Windows\SysWOW64\Jbooen32.exe | N/A |
| File created | C:\Windows\SysWOW64\Icgpcjpo.dll | C:\Windows\SysWOW64\Khnqbhdi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbaafocg.exe | C:\Windows\SysWOW64\Nqbdllld.exe | N/A |
| File created | C:\Windows\SysWOW64\Ieiegf32.exe | C:\Windows\SysWOW64\Hgeenb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Opcaiggo.exe | C:\Windows\SysWOW64\Obopobhe.exe | N/A |
| File created | C:\Windows\SysWOW64\Iceiibef.exe | C:\Windows\SysWOW64\Iiodliep.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpmjno32.dll | C:\Windows\SysWOW64\Foqadnpq.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbjpjphf.dll | C:\Windows\SysWOW64\Ggncop32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gqkqbe32.exe | C:\Windows\SysWOW64\Gcgpiq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjfbaj32.exe | C:\Windows\SysWOW64\Gmbagf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnlqemal.exe | C:\Windows\SysWOW64\Hbepplkh.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmlbeoba.dll | C:\Windows\SysWOW64\Ieiegf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iadphghe.exe | C:\Windows\SysWOW64\Ijjgkmqh.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmmjim32.dll | C:\Windows\SysWOW64\Gcgpiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmbagf32.exe | C:\Windows\SysWOW64\Gqkqbe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbjbibli.exe | C:\Windows\SysWOW64\Kaieai32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lhpmhgbf.exe | C:\Windows\SysWOW64\Khnqbhdi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Laknfmgd.exe | C:\Windows\SysWOW64\Lednal32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mhpigk32.exe | C:\Windows\SysWOW64\Mogene32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nqbdllld.exe | C:\Windows\SysWOW64\Mffgfo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmjkbjpm.dll | C:\Windows\SysWOW64\Nqbdllld.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdbgia32.exe | C:\Windows\SysWOW64\Fgnfpm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fondonbc.exe | C:\Windows\SysWOW64\Fdbgia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgeenb32.exe | C:\Windows\SysWOW64\Hnlqemal.exe | N/A |
| File created | C:\Windows\SysWOW64\Iiodliep.exe | C:\Windows\SysWOW64\Iadphghe.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdincdcl.exe | C:\Windows\SysWOW64\Kbjbibli.exe | N/A |
| File created | C:\Windows\SysWOW64\Laknfmgd.exe | C:\Windows\SysWOW64\Lednal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkffpabj.dll | C:\Windows\SysWOW64\Mhpigk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Opcaiggo.exe | C:\Windows\SysWOW64\Obopobhe.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbccklmj.exe | C:\Windows\SysWOW64\Hjfbaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dbeghn32.dll | C:\Windows\SysWOW64\Hjfbaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihefej32.dll | C:\Windows\SysWOW64\Ijjgkmqh.exe | N/A |
| File created | C:\Windows\SysWOW64\Kocodbpk.exe | C:\Windows\SysWOW64\Kdincdcl.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnoaan32.dll | C:\Windows\SysWOW64\Kocodbpk.exe | N/A |
| File created | C:\Windows\SysWOW64\Lednal32.exe | C:\Windows\SysWOW64\Lhpmhgbf.exe | N/A |
| File created | C:\Windows\SysWOW64\Mafibkqg.dll | C:\Windows\SysWOW64\Fgnfpm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gpfggeai.exe | C:\Windows\SysWOW64\Ggncop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ijhkembk.exe | C:\Windows\SysWOW64\Imdjlida.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghdehmnj.dll | C:\Windows\SysWOW64\Imdjlida.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ijjgkmqh.exe | C:\Windows\SysWOW64\Ijhkembk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fondonbc.exe | C:\Windows\SysWOW64\Fdbgia32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ggncop32.exe | C:\Windows\SysWOW64\Gocnjn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nhkddaih.dll | C:\Windows\SysWOW64\Ijhkembk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Khnqbhdi.exe | C:\Windows\SysWOW64\Kocodbpk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nqbdllld.exe | C:\Windows\SysWOW64\Mffgfo32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ohnemidj.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fgnfpm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iiodliep.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Foqadnpq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kocodbpk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hbccklmj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mffgfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmpkal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ggncop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ijhkembk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mjkmfn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nnknqpgi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fondonbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gpfggeai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gcgpiq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Imdjlida.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Laknfmgd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hjfbaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lednal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbmcjc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gocnjn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gqkqbe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hbepplkh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgeenb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iceiibef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ldndng32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mhpigk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ieiegf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iadphghe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbooen32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kaieai32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkccob32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbjbibli.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Obopobhe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jehbfjia.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdincdcl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Khnqbhdi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Opcaiggo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ijjgkmqh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lcnhcdkp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mogene32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fdbgia32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hnlqemal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lhpmhgbf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncggifep.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ohnemidj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gmbagf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhlgnd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqbdllld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqgngk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jadlgjjq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhndcd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbaafocg.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ieiegf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kaieai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmoai32.dll" | C:\Windows\SysWOW64\Nnknqpgi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmjno32.dll" | C:\Windows\SysWOW64\Foqadnpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbeghn32.dll" | C:\Windows\SysWOW64\Hjfbaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Nqbdllld.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkmkh32.dll" | C:\Windows\SysWOW64\Gmbagf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelgce32.dll" | C:\Windows\SysWOW64\Jbooen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoakai32.dll" | C:\Windows\SysWOW64\Kaieai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcckc32.dll" | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gocnjn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ggncop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gqkqbe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hgeenb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Foqadnpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lhpmhgbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdjfie32.dll" | C:\Windows\SysWOW64\Lcnhcdkp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbmcjc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlodea32.dll" | C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fdbgia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fondonbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Khnqbhdi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lkccob32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gpfggeai.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hnlqemal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkjfeka.dll" | C:\Windows\SysWOW64\Iadphghe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Laknfmgd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Lkccob32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mjkmfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmolej32.dll" | C:\Windows\SysWOW64\Jadlgjjq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kocodbpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lednal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jhndcd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mhpigk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll" | C:\Windows\SysWOW64\Opcaiggo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fondonbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ijhkembk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Iiodliep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Imdjlida.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clllno32.dll" | C:\Windows\SysWOW64\Iiodliep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hnlqemal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjldnpp.dll" | C:\Windows\SysWOW64\Iceiibef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nqbdllld.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gocnjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbinloge.dll" | C:\Windows\SysWOW64\Gqkqbe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hbccklmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbjbibli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nnknqpgi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmabknal.dll" | C:\Windows\SysWOW64\Fdbgia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbpccf32.dll" | C:\Windows\SysWOW64\Hbccklmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jhlgnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefcdgnb.dll" | C:\Windows\SysWOW64\Nbaafocg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gqkqbe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojdod32.dll" | C:\Windows\SysWOW64\Hnlqemal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mhpigk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddifg32.dll" | C:\Windows\SysWOW64\Hbepplkh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Iceiibef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icgpcjpo.dll" | C:\Windows\SysWOW64\Khnqbhdi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Lhpmhgbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jehbfjia.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe
"C:\Users\Admin\AppData\Local\Temp\68916d0954f6f71a304da9f371a783be7f20ef7346b6ca2f81afe7038b9fd932N.exe"
C:\Windows\SysWOW64\Fgnfpm32.exe
C:\Windows\system32\Fgnfpm32.exe
C:\Windows\SysWOW64\Fdbgia32.exe
C:\Windows\system32\Fdbgia32.exe
C:\Windows\SysWOW64\Fondonbc.exe
C:\Windows\system32\Fondonbc.exe
C:\Windows\SysWOW64\Foqadnpq.exe
C:\Windows\system32\Foqadnpq.exe
C:\Windows\SysWOW64\Gocnjn32.exe
C:\Windows\system32\Gocnjn32.exe
C:\Windows\SysWOW64\Ggncop32.exe
C:\Windows\system32\Ggncop32.exe
C:\Windows\SysWOW64\Gpfggeai.exe
C:\Windows\system32\Gpfggeai.exe
C:\Windows\SysWOW64\Gcgpiq32.exe
C:\Windows\system32\Gcgpiq32.exe
C:\Windows\SysWOW64\Gqkqbe32.exe
C:\Windows\system32\Gqkqbe32.exe
C:\Windows\SysWOW64\Gmbagf32.exe
C:\Windows\system32\Gmbagf32.exe
C:\Windows\SysWOW64\Hjfbaj32.exe
C:\Windows\system32\Hjfbaj32.exe
C:\Windows\SysWOW64\Hbccklmj.exe
C:\Windows\system32\Hbccklmj.exe
C:\Windows\SysWOW64\Hbepplkh.exe
C:\Windows\system32\Hbepplkh.exe
C:\Windows\SysWOW64\Hnlqemal.exe
C:\Windows\system32\Hnlqemal.exe
C:\Windows\SysWOW64\Hgeenb32.exe
C:\Windows\system32\Hgeenb32.exe
C:\Windows\SysWOW64\Ieiegf32.exe
C:\Windows\system32\Ieiegf32.exe
C:\Windows\SysWOW64\Imdjlida.exe
C:\Windows\system32\Imdjlida.exe
C:\Windows\SysWOW64\Ijhkembk.exe
C:\Windows\system32\Ijhkembk.exe
C:\Windows\SysWOW64\Ijjgkmqh.exe
C:\Windows\system32\Ijjgkmqh.exe
C:\Windows\SysWOW64\Iadphghe.exe
C:\Windows\system32\Iadphghe.exe
C:\Windows\SysWOW64\Iiodliep.exe
C:\Windows\system32\Iiodliep.exe
C:\Windows\SysWOW64\Iceiibef.exe
C:\Windows\system32\Iceiibef.exe
C:\Windows\SysWOW64\Jehbfjia.exe
C:\Windows\system32\Jehbfjia.exe
C:\Windows\SysWOW64\Jbooen32.exe
C:\Windows\system32\Jbooen32.exe
C:\Windows\SysWOW64\Jhlgnd32.exe
C:\Windows\system32\Jhlgnd32.exe
C:\Windows\SysWOW64\Jadlgjjq.exe
C:\Windows\system32\Jadlgjjq.exe
C:\Windows\SysWOW64\Jhndcd32.exe
C:\Windows\system32\Jhndcd32.exe
C:\Windows\SysWOW64\Kaieai32.exe
C:\Windows\system32\Kaieai32.exe
C:\Windows\SysWOW64\Kbjbibli.exe
C:\Windows\system32\Kbjbibli.exe
C:\Windows\SysWOW64\Kdincdcl.exe
C:\Windows\system32\Kdincdcl.exe
C:\Windows\SysWOW64\Kocodbpk.exe
C:\Windows\system32\Kocodbpk.exe
C:\Windows\SysWOW64\Khnqbhdi.exe
C:\Windows\system32\Khnqbhdi.exe
C:\Windows\SysWOW64\Lhpmhgbf.exe
C:\Windows\system32\Lhpmhgbf.exe
C:\Windows\SysWOW64\Lednal32.exe
C:\Windows\system32\Lednal32.exe
C:\Windows\SysWOW64\Laknfmgd.exe
C:\Windows\system32\Laknfmgd.exe
C:\Windows\SysWOW64\Lkccob32.exe
C:\Windows\system32\Lkccob32.exe
C:\Windows\SysWOW64\Lcnhcdkp.exe
C:\Windows\system32\Lcnhcdkp.exe
C:\Windows\SysWOW64\Ldndng32.exe
C:\Windows\system32\Ldndng32.exe
C:\Windows\SysWOW64\Mjkmfn32.exe
C:\Windows\system32\Mjkmfn32.exe
C:\Windows\SysWOW64\Mogene32.exe
C:\Windows\system32\Mogene32.exe
C:\Windows\SysWOW64\Mhpigk32.exe
C:\Windows\system32\Mhpigk32.exe
C:\Windows\SysWOW64\Mffgfo32.exe
C:\Windows\system32\Mffgfo32.exe
C:\Windows\SysWOW64\Nqbdllld.exe
C:\Windows\system32\Nqbdllld.exe
C:\Windows\SysWOW64\Nbaafocg.exe
C:\Windows\system32\Nbaafocg.exe
C:\Windows\SysWOW64\Nqgngk32.exe
C:\Windows\system32\Nqgngk32.exe
C:\Windows\SysWOW64\Nnknqpgi.exe
C:\Windows\system32\Nnknqpgi.exe
C:\Windows\SysWOW64\Ncggifep.exe
C:\Windows\system32\Ncggifep.exe
C:\Windows\SysWOW64\Nmpkal32.exe
C:\Windows\system32\Nmpkal32.exe
C:\Windows\SysWOW64\Nbmcjc32.exe
C:\Windows\system32\Nbmcjc32.exe
C:\Windows\SysWOW64\Oiglfm32.exe
C:\Windows\system32\Oiglfm32.exe
C:\Windows\SysWOW64\Obopobhe.exe
C:\Windows\system32\Obopobhe.exe
C:\Windows\SysWOW64\Opcaiggo.exe
C:\Windows\system32\Opcaiggo.exe
C:\Windows\SysWOW64\Ohnemidj.exe
C:\Windows\system32\Ohnemidj.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 140
Network
Files