Analysis Overview
SHA256
da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716
Threat Level: Known bad
The file da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:08
Reported
2024-11-13 17:10
Platform
win7-20240903-en
Max time kernel
116s
Max time network
22s
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nlefhcnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olebgfao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdbdqh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ahebaiac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Loqmba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lfmbek32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnoiio32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nhjjgd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ckhdggom.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bgoime32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lnhgim32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mqbbagjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qpbglhjq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aoojnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kffldlne.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgjnhaco.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mikjpiim.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Omioekbo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Obokcqhk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ljddjj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ljddjj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Loqmba32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mnmpdlac.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdiefffn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Padhdm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgoime32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdcifi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lnhgim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mnmpdlac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Paknelgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lklgbadb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Phlclgfc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pljlbf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Paiaplin.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Agolnbok.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mfmndn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mfokinhf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mfokinhf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkndhabp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qkfocaki.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njfjnpgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ahgofi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdqlajbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgjnhaco.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nabopjmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdeqfhjd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcljmdmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfoojj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mklcadfn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhjlli32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Obmnna32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdcifi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgfkmgnj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lgehno32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Kffldlne.exe | C:\Windows\SysWOW64\Kgclio32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcofio32.exe | C:\Windows\SysWOW64\Lkgngb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpqnnmcd.dll | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekohgi32.dll | C:\Windows\SysWOW64\Kgclio32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojefmknj.dll | C:\Windows\SysWOW64\Padhdm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmoloenf.dll | C:\Windows\SysWOW64\Pafdjmkq.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgmdailj.dll | C:\Windows\SysWOW64\Bgoime32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nhjjgd32.exe | C:\Windows\SysWOW64\Nbmaon32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ojomdoof.exe | C:\Windows\SysWOW64\Odedge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Adlcfjgh.exe | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgaaah32.exe | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiablm32.dll | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnfqccna.exe | C:\Windows\SysWOW64\Ckhdggom.exe | N/A |
| File created | C:\Windows\SysWOW64\Cebeem32.exe | C:\Windows\SysWOW64\Cbdiia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Edeomgho.dll | C:\Windows\SysWOW64\Nmkplgnq.exe | N/A |
| File created | C:\Windows\SysWOW64\Pafdjmkq.exe | C:\Windows\SysWOW64\Pohhna32.exe | N/A |
| File created | C:\Windows\SysWOW64\Incjbkig.dll | C:\Windows\SysWOW64\Allefimb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njfjnpgp.exe | C:\Windows\SysWOW64\Nameek32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnoefj32.dll | C:\Windows\SysWOW64\Nbmaon32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Odgamdef.exe | C:\Windows\SysWOW64\Olpilg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pkaehb32.exe | C:\Windows\SysWOW64\Phcilf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agolnbok.exe | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Llgjaeoj.exe | C:\Windows\SysWOW64\Lfmbek32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nhjjgd32.exe | C:\Windows\SysWOW64\Nbmaon32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acfmcc32.exe | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkegah32.exe | C:\Windows\SysWOW64\Bigkel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Abmgjo32.exe | C:\Windows\SysWOW64\Aoojnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihnijmcj.dll | C:\Windows\SysWOW64\Lonpma32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mikjpiim.exe | C:\Windows\SysWOW64\Mfmndn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qcachc32.exe | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdaehcom.dll | C:\Windows\SysWOW64\Afdiondb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjbndpmd.exe | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| File created | C:\Windows\SysWOW64\Cacldi32.dll | C:\Windows\SysWOW64\Mfmndn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kagflkia.dll | C:\Windows\SysWOW64\Nfdddm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Llgjaeoj.exe | C:\Windows\SysWOW64\Lfmbek32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Phcilf32.exe | C:\Windows\SysWOW64\Pdgmlhha.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjkhdacm.exe | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfnafi32.dll | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdqlajbb.exe | C:\Windows\SysWOW64\Bbbpenco.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkhhhd32.exe | C:\Windows\SysWOW64\Bhjlli32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfkgbapp.dll | C:\Windows\SysWOW64\Nenkqi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjklenpa.exe | C:\Windows\SysWOW64\Qeppdo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abmgjo32.exe | C:\Windows\SysWOW64\Aoojnc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Loqmba32.exe | C:\Windows\SysWOW64\Ljddjj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciffggmh.dll | C:\Windows\SysWOW64\Mdiefffn.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcckcbgp.exe | C:\Windows\SysWOW64\Mklcadfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihaiqn32.dll | C:\Windows\SysWOW64\Obokcqhk.exe | N/A |
| File created | C:\Windows\SysWOW64\Ameaio32.dll | C:\Windows\SysWOW64\Ppnnai32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgehno32.exe | C:\Windows\SysWOW64\Lonpma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nenkqi32.exe | C:\Windows\SysWOW64\Nabopjmj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgcmbcih.exe | C:\Windows\SysWOW64\Pdeqfhjd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bgaebe32.exe | C:\Windows\SysWOW64\Bdcifi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkndhabp.exe | C:\Windows\SysWOW64\Lhpglecl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nenkqi32.exe | C:\Windows\SysWOW64\Nabopjmj.exe | N/A |
| File created | C:\Windows\SysWOW64\Paknelgk.exe | C:\Windows\SysWOW64\Pkaehb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkhhhd32.exe | C:\Windows\SysWOW64\Bhjlli32.exe | N/A |
| File created | C:\Windows\SysWOW64\Danpemej.exe | C:\Windows\SysWOW64\Dnpciaef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oippjl32.exe | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkgoklhk.dll | C:\Windows\SysWOW64\Pkaehb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbfcnc32.dll | C:\Windows\SysWOW64\Pifbjn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afdiondb.exe | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmlael32.exe | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qpbglhjq.exe | C:\Windows\SysWOW64\Qndkpmkm.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnbamjbm.dll | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32†Dhhhbg32.¿xe | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| File opened for modification | C:\Windows\system32†Dhhhbg32.¿xe | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dpapaj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Phcilf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfkloq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mqnifg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nedhjj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pafdjmkq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nenkqi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oippjl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oemgplgo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmkplgnq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njfjnpgp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Paknelgk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lboiol32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lhpglecl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mikjpiim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfdenafn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kgclio32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aoojnc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdiefffn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfmndn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pkjphcff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lnhgim32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pljlbf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcljmdmj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmlael32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nameek32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qcachc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adifpk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Allefimb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aomnhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pnbojmmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgjnhaco.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ppnnai32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mcckcbgp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbflno32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhjlli32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Calcpm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mkndhabp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pojecajj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdqlajbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbmaon32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Opglafab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojomdoof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olpilg32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nfdddm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfkdo32.dll" | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" | C:\Windows\SysWOW64\Cgfkmgnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll" | C:\Windows\SysWOW64\Bbbpenco.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ckjamgmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mdiefffn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Odgamdef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Opnbbe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pghfnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lklgbadb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoapfe32.dll" | C:\Windows\SysWOW64\Mcckcbgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll" | C:\Windows\SysWOW64\Akcomepg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdcifi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajpepm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmlael32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Allefimb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aomnhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheoph32.dll" | C:\Windows\SysWOW64\Nedhjj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoefj32.dll" | C:\Windows\SysWOW64\Nbmaon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pdeqfhjd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Olebgfao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll" | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll" | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll" | C:\Windows\SysWOW64\Calcpm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Njfjnpgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qpbglhjq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnfqccna.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lfmbek32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qkfocaki.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjbndpmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mkndhabp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll" | C:\Windows\SysWOW64\Pgcmbcih.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Paiaplin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll" | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | C:\Windows\SysWOW64\Danpemej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nenkqi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll" | C:\Windows\SysWOW64\Pghfnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qcachc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll" | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnbojmmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aoojnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pdgmlhha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll" | C:\Windows\SysWOW64\Ahbekjcf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll" | C:\Windows\SysWOW64\Cfkloq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Phcilf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bgoime32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lfmbek32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmkhf32.dll" | C:\Windows\SysWOW64\Mqnifg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" | C:\Windows\SysWOW64\Nhjjgd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oeindm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll" | C:\Windows\SysWOW64\Ppnnai32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mcckcbgp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe
"C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 144
Network
Files
| SHA256 | 31198f909b56aacf87441220c14c6989ec057d625dde68c34ff930e40e86cdcc |
| SHA512 | 0d59f811705664bf03ff877de298dcfb8e5212ce7c2ffa57e92d458f152f04309e14ed71e848b8a6a3f4eae5d2ec7af2e702bda78932529b80147ac3d0bfddba |
memory/2564-388-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2484-387-0x0000000000270000-0x000000000029F000-memory.dmp
memory/3004-386-0x0000000000280000-0x00000000002AF000-memory.dmp
C:\Windows\SysWOW64\Nedhjj32.exe
| MD5 | ac51a5d68d079dd15772548cb2b2d809 |
| SHA1 | 7e1726324c8a46a029eff9b112555acbd1109107 |
| SHA256 | a353c4d873d739d9369aa2f8f5f90ae315d1fecdf9c8339b35b0e7d878f205a3 |
| SHA512 | 6049ad887bce10d303617062c5b7e55f70178c569ed5cb63410af2bc5ffd61b8a7e87a9769c15634726e0e1f1d64c9cc83e6a9e37a5b66b244a39ca5261ba85e |
C:\Windows\SysWOW64\Nmkplgnq.exe
| MD5 | 8575ede4b7de5520383c19d489b3f3b1 |
| SHA1 | 550df7090e846f06b61c81dddd4c00e4fb327719 |
| SHA256 | 4d035d4ac7dbe06d2a1d171198f28e374134e31539e57c484f5716460aa7de4c |
| SHA512 | a4cc9722c1b247180c555ef2f3dde4abd9c6a9b0b83efe38c93a427a53b5eb196fd196e4ba05067939daaeee049e7b00a3d08e0e16734121d64636ec4d1c2b79 |
memory/1868-410-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2852-409-0x0000000000400000-0x000000000042F000-memory.dmp
memory/352-408-0x00000000002D0000-0x00000000002FF000-memory.dmp
memory/352-407-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2564-406-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2564-405-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2508-416-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2852-415-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1872-428-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1872-422-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1868-421-0x0000000000270000-0x000000000029F000-memory.dmp
C:\Windows\SysWOW64\Nfdddm32.exe
| MD5 | ee30242fdd414dcfdd2771cf83fe5941 |
| SHA1 | 113887dc58e89fe4e53eebaa112344744a2ee4f1 |
| SHA256 | ccc4024e29c2531c692832ab8bbd4221eccd27882e52359477f42d3d4fc8264b |
| SHA512 | abfa74b853c475b518046dec098f462a793f78a86b3685c22cdb394ac4c70f2f159c5c9281bee4434b2db3aec60c8b33b25f6b719aa01de9d12a5c0e55f0c4ae |
C:\Windows\SysWOW64\Nefdpjkl.exe
| MD5 | c8a843cc4760348f5a3de154545d7287 |
| SHA1 | f6f64f153affaac29360fbe9230ed098f349b01c |
| SHA256 | cd2eb27653ebaf0a5abf89f05c164f1e88e6eabf5a4496df07be2d5b7a17f0d1 |
| SHA512 | 3d9e5a5d7cc6d3e20d3f9b840687c766fee547b027d59e3c884977b2c71bf585ffd48e97da2b690db94fbebc9deace7f1c95adc1b747211f9186a4e7ee1b5f4d |
memory/2440-432-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2380-433-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2440-438-0x00000000002E0000-0x000000000030F000-memory.dmp
memory/2380-440-0x00000000003D0000-0x00000000003FF000-memory.dmp
C:\Windows\SysWOW64\Nnoiio32.exe
| MD5 | b9971b44bbdac7b4f113619e63a28343 |
| SHA1 | 58f47a5e1006d64709ce8b141639f0481b1e4145 |
| SHA256 | 2a32e93dc5633044fc7f43213e7f5e06fe9be7d277deaea3362007aa9386c601 |
| SHA512 | 330fca07b7c9be5ed4188a2b948a8e481baec920306b5ba7cde2fcb90ba50a60cba4f8e5247780006a3921e47b32ea7675525b2b759a80d552a89154edc38738 |
memory/2932-453-0x0000000000400000-0x000000000042F000-memory.dmp
memory/108-455-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1256-454-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1844-452-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Nameek32.exe
| MD5 | da540fa2b0d92f236ba17284378abc32 |
| SHA1 | 93ed572cb1b713726720337158c3f145a5c9955d |
| SHA256 | c48ffa52f56632031104f2394b7574da483ed6834de62696d83fb7b365bee4a2 |
| SHA512 | 756e8f0681fa8de8426830e11fecf5a1597de5a28d84faa680af55b82d67d638695e850d6412973a087cab9c3bf760a6077f3d715a387c7e96f395d42a6097b3 |
memory/108-462-0x00000000002E0000-0x000000000030F000-memory.dmp
memory/1588-465-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Njfjnpgp.exe
| MD5 | 11381a82f9902e9d0929ef466de16e95 |
| SHA1 | 7c94e4663a13e50490d8245201d30d79764471d6 |
| SHA256 | 493cabd6f912879f4dcfbf328a14714a342ec0ad77e9481b709ad1d01870f251 |
| SHA512 | 74a1456a684bca6d0bf3aab825f899f35cc30536e997f9b905cbe7fa32faf8443e6f41e0bd701bc2e1ab0be9fb9db0d4b7708a794d43a5d1d41031b142072b01 |
C:\Windows\SysWOW64\Nbmaon32.exe
| MD5 | 5f8ce14c8f076c955cba358da9ab6be4 |
| SHA1 | 135436da61d3bd02e4f2620845d2b56c61f74594 |
| SHA256 | 2e342ee5a5606559854239753864ea25b57cf5ae79505cc425b0d473cce86c9a |
| SHA512 | 88eb22fb8d915e7ace6b54156d8b1d33098228eb114a063889a358e26e65de3e309281df71cf22d81af3e3c121a6b89a05952be580532cba82f07b531658976b |
memory/1588-472-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1128-470-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2080-482-0x00000000002D0000-0x00000000002FF000-memory.dmp
C:\Windows\SysWOW64\Nhjjgd32.exe
| MD5 | 94a9111c2584f128117ddf6a09192a6b |
| SHA1 | a4d4757e6ca93a13f858dd335aecd04e6df6a791 |
| SHA256 | 01ed89bb33a3862290a4d2553db29fa80c403be5534751daab04aee2acce5401 |
| SHA512 | 8f3784d89dd473f20659652e7b1fab509983c0f3c3e510e0c369057baa2b0044f3b1a4f5ad38bd25c860bbbd7165d43bef480697bdf13765b957ff938b90318c |
memory/2004-480-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2928-495-0x00000000002D0000-0x00000000002FF000-memory.dmp
C:\Windows\SysWOW64\Nlefhcnc.exe
| MD5 | 4336185989db296899a9b8af2c81e6a9 |
| SHA1 | 84076ee52e9403bde5fd8b2e7698aa529c9bd30e |
| SHA256 | f3e3ada19e4987efe62e8c83ff14b302592b524f00c6e41e6a00fdbb1bf10d58 |
| SHA512 | c4628047aba1b1725ebed24bd312a9f6a1c04fd77d2e986a967ab8b32b886df9dd2666a29fc40e80af915b0364799f01086324d73db4970a2cfb64d37cdd5dce |
memory/2928-490-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1720-500-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Nabopjmj.exe
| MD5 | 82bd63b321f5adbd1faa2be55a8458e9 |
| SHA1 | def41c3547b2e42f98fca5ba47ade1f3b77d3d6a |
| SHA256 | 1b49697c4457cea1287bd0bf4cff30197288db1bc2df2122a75f3ee115bd496f |
| SHA512 | ffd023171e654c0764789eb6a8e76c4b8a17aeda778555f6c0d3232a68e053e45aaec679c47a7fbb89aa1cd8d2b6b3266f8eead5a8fc26c8619e23e1893e4631 |
memory/2376-502-0x0000000000260000-0x000000000028F000-memory.dmp
memory/3016-518-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1624-517-0x00000000002D0000-0x00000000002FF000-memory.dmp
memory/1624-516-0x00000000002D0000-0x00000000002FF000-memory.dmp
C:\Windows\SysWOW64\Nenkqi32.exe
| MD5 | f99331b265731a4e18c89da8057fb423 |
| SHA1 | 62ce3e0d098ca105dc8d3ec1918df154725273cf |
| SHA256 | a0bd0132bd05dbdc8326e699c0be1a367bf75b9e93f1ecd8f9d6143d358db192 |
| SHA512 | 7bad17a7dead998072c8574dd6c549bda26a16b43a00ecf0183e56e635a1ae953c617d8a3527cbcb703969b97998c1f2c42e093765b0d4a18755285ddded2e6d |
memory/1884-510-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2376-506-0x0000000000260000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Omioekbo.exe
| MD5 | 4a5d6cae5139ff17aeda8223ff98c980 |
| SHA1 | d189e82aeb0afeb2e6df91ac41b4ce991a30f0a1 |
| SHA256 | 9cfb9b2f316047b3b37605bafec5b69df3d7db5da2e64a83c16ff0dbd303d9ff |
| SHA512 | f20102597757a0ae77400c2f53db580f7ffeecf5836f8f6bc2f8c9a474b0931c4f338533f8131136e578ccf05e13d7471d272248ca27cc13eb841dfe4f158286 |
memory/2792-524-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Opglafab.exe
| MD5 | b3f5f0d5a1767a8199b4300de42d73e6 |
| SHA1 | eaf5913111cfc64e0c6106892f700366a57eb15f |
| SHA256 | eaf1fc6884da38b1a6bad9ff96efd36b04407abf1795999d96a4f25941cc537c |
| SHA512 | f9c1f72e29e53d24c934fcad60242ded67a18316051d980e7eba1258f2ca89da3b481069fe8a8791876a4dd2bd333f0da9aed060b90623949cab60404cbc1a48 |
C:\Windows\SysWOW64\Ofadnq32.exe
| MD5 | b277babac8267d567c9dd7e17b96aab7 |
| SHA1 | 6d1e184b6e9566cdbb1067f92163c9ef766fd503 |
| SHA256 | f376c2fbf8b8f1a277b434cfa8b08db6e8ff03e030adb866990b7942c0223561 |
| SHA512 | c90f37222b568013f0f6553bba42862109caeaa89cff67c70fea126707e79a06bf6edf6630409b4cfa362e9184a9f2b582efcb489dca38a93840ffd83b4d2498 |
C:\Windows\SysWOW64\Oippjl32.exe
| MD5 | f745113a10112d9ef8950dbf107910b0 |
| SHA1 | 673149f2ae95c9dea5b6639a87e7fcc3457bb78d |
| SHA256 | b1bce3be8610e14368d81b982981625e1328ec7a0bf891a5b6c08172f23fb8f3 |
| SHA512 | 312463b8d3f6f31f07cd9a2ed4d8917fc071c6fd102b1c16aec7c90b1d2d637de70ded822af67142a247fb1ff6be745f890f31c77a1b2fab9307ec28e9c982f5 |
C:\Windows\SysWOW64\Oaghki32.exe
| MD5 | f375ca6e35af1fd615767b333926abc4 |
| SHA1 | 1463334cc6752212e3d93acb3bce25afcbf85f32 |
| SHA256 | 84bec85aa9863a1379c8092cecc769121fb2eec99668740d6761a556672b8fd3 |
| SHA512 | d9649dc0ca98f9eb0f1768531867a120aa695132a1b33c9f49ff80890f1ab94b376d39091c722400d21c89c82461e9c8ba9844f2d150605f8028019d906c6f3a |
C:\Windows\SysWOW64\Odedge32.exe
| MD5 | 76133420f448fd2b57ffd695dfba21c5 |
| SHA1 | 97d5cee7fec29887394d4ba6f99ba0dec82986db |
| SHA256 | 524fb0aa18f034045fc96fa299bcce0aa8c9486b6499c621fdd25a5d258083fe |
| SHA512 | 05fc6e0a252cbcfbf08e94d48c4239373149cbc468b966c574934ea5dc68a79dc21d80805e05100f29b9e3a9832b302befcae9c928dc87f92de7ef438fb1c1ae |
C:\Windows\SysWOW64\Ojomdoof.exe
| MD5 | 1a15f501d7bc7b32c38bcd30818fdf8f |
| SHA1 | 7fce2b5e56391d3dd16068f2f497b84955cd3384 |
| SHA256 | b110666829025985680f3ee25937bb8fd837c8403c7f65ea5d2271150ec5c4bd |
| SHA512 | 72da55ac69b62b8579ac393b0a4e5663b966f9dda95123ba97e3eda943b2ecf3ebf7c3d3ae66e26f7b08042bffa3baca807832adfe7f26135a3bcc31c0d9f2c2 |
C:\Windows\SysWOW64\Oibmpl32.exe
| MD5 | 47d7d5ed630074e8f1764eeed4929860 |
| SHA1 | e90886cf45f40b3eece3c528c17780ba4d6f068e |
| SHA256 | f671f27e83deae9a9d343abb221cb270a4c209296e32f38670a13c08cbcee7d6 |
| SHA512 | cde23811487cf45f13402df37f5535f1784f0eb1bd1e584e3d58517d3765b00588e87846cb678b91bbad1b505a9d1c3e9cedda9458f1ca66bb4f6b8ccb05cf51 |
C:\Windows\SysWOW64\Olpilg32.exe
| MD5 | 485f64ba8e74e011d467cd443e7d2d1e |
| SHA1 | 5956a6f8798a2bd0a9d44e65e975d5a9e48a4a4e |
| SHA256 | d710d5a15cce4567a5d42a02caed0dd1f48707b8de2c274e06c69cefa670ae5c |
| SHA512 | 1d8ab1c3542d0ba6715d3c73ffd2639b89cd840fd785d868aa0b44b7c5ac37ca114404daa8f1698adfc899d0dbd3673d904beb79ca37aeffe98b4d452d7e1c38 |
C:\Windows\SysWOW64\Odgamdef.exe
| MD5 | 21fcf187e9945559bd43f64e5a162d00 |
| SHA1 | 661ced8d0e71f4f728ab954a0bff6a5f7b3752f1 |
| SHA256 | f71e86961521c20f04bcb9469fa0bb377a1b499643bc462e33d5c9536532bfe4 |
| SHA512 | 52e107a0bbe52a5be7f6dd005b498028d563fd0cb19dfc5b934a450815de2cfe01febb4ee6963692d6c59ac42b0be5e28e46560937d3967166c1a514e56f4cc1 |
C:\Windows\SysWOW64\Objaha32.exe
| MD5 | acf396174bde31d27be312e89e7c5e96 |
| SHA1 | d09cf4443753eed7cd8eba64e4c7d382be70c847 |
| SHA256 | b9ead3c891c95e7a86ea4856d176471413564ca84bc9cf4d00a6a5f9773e2556 |
| SHA512 | ce7aef5665645940ea82e9ca02752ac680a93e7ede6bf92dfad6a0815c9dd0b2332e73954cdb2fdae28580a62b396ae232fe93b64b30e0f4becab29070544a2d |
C:\Windows\SysWOW64\Oeindm32.exe
| MD5 | ab55c75e187fd677303af7322b6bd6bf |
| SHA1 | fda71ac2d35565aec36bec1e7d08355e44d31e47 |
| SHA256 | 914dd964e856bfd9778d8308796ce70c83d0b1d1778764fc5891f93115bf4134 |
| SHA512 | 8034a7ec1057fb5f566eab44acc1a1a3df68e82505d8a5cc3c6daf106305dbcb470562e9b92fa0b8e21f8ed90350ba3aacd7f1df6eb51b156b60e6c2b6fb47bb |
C:\Windows\SysWOW64\Ompefj32.exe
| MD5 | 17bd5db34c9a10ce7fb6d0e25e35e8fc |
| SHA1 | 63f58fb58eec1dbc94a058411f0d434102d6389f |
| SHA256 | 5842738a3b0c0afa4337962ff95188f5b1f909e2e69138d68dee48e574598e0b |
| SHA512 | 8a346e29062b9a1797dae0a6d35aa47cc719d84d15bf2831a3be51d6b8394925efc8cdf6b3b858b45e02500435f5800e0a5d2d4f75eb83516f9212acad76c96c |
C:\Windows\SysWOW64\Opnbbe32.exe
| MD5 | d224e864c90c3c3fec016659f7a687fa |
| SHA1 | e7023d8f3e5a82d3a5edd00a8fcf86ee8c4d2f2c |
| SHA256 | 5559d365fa5c48a3adde04a88079306d3a6a3eb6045d55148c4dc55743444380 |
| SHA512 | 172ec53cd7f3d092e44009b6f89e38b8f52358c8b59afa935404c586c6ce9f40e37c60a8f6e58027b6654907c15d3941cad2706d414edac6df395c69963ad2aa |
C:\Windows\SysWOW64\Obmnna32.exe
| MD5 | 49304bced528025cfda81fd7f4d32bd7 |
| SHA1 | 57060333f7eaa5736ae7a1cf7c28eed03536f76b |
| SHA256 | a946d81670936f420d4478385aedd43e1b10c0ba1970353d44f4aecdd1c543cc |
| SHA512 | 697db483d0279d8e5a5be5daeb3d8b658f5d789055432c340f6be229acf377309213e5dd66165196492ba63518f8a9518afd136209f81a1ebcbf91ffd4f4b4bf |
C:\Windows\SysWOW64\Ofhjopbg.exe
| MD5 | 48beee6366b8a08a0f9d1bc7bc95cd87 |
| SHA1 | 153e6375eb1739184cbbfccc13169f505ed7c525 |
| SHA256 | 70768b1146637c25dd28812a929982b250ccaebb4b34ad5e0ae28f67c1b83c08 |
| SHA512 | 7159ebf9654bf8c985d6d4d59caf9203a02bb6ab0f3e3b6a1539c9345ff05d73bad7f2a82fbbdc0665ab6558637fb51baf77367f3e4299750bda6328e7745cc0 |
C:\Windows\SysWOW64\Ohiffh32.exe
| MD5 | d7cf04190ec2e757cb47ced63486c618 |
| SHA1 | 1bf396237585d622e773e1dcc1a8c2a1ad068ffc |
| SHA256 | ccceab42f68a4fb1907dcb478d16b5a9bdbf3db822b48b7aa81f97c9782b830b |
| SHA512 | 661bd6327ba4528b700b54611d9a0aef8047a9c423390c474029d83723fd4bac91c026fc9933aad3e2dfcbb01c2688fa6d004a19b708125238ef9bdad5c4bec2 |
C:\Windows\SysWOW64\Olebgfao.exe
| MD5 | e02bf5c65f62b8b090980abedfde8bf5 |
| SHA1 | df465da4dcadcdd8af9b10bf8443beb0b3391495 |
| SHA256 | 2d64ee31efe5c55f7d300d6b111462dc4810859349ff6f9c2294ddddc944873a |
| SHA512 | 74f43ea150d9df30b025cceacc04fe617c0b2d13edd78104327e69ce6418edd46b7c99fec2070a10085f3dc179dc846071c9238c1a65c4c53270f69d6c74ef47 |
C:\Windows\SysWOW64\Obokcqhk.exe
| MD5 | 55bbe372ae0a2aa3ed175042271480ba |
| SHA1 | 3ca4149bdb859cbfdfa27db810da7b4cb2aa5d93 |
| SHA256 | 627a24a15a770d6e40579a5366d25b012e3620e5aa5d59473c1a50f1722d9d4a |
| SHA512 | 851654d698f4cc3341883a00f17f35fa250c5b91df677d311b7f709e3a471212844ffc6d220e289a8cd6db009b9964694f59563d8c6a1beec95c968fd5022ba3 |
C:\Windows\SysWOW64\Oemgplgo.exe
| MD5 | fca20007eb6f3007177e02ad5bfc41bf |
| SHA1 | 06ceac193d365d0a18078047d82f5f802ef6c5c6 |
| SHA256 | 2921bf50aaa359ac8d942b0ee2e00aca09d48d46e35d503af3f51e0572149fa2 |
| SHA512 | f837b7e1d75a5dad07a3e9c13b270142589dcfbcf5082d3a1cf9a6660402b2b92dcf2a7f80e383a50139310e3afb6d45dd98781482a66eaf784f76185f4c3fb4 |
C:\Windows\SysWOW64\Phlclgfc.exe
| MD5 | f64a90d2842faa0db26171577845eebd |
| SHA1 | 851c31fc680cf5e94f75c61cd842f9388506e48b |
| SHA256 | 14eefaeb0bc6fc0a8ca02c90618fa12edce8525d658263a7c4f2f493c5a531f0 |
| SHA512 | bd35f9e8fb03071d5a6db4a05b3529a6223e4bfcf10979a6ebf3720c76e2f465786f10c30748cb4655b7ba0804b25b48f2186c74c28134079b488248d42e1735 |
C:\Windows\SysWOW64\Pkjphcff.exe
| MD5 | ff31460a42f5411ce9a794490d39cd62 |
| SHA1 | 38544afa89fed8f6806a5b773f1f2985f8012322 |
| SHA256 | 8839dc4e440b288094208fc01a874ad07b6eee4e7aa0a5fd82a305a17eb9cebb |
| SHA512 | efb4cc58b79ca9b4a7ac8598efcf09169a1555ca2fd4258477c3c6e5cf4d61064779dadb9baecf2fea3634c9e7519b5353f7bf42eb570c210dd7a9659ef62ead |
C:\Windows\SysWOW64\Pofkha32.exe
| MD5 | 64693acdb68af6330bee8820eae8d462 |
| SHA1 | d820766fd9e764f530741aafb232d8b24745fb2e |
| SHA256 | 47d088591e32b2968feef5d177a22d3caf7baecc087599d1d72e3e1a866736d8 |
| SHA512 | d073cdd157f6ad169bde8081b083a2982ccf280dd2829d4b18d367e048dde3e1db4987fd5673e25d95e99a09f830376170751a66f3b3f4a3e51461c2b5cdd665 |
C:\Windows\SysWOW64\Padhdm32.exe
| MD5 | 8bd8601e1f68c2108ac363b27baefebe |
| SHA1 | 11a3ce1b006f067fdc2782307fc1a1097e6cbfbe |
| SHA256 | 4ee6c4668e82a97f8ec22d0d86adf9c3e02ad125348a120569c0369bb2d13d45 |
| SHA512 | 30593df833eee8fb2b2973723bd071d71ce98aa7ff8a3390201ee57be234a25e9467630540475d88e2653b94642e0d16d5c7d15c927b210cc97f7f25334ffd7a |
C:\Windows\SysWOW64\Pdbdqh32.exe
| MD5 | 258dd5010c4f3dcb89bd79bdd659bcf2 |
| SHA1 | d526482379487563f8cf2f064432cebb47ff1d85 |
| SHA256 | c5a2e2587c356751cad2b6ec5db5aa73b7c79fd79171fee2d0bf845452790869 |
| SHA512 | 08f5b88872507a9ae014c4d66c6580e58ca4af47e81fbaa19dde8a93c0547577cd40bf803c47e66a48d18fa95446fc1c5abf792a204f8a3ea5563e6c9acde2c5 |
C:\Windows\SysWOW64\Pljlbf32.exe
| MD5 | 976d0f834b4558f352d35a5e1c07a34e |
| SHA1 | 3c06e6aedfb7a58fed4e4ea871479b28839bb659 |
| SHA256 | 1b51a6888343387b4bbd7b0862de24af4d830c38965190c8097fbb65b961c8b1 |
| SHA512 | b58ed9216fe9bf3d3b337bfc77fc765115496d48584e08dee812db68d025e313bd574d9cc89a5efd14e71309c037f3448622a3cd892b5fc603406b86c2bf0adb |
C:\Windows\SysWOW64\Pohhna32.exe
| MD5 | 49df378090453e798dca2c7c681aa152 |
| SHA1 | 24eb28307c4a48c614d0e08191aa9c50dbbb3e89 |
| SHA256 | ae04696726ec246209a58ba6e6848a8b3412b6a9bbb65fe52702781a0a4af01c |
| SHA512 | 6593986a5a1a68f02b896434f308f1bd02bfb49fda87b32fb08dc87ffb28817fc938a1bdecd82d59ab8140e1aa8304f63051cfac2ad9e056ed51f77e84a18ee4 |
C:\Windows\SysWOW64\Pafdjmkq.exe
| MD5 | 4c7caf2174f2ed3fbfc56258ad48b222 |
| SHA1 | 78e181df7d8975c5487424123e4b74d2227aa24b |
| SHA256 | b39c80edfe75eeaba1c8030a01952601dfc39d7c76eb11a583829ccce74b2335 |
| SHA512 | cdbed254ee4fd97e080d4c4bf01e47ddfdbcd98ef484a47ba0dec675b6a76ec600b16f3e1730158bce16f11ec86932d60a8c83215c8793df0d064ea3120d7ebe |
C:\Windows\SysWOW64\Pdeqfhjd.exe
| MD5 | 9c0157f23b12d715cfb69e2c04f8a79e |
| SHA1 | dfc469d8e244ffd2033ec5fa1d67ed5119cad97e |
| SHA256 | 57258f48666a18d9b7d3e92be27595d8dadd8d6618e35027603a050fe56c607e |
| SHA512 | 5e74547a7ac0ced4c7c58711e939a9d541d330bd17d849f2837c5abe7d3b1838357d488a22542b7746411e3c50e68c493f53c81f09a02e788296376b038be103 |
C:\Windows\SysWOW64\Pgcmbcih.exe
| MD5 | 90fc767f107732324681e0b316e327d9 |
| SHA1 | ebb544e9ee49a2b56a5ee73ec78867b6847a578d |
| SHA256 | 1595d5c268585af91712d4e36b7729ccc23e33939ea847a32a5e4acc13738a7c |
| SHA512 | a05f1e8f9a3a99550283adba37f76322ac161bdb234d9b3420162490626d20b5949b562046cd51cab507133c640103425ab7479e9799f726be757feeba881f03 |
C:\Windows\SysWOW64\Pojecajj.exe
| MD5 | c56f14ec5cfe0de75926442c4cf38c42 |
| SHA1 | fb13b03dbc2c8f6b5f823eb80209e73acbc76607 |
| SHA256 | cc2a24e45967504d1c79a4a0631bc16f8d1aaf78c7cdfd7ee9aaeaa4d0bd0757 |
| SHA512 | a0a9a524f1e27f3d812bab8732e84a73af5343e04cea9922294148ca5cbe5d4a66a2f3d5362bb5ac0758db627bc8a6878a1b9618e6f938a4568cd91ed67502cf |
C:\Windows\SysWOW64\Paiaplin.exe
| MD5 | d86bae3dde981f63c19d1e84317b32e0 |
| SHA1 | e02d0cace4807b4b7c8efe4b2263b7ddd4fc3352 |
| SHA256 | 9823171a9a94b8b1fb2a311b5b0a15a7ff2b70df967bc4a6c6910c83abe75c3e |
| SHA512 | 558b63e13221d70cf495a7aeb3a97d47fd188c5b21df98a1a3ce27a09bb46ba7d6e6a32da1afa55559ac71ab3a40e92397fa5e268bba8a643fb032b27e3ed0bd |
C:\Windows\SysWOW64\Pdgmlhha.exe
| MD5 | a1be2b9edff91f7f0b03ef7d7def4212 |
| SHA1 | 25631d1fc0fe1d3f39f3d5d4b9b89deafeda438d |
| SHA256 | d043603796f43cf89d342f9bb4d63b24c77d6b97b06396a51fd534cde5e44a21 |
| SHA512 | 3cc114ff23ec038cf13d74f7a744f362b60cd2fed5f596487ff6353fbba57794b42df07274dfc4bd1a8c010b991bf1f72c5d56999ba1491467d0efcbc194c385 |
C:\Windows\SysWOW64\Phcilf32.exe
| MD5 | da345341ce7165b05ece452fce5b0885 |
| SHA1 | 2471a894774bf3d7de84db2b83ca343572d192eb |
| SHA256 | 23e30c356b9b9979fb40e3d8bbb76c8c3d9ced7dd138def1a24315c82263dacc |
| SHA512 | 26f3485073d22bc227dcc2dba31f61bb96db2f55d0f4582aa3d45a1524b175aaa503296087dc6ab13b7d5663d0c3c8ea639d448a32b3e1211911ca8bfde52e54 |
C:\Windows\SysWOW64\Pkaehb32.exe
| MD5 | 52168b627f648cb834a248bfed6e7d87 |
| SHA1 | d960436557e492fd4f285ba372b9ceadd3f8c2d4 |
| SHA256 | 79de282fe42208a8d72117754f12cb27c33445114a8318505c4fa96ad83406eb |
| SHA512 | dfb7a484ee23d6726e1df5c5182aa01044f52d6a0cf93d4068ca4e938884a1fcf47ee6b18e3c1e31eb1df8613d8c91ad9ce100fff2d6e4e7f118999b9d17608e |
C:\Windows\SysWOW64\Paknelgk.exe
| MD5 | a87cfb610a8f91b1f2931e55cfc84aaa |
| SHA1 | cc59af64b50f0637166cd9781dd9a000c031ca12 |
| SHA256 | 54ccc2782740ac7916d8b12dfc83bfb00f0774439b79ddf6f6157bb2cf72f1e5 |
| SHA512 | 3770e5393cd784384d9171c27a74948d3b9eed8ab1021d5038a6dca9df864aa0e343d8b27565ff1c69bb1ce6770546892f9f15bc21c68fba0dcf8648e8dace9d |
C:\Windows\SysWOW64\Ppnnai32.exe
| MD5 | 1eaf91b50fef2ae35ca8e917e1f06f41 |
| SHA1 | c201ec7481cdff4923ab452e74729c59e7c31c10 |
| SHA256 | 0c403f77dcb5d7fa71f1e9a52f60f625311374fad2b3f99ae7f793700f1adcbb |
| SHA512 | 872a3e3d3374f6bf726342d6970be2b59a1d85d2338bbd08bb41db72700da2d73fc4a3428b85afa53d41b477982c930c2078fc7f468125228e5828923d46bd7d |
C:\Windows\SysWOW64\Pcljmdmj.exe
| MD5 | dcf26a955d1819c60a72fbaeeb3dc1ea |
| SHA1 | d7708788b0b3a6a9ab73bfa9aec20f6d803f049a |
| SHA256 | 04c079f2967371c0b874d50049f2debc1212aa7fe3559016376d578f2e5ce23f |
| SHA512 | 35fdaac96756886e4413baba3caccce33b96284c29fbe3c436e7fea72e53eb70011a53440d3c3afb0721a92dc7a7608139d07427935793833fa5f2ca301590e2 |
C:\Windows\SysWOW64\Pghfnc32.exe
| MD5 | 41f02f2c827cf0bdaeb05d4e16033ee8 |
| SHA1 | 5807b0fc38ee0545f0ed95de72b89e039e842277 |
| SHA256 | 4734293412684f3767606da57efe9bf072b1eced605c5ab976fa91ae8fa98357 |
| SHA512 | 775ca4c8ba52ecb37207639a45f7576452ef4f4878e72aa2e5fd8bd2aec0e7e443b7fcfdadd26846bfda5fd21add5272afd763b2ba8c45b31bb44cf84b45d382 |
C:\Windows\SysWOW64\Pifbjn32.exe
| MD5 | f273a0d0514424dc55bfda3bc943880c |
| SHA1 | d95b24ee8fefc0ecdf5daa7fec9739e541c04acd |
| SHA256 | a05195a348a1fb6bd439f5dcc6faa189a66b7db98b5db9c96d76be586a0e6f65 |
| SHA512 | 5540848ec9f05f22cf8f79e334f5a73e57bc7dd31b44fdd9fa2b0e29b52ace86a918ec30c77c4fcfb0cccff84dbae8429a86341264a52db98b986b5f87cfa97a |
C:\Windows\SysWOW64\Pnbojmmp.exe
| MD5 | d94da7732344729de6ebb1ab44dd3158 |
| SHA1 | 586c99ee223ba97e225b3fd4fa76a30ca805164b |
| SHA256 | 8b633984e46e41ac803dd8716cf9a3465edb157977b9ea810fcd944b7e5659e9 |
| SHA512 | 0e3a3811b7be20c428860d31cccb47584ec4e065b2ef28ba862277381f36d3784546d8688623980338e418cb7f5cafb29dbd99684541d89882b96b1a1e9df657 |
C:\Windows\SysWOW64\Qdlggg32.exe
| MD5 | 7f361a57e0c433a01fac2a7db7de7b75 |
| SHA1 | 160e9f419a9f8e6623acb849fd898265d3066bb1 |
| SHA256 | 60387b954e0290e2ef912719c335d8ad20c15a630af08669bb8edec43891751e |
| SHA512 | 422e96e3728c62e18d93351610b4445b89b95e66878421510b0def45616b3a0585066e7d95c610007a5a9a081b50b9e3df6c863a5ac2ee005a92bfc74e6dd711 |
C:\Windows\SysWOW64\Qkfocaki.exe
| MD5 | 522184f93945274ed62f20ba4ad99624 |
| SHA1 | 58ee3b019d8779e0069553404b133ba93d32b710 |
| SHA256 | 2844da6f152c830efe307eb85a28c256f06d62fcfa1207aaa917c2a4732686b4 |
| SHA512 | 615f764624bde085abe6170e53b6bf528b27e61a05c0dd1f8b41261ed8ed739384667b24985d8aa3e76612814a469cb028a9db8d4d6f8290fffd13014c4b45dc |
C:\Windows\SysWOW64\Qndkpmkm.exe
| MD5 | 43f55e12a9fbec3988a1c07d2391970c |
| SHA1 | f3f88cdaf03b70eb1c78b651b3af11850f95b78d |
| SHA256 | 8f8edd67754a173fe5db54cb75ece22a596dd982d973cf4aeb0407af7d76136d |
| SHA512 | 96b9e5a81dba02138373d28903ba2b71a89229a943793e6fed4fcf678b954757c0e504396c7201473b9bca8e35b6b0a114892723010aadb96bfbbff55fa66373 |
C:\Windows\SysWOW64\Qpbglhjq.exe
| MD5 | 58d29cf3c6a8ba989d77961568215ab9 |
| SHA1 | 3313f02b7c7722cbe01a65662e52220e1ace1bd9 |
| SHA256 | bd60e4e8781294e3f78c54f11215eaa84ed8fa2f0b4a521dd3bce12821fe32cf |
| SHA512 | a2a78676e71fc1fc5cbc76f07cf3560e356612fdac495d5d65b6751ebb34339c1b595b07bd242c9e7ed54d664002fbac140d0e88093e11d4ecf970c981c487d2 |
C:\Windows\SysWOW64\Qdncmgbj.exe
| MD5 | 3256af3056fbf1e842be5ddd19ea727b |
| SHA1 | f007b2367915245bf0b9f55bbe062e07066300b2 |
| SHA256 | 67eeb1fbe06e2c7eecde1c3ce9729ad609308fb7a890c32356812f260f36d3f0 |
| SHA512 | 3b197f16425087f20fcd648a5950fbd210a3ac27e78383c379dec171bdd127575b08414063e06292d154deb75c5ec020d497888243c05df4ba6850f5f6d5a9d8 |
C:\Windows\SysWOW64\Qcachc32.exe
| MD5 | 7faf05c80125624d95d22971efefd72d |
| SHA1 | 0e1247223e5118538dc891166179020c047e6347 |
| SHA256 | ec7ddaa40884b53c9d5514fc57c2e9f26b80e81886c03342b1fd887ed21c6746 |
| SHA512 | 577f9a4654ed162014fcf460374b2e42ddceb1ab9b738d4103310f9062b8bb88c3c01f32a0a1d039824ff284946e22bf8b67c903e01e7983204f4cf98eaf7dca |
C:\Windows\SysWOW64\Qeppdo32.exe
| MD5 | 522b6e94b6f39e09d8262fe177fdc874 |
| SHA1 | 1beafbac9b5d97ccb03b9851ec2ccfdb281d7af8 |
| SHA256 | 6b6d9f540e6faa9aa49789478283f082de10ac03f282f67d03354f33519ff3d1 |
| SHA512 | c1b767bd783b4ab5462c406e5c334319beb8c2772c700052ad49fdf29283a71fc9ccc0bb61aa42e7835ae9af56f846492f94e73e6f95cb4470bac497ebee31d4 |
C:\Windows\SysWOW64\Qjklenpa.exe
| MD5 | f63f2f648b627f51b579e062d2b6bbf4 |
| SHA1 | 5b4b1d0da6ad6aa5b3679ba92519bf5c9262c446 |
| SHA256 | b78ba50e88ea22a7848cfc74ee9bd69a2507cd315f8ce6beadac0bf37b2cfb90 |
| SHA512 | d5a48f602d87fa02b80eecfc6177c5ed021785b674d829e7d436ca5e22cf2e3dd93eaf453fb43e30ebbfd5f26414ab554636775dc109435823eeca9d9b3397d3 |
C:\Windows\SysWOW64\Alihaioe.exe
| MD5 | 260aec022e77840d5c1184bc016229fc |
| SHA1 | 119203af9951e7786892c917b4972051d0d9bb66 |
| SHA256 | 2bf3f12ddbb2eebf7204024f580608098244eecfc6f3eb59b66943b5ecd527da |
| SHA512 | 699bb39b9a3f66ee41ef83302164bb45f8a270b47201fc2e9fcb6d28795b577f49d96dd81b403a6e2f190d5a27cf9606ebd923c2bc0e4bae461e6a3fb1dd4bf3 |
C:\Windows\SysWOW64\Aohdmdoh.exe
| MD5 | 4fe221073114a38bd58fc183cfdac772 |
| SHA1 | 1a7b9ec2ee5c749e0dc6b6f8cfab8d67a4901ad6 |
| SHA256 | 76c4044d32b6cc04235eaf78a9df070ce47a931f136c8b41be727bcd8f400237 |
| SHA512 | fea14690726d52bc52a0073fe8d4a7938aa373f986dfef7065daf93878444ad6ea554005d226828ef57c5e45bd524ed3043051e63963710e49265bf29fd4b552 |
C:\Windows\SysWOW64\Agolnbok.exe
| MD5 | 2ae4854ee0d96dccd395192270193e4c |
| SHA1 | 0b2c1f6093927d77ab434516bbd6b467bf4d8a66 |
| SHA256 | cbda29b8975a0fc56dd71761547d91faab3f350242f0e9715d03978f055042e4 |
| SHA512 | 538efc9e7d2c4fab91e9f6ba2196af86d8231f80978a6bcf4583cddcf8f7acf8d416e28a2aad6abd26a3276dd01010ba2c31d8028bb43a2b64d86da8ad96e831 |
C:\Windows\SysWOW64\Ajmijmnn.exe
| MD5 | 7e584a062d9829a1cdb266add93c15ac |
| SHA1 | 9788779c18aa739818f549bc8ef6fc1a7524aced |
| SHA256 | b42026f5a3435eb5cd8dfa1382a2bea6230913785bc23ffe69632067b39ad865 |
| SHA512 | d6a2f3e6811a9fe7dc914fcb55a160c934577d34f7aec6f0564f8980958d69bd6cbc8e42ea580bdc28c5844173e1dd4569f862a05c543d5f7d55017242a704bb |
C:\Windows\SysWOW64\Allefimb.exe
| MD5 | 0bb33761b420710ea0bec59c1f8daab8 |
| SHA1 | 9775648306569f78142a03807289f60adc617463 |
| SHA256 | da607984e573c43e14008b0f6f5bfd42f7ac5bcb18822b96a21d4acf1a73116c |
| SHA512 | 68bd252bf7f9ae7289336dec286cc95bf1e70b880aa81ce9d274e2e056b3cde0472eaed592b70490d7d375339f6cc96b629a69d661e4ce5c4e0dc34bdf332069 |
C:\Windows\SysWOW64\Apgagg32.exe
| MD5 | ce90cc38fcd39041b0e3167d4cded35f |
| SHA1 | cd7d260c63d70423e7c4a341a1b504339f70784c |
| SHA256 | 26251d974ae988594ba4c9ac023e8b8dfae203c52856161105e6331e4768bfd3 |
| SHA512 | c56615ff56c268e6378dbd9a268f1b0ad52d9e903acbdd53086e3396ec2d1bd9e712db6d6d3260f99d0e59281e06d1618d5ab5970ec3f8d02b68af15b39a3f51 |
C:\Windows\SysWOW64\Acfmcc32.exe
| MD5 | 1f217bd34e883a22ad49760b0d11ff83 |
| SHA1 | 5e13ac491b08950ec4cb19f8f2d5bda36ff19e33 |
| SHA256 | 764e66d996fdd696a41154c25c6de6a9785bd299547652e966c94814414623bc |
| SHA512 | 707e114876d0ddcc31dfaa311c09c62a71d48abbbd2025cd8a9549d591216a1992b7dec7a50bba5eb20c21c64f27acb7ade0eeb68fe05b7326311ff8a197c9a7 |
C:\Windows\SysWOW64\Afdiondb.exe
| MD5 | 42200a5782c36ba8716207dec22a764b |
| SHA1 | 6992126dcd199a6a225b821e0e78957fbf50399a |
| SHA256 | 9ffbd1517761f0d50ef68d75984f942e5d652e17026d45e8ecde21bddd18877f |
| SHA512 | 109781fc22e0ed7c4a9891880e6d39fb373e58c957e6422f8d80f7223ab6f1104b133f8650d17fac3c095e3c950462866d6485298ec5f32827fa7b4e0b49b3aa |
C:\Windows\SysWOW64\Ajpepm32.exe
| MD5 | a30bb1bccaa9e96e574145dbf743e1dd |
| SHA1 | 58f6af768e3bddec66c14214f27c6de6d44a78b3 |
| SHA256 | 90280090fbadb37e16bcb2ba95f8c9fb2258e11d6cda44db83d5efa41b3fa3ad |
| SHA512 | f94ffb0e289b540e9ec482c7c83124e0fd7eec8ff2502a17262f872917d7fec3f552c20def5110fbffe7372ca0a6fa5ff6a6f8875c65b8b6c74debe317ac9b2e |
C:\Windows\SysWOW64\Ahbekjcf.exe
| MD5 | f94992ce1abb3981fcb4fe6ec6bf2b92 |
| SHA1 | bf326abf1917a2b570e26d31d2c20307dbc4e1e5 |
| SHA256 | 4d1680593f1d300ffda011c6038401180d928f670075a47695e6abbf1b05a150 |
| SHA512 | 2afc651e82aadd9f37a817f0da15183ec26a993ad9896e0ff591e7a3329c4c4bfeb5b1f7f75d7d168fb07fccdeb06c386c8c853477c5e449aef266a0cdd66a2b |
C:\Windows\SysWOW64\Alnalh32.exe
| MD5 | dd7d8a233e9cd663ad09c173b909d569 |
| SHA1 | 3d2446bba7dd799eb7ea0bce05a13c1de382a930 |
| SHA256 | f7957d79df2f6993b01f9306e84085c252f6d320ed0364d35b29a0d90a63d10c |
| SHA512 | 900f2810c074b473cfb9fad83d3aa20f49d014491fdb7d494b57010d09cebd0860b392812590d2309497d0618cbe2d03fc86de8dfacaf54a93235d7a0fd3091c |
C:\Windows\SysWOW64\Aomnhd32.exe
| MD5 | 7e347f9d49a2f5ecca97b43e84f1444a |
| SHA1 | fa4acf56f8af3a1313cb0f2104b019a4a9af2021 |
| SHA256 | 59828f9090f2ef33d0a0f3496adcc21908679301949fee78b22a77a17fdb8ce2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:08
Reported
2024-11-13 17:10
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
97s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmbplc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmbplc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afjlnk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afoeiklb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bcjlcn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeniabfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Agjbpg32.dll | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Anogiicl.exe | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmqmma32.exe | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmqmma32.exe | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcjlcn32.exe | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iqjikg32.dll | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfnjafap.exe | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ambgef32.exe | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajhddjfn.exe | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| File created | C:\Windows\SysWOW64\Accfbokl.exe | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bnmcjg32.exe | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ddmaok32.exe | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fnmnbf32.dll | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afhohlbj.exe | C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe | N/A |
| File created | C:\Windows\SysWOW64\Afjlnk32.exe | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bffkij32.exe | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cegdnopg.exe | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bobiobnp.dll | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aqncedbp.exe | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdlgno32.dll | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjmgfgdf.exe | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ooojbbid.dll | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmngqdpj.exe | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjjdjk32.dll | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmlcbbcj.exe | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmgbnq32.exe | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| File created | C:\Windows\SysWOW64\Amddjegd.exe | C:\Windows\SysWOW64\Afjlnk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amgapeea.exe | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Aadifclh.exe | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkkcge32.exe | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjokdipf.exe | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhfajjoj.exe | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cogflbdn.dll | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmmmebhb.dll | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Accfbokl.exe | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjokdipf.exe | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmjkjk32.dll | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Bilonkon.dll | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhmgki32.exe | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfghpl32.dll | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amddjegd.exe | C:\Windows\SysWOW64\Afjlnk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agjhgngj.exe | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnbmefbg.exe | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgilhm32.dll | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmjapi32.dll | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| File created | C:\Windows\SysWOW64\Chjaol32.exe | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Maickled.dll | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfknkg32.exe | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dodbbdbb.exe | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File created | C:\Windows\SysWOW64\Doilmc32.exe | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjlena32.dll | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| File created | C:\Windows\SysWOW64\Bchomn32.exe | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnmcjg32.exe | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amgapeea.exe | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnhjohkb.exe | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chjaol32.exe | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfihel32.dll | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjmgfgdf.exe | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmlcbbcj.exe | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dopigd32.exe | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dobfld32.exe | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcjlcn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmbplc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afoeiklb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afjlnk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeniabfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Accfbokl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" | C:\Windows\SysWOW64\Bcjlcn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll" | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll" | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll" | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll" | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll" | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll" | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll" | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll" | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afjlnk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll" | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll" | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll" | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Accfbokl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll" | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll" | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Aeniabfd.exe
| MD5 | 644a917bc1ce8085de0847c798e80bcb |
| SHA1 | 14989a88c588f53831f7129cb41f02e682c41745 |
| SHA256 | 55e4c9e451c2099555c8f751b071fc26cc96532e57ee674820bdb5e91f50798f |
| SHA512 | 99d5f150ec90ee26334b6961b892be47168a4da188958f213c2536e0aaf4763c4a44ee77ae01757c7959a3680678bc14f6909e9bf98be26c51d3b6a6ef5dd002 |
memory/4308-95-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Afoeiklb.exe
| MD5 | 4850824d64ff7167b5eef191d4972ebd |
| SHA1 | 3b33eab289d0f2b52d10d66596553ef7b4c2567b |
| SHA256 | 6120ef875fa437cc4ee70bc5f6de9988e961fa76c7635bb93240dea8e2940ad9 |
| SHA512 | 12c23d2b64420b3c100f4cd8daf2603f17c863cef7e671a15795505a72d10ac7f013e7ead14d9f49d72b0be1a9ffebec6919af0d15f3b7eabab0f70ca14cccae |
memory/4868-104-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Anfmjhmd.exe
| MD5 | ec854ba29421f1fe4776f526fd5824bb |
| SHA1 | de6d9d872ebacc6a7d94564b73a994a4828b3394 |
| SHA256 | 7fbc58f58e230bfa7cf12d8742c56c2c9cc26dfcf5bc6ca43b42e4051d6a27ee |
| SHA512 | c5aeb0c6adde60c95f6201a2ecc939702250046aee0c0548dbfa008dabae0bcedaa0d4624f4de3ecc3f62425b044e6dd55914ac491f40319b2e8eb4c2a694244 |
memory/4016-111-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Aadifclh.exe
| MD5 | 61b849ac5eff84e4531b0720723e3834 |
| SHA1 | 86aacf713d0bdf5ee60f16e555111110d902e561 |
| SHA256 | 8e8d4afbfd2b56e23c85981264d800afec740670b7edcd762e6e39d168a2bd51 |
| SHA512 | e51c5eda91a4ff20822794f3b98612ff21af6db0e110dcc9b5c1bb84656953b4443415596620267e0a5c77c4a7187c6cb4582a3b670025d730db73cd4290643f |
memory/3224-120-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Accfbokl.exe
| MD5 | febcb736ec988a8d82fd2a8fccb60377 |
| SHA1 | 04fa47a068f6c60cb56620fee3aad7e14e4b1033 |
| SHA256 | 67158e527964f4e40f976825b1cc3555bfc090f3ea21796c61b86b7dea7ed618 |
| SHA512 | 7a95708cffe32f4ef4c853e1e1efb672448212efd56746bc94ce4f1193819163a64b30eb0a18cbad14e968fc9e5d6782b8bcfd831d85f4830e44f8a87e47ca12 |
memory/4248-127-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bfabnjjp.exe
| MD5 | 66448c7387eab0a57beb41c997fa969c |
| SHA1 | 4e8254b5ac371b1f6f0874da3895c8df243e7011 |
| SHA256 | 834df5529b198af5497cc463c80efd8fadb97c3f8f1bc062efb87f55c9985d83 |
| SHA512 | 0fd4f809c60d6af1b784407dd6eb6837066c86147e5b3890c524efc243ea30f99ae75321ce6081af2d12c391080e8628153a25060c772cf4798d94350df7e638 |
memory/2172-135-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bnhjohkb.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Bnhjohkb.exe
| MD5 | caa607c88915dca3b02c71f0c3fff531 |
| SHA1 | 6c86f4309ecd2bb91daf3ccf2d598204c26187f3 |
| SHA256 | f270ade1921d7c7b12631a05ff6edb08350501d6e78a9737bb1e742e9717ecf2 |
| SHA512 | 797cd70027f8c8805015e0d69c1aa95d3f84b52120699aad1f33852230c622bf70aa0d127a3e5991cbc85990788f1ce0ac0d4067c47ce4bc6363453ab7d280f1 |
memory/1780-143-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3208-151-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bcebhoii.exe
| MD5 | e1964255aef443d00307c192579c081b |
| SHA1 | 1be53b541acaab47ba10163a5fbdf92274fe1bd7 |
| SHA256 | bbce5602124372e37a9044c9f9d31221611343b4d4f096067a2390ff7ef7405f |
| SHA512 | 867e85e84c89a34db1b75464a3906c846640b76868a766153d221c9bd89e9a44cb2c26f0816af28681662ae2951d784d3d028d155ea1f1ddb373c471d1cdcd39 |
memory/4744-159-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bjokdipf.exe
| MD5 | e931729e1540a04d9e7faab99978ff21 |
| SHA1 | 9ce32cf90a663f4cb43d5c7cea3d29cb91502ab5 |
| SHA256 | a58e880c3835b9b49530860de470f30ca7bfd4484309c3404595946aaa9b9538 |
| SHA512 | 65c13da4a5a656afce74dcfaba74cde8b0b8c4f00839c25188cd7c0888816308104bdc6ad511d6ab19fdac917f72afd6c83c036ef48131d53891b513d0d21384 |
C:\Windows\SysWOW64\Bmngqdpj.exe
| MD5 | a42cfee061626f6c4b03fe8c629f1cd2 |
| SHA1 | 3eb2e5e34a4c169f15bea3ecc0ebac3aeec927eb |
| SHA256 | 467e951a7ac9ca495226a75a9fefa001e3de50f5960132faa7cb31a760bad179 |
| SHA512 | 262dadd4a6e54b126008fe3694c7586378d374a86ccda4f27ce71b21284a48da189f9295372eec82abb0a16fa800bb2e3e9074a9e0922ec4304442910385a5a5 |
memory/4232-167-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bchomn32.exe
| MD5 | 27d6b4061dd02c8cabfdeaf6a04985cf |
| SHA1 | d7ac99d86296af3e5038836b1c2b15d5c5888aec |
| SHA256 | 0d0c54a048d96e10db276876cf410359ddd36f8a35ac9d1ac84603fb87e2c5c6 |
| SHA512 | d5cbdec1f9481895c5e5c11260735094c35552d51094c1df2f82041125395db071c9dee72fc7c675bf3a5cd93685d40631f3d4fa1218805065793697b8f1f9f1 |
memory/4748-175-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bffkij32.exe
| MD5 | 32ac0b8ee203d3404a80ed65a292769b |
| SHA1 | 5ef43771931c26a095993b75a711df2ed666b3ae |
| SHA256 | 659390c697cace066d43a3d62d757e662d8c97cdc7fe2ad579143938e4df40c9 |
| SHA512 | 788fe16cacf649930b901067b17dcefa493f853aac57ba7aa38e05bbd2ecbdaace16c8f0c8e58b77f2ca5c757c33815a72e793a57ddd296bc25b7cb7d98200c5 |
memory/3728-183-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bnmcjg32.exe
| MD5 | 71288221df0faf83141f191fb78415be |
| SHA1 | c49325aebcad190fe9e6ddf466bfddf659f18fb3 |
| SHA256 | af9d7cc2e74f3f109383a5c7e03be55c3a70a1fa657a512bc63310257201a51c |
| SHA512 | e25586c2c53a5a1270ade2eb84aa642c2b1e840a8178eba32172586848144e14f8d64c897af4370d1b42185878a9ebb383dc0bcda82cdac0b34ce34ff31cc88e |
memory/4344-191-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Balpgb32.exe
| MD5 | 0e0ac72fa44268719b1453ba158d82d8 |
| SHA1 | 1b1a6eccc1c2999e5d2ec7531ac45f84a71867c1 |
| SHA256 | 8c6de298ca786d18b5d573f8aa15e9708bc01d3b978eb835aedac5cb61d2c81d |
| SHA512 | 281e486e610d9f00539026ab23110d92db1795f24d14bb263e87c04487ea2cc08791378d14647e296a0d563bbc5a6f0a8448dc9215a18e7247de81e5464cfdae |
memory/4760-199-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bcjlcn32.exe
| MD5 | ddd98ad4160f70dd075afe38c23c3162 |
| SHA1 | f08028c7ec2a82655d36f619a62c17b7869636ca |
| SHA256 | fd6088e9caf91a2cabd70623b8e20a037819bdd43a106c64eb72f3b024bd86f6 |
| SHA512 | 6a08ad2a74e722ee66bcb829afa8ec20e6c9cf52169671aa706555e5607c58b98574a3dade31d4f02062ccf6713399e499a559848a4ed45cb00701ba02814c29 |
memory/3504-207-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bfhhoi32.exe
| MD5 | 5ed541f4cd049ce2f15308b76c965a7f |
| SHA1 | bcde421f87cd9520e80b90a1657faa7d4a0a88e4 |
| SHA256 | 87b7656acf94d47c86cef64fbc357777f26d83020bd4355ac6b0981b29a4fbda |
| SHA512 | 6bb02133b6d1870cbb536bc2f0bed248299a00590cf069d55baf4de5dc65b5ebf5a0ed13a55b1b0dc32cc0f8be6ed42c755aae10dd25f05dcc65be3034883ff7 |
memory/768-220-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bnpppgdj.exe
| MD5 | 746ac6afbbd2b564b5c7a4c5bcac0e48 |
| SHA1 | 0840935da32cebcc8cc4c508c942a0680a081662 |
| SHA256 | ce63e770545b82cb54793f6b70de4cdee14f0792b6a24865831a14f46941e900 |
| SHA512 | ed34113d81c77f51f1a79408fbf28a2d5c524b70d0ac93156ec4e38e6c2de0e3d16c1a2b3a0cfa8ed3318844db7534230af5fb6b2e5ba7c2bd27af917a61a7fd |
memory/3464-223-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4352-224-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Beihma32.exe
| MD5 | e689f4a980194d9e66b08db2ba34678a |
| SHA1 | f15b471d3c255a0099f4d9855a8bfbe57544cd7b |
| SHA256 | 181e716750f5fc5499e2422a7cc6e19d302e2d130a9e1732b17d5d7bedb78c58 |
| SHA512 | 17402c565fd4c504a427e53040956b555e68c7809878cc2ebc66cc2e79b536bb090293240a54d0b3ae4ef7c340bee5ebd3654016bfe8335d9115099cb41c5585 |
memory/1988-231-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bhhdil32.exe
| MD5 | 91a51e543e345873ad61b9ff4ca1b123 |
| SHA1 | c633ca17448a814b77496728bf993a9d356ed34b |
| SHA256 | 7dea3798b6e778f2a307466ca9cae510b9b51f62490f1161d02d2ced9368112e |
| SHA512 | 0a1fbdaf3ed99e847b6c541e375c751ef96efd93957f438c1842a266faf7df02fe0c66ad0586e6904ea96d81362f7db9c0c67c46dd6543fb39878dfec66658fa |
memory/5016-239-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bnbmefbg.exe
| MD5 | 6467cbe283e5d958c84f257b35167bb2 |
| SHA1 | 80abd0ff71ed99488b234664ad1920afdab65b29 |
| SHA256 | 4fb862e509a43d0403935d7892705a6333da5e5aa69c1fec02ae5fb7ef7ec507 |
| SHA512 | 331066aa0ac4ee5c94b34babf547f693a14a82a88350da3ea7e34f0f0fea3469fdc289ab4b7a4d4caa463768c493282afb87a330ba385508a755625cd1b747ce |
memory/4012-247-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Bmemac32.exe
| MD5 | 0e8d8ad2c3919cbcafc59129afb8e188 |
| SHA1 | 84cb9a845e4f4b83e8b23edf601ab4a2d32d654c |
| SHA256 | 964dbb1bc03bc21c06c8c791090fe972fe01a96a81c9014b2ae3d479d0d25938 |
| SHA512 | a4f287814389a4fda15eadaa3de25ed395d66daadd03ab98fe3c196254bf7c2b8b712505c6b01e849c5ab1c0d77e4af34613f20bc0ea5861827e4f98ca19d0f4 |
memory/3032-255-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Chjaol32.exe
| MD5 | d5c267761015132d76d8855e064b6d9b |
| SHA1 | a39355e843b4153facdf8cae227780fe32589ab4 |
| SHA256 | b9732da5104526f374dcdcafd81f5ba394a9f0153990867db5550b734a2a4006 |
| SHA512 | d51b48a74a02180508e4c31abd91891cb8a890a53f5897267d4a4f33f00eae5e5f5832d566bd2e08bda51f1cb5ca51e94a736c327905721718a70803121581b0 |