Malware Analysis Report

2025-08-05 17:02

Sample ID: 240107-yb51cadfb6
Target: a3f8bb01466184393106d692b3db7d15.exe
SHA256: 56c94ba077d500b34815440ce21bb43cd22c32099d1bd95fd2ad5dbcb046d5a6
Tags: persistence
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file a3f8bb01466184393106d692b3db7d15.exe was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-07 19:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-07 19:37
Reported: 2024-01-07 19:40
Platform: win7-20231215-en
Max time kernel: 7s
Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apoooa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lmmfnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbgpkpnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gfgegnbb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gejebk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghkndf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdboig32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdogedmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hhbdee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fodebh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Anlfbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Apdhjq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfkpqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fpffje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gligjd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Delmmigh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gehhmkko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hicqmmfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nodgel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Chkmkacq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ghiaof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gbqbaofc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gligjd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohendqhd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdanpb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fgkbeb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aijpnfif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jpepkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gnpmfqap.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bejdiffp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdanpb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bobhal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glpdde32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjndlqal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Oalfhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fmjgcipg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nodgel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ookmfk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pkidlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpepkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gcglec32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apalea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bhdgjb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhbdee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fbgpkpnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cphndc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cielhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ghacfmic.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cinfhigl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dodafoni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fqajihle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gaafhloq.exe N/A

Executes dropped EXE


Loads dropped DLL


Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Fekagf32.dll C:\Windows\SysWOW64\Icifjk32.exe N/A
File created C:\Windows\SysWOW64\Hbappj32.dll C:\Windows\SysWOW64\Gjdldd32.exe N/A
File created C:\Windows\SysWOW64\Oklghebe.dll C:\Windows\SysWOW64\Hjndlqal.exe N/A
File created C:\Windows\SysWOW64\Lnflbh32.dll C:\Windows\SysWOW64\Hhbdee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpmhpbkc.exe C:\Windows\SysWOW64\Cicpch32.exe N/A
File created C:\Windows\SysWOW64\Geqakadc.dll C:\Windows\SysWOW64\Fnqqgm32.exe N/A
File created C:\Windows\SysWOW64\Giahhj32.exe C:\Windows\SysWOW64\Fbgpkpnn.exe N/A
File created C:\Windows\SysWOW64\Gehhmkko.exe C:\Windows\SysWOW64\Gcglec32.exe N/A
File created C:\Windows\SysWOW64\Bhfcpb32.exe C:\Windows\SysWOW64\Balkchpi.exe N/A
File created C:\Windows\SysWOW64\Gnnffg32.dll C:\Windows\SysWOW64\Chkmkacq.exe N/A
File created C:\Windows\SysWOW64\Pfpfldpo.dll C:\Windows\SysWOW64\Cicpch32.exe N/A
File created C:\Windows\SysWOW64\Kblbkm32.dll C:\Windows\SysWOW64\Fgiepced.exe N/A
File created C:\Windows\SysWOW64\Fmjgcipg.exe C:\Windows\SysWOW64\Jpepkk32.exe N/A
File created C:\Windows\SysWOW64\Nodgel32.exe C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
File created C:\Windows\SysWOW64\Lmpgcm32.dll C:\Windows\SysWOW64\Oagmmgdm.exe N/A
File created C:\Windows\SysWOW64\Bejdiffp.exe C:\Windows\SysWOW64\Bjdplm32.exe N/A
File created C:\Windows\SysWOW64\Dglbkjbg.dll C:\Windows\SysWOW64\Fncmmmma.exe N/A
File opened for modification C:\Windows\SysWOW64\Giahhj32.exe C:\Windows\SysWOW64\Fbgpkpnn.exe N/A
File created C:\Windows\SysWOW64\Hicqmmfc.exe C:\Windows\SysWOW64\Hfedqagp.exe N/A
File opened for modification C:\Windows\SysWOW64\Apoooa32.exe C:\Windows\SysWOW64\Ghacfmic.exe N/A
File created C:\Windows\SysWOW64\Conkepdq.exe C:\Windows\SysWOW64\Cgbfamff.exe N/A
File created C:\Windows\SysWOW64\Fgiepced.exe C:\Windows\SysWOW64\Fdjidgfa.exe N/A
File created C:\Windows\SysWOW64\Fncmmmma.exe C:\Windows\SysWOW64\Fgiepced.exe N/A
File created C:\Windows\SysWOW64\Binlfn32.dll C:\Windows\SysWOW64\Gejebk32.exe N/A
File created C:\Windows\SysWOW64\Ohendqhd.exe C:\Windows\SysWOW64\Oalfhf32.exe N/A
File created C:\Windows\SysWOW64\Pgpeal32.exe C:\Windows\SysWOW64\Pkidlk32.exe N/A
File created C:\Windows\SysWOW64\Qhiphb32.dll C:\Windows\SysWOW64\Qijdocfj.exe N/A
File created C:\Windows\SysWOW64\Bjdplm32.exe C:\Windows\SysWOW64\Jefbnacn.exe N/A
File created C:\Windows\SysWOW64\Maanfn32.dll C:\Windows\SysWOW64\Hafock32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hfedqagp.exe C:\Windows\SysWOW64\Hhbdee32.exe N/A
File created C:\Windows\SysWOW64\Fgnokb32.exe C:\Windows\SysWOW64\Fpffje32.exe N/A
File created C:\Windows\SysWOW64\Gbqbaofc.exe C:\Windows\SysWOW64\Gjijqa32.exe N/A
File created C:\Windows\SysWOW64\Ookmfk32.exe C:\Windows\SysWOW64\Oagmmgdm.exe N/A
File created C:\Windows\SysWOW64\Pbkbgjcc.exe C:\Windows\SysWOW64\Pgbafl32.exe N/A
File created C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Qkhpkoen.exe N/A
File created C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Qjnmlk32.exe N/A
File created C:\Windows\SysWOW64\Bphbeplm.exe C:\Windows\SysWOW64\Biojif32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fdjidgfa.exe C:\Windows\SysWOW64\Fnqqgm32.exe N/A
File created C:\Windows\SysWOW64\Qlgihhjl.dll C:\Windows\SysWOW64\Gligjd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nodgel32.exe C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
File created C:\Windows\SysWOW64\Hqlhpf32.dll C:\Windows\SysWOW64\Bhdgjb32.exe N/A
File created C:\Windows\SysWOW64\Lopdpdmj.dll C:\Windows\SysWOW64\Cinfhigl.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgbfamff.exe C:\Windows\SysWOW64\Cphndc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fnqqgm32.exe C:\Windows\SysWOW64\Mdogedmh.exe N/A
File created C:\Windows\SysWOW64\Idlgcclp.dll C:\Windows\SysWOW64\Qjnmlk32.exe N/A
File created C:\Windows\SysWOW64\Mlcpdacl.dll C:\Windows\SysWOW64\Balkchpi.exe N/A
File created C:\Windows\SysWOW64\Eoigpa32.exe C:\Windows\SysWOW64\Dodafoni.exe N/A
File opened for modification C:\Windows\SysWOW64\Gnpmfqap.exe C:\Windows\SysWOW64\Glbqje32.exe N/A
File created C:\Windows\SysWOW64\Gbchfi32.dll C:\Windows\SysWOW64\Glbqje32.exe N/A
File created C:\Windows\SysWOW64\Apalea32.exe C:\Windows\SysWOW64\Gjdldd32.exe N/A
File created C:\Windows\SysWOW64\Apdhjq32.exe C:\Windows\SysWOW64\Aijpnfif.exe N/A
File created C:\Windows\SysWOW64\Fgkbeb32.exe C:\Windows\SysWOW64\Fqajihle.exe N/A
File created C:\Windows\SysWOW64\Jaoaahnn.dll C:\Windows\SysWOW64\Jllqplnp.exe N/A
File created C:\Windows\SysWOW64\Nlpdbghp.dll C:\Windows\SysWOW64\Pqhijbog.exe N/A
File created C:\Windows\SysWOW64\Achojp32.exe C:\Windows\SysWOW64\Anlfbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gfgegnbb.exe C:\Windows\SysWOW64\Gnpmfqap.exe N/A
File created C:\Windows\SysWOW64\Gejebk32.exe C:\Windows\SysWOW64\Gfgegnbb.exe N/A
File created C:\Windows\SysWOW64\Onoflapg.dll C:\Windows\SysWOW64\Jipaip32.exe N/A
File created C:\Windows\SysWOW64\Fohodj32.dll C:\Windows\SysWOW64\Gfgegnbb.exe N/A
File opened for modification C:\Windows\SysWOW64\Gngcgp32.exe C:\Windows\SysWOW64\Gligjd32.exe N/A
File created C:\Windows\SysWOW64\Njelgo32.dll C:\Windows\SysWOW64\Aijpnfif.exe N/A
File created C:\Windows\SysWOW64\Mmdgdp32.dll C:\Windows\SysWOW64\Bbdallnd.exe N/A
File opened for modification C:\Windows\SysWOW64\Cphndc32.exe C:\Windows\SysWOW64\Cinfhigl.exe N/A
File created C:\Windows\SysWOW64\Oqjbqh32.dll C:\Windows\SysWOW64\Cgbfamff.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Afkdakjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblbkm32.dll" C:\Windows\SysWOW64\Fgiepced.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fncmmmma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmiiak32.dll" C:\Windows\SysWOW64\Gdboig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll" C:\Windows\SysWOW64\Ohendqhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" C:\Windows\SysWOW64\Pqhijbog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanfn32.dll" C:\Windows\SysWOW64\Hafock32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hahlhkhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhbdee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oagmmgdm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cielhh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ghkndf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gjijqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Biojif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll" C:\Windows\SysWOW64\Beejng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bjdplm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fqajihle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghiaof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" C:\Windows\SysWOW64\Nodgel32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Apoooa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Icifjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfkfemo.dll" C:\Windows\SysWOW64\Jpepkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmjgcipg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfn32.dll" C:\Windows\SysWOW64\Gejebk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hfedqagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll" C:\Windows\SysWOW64\Achojp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bpfeppop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fqajihle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" C:\Windows\SysWOW64\Bbdallnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gaafhloq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohodj32.dll" C:\Windows\SysWOW64\Gfgegnbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jipaip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gbqbaofc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Chkmkacq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll" C:\Windows\SysWOW64\Cmgechbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdanpb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cphndc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgpeal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fgiepced.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gligjd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jipaip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hfedqagp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pkidlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqhijbog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdlkiepd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aijpnfif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjfjb32.dll" C:\Windows\SysWOW64\Ookmfk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll" C:\Windows\SysWOW64\Anlfbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Balkchpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfhkk32.dll" C:\Windows\SysWOW64\Gaafhloq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ohendqhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dhkiid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbhagfe.dll" C:\Windows\SysWOW64\Hfedqagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fgkbeb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gfgegnbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneedo32.dll" C:\Windows\SysWOW64\Hddlof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nodgel32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Oagmmgdm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qjnmlk32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 2448 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Niikceid.exe
PID 2936 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Niikceid.exe C:\Windows\SysWOW64\Nkmdpm32.exe
PID 2852 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Nkmdpm32.exe C:\Windows\SysWOW64\Oagmmgdm.exe
PID 2724 wrote to memory of 2756 N/A C:\Windows\SysWOW64\Oagmmgdm.exe C:\Windows\SysWOW64\Ookmfk32.exe
PID 2756 wrote to memory of 368 N/A C:\Windows\SysWOW64\Ookmfk32.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 368 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Ohendqhd.exe
PID 2024 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Ohendqhd.exe C:\Windows\SysWOW64\Fodebh32.exe
PID 2952 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Fodebh32.exe C:\Windows\SysWOW64\Oappcfmb.exe
PID 2556 wrote to memory of 1828 N/A C:\Windows\SysWOW64\Oappcfmb.exe C:\Windows\SysWOW64\Pkidlk32.exe
PID 1828 wrote to memory of 768 N/A C:\Windows\SysWOW64\Pkidlk32.exe C:\Windows\SysWOW64\Pgpeal32.exe
PID 768 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Pgpeal32.exe C:\Windows\SysWOW64\Pqhijbog.exe
PID 2908 wrote to memory of 2988 N/A C:\Windows\SysWOW64\Pqhijbog.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2988 wrote to memory of 1252 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pbkbgjcc.exe
PID 1252 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Pbkbgjcc.exe C:\Windows\SysWOW64\Pkdgpo32.exe
PID 2372 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Pkdgpo32.exe C:\Windows\SysWOW64\Pdlkiepd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe

"C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 140

Network

N/A

Files

SHA512 e7105f5cd9d8a239372f316f78835597f7bf16b3a5223849634c36c26a4f28ae850a4c0d0e6a68a7d6b0e48adb84d1d4ac841020b1f8e85cc8ad68a88644c5d1

C:\Windows\SysWOW64\Kobkpdfa.exe

MD5 68ef2b2899e860dc195c3737a0fe0d29
SHA1 3f71ac58ec00b1d3e409e97b0f2cc3580136d67e
SHA256 ee773e107ff4c9481c54034ca0147344f4322c7db846e14b9b2c7399bd34442d
SHA512 c0ff7d72ffafc05c73da8dcb75d871121cc67eaa30c592d0fe68ee9b07349fee8d7e72aa17a9a37692f74e75b407583e0cb0831ef551390f1d93ba8db5911b71

C:\Windows\SysWOW64\Kglcogeo.exe

MD5 41ef17cd17eb1e34a8ea99e824d301de
SHA1 6f1c9d8b3305a8c633c943a1855a2c744f858370
SHA256 bea41ee31c56cce6cd2e51992c68a87851198f0300301d6dab1bdc56bbd7f3d5
SHA512 e974c28f73ba6e54fe145560e93451be0f136de351bd4f05fed880c9a01a3cb7296427f38af1e83ac5c674128a9161caab1027aa813fb583997f59729b98c95e

C:\Windows\SysWOW64\Jhdihkcj.exe

MD5 57f8b70cfacf5b629d83768321701b16
SHA1 3aabc0579bcf2fc4c3bf4d8ffd342eb23390eb83
SHA256 054460fc9c562d38d59ff940be139d2600f7d24c03c3839d0134fae616aebfa2
SHA512 3691d757a6e53ac22e7c3689a4ea216af957ae30f8c81fccb80de48b241e407c29a9b4303c04732b499835b35205a3f28d1c0e2cc0a3c5f2172db939d4898528

C:\Windows\SysWOW64\Jglgpdcc.exe

MD5 2077335effe7618ca09ef6283deeb2f2
SHA1 2584b92dbe5ced89329863b50be4d3437db916fa
SHA256 4c09747203ba592895afd1558adaac66c53ea2280364ad012de982cf76c0ccd0
SHA512 a7329f57576d848f8d46bf3effa5a0e2990e9c18d5f5b2a4665e8cb75c6af772c8da6e24afaaadb7e52cd113752947f7a3aef5bf97ccfa9fc8fe3d1c13a2d826

C:\Windows\SysWOW64\Incbgnmc.exe

MD5 1e8c2e2fd4ef475b38a46e4f29aeea74
SHA1 9c039683069b4d57d2771ecba83659847961c26f
SHA256 b17494f20858ef44e60cda5e4dffe8c7fdaf13b4dcc426df83ddeb67beac4d26
SHA512 72072b14c1cdce0fd57fa07d901b535ae29e41eeba4a189a2c03702218c277da8067c991b0bd7fe1b28ebc09686394fe92f698fd78a36699360ef407c1d20224

C:\Windows\SysWOW64\Ioilkblq.exe

MD5 fd04a3eaadd9f3a239e0e748548f7311
SHA1 4660c225961d92ab7bf0ae5bac7d1872a0a5805c
SHA256 5d0defae216b325ef2fd8d08fa8d157939717822234a94ba5584faf61cc78d6c
SHA512 095ae05c1621cc411a9486b15e84a60493fe9855ed2774e9c608ced745960d7db5f6d63266c16cae425fa4f903e50231726d7ce731318b51b14a719a0c6e1ebf

C:\Windows\SysWOW64\Ihmgiiff.exe

MD5 a6b3a1d0f3eb2cc4ee4d2c16f426920a
SHA1 77f1502f27bad0f9b8eb2ba7769fdea4029f03f8
SHA256 ec048e92d66c1257b654ee0e3178582a5a0519fd069b05408bcccaeb09fd9b95
SHA512 598ec3b03507e202ee41397b66c88ada2d8125615bddddafe4dc06f8fe71e48d364e8c2ca14c9335505221b5e1eaffbae81982f44603d20a5f878d2d7bd23911

C:\Windows\SysWOW64\Hbqoqbho.exe

MD5 3087bb145878b84390bf7b9fbffe4c6f
SHA1 2c15d4ce10fabc6e8367baf0a4181efff9bd44d8
SHA256 d2f3b0d836fb2e6c33f804fbc99a162980d68ad050ddada2b4c3484a38cf67dc
SHA512 bbba3ff1de8a8e649f9bea82baa69efb8ae763b7d2ffaf4268688966ded2b41ba55b853b657707b495b79e81d79d1dc8e63a43d188f3820d0c99e14d452b1e14

C:\Windows\SysWOW64\Hpbbdfik.exe

MD5 564b5f6c41d4270945aeb5b8231b1edb
SHA1 83d1c24a31466764ebb4b934435eea3be242f8e5
SHA256 02893bfab661d7ed09a41e35bf64fc3ec0c9464f8647d4ad2da65eb92c243ba0
SHA512 ce9b6dc43bf678d711b8b8e01631b421ca740f24c0a83e9c74bc72a815ecb5895e07869763a7623f28aab3e269fc85192b8d8f246ff105bcd332e15965edcde7

C:\Windows\SysWOW64\Hbnbkbja.exe

MD5 2f65e0554a2599bc9971a6abfc20a0b8
SHA1 be3f157758559e6bceb3f1433f2975b314e44080
SHA256 ab9212b171300c3b95ac14d2768beb996d303b8ff31c23ba22a49b5ea2818942
SHA512 c2f80c38dadb5b2fbc63de4ca094d54357109738b498cb7674a7dc46320f7fb31eb07a7eb4c630bd4012482d11da8b1ab8d5954d8e2ef0f7057bb3ee5f82fcaf

C:\Windows\SysWOW64\Hbleeb32.exe

MD5 03a3397de8ca4b67325bd09fc6127295
SHA1 b3b485c0cf1b0e07173f20a9f74d60f5697c43f1
SHA256 72a40b1d352403cf3a697795f665d7508c3d68c657849be1e30028f85ba96db3
SHA512 5f29543c45a6e730c1cd207296c35f89e243ff3a0d1f74c6dbf27cf5a114109c72fe99c83b312d9442370147637d29e5597722a0d226a6994cd67fad8634202f

C:\Windows\SysWOW64\Hicqmmfc.exe

MD5 1658bf490535bac9dbb595dbc7ce37ea
SHA1 2fc5383bdec833bcfc0cc1644edb7b9271cfd249
SHA256 11f00acd38b47c96eb31b9c072aae62589c695a4bc027115b947dbe0e76d84fa
SHA512 d0fae5cb210144a03d23b7caa22d8a22cf8ffea79b4510ce6b38903f5e268915e19036f84d3cf4b0985a2b62746a0792889ee5e8c21d95b7a349e8761bdd085a

C:\Windows\SysWOW64\Hhbdee32.exe

MD5 04040a913a7caa3f218c8e1d11b68451
SHA1 fb398b00bccfa343c02045ee7c294b06aff5950d
SHA256 e897b4e3d6a22ca255bce2291593b167451986ce67bda0d72e20ef43b2e0c62f
SHA512 3c4723623de33ce6193d7851d6035b95d705b0202d7ddb78fe9c4e2a1d1ca515ade13fac6c3a9994f5499e1b81d9c516e84407ac5cfe7d4b33dc61bb0844d8e1

C:\Windows\SysWOW64\Hahlhkhi.exe

MD5 5917171d172361442e6eea582e6db7b3
SHA1 da2b47d4328c8eecb89f495b5e0fcc0d2e5b3033
SHA256 8a253b860eb83b5129fda6b30af1f8abc11056cb380d82de541bbc7654f67ed8
SHA512 04d13f7326992d839b95c7eeb2cea317205c0ccc1b38e9005dee9d2e692c83467d209dd65db29b00456b0d93a52bdae8c52fd423cfc27a1f169181532b7d48e6

C:\Windows\SysWOW64\Hjndlqal.exe

MD5 f426f95f7b46931c389b95543176e5cd
SHA1 0f73fb7440288f138260dd9bcb31803a4d3f8359
SHA256 189194f7805c785a962c5dd45bea42374af3d2f6fe90195c31562465a4880cf3
SHA512 13e39fb1301fef8306f9af5726d10550a47539e45ccbabbda4e8f7cf687fa262d42880a29c7d39f09017b84979ffb6c8941cf7de0eb50b0cb66e78d71354c2e3

C:\Windows\SysWOW64\Hddlof32.exe

MD5 4e51f8106074bfa4bbaff2dbeb19db36
SHA1 9c36cfa6822a09afe027e6124d9ef775c56fb040
SHA256 eaa15f1a553138fd2775a65118a570d2991b9264a999866af26f27b2b285f637
SHA512 11d5ddb875bd69b0ed39ed4ebfbdf6abc3ac4520c38e1c9ff8b33b1e93a1373a08a29a1b31bad3a805570cee1ff91681ab0ac59c2b6380538f241cddfcc50f27

C:\Windows\SysWOW64\Gligjd32.exe

MD5 3059af8fe8ef0e7ff6f71b4eda01e6b6
SHA1 8160b70acde05ab9cf2c53ae880726015558a2bf
SHA256 f878a6ac281249370112553c2962ac86d07f06d7a6ab4d6b816fa9ba9dda70fa
SHA512 21f158c914122f3ce9c225d8c466cbdb92c22d9d4cbc03914deada7aac2168e5a3a27da475bb9cd9fc419fa8d8a03a4968484254d71a06632e3b23636b50d570

C:\Windows\SysWOW64\Gdboig32.exe

MD5 bf94b0d0b6d8b2cdba2ad565af0ea4ca
SHA1 268eeadd2a87d39adef4613f3a60e2524990e7d4
SHA256 4b8403f464ee324f1f4a2214014fbadc3eeed69db415a43698c9ba9aae15349e
SHA512 e07899c0f77f942c370413d589ae0947b1055bc9e6b7b9a678c7de8b2b50740b2e08d1f7d3864c52377cdd8bb6af8e6e65fd100139c817945422930edd7fbfc1

C:\Windows\SysWOW64\Gbqbaofc.exe

MD5 81ef78a27dd3e4160a5540d396734d0f
SHA1 830b9a2afe237466e20e5adb5cf0f20a48ba9029
SHA256 c4f0e408bcfcc07cbdac2363e5511f348d5922c64a1fdf13406f1c59e558b570
SHA512 263169e9ff7f18b86e5d2295fc0e1d830e9306f31d25c33d067ce9427a1899a9c464a10d1409f40c65c922fc744c6dd2c105e089942effe0d6838d68591815bf

C:\Windows\SysWOW64\Gaafhloq.exe

MD5 3ce9f5f294fdcf16657532fa4e8260f4
SHA1 58d0dbe77cf4feb5d2de9018fb4866b70e9934ed
SHA256 d799df05b0703791c95d87d1d26f78a57e4e3a413bb509e35b7f4a43e43977d4
SHA512 f92409174c51d6c289b48a17316086e58436e725b90d63744bd2ebffa8bbcc8dec6e5ee99ba8325b75e5dab61c15863c129b0b51e4d563ebc8765bc3c23ec98d

C:\Windows\SysWOW64\Glbqje32.exe

MD5 1d04e0267051ae260200e0e428cc17a7
SHA1 b72163739e2e33e76cf45efdc0ec0f463fc07122
SHA256 202b6222cea53ed84d4d1430efab3570982235e5891c6da0e6ada5558a854137
SHA512 8616f4278ce25899278e74e3482dbdff1a56d4ff418076c76ee06228520216b90bb726f6790cc61dd81c4ea72522351b5d6a1d942976e15a723f87e201183b94

C:\Windows\SysWOW64\Glpdde32.exe

MD5 44aa5a1309290f9b1303b5ef9ab871a2
SHA1 4c6daa04f460238e0b106442ad57cbb2984840aa
SHA256 a327f86e594a95e6fd072f8c96a5f68cffc035201494be69986cc57fe9088893
SHA512 8446f2ef403c78bb87f8df06fe2c7ee06343eb8be75346588f1165eaf7fc33b49d2f46bebb04e5ed6c0c7f18ed62ed2471229df116b873aded573ec5bc02a6d1

C:\Windows\SysWOW64\Giahhj32.exe

MD5 dcbcc87f312cea6e2d43e463574c648e
SHA1 a6ef45c78f2d678466fc1f5831d67dcfc2101dc8
SHA256 223fdf47ac7bd4a472f5a6c0d6e70bc4f66234da7f0c24f531675ababf7f85cd
SHA512 2f3744f9d3f55e25d9ad2131825399871332cfc7bf5ad9d1a29078ec7202107555c835e29087d0e1d397108ee8a1c8013ee8645f88c84c9548229c99787caa23

C:\Windows\SysWOW64\Fjlkgn32.exe

MD5 dedcdd6fb157ddfcfdd2b134cbc115ad
SHA1 254de6ae6a0c2f984e356a1b34146f65989fae91
SHA256 8e81ed14278e073c868e51dd25f186394d50c487a3a24811a1031a15b4a3ebbf
SHA512 6004d27faf05545cb6c2e45737a9b2137852b24187ccea3a1892d0e904f72e3d5a4d61d0533add8dc6dc343205afcf8e7287a29ac274695c7d622521ae505eda

C:\Windows\SysWOW64\Fgnokb32.exe

MD5 2563514b89d9b30113cd40637cafbb9b
SHA1 53b1ec6f42739872813f9da2a8edb0a1d5868059
SHA256 6bcc09d087afeef191c4a131ca07294f854f4f1aee3a1dbaaab5d89bbee2425f
SHA512 d7da059421702cdbebd9bb2b49ab91424b7e60975f2164168900881a795934b38e39cf5959e7da57fd53f6a57212caa1edfc49681ed8aa3f03254e3784261579

C:\Windows\SysWOW64\Fgkbeb32.exe

MD5 dccf939c04ede18348525cceb78693e5
SHA1 51e8bf4a45970e9af74bc09b7c76dc5ae6df072e
SHA256 597637b870e539a3c0e97be35d7b76c0a89185b7c523a36269ae82dcdb087a42
SHA512 5083a1ba3d59e5d91c4011df828008546bf11f21db5ed7907b81da94ff79db01ba6e4aeef02505d1dbcb6e370f3186f28c5d24a6e966ddbe381d0ec2b9cc7307

C:\Windows\SysWOW64\Fncmmmma.exe

MD5 1bb6406c9e48a6cfbc532ea711dc6048
SHA1 1e78451e47d5be471654921c8b22850c66049aa1
SHA256 930f836f8850572d76a81640b99e40e3413ac3606407535cf2e8b9c555cc647d
SHA512 f7ed08e887709e11ec2ef374ef6417cb46b0aff09f62cf972954ec2f0703bb1d84ffbf09c5621231a828b533151ee7ea3c8f70ea12fdec6a203e6ba000dd2cb5

C:\Windows\SysWOW64\Fgiepced.exe

MD5 a3788d2fb71131c6a16a86f237540dec
SHA1 550b24405f4cc579178e257564a9a8a2004812c7
SHA256 f73d907637878203b3d2f05727f33ecc310505f3105dd96f17f439a78af9786e
SHA512 fe3968be5f71f37dd0cf2ab4621b026e3df5213b0917d2d261f72a445828896c470a653ed3d60e4acafa28a6a23b044a68194068eda7ddce89813c95569e5055

memory/1604-359-0x00000000003A0000-0x00000000003D3000-memory.dmp

memory/3016-355-0x00000000001B0000-0x00000000001E3000-memory.dmp

memory/1604-353-0x00000000003A0000-0x00000000003D3000-memory.dmp

memory/1604-348-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3016-334-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2260-333-0x00000000003C0000-0x00000000003F3000-memory.dmp

memory/2200-323-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2260-322-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2200-321-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1472-311-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1472-306-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1472-301-0x0000000000400000-0x0000000000433000-memory.dmp

memory/632-300-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Acfaeq32.exe

MD5 fe8a3f75e3ed1daf93d0eabc5685e9cc
SHA1 076ce36d0dd4eaff195168078d48d01655ca7cc8
SHA256 cf43c00797f4c4796b75aba092cd548ad7baeb7b8ae80e951dcd72e2996ee8de
SHA512 66826e9be92eaf3724a3f9f193386969e664f66399cb8059db67d02ca130de958392d481e63ab8c163d033f716ca28db590dd7719f4784dabe7072e068b75b7d

memory/632-290-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aaheie32.exe

MD5 fd34b3b0d510110cb802e319589f8da8
SHA1 a40bfdc06b0a0dbcf82700f9755e3a27ff6a37c8
SHA256 04a52a93c3ce8e8b0aeb3db28f9a0f845f664a1ff832bc7231bac0fc54c15548
SHA512 bea6ce3d02bedcc45829c91728df264173867e3f81876bbb2ce2661c4c916e16da1881a66b93072ad2fc635214df0f9d57944f54299c246fa8269c81539c4820

memory/1296-280-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2112-279-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1296-274-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1296-269-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1664-268-0x0000000000300000-0x0000000000333000-memory.dmp

memory/1664-260-0x0000000000300000-0x0000000000333000-memory.dmp

memory/108-258-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1664-257-0x0000000000400000-0x0000000000433000-memory.dmp

memory/108-247-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qkhpkoen.exe

MD5 c34decaab27e7113bdc60a92a30ab7d0
SHA1 0dc2fe8f34d4700268629a8bb4b9c59858834a5e
SHA256 408919ed20fcc9b1a05955c1fb505311c3667130cc9aacff625d3dbfcd6b806a
SHA512 c622cc051aaa80213f10bd3bf1cb8f681f957cab15012111acee855f879d4c5d3b4eb07080198d4f31d442225dcde1006298109016507e894b6108c5468ecc87

memory/2276-246-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2276-236-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2248-232-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2372-227-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2248-226-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pdlkiepd.exe

MD5 5cfce880f9c0d8bf161f5244fa4989cb
SHA1 ec6b2b182a20fc0d69255369100203ab2a63d976
SHA256 b030399b090ec367206e06d7f21ac014260e0f0d8bd7588705a4a0778cd22870
SHA512 cd9c504834bbfd92c36e25e1bd4d74241c2bdb525ff02a85bbf6f11623a034be041deac63a10d6ec47c2e590b18138696ab3ec6cc7235cd52d457f78a4dac23b

memory/2372-219-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1252-207-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Pkdgpo32.exe

MD5 9d6dd6a65ddb9565fe97d5d7ad51d38a
SHA1 90eda647dbef561f135cbe493febe86f5a9ad6d8
SHA256 3d01257eca8fddc5f04ea08247f26639e333dce9950033f107a0e511d1e22741
SHA512 ab61ddb98974122b74ec3263bd6e11dfd82c4f88d81f8e14f8f400405204378cf74a35e0e1d44ab07134b4380f2d2c382e9b9f70dca70f69bcdbdf838d19acb1

memory/1252-205-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1252-198-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pbkbgjcc.exe

MD5 f39d54b6dfea37491105ec2ff4e56d14
SHA1 11df023d341b0f4c9daa03e9d779b95dfce445c4
SHA256 a83ed54a0996c329f8d2f295f255604a1a1aeb01373d2e57c875cca31b904efc
SHA512 013bec72a03e6838691d0df2e0cf9ab77644301d56885bfff7ddee4e52e37e305a37dc043cc7e20d6002612e4527fa5c28be611cc68195f34391d64ebf2436a6

memory/2988-191-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Pgbafl32.exe

MD5 3dfbcf9d1f7cae62643de9a504df34ce
SHA1 194f74177940d3af3c1f8e65d0727235afced32d
SHA256 be633a2b9d6424dd6376ced30bfe4d8b3d8da5fec96acbad44d0d9dd98c782d7
SHA512 07d1179b96f7d4513adde29d3b4e054a3c4676cfff817768723e09927d2a4ec43b40b94c9d9dcd8c836a57216ac59c28e712f01433541859e19382a8bbecf9b9

memory/2908-174-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Pqhijbog.exe

MD5 6c1b6b5296d43b3515009f6ce833cd0f
SHA1 aef82a7a4e0c1705891d22ff9a637eed40fe66a9
SHA256 130baf1dcb6c4baf18e542d68855401c0fc841425f171a94ded7bcb9f057cfb1
SHA512 908b3232c896c141f2c8e86048a2ad438ec21fd17b39e0f62426edb2c80dea55c38b178a95e436cdf41ea96fd0051678616218fe10ad13c0220441848e5e98de

memory/768-153-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pgpeal32.exe

MD5 52dc45866505e387fb78f55266134287
SHA1 f6572416d94446c3d59a2e9130c1cd48865abf63
SHA256 8cbe426f5545d9d24b6ebad46cdb0053aa31f8e654c8ace295df66f6b10a38ec
SHA512 765a8b81e733bbc7b2781932ffd9d52486b23de53b43360baef1bc2501a99b786cce5430ab0a43eb687e66f7319be36c022795fc1113be952d5ce31fc4e1f1fe

memory/1828-145-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pkidlk32.exe

MD5 9b1129f2513c6fc5b5011aba8a6df496
SHA1 a6dddcaf4cf7f98cedb94f093ebbf5fe0bea302b
SHA256 9dc918708206d16ccdaab8496458041581f0d772a31ac53ce3ca358d492068f9
SHA512 c429b9ededf4d317ba1bf207c72452dfd27c0c31a349dc058e58fa2cb228c6b725001f58cdb26a890792617127dc8b3a9f1943297b2f562e613d7429dbd2cb79

memory/2556-134-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Oappcfmb.exe

MD5 f4860aa07ad978b15689fbf3e73c49ed
SHA1 df790e4ad479f23874ed5bc24cfa03533df538c9
SHA256 900b7b3942556e98fef82c2291aff2b865278846cdb4853139b4b188894be6dd
SHA512 974dc6e89acee2cdee8f5ccf7a2fe25a821dce09bcc21d9f82fd67dce46f3d9105e4aeb085e7f22a33f30c837cd0323c552484c9d5f7a4e7d25384819a17b744

memory/2952-125-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Onbgmg32.exe

MD5 52acf27ada24f3249ab72c356128c36c
SHA1 b08be611beb02ffc07474b58282aa6aa89556904
SHA256 8898ce645b68d63d186819c27eec91dc0f6f0548196bc020ee1e3779a006da2c
SHA512 dbcb5e6fa3b9558ab2f0e3428a1a53abc6edf5c768403e36e673dd33ff19f578793671cf669b42ffd6ca8cc5eb17300409ad756e31ff5b8d7ea5936273d100fa

memory/2952-112-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2024-106-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/2024-103-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ohendqhd.exe

MD5 b6065a3ee9d2542a4ba75e261e9d3089
SHA1 5892fa8f8c4fcb6d16c6f415092c994c7ac0a0c5
SHA256 848f6b4a261d850c828fd890459942ac94420ed5417ac7dad82e0488f404991b
SHA512 b20ebbf78064a0d83cb651ee07c7fa0df02c37921746046cc9fd0d0e08d699c6869be007cfb5f829573bf5b6bad454badb83efad497e58fda80e6df6e271e19f

memory/368-92-0x00000000004A0000-0x00000000004D3000-memory.dmp

memory/368-89-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oalfhf32.exe

MD5 8aa153cc9e5476ad575b18e9c440e1d5
SHA1 379dfcb99b8dc8698edbef75ea4bf64199fd7a76
SHA256 183114de12d872541ad9d69574dfe1566703749f9f258c326cb70fa255c0d050
SHA512 6dbb8e0b11ac56e80ac78540a7522d1a82990c3fa5c3e2f1081363d34ed5941448b3f02b2ca07d349e640ece5b2157ad8fa100d3c35999af672e5c5b464f8b0d

memory/2756-82-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Ookmfk32.exe

MD5 abce44bb1f2f9d60d7ceab5689b70716
SHA1 83d5100a395a66db6ca5d7f5801820954bce7f3e
SHA256 362f51b7c2c57571e5003da843fc94f7b9c62a3732b7cf3305ba4fc647573641
SHA512 00bd86e5b3e70c1aef9aaa67f564f2535227010914df7b170e0c7385e7a0d856e512866f751b3be74be3514dfcf10417b73eeef62c21c40ad53365e7c530e47f

memory/2724-65-0x00000000001B0000-0x00000000001E3000-memory.dmp

memory/2724-62-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2852-61-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Oagmmgdm.exe

MD5 5cc0b48515509a6e6c58303c854fef38
SHA1 4f348fdcb3b61d83ae0ffac740b183f76d48aa52
SHA256 5d4ded0186ae50aaf68849814ff07e9ee3bca704f72b5a87eed92a6d1ae40197
SHA512 cca537fb3dce07a1ab022abf87fc5a3d55860a898c6abf93dd1fbc25bdfd5ce3831d265422672f6f48392c35772e6cc93e3423f3df4bff827a78feffb1ceba95

memory/2852-55-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2936-41-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Nkmdpm32.exe

MD5 6d7b373d77467c403745372b8284433b
SHA1 d573cc7e57e2adaa72859ed5d3cfff7e8fbe4b1b
SHA256 dcfc982da44451813a8a464bcbfe654cb2ca180fe2d3ee59de7e1b9d1a736078
SHA512 ef8d0fff5e9aa9ab3c46cd208e006d2e6f16273e203a917e886777c2e42adc1595b4d608a363cdc592b72aa03ca5307571ea1bd05c4ec7baa7e8c7512b4d6814

memory/2936-33-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Niikceid.exe

MD5 52add455ee46b3e974cc8d5f4e59dcd2
SHA1 85805450d38b90afbd4b394eebc130fd7bc36cc9
SHA256 11709b0bc43c134663ed83d86fa2de938a358d3214cc7d63e09e82b721bda985
SHA512 810f4572944e5f7993ec0da554252eb658fc7f43f6fd5936ebffd25a0ec3ae053e0e63b76728dd90b0035121d99f03dee144e177a4cff362793e8bc52b73f53f

C:\Windows\SysWOW64\Nodgel32.exe

MD5 c71acfca15752bfd10a8f34bd72b999f
SHA1 ed85aee3974790413965ccc85c66135e77969027
SHA256 409ee2dc95dd258e0f78b7de4a95dfb0d6805aaaf92b89e8cb9064d4af4da48b
SHA512 b477d17ff1b5526a604e8a191795177cfc2c329d4422409ba4af3381a00ac8aa990e646b156a8f7854de54be31ff7eef3491553c9db0e7da703eaadbda892ab2

C:\Windows\SysWOW64\Nhdocl32.exe

MD5 26e8c21740d022c14057357fec71865b
SHA1 ad9bc078bb630a688ca786795e90cc382c62bc73
SHA256 3abe84081c430954f6888f4f684b7d96b6e484ac839d171b4d0e85621c18059a
SHA512 1658d4866d561e398d8ea1888728fb58303cfe070504aef48549cc93ad3518875a7d20ef68c481bafa7eaab12d16568e07002b3b881842a404c018d18e37b64f

C:\Windows\SysWOW64\Gceailog.exe

MD5 476645a116d36129f6a7df6524c60e41
SHA1 7d7fa8331241e480fc2f40250f947837bb6e87a2
SHA256 ecdf4b4c7a7043a6a293492479b26f6ea48ca84672508784b742f9bc360be434
SHA512 ed0184e8919269f68eb7f4fcbf11a803c9360819972e9c369a27f2f6d19fb9b466754d3bf93782aca5437af6fe25152cf91c3b54bd76e44869da73777a5f6d17

memory/2276-1830-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2600-1848-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1480-1853-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2108-1854-0x0000000000400000-0x0000000000433000-memory.dmp

memory/672-1865-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1800-1866-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1648-1869-0x0000000000400000-0x0000000000433000-memory.dmp

memory/800-1870-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bgaebe32.exe

MD5 f635526f35df77a1dcee304fd796d687
SHA1 d8e684fa1dc5d0c2b90cdb0154622d71b02c353d
SHA256 6d4217b8d76b1a4d8fac9bc2db7d10d9a50e56815725b2c417d9355fbec3c02d
SHA512 c34bdd20b4bb924013d3dcdaeef556b110a8a79d5f69f2ba4e86f234d91cf4dce3ffc2bd75d516adc2ca37d2ac360fd94b8550a7d369dee5b6a62cc43a33ee38

memory/2528-1874-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Elcpbigl.exe

MD5 a905e16dcadbe8e6a79ec1467b573ff9
SHA1 18bd967700fbe013cb810e6abf034b038d29ca0b
SHA256 37fd93579a6a5a6c7c5e9f588fb4a465a28ee66e5a73958c31169d11d83ad536
SHA512 1acd9e525e640c9d9e1ef3cd7f7611b4b86c792334417e428ba6b7e5278b32e30cb342605ccc8c6070a3e3ef12c1b63622bf58d0bc9bea8054f277706a63a496

C:\Windows\SysWOW64\Emgioakg.exe

MD5 d4f028564039ba2c2a415e901388b47f
SHA1 a80d4af7179b011fa1f313f6b47d1a95e7fd5395
SHA256 ebd30b32d1e4eb2a5b94e80178822fe1f009c9c52b723f61f87c13dc6779aa26
SHA512 56b39643887734ee14e27336202d9a14543bf231d1e1f2f833f21caadd8fbf6242e185a20eb3ba00972e9437b2149ca3202a18e500ac642de850d2e00f03cee5

C:\Windows\SysWOW64\Ekkjheja.exe

MD5 3810ebd4ee24fa317a37e6ac51a02430
SHA1 c2386e241ff4ed619d5c588812036fd5ac7a6a99
SHA256 f807706de8172b982687948137bd22ce7c838ea0a24694e75795cf7d4e248e95
SHA512 01b77a66443b6ffcb7cd3256ae6d00df45e8fa21cb18aa365d2acad77f057757426b2d2266c2052aa3b1d085ca261ddb6a2ea72d127be5d12c307c5818a020b8

C:\Windows\SysWOW64\Fmlbjq32.exe

MD5 cd8e31ec758d803744d2891bc50c2421
SHA1 991b43361c4e35ce2d9b024d45f1c8a898daac3e
SHA256 113d7247c6506c2e458c4f08909be647b08695782290b931b415ce8c82671fb4
SHA512 e58fef822ab6415bc92472c2ae72fe2a38c380fdae897c4dfd1b79f566039e6e97679fbc8aab0da092e935eb6402a589e4aae13b5bd29cb3ac67603d43a619f6

C:\Windows\SysWOW64\Fgdgcfmb.exe

MD5 1a96cfac97116222fa4044a64aef0b5c
SHA1 5605b21d1ce04e9d90ca244fe97f9b6ac0240b3f
SHA256 ee06fb3bf738be2fa15eec3216186e54ec2663b0a473f291f39df53a27fdad22
SHA512 af4eb9a1b042dabeee611e6f907b72c697eb979ab1cc1599cd55200c2b002f9950c54a02d59a6fd57c74298604797b2438723470d359008bb5b4577cdc6c4495

memory/900-2056-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kalipcmb.exe

MD5 fa6dffe485596280b8db54a157f910e5
SHA1 42ce4f9c922a911545a0c3f210558a95cfc25a17
SHA256 f145906c25f24bf642bd85f3802cf5bd71471ef0b769e7040c0c6bcfd3e48f8c
SHA512 1effd554bd194c42244a759e722c1076f38754076de8ace6e4057facc18c225f27a1527b79f3763628da8bb2d1f41ee4a5d74640657324066fb925ca6823e11d

C:\Windows\SysWOW64\Lgngbmjp.exe

MD5 23494d25bdc2be365d7f0e1288d8be18
SHA1 eb21e23c0a4491c35b2614f3c99f26c459b36dd8
SHA256 6dee176eae8b839997c928be63790bc51394318dbec7a3dc764ce55cc27c7548
SHA512 751f965f1942f6cce951b906392f1c48000b4dc51477865a82d0a583563d7809187ef2c4997f4b38352de6b171299f2a59165ea94a32f528132dcdb0a8bf238c

C:\Windows\SysWOW64\Kpfplo32.exe

MD5 3efb660c24ff8af2d6db0709bc4f0763
SHA1 2a927d983a9ee4f5684522dfa120a9a4760c1e39
SHA256 59474f31bd79eb0aa2b1029d013ef3c87460906b8cbbbab07ad6310f98f4ddf2
SHA512 5f19d3c5092b73a8922051ee39befbfe29e853a7c3a69569384bbec1b48fd3982f79c95ea5cd28dba419f16fa9049a63de815a07279c5cc2c4ce6bb965389daf

C:\Windows\SysWOW64\Jlhkgm32.exe

MD5 600da7b461272ca130a12f53807b9783
SHA1 43308e1ae30dd386c56a1b5a270864ade22c739e
SHA256 f561eaee991e34a333705bef4d329444750e3540acc4f1294cd371ead4052084
SHA512 2065c9c5d2fa9a42b7bc3d76f9ecbe9e7da8772bdf9acd792e26cdaa31202267d8162e4e1ea7d10bbb4d17852edd4de3e4dd825399dec377fa9b053b4c2b2076

C:\Windows\SysWOW64\Gconbj32.exe

MD5 81ded9f9886764f1a5596c1d6a31bd3e
SHA1 04275467b9f9748d3715b443410db7a42251295d
SHA256 70c922a2c6c4af9bfa7aecdff79d74c3979fe1a3e3f43324fabc0ac86e9ca0f8
SHA512 9eabc5a55af5b3868d213db7bccc04190a4b74335385ad4bd8246e5f5d793ff941731bf658f215c779171ff7ae52de68d9ca99cbc947617a635079f85a65e627

C:\Windows\SysWOW64\Gdjqamme.exe

MD5 fe7e8a5e28f8ccb952bbfe1269c48cd6
SHA1 127a17d04f7c0102edac82bc8bc2bf7c6ff5e24c
SHA256 ed849423a62fe078e5b635f984191011127fdbed5f3357149a430597b26b12df
SHA512 212eed82940558c660e83053f6b203fed49616c03a6f55faa193dbde04e3138e497e117336e8cbc7865fadc3b3a08bc33f5b2f12b747c84e7a8caf3f0dcaabcf

C:\Windows\SysWOW64\Gjdldd32.exe

MD5 36d55ec0def062ff4353970e1ce89c92
SHA1 362ccf408c9a7b610d01c5e279f5253cd207538f
SHA256 25b70a0f3bf9dac0df5c4fd048e7dc5219f0b38ba1cccc389e77232ee30a3aed
SHA512 a23d7fed0489a5e29f0a7eaaa095934aed824f4cff025a63fff177be99e6e13ae9d0e348bf085c616c08d66e2957eb260cbb5afb9a947091e7e0f534a810eac4

C:\Windows\SysWOW64\Gpjkeoha.exe

MD5 41a746834e2c70a9e328e36f93cb8bc6
SHA1 6a928329490d2f0a1756b01ce8245834fd136293
SHA256 88cc642b6412d5ac475dc5584619e4486d0fb9474b715402f46002eed35ee348
SHA512 f87807fd064b5d06dd8e4a921a51d2ba811ff859c27a6c9f88a3af9d446187bae653d1e7190743bab96992e82598749ee41fa5e337eef067e337bf063acb43ec

C:\Windows\SysWOW64\Gdcjpncm.exe

MD5 add63d515a84f744fbd9064a540d0527
SHA1 22294e0e9f44c97810b9447622f09ad5d1fde4f2
SHA256 567383c7d57f0bf14790420eb0e98dbd5abedb7333da73e8c6b1b07b483007e5
SHA512 4fefa93741ab989591da32186fcad5d9d821b6f3fc46fdda52c88103c778b841521e31fdec9473dfe1262a58ee7070f4ac66c9850bb91ce4312047a9f29ae5d5

C:\Windows\SysWOW64\Fepjea32.exe

MD5 647a32a97432c625d37003d254c874a5
SHA1 6f11f902974a0d5ae21b07037b07897d85bcf354
SHA256 afc7855be2377619264b098efbe92ae18ca31173f930ec4d582957d8931e16e8
SHA512 c580e76b875ecb043b4a8d4840ff8a348f270e37bbb16e1594a71a3bfae247a48b949c55b1a30ad9eaf9813b841eafbf55ef473414e62ebf29a25e1d16f79eae

C:\Windows\SysWOW64\Fdqnkoep.exe

MD5 fb5c41ad2ceee34cf850238c2c875fa9
SHA1 517829ea0961564bce6480dbce531f84025ac5b7
SHA256 8a24b7a3c4ad1948e8771432e8f345384f1171e5953307a9edccb0488fac89a1
SHA512 4b75980283da74bd6e116c941d632916c7420e3fddf8bfa0b3fa96d46d80461d829a29e0cf7d4f8b0cb3f9ab8b47552e9572cfecda645952fe45bcbd77dc259f

C:\Windows\SysWOW64\Fodebh32.exe

MD5 c3e106a357772c7f1994d2d17c3eb871
SHA1 49baf74795b18f79211ef20bb2dcc8c4d9dcbbb1
SHA256 5cfe04ef8600d58ea7739b033120a82782743bc5ac4b2f82505d7df40a9bec07
SHA512 c9e7a3763098c19ab6c0ea42db145d149014a7c286d67ff3e466260b0933897d43bbfb4167b3fc7413f6c32ecef20274792363c0a7b0f485ca558240ed202d84

C:\Windows\SysWOW64\Fleifl32.exe

MD5 df7b91569d4605abbbc0effe0dbb0717
SHA1 820b9af9ce7da8d8b8daf524f43f6e6dff8554ac
SHA256 e2496f2033581bdd86ac9f60e0b9ca6be474af3f301e0b0c1ca9337158db73a0
SHA512 1aab5e16e46c9bde8c54d6c0a88234026f585fde1e32732081a4b4bc35c822664c84643a72410a194e985c98707275bbaa257478adb23de2efb78fad0914b3e3

C:\Windows\SysWOW64\Fapeic32.exe

MD5 1a252b3447f3bbb49fb89fd78aa7d877
SHA1 57f93e4998926c5ebf33d1f9275f7014e4d50dcb
SHA256 b00fe0310753c509ab082cc3e9cf2a7ec0d2958da21047a3576293fdf2a01e46
SHA512 ba4d5aa2480d033caa796ad2de8194caa720860d2edeb015dc939502080a7983ba23027f0d8047a01d8a2ba795b05b1f85ee1b8b9fd6ca8dff81c33b8d10f368

C:\Windows\SysWOW64\Figmjq32.exe

MD5 f25127ef5d2151c69a2349c66aa0df8b
SHA1 c4cc37a9eb47cb7a02287019aeb25f3d91942a68
SHA256 5ae218c5ece308d35f6152f3e67d48d207142cb5478d10ee832d95b5ebd593f0
SHA512 12916624ffdaa9b7d1f2a559e6610d3fb372f1ae583730ef47bf3364bc4c8912ccbf66253c3a87c99bd4d7153df9b5f6cd4fd57f7a98c9bce5937675645867f9

C:\Windows\SysWOW64\Fpohakbp.exe

MD5 19958c92923d591ece5f1bcb22079727
SHA1 e4e97005dd6738fc26cab2acf0931f045479b958
SHA256 dffde87df1f078e8e42b836f6bbc86bbe5524f375b72fca70d417cd2d16ad343
SHA512 7aa8b92d93869c7b6ec04836d23d52e49730ed35e89352d0e06ddfc350bce76f42b23ae62a85fcf5bbc64aea73ef497cc14db482fda3dfd7068899db047debbf

memory/636-2015-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fchkbg32.exe

MD5 f98f78db7374c89e85a6c5da2ba6ade4
SHA1 419cbf9d404504e45fc81c4bcfbb5d71319d95e0
SHA256 ab65fcff98691ebca22dbb54e9da2c3a27e3dfd052e53fb8af4335cab5981df3
SHA512 67351587ce67f8fa9392061e0eac276f9022555437734982fff9b1cc94c0ceaf5194058a72b0f0a284a895516a89067978ac4b9f7c4ca325d27a5809aaf2a31b

C:\Windows\SysWOW64\Fpjofl32.exe

MD5 df2310ed4873dc584aa11e9de794a804
SHA1 bcf765ec8b1da045ba6b8377ea56b5caeb618670
SHA256 9c4116248d927ba90c681a2ae64fab0f722d8bd910c24e10748f1c79a7f50730
SHA512 c36499cbb517f0eaa32b3139467b1640a0aabc4277c1498c021fdb2d7743941c4e57587245a84e8286d9d4f7b856ac8200c514a57a68fab3684fab4a023f586e

C:\Windows\SysWOW64\Ekmfne32.exe

MD5 f2d45aed2bc376f0b8cfdfa837515681

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:37

Reported

2024-01-07 19:40

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jdhine32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jaljgidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jangmibi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jidbflcj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jangmibi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdhine32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jaljgidl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jigollag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jigollag.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmnaakne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jmnaakne.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jidbflcj.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Jaljgidl.exe C:\Windows\SysWOW64\Jidbflcj.exe N/A
File created C:\Windows\SysWOW64\Jdhine32.exe C:\Windows\SysWOW64\Jmnaakne.exe N/A
File created C:\Windows\SysWOW64\Honcnp32.dll C:\Windows\SysWOW64\Jfffjqdf.exe N/A
File created C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jfhbppbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Jangmibi.exe C:\Windows\SysWOW64\Jigollag.exe N/A
File opened for modification C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\SysWOW64\Jangmibi.exe N/A
File created C:\Windows\SysWOW64\Olmeac32.dll C:\Windows\SysWOW64\Jdhine32.exe N/A
File created C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jdjfcecp.exe N/A
File opened for modification C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jfhbppbc.exe N/A
File created C:\Windows\SysWOW64\Jangmibi.exe C:\Windows\SysWOW64\Jigollag.exe N/A
File created C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\SysWOW64\Jangmibi.exe N/A
File created C:\Windows\SysWOW64\Qekdppan.dll C:\Windows\SysWOW64\Jidbflcj.exe N/A
File created C:\Windows\SysWOW64\Ehifigof.dll C:\Windows\SysWOW64\Jaljgidl.exe N/A
File created C:\Windows\SysWOW64\Lppaheqp.dll C:\Windows\SysWOW64\Jigollag.exe N/A
File created C:\Windows\SysWOW64\Ecppdbpl.dll C:\Windows\SysWOW64\Jangmibi.exe N/A
File opened for modification C:\Windows\SysWOW64\Jdhine32.exe C:\Windows\SysWOW64\Jmnaakne.exe N/A
File opened for modification C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jfffjqdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jdhine32.exe N/A
File created C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jaljgidl.exe N/A
File created C:\Windows\SysWOW64\Jmnaakne.exe C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
File opened for modification C:\Windows\SysWOW64\Jaljgidl.exe C:\Windows\SysWOW64\Jidbflcj.exe N/A
File created C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jdhine32.exe N/A
File created C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jfffjqdf.exe N/A
File created C:\Windows\SysWOW64\Ggpfjejo.dll C:\Windows\SysWOW64\Jfhbppbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmnaakne.exe C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
File created C:\Windows\SysWOW64\Omfnojog.dll C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jdjfcecp.exe N/A
File created C:\Windows\SysWOW64\Dbcjkf32.dll C:\Windows\SysWOW64\Jdjfcecp.exe N/A
File created C:\Windows\SysWOW64\Ghmfdf32.dll C:\Windows\SysWOW64\Jmnaakne.exe N/A
File opened for modification C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jaljgidl.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll" C:\Windows\SysWOW64\Jdhine32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll" C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll" C:\Windows\SysWOW64\Jmnaakne.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmnaakne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jidbflcj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jigollag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jigollag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jidbflcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll" C:\Windows\SysWOW64\Jidbflcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll" C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll" C:\Windows\SysWOW64\Jigollag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdhine32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jangmibi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jaljgidl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll" C:\Windows\SysWOW64\Jaljgidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jaljgidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll" C:\Windows\SysWOW64\Jangmibi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jangmibi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jmnaakne.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jdhine32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll" C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe C:\Windows\SysWOW64\Jmnaakne.exe
PID 1956 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe C:\Windows\SysWOW64\Jmnaakne.exe
PID 1956 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe C:\Windows\SysWOW64\Jmnaakne.exe
PID 2736 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jdhine32.exe
PID 2736 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jdhine32.exe
PID 2736 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jdhine32.exe
PID 1488 wrote to memory of 444 N/A C:\Windows\SysWOW64\Jdhine32.exe C:\Windows\SysWOW64\Jfffjqdf.exe
PID 1488 wrote to memory of 444 N/A C:\Windows\SysWOW64\Jdhine32.exe C:\Windows\SysWOW64\Jfffjqdf.exe
PID 1488 wrote to memory of 444 N/A C:\Windows\SysWOW64\Jdhine32.exe C:\Windows\SysWOW64\Jfffjqdf.exe
PID 444 wrote to memory of 2312 N/A C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jidbflcj.exe
PID 444 wrote to memory of 2312 N/A C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jidbflcj.exe
PID 444 wrote to memory of 2312 N/A C:\Windows\SysWOW64\Jfffjqdf.exe C:\Windows\SysWOW64\Jidbflcj.exe
PID 2312 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jaljgidl.exe
PID 2312 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jaljgidl.exe
PID 2312 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Jidbflcj.exe C:\Windows\SysWOW64\Jaljgidl.exe
PID 1472 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Jaljgidl.exe C:\Windows\SysWOW64\Jdjfcecp.exe
PID 1472 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Jaljgidl.exe C:\Windows\SysWOW64\Jdjfcecp.exe
PID 1472 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Jaljgidl.exe C:\Windows\SysWOW64\Jdjfcecp.exe
PID 5092 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jfhbppbc.exe
PID 5092 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jfhbppbc.exe
PID 5092 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jfhbppbc.exe
PID 5016 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jigollag.exe
PID 5016 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jigollag.exe
PID 5016 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jigollag.exe
PID 1020 wrote to memory of 4372 N/A C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jangmibi.exe
PID 1020 wrote to memory of 4372 N/A C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jangmibi.exe
PID 1020 wrote to memory of 4372 N/A C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jangmibi.exe
PID 4372 wrote to memory of 684 N/A C:\Windows\SysWOW64\Jangmibi.exe C:\Windows\SysWOW64\Jdmcidam.exe
PID 4372 wrote to memory of 684 N/A C:\Windows\SysWOW64\Jangmibi.exe C:\Windows\SysWOW64\Jdmcidam.exe
PID 4372 wrote to memory of 684 N/A C:\Windows\SysWOW64\Jangmibi.exe C:\Windows\SysWOW64\Jdmcidam.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe

"C:\Users\Admin\AppData\Local\Temp\a3f8bb01466184393106d692b3db7d15.exe"

C:\Windows\SysWOW64\Jfhbppbc.exe

C:\Windows\system32\Jfhbppbc.exe

C:\Windows\SysWOW64\Kgmlkp32.exe

C:\Windows\system32\Kgmlkp32.exe

C:\Windows\SysWOW64\Kmnjhioc.exe

C:\Windows\system32\Kmnjhioc.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Laopdgcg.exe

C:\Windows\system32\Laopdgcg.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Lgneampk.exe

C:\Windows\system32\Lgneampk.exe

C:\Windows\SysWOW64\Lpfijcfl.exe

C:\Windows\system32\Lpfijcfl.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5484 -ip 5484

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 424

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mncmjfmk.exe

C:\Windows\system32\Mncmjfmk.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mcklgm32.exe

C:\Windows\system32\Mcklgm32.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mnocof32.exe

C:\Windows\system32\Mnocof32.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mnlfigcc.exe

C:\Windows\system32\Mnlfigcc.exe

C:\Windows\SysWOW64\Lgbnmm32.exe

C:\Windows\system32\Lgbnmm32.exe

C:\Windows\SysWOW64\Lddbqa32.exe

C:\Windows\system32\Lddbqa32.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lklnhlfb.exe

C:\Windows\system32\Lklnhlfb.exe

C:\Windows\SysWOW64\Lcdegnep.exe

C:\Windows\system32\Lcdegnep.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Ldohebqh.exe

C:\Windows\system32\Ldohebqh.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Lcpllo32.exe

C:\Windows\system32\Lcpllo32.exe

C:\Windows\SysWOW64\Lpappc32.exe

C:\Windows\system32\Lpappc32.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Kkbkamnl.exe

C:\Windows\system32\Kkbkamnl.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\system32\Kajfig32.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kcifkp32.exe

C:\Windows\system32\Kcifkp32.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kipabjil.exe

C:\Windows\system32\Kipabjil.exe

C:\Windows\SysWOW64\Kgbefoji.exe

C:\Windows\system32\Kgbefoji.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kphmie32.exe

C:\Windows\system32\Kphmie32.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\system32\Kgphpo32.exe

C:\Windows\SysWOW64\Kdaldd32.exe

C:\Windows\system32\Kdaldd32.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kilhgk32.exe

C:\Windows\system32\Kilhgk32.exe

C:\Windows\SysWOW64\Kpccnefa.exe

C:\Windows\system32\Kpccnefa.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Jdmcidam.exe

C:\Windows\system32\Jdmcidam.exe

C:\Windows\SysWOW64\Jangmibi.exe

C:\Windows\system32\Jangmibi.exe

C:\Windows\SysWOW64\Jigollag.exe

C:\Windows\system32\Jigollag.exe

C:\Windows\SysWOW64\Jdjfcecp.exe

C:\Windows\system32\Jdjfcecp.exe

C:\Windows\SysWOW64\Jaljgidl.exe

C:\Windows\system32\Jaljgidl.exe

C:\Windows\SysWOW64\Jidbflcj.exe

C:\Windows\system32\Jidbflcj.exe

C:\Windows\SysWOW64\Jfffjqdf.exe

C:\Windows\system32\Jfffjqdf.exe

C:\Windows\SysWOW64\Jdhine32.exe

C:\Windows\system32\Jdhine32.exe

C:\Windows\SysWOW64\Jmnaakne.exe

C:\Windows\system32\Jmnaakne.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
IE 40.127.169.103:443 tcp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 64.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files
