Analysis Overview
SHA256
f297ac15619b88a1895cce2ff6b834dded0ab2085e2fe42adb02d1cb67c66dd4
Threat Level: Known bad
The file 06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Gozi
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-15 17:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 17:02
Reported
2024-05-15 17:05
Platform
win7-20240419-en
Max time kernel
145s
Max time network
120s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Baildokg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnefdp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnippoha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gphmeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Boiccdnf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Claifkkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cckace32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cndbcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fhhcgj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dnneja32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emeopn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Emhlfmgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amejeljk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bghabf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Claifkkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dnneja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fpdhklkl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gkihhhnm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbkeib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdlnkmha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gangic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkihhhnm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Blmdlhmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnpmipql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgpgce32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnippoha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgmglh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgmkmecg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgpgce32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Cnippoha.exe | C:\Windows\SysWOW64\Cgpgce32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkbcpgjj.dll | C:\Windows\SysWOW64\Cnippoha.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjjddchg.exe | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpdhklkl.exe | C:\Windows\SysWOW64\Fhhcgj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fbdqmghm.exe | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkkgcp32.dll | C:\Windows\SysWOW64\Bpafkknm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fhhcgj32.exe | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkihhhnm.exe | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jondlhmp.dll | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| File created | C:\Windows\SysWOW64\Odpegjpg.dll | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpocfncj.exe | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmjejphb.exe | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gopkmhjk.exe | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Clphjpmh.dll | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| File created | C:\Windows\SysWOW64\Ahcocb32.dll | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\SysWOW64\Hellne32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bingpmnl.exe | C:\Windows\SysWOW64\Boiccdnf.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgmglh32.exe | C:\Windows\SysWOW64\Cndbcc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgpdcgoc.dll | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Globlmmj.exe | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpqpdnop.dll | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File created | C:\Windows\SysWOW64\Qoflni32.dll | C:\Windows\SysWOW64\Comimg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmjaic32.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Elmigj32.exe | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| File created | C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkamkfgh.dll | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| File created | C:\Windows\SysWOW64\Ognnoaka.dll | C:\Windows\SysWOW64\Cgmkmecg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgpgce32.exe | C:\Windows\SysWOW64\Cljcelan.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmlnoc32.exe | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdhaablp.dll | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogjbla32.dll | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdapak32.exe | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgdmei32.dll | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkhcmgnl.exe | C:\Windows\SysWOW64\Dgmglh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eloemi32.exe | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gangic32.exe | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcaipkch.dll | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdfflm32.exe | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hellne32.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbkeib32.exe | C:\Windows\SysWOW64\Comimg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljpghahi.dll | C:\Windows\SysWOW64\Dgmglh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| File created | C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmddhkao.dll | C:\Windows\SysWOW64\Boiccdnf.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdlnkmha.exe | C:\Windows\SysWOW64\Cckace32.exe | N/A |
| File created | C:\Windows\SysWOW64\Accikb32.dll | C:\Windows\SysWOW64\Bnefdp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgnijonn.dll | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gegfdb32.exe | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgmkmecg.exe | C:\Windows\SysWOW64\Bnefdp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffbicfoc.exe | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffbicfoc.exe | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpdcdhpk.dll | C:\Windows\SysWOW64\Bingpmnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Egadpgfp.dll | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fjilieka.exe | C:\Windows\SysWOW64\Fpdhklkl.exe | N/A |
| File created | C:\Windows\SysWOW64\Phofkg32.dll | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bghabf32.exe | C:\Windows\SysWOW64\Bnpmipql.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnefdp32.exe | C:\Windows\SysWOW64\Bgknheej.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bingpmnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll" | C:\Windows\SysWOW64\Cljcelan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Comimg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dnneja32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eihfjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Boiccdnf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll" | C:\Windows\SysWOW64\Cdlnkmha.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cndbcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Emhlfmgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleajblp.dll" | C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bingpmnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bioggp32.dll" | C:\Windows\SysWOW64\Claifkkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Blmdlhmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bpafkknm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" | C:\Windows\SysWOW64\Cgmkmecg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dbbkja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkmmhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" | C:\Windows\SysWOW64\Gopkmhjk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" | C:\Windows\SysWOW64\Dgmglh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fhhcgj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gphmeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Boiccdnf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bpafkknm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bgknheej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" | C:\Windows\SysWOW64\Cbkeib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dbbkja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Emhlfmgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" | C:\Windows\SysWOW64\Bgknheej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cljcelan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cgpgce32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cljcelan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Amejeljk.exe
C:\Windows\system32\Amejeljk.exe
C:\Windows\SysWOW64\Aepojo32.exe
C:\Windows\system32\Aepojo32.exe
C:\Windows\SysWOW64\Boiccdnf.exe
C:\Windows\system32\Boiccdnf.exe
C:\Windows\SysWOW64\Bingpmnl.exe
C:\Windows\system32\Bingpmnl.exe
C:\Windows\SysWOW64\Blmdlhmp.exe
C:\Windows\system32\Blmdlhmp.exe
C:\Windows\SysWOW64\Baildokg.exe
C:\Windows\system32\Baildokg.exe
C:\Windows\SysWOW64\Bnpmipql.exe
C:\Windows\system32\Bnpmipql.exe
C:\Windows\SysWOW64\Bghabf32.exe
C:\Windows\system32\Bghabf32.exe
C:\Windows\SysWOW64\Bpafkknm.exe
C:\Windows\system32\Bpafkknm.exe
C:\Windows\SysWOW64\Bgknheej.exe
C:\Windows\system32\Bgknheej.exe
C:\Windows\SysWOW64\Bnefdp32.exe
C:\Windows\system32\Bnefdp32.exe
C:\Windows\SysWOW64\Cgmkmecg.exe
C:\Windows\system32\Cgmkmecg.exe
C:\Windows\SysWOW64\Cljcelan.exe
C:\Windows\system32\Cljcelan.exe
C:\Windows\SysWOW64\Cgpgce32.exe
C:\Windows\system32\Cgpgce32.exe
C:\Windows\SysWOW64\Cnippoha.exe
C:\Windows\system32\Cnippoha.exe
C:\Windows\SysWOW64\Ccfhhffh.exe
C:\Windows\system32\Ccfhhffh.exe
C:\Windows\SysWOW64\Comimg32.exe
C:\Windows\system32\Comimg32.exe
C:\Windows\SysWOW64\Cbkeib32.exe
C:\Windows\system32\Cbkeib32.exe
C:\Windows\SysWOW64\Claifkkf.exe
C:\Windows\system32\Claifkkf.exe
C:\Windows\SysWOW64\Cckace32.exe
C:\Windows\system32\Cckace32.exe
C:\Windows\SysWOW64\Cdlnkmha.exe
C:\Windows\system32\Cdlnkmha.exe
C:\Windows\SysWOW64\Cndbcc32.exe
C:\Windows\system32\Cndbcc32.exe
C:\Windows\SysWOW64\Dgmglh32.exe
C:\Windows\system32\Dgmglh32.exe
C:\Windows\SysWOW64\Dkhcmgnl.exe
C:\Windows\system32\Dkhcmgnl.exe
C:\Windows\SysWOW64\Dbbkja32.exe
C:\Windows\system32\Dbbkja32.exe
C:\Windows\SysWOW64\Dgodbh32.exe
C:\Windows\system32\Dgodbh32.exe
C:\Windows\SysWOW64\Dgaqgh32.exe
C:\Windows\system32\Dgaqgh32.exe
C:\Windows\SysWOW64\Dkmmhf32.exe
C:\Windows\system32\Dkmmhf32.exe
C:\Windows\SysWOW64\Dfgmhd32.exe
C:\Windows\system32\Dfgmhd32.exe
C:\Windows\SysWOW64\Dnneja32.exe
C:\Windows\system32\Dnneja32.exe
C:\Windows\SysWOW64\Eihfjo32.exe
C:\Windows\system32\Eihfjo32.exe
C:\Windows\SysWOW64\Emcbkn32.exe
C:\Windows\system32\Emcbkn32.exe
C:\Windows\SysWOW64\Ejgcdb32.exe
C:\Windows\system32\Ejgcdb32.exe
C:\Windows\SysWOW64\Emeopn32.exe
C:\Windows\system32\Emeopn32.exe
C:\Windows\SysWOW64\Emhlfmgj.exe
C:\Windows\system32\Emhlfmgj.exe
C:\Windows\SysWOW64\Ekklaj32.exe
C:\Windows\system32\Ekklaj32.exe
C:\Windows\SysWOW64\Ebedndfa.exe
C:\Windows\system32\Ebedndfa.exe
C:\Windows\SysWOW64\Elmigj32.exe
C:\Windows\system32\Elmigj32.exe
C:\Windows\SysWOW64\Epieghdk.exe
C:\Windows\system32\Epieghdk.exe
C:\Windows\SysWOW64\Eloemi32.exe
C:\Windows\system32\Eloemi32.exe
C:\Windows\SysWOW64\Ebinic32.exe
C:\Windows\system32\Ebinic32.exe
C:\Windows\SysWOW64\Flabbihl.exe
C:\Windows\system32\Flabbihl.exe
C:\Windows\SysWOW64\Fnpnndgp.exe
C:\Windows\system32\Fnpnndgp.exe
C:\Windows\SysWOW64\Fhhcgj32.exe
C:\Windows\system32\Fhhcgj32.exe
C:\Windows\SysWOW64\Fpdhklkl.exe
C:\Windows\system32\Fpdhklkl.exe
C:\Windows\SysWOW64\Fjilieka.exe
C:\Windows\system32\Fjilieka.exe
C:\Windows\SysWOW64\Facdeo32.exe
C:\Windows\system32\Facdeo32.exe
C:\Windows\SysWOW64\Fdapak32.exe
C:\Windows\system32\Fdapak32.exe
C:\Windows\SysWOW64\Fbdqmghm.exe
C:\Windows\system32\Fbdqmghm.exe
C:\Windows\SysWOW64\Fioija32.exe
C:\Windows\system32\Fioija32.exe
C:\Windows\SysWOW64\Fmjejphb.exe
C:\Windows\system32\Fmjejphb.exe
C:\Windows\SysWOW64\Fbgmbg32.exe
C:\Windows\system32\Fbgmbg32.exe
C:\Windows\SysWOW64\Ffbicfoc.exe
C:\Windows\system32\Ffbicfoc.exe
C:\Windows\SysWOW64\Fiaeoang.exe
C:\Windows\system32\Fiaeoang.exe
C:\Windows\SysWOW64\Globlmmj.exe
C:\Windows\system32\Globlmmj.exe
C:\Windows\SysWOW64\Gpknlk32.exe
C:\Windows\system32\Gpknlk32.exe
C:\Windows\SysWOW64\Gegfdb32.exe
C:\Windows\system32\Gegfdb32.exe
C:\Windows\SysWOW64\Gpmjak32.exe
C:\Windows\system32\Gpmjak32.exe
C:\Windows\SysWOW64\Gopkmhjk.exe
C:\Windows\system32\Gopkmhjk.exe
C:\Windows\SysWOW64\Gbkgnfbd.exe
C:\Windows\system32\Gbkgnfbd.exe
C:\Windows\SysWOW64\Gangic32.exe
C:\Windows\system32\Gangic32.exe
C:\Windows\SysWOW64\Gldkfl32.exe
C:\Windows\system32\Gldkfl32.exe
C:\Windows\SysWOW64\Gobgcg32.exe
C:\Windows\system32\Gobgcg32.exe
C:\Windows\SysWOW64\Gelppaof.exe
C:\Windows\system32\Gelppaof.exe
C:\Windows\SysWOW64\Ghkllmoi.exe
C:\Windows\system32\Ghkllmoi.exe
C:\Windows\SysWOW64\Glfhll32.exe
C:\Windows\system32\Glfhll32.exe
C:\Windows\SysWOW64\Gkihhhnm.exe
C:\Windows\system32\Gkihhhnm.exe
C:\Windows\SysWOW64\Gacpdbej.exe
C:\Windows\system32\Gacpdbej.exe
C:\Windows\SysWOW64\Gdamqndn.exe
C:\Windows\system32\Gdamqndn.exe
C:\Windows\SysWOW64\Gkkemh32.exe
C:\Windows\system32\Gkkemh32.exe
C:\Windows\SysWOW64\Gmjaic32.exe
C:\Windows\system32\Gmjaic32.exe
C:\Windows\SysWOW64\Gphmeo32.exe
C:\Windows\system32\Gphmeo32.exe
C:\Windows\SysWOW64\Ghoegl32.exe
C:\Windows\system32\Ghoegl32.exe
C:\Windows\SysWOW64\Hiqbndpb.exe
C:\Windows\system32\Hiqbndpb.exe
C:\Windows\SysWOW64\Hmlnoc32.exe
C:\Windows\system32\Hmlnoc32.exe
C:\Windows\SysWOW64\Hdfflm32.exe
C:\Windows\system32\Hdfflm32.exe
C:\Windows\SysWOW64\Hgdbhi32.exe
C:\Windows\system32\Hgdbhi32.exe
C:\Windows\SysWOW64\Hnojdcfi.exe
C:\Windows\system32\Hnojdcfi.exe
C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
C:\Windows\SysWOW64\Hdhbam32.exe
C:\Windows\system32\Hdhbam32.exe
C:\Windows\SysWOW64\Hejoiedd.exe
C:\Windows\system32\Hejoiedd.exe
C:\Windows\SysWOW64\Hiekid32.exe
C:\Windows\system32\Hiekid32.exe
C:\Windows\SysWOW64\Hpocfncj.exe
C:\Windows\system32\Hpocfncj.exe
C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
C:\Windows\SysWOW64\Hellne32.exe
C:\Windows\system32\Hellne32.exe
C:\Windows\SysWOW64\Hlfdkoin.exe
C:\Windows\system32\Hlfdkoin.exe
C:\Windows\SysWOW64\Hcplhi32.exe
C:\Windows\system32\Hcplhi32.exe
C:\Windows\SysWOW64\Hjjddchg.exe
C:\Windows\system32\Hjjddchg.exe
C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\system32\Hkkalk32.exe
C:\Windows\SysWOW64\Iaeiieeb.exe
C:\Windows\system32\Iaeiieeb.exe
C:\Windows\SysWOW64\Idceea32.exe
C:\Windows\system32\Idceea32.exe
C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\system32\Ihoafpmp.exe
C:\Windows\SysWOW64\Ioijbj32.exe
C:\Windows\system32\Ioijbj32.exe
C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 140
Network
Files
memory/2944-0-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Amejeljk.exe
| MD5 | 7cd245eacfdca38be92e58cc822ec7b8 |
| SHA1 | cf664f2859017ce368e010d8cf7f14ff1c558bad |
| SHA256 | b667672a909b9d77fde52e28e59b465e8f77cd4a63a311c7aed4c090fc58e9af |
| SHA512 | e0794b24b90528fc2c79dfa6070b617f4231de02ef2e2afddc015577d61ff24062d8670f226f66d229226f27388316cc0c0aa9f1c181f97be84a051dd737e162 |
memory/2944-6-0x0000000000290000-0x00000000002E3000-memory.dmp
memory/3032-13-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Aepojo32.exe
| MD5 | f578171109499a34d9541fa03ca345aa |
| SHA1 | a79c559bfd5e50ef610dbde2ec7d3f83889f3277 |
| SHA256 | b497ae962c71e6e91efe3624658f4fac4656c46cc721c93808d6731dd5f102a1 |
| SHA512 | 71670b36ff45e833597ea2cdd2e5aa8ea158106e8acf876ae49b74d2cb6d0430566f9f7553517b50f38414d38681b98895cd417b4ac0b32fd1a1ad83578be680 |
memory/2284-27-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3032-26-0x0000000000250000-0x00000000002A3000-memory.dmp
\Windows\SysWOW64\Boiccdnf.exe
| MD5 | d503d0704b4d898c6e0e98777c405967 |
| SHA1 | 6c34e3d968d113c10b47820fc15148dc2f2b6353 |
| SHA256 | de64e91f86d4d80ea8791bf3b7cf5a429b2ad3879707e75c4cd06b6a97e269d7 |
| SHA512 | cf6f8d0bcacb12b92b9cbb0496b28751b0046067d2379ad933306c9c63922836164ae8c2d6adcd2c48fb0ef7e64d02e4d47b2a7a0da110e308bc54a602f8d352 |
memory/2284-34-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Bingpmnl.exe
| MD5 | ae37272e6eaeb9504cb8a4062d2656ba |
| SHA1 | d297d21f34dec3dcd47a334b72ec5be64a0482ab |
| SHA256 | 68468adf850fa7262d82e459f2b0389f4fff165508a32ae7caa5a8f55a180200 |
| SHA512 | 6f3412c4b19a5c0c5dfbcd5ce64b5c6b1270985f338decadf2d839638f746f31d17670fef601f334456831e98719476a9c33d2722b7722c74f84674a8b3f00b5 |
memory/2900-53-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Blmdlhmp.exe
| MD5 | 697478cb72c1ea81563f0f0b7eaa245f |
| SHA1 | 48769be42a9d53020f4979c2b3c209e8e7bdef0d |
| SHA256 | 2897da5e3f942af5bd774baa6373c31f69d956af930375ba69b35cf7e5f283a7 |
| SHA512 | 6f9d16392aa36519390085ce6754b02b5dfc5532209ff7dae0350fce91652ce5df20503d4a57c899351c28e89ca1f0cd96d6535d2ca59e07deb0eacddd17ced9 |
memory/2900-65-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2716-71-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Baildokg.exe
| MD5 | 4519a4d221b2e11374df464b0878d1e5 |
| SHA1 | 232834bbe4925b254333bba759ba6b673a777e8a |
| SHA256 | 81af946164cfa05933efefb7d15aefc2058c3e6fb30603da6a0f26f9ccf46b2f |
| SHA512 | 28aac221275e8bc21a11c6bbd8542bed19409697048fa56ecd7f0888885b417f868ab021345055fbf7f527d6b0b5ff02f94111f7bae1a38531bb6362d7c6c7c2 |
memory/2500-81-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2716-75-0x00000000002E0000-0x0000000000333000-memory.dmp
\Windows\SysWOW64\Bnpmipql.exe
| MD5 | 5a5c15c6c5e3a817d3d5568c4065d9dc |
| SHA1 | 5fbb5a7188dbb35955dcc4781092378097f4b672 |
| SHA256 | 3dad5600e9f86a555e574c7d7bf6464afcd4bd1347d321db2805a2ca182a8474 |
| SHA512 | b74a7927706dc50ed9571a5e6430677bd34ea1f9fa66428cb4c8aecbae9dc6c8b29a8b7bd5e31ffcbfb2d3e5e92a3b7b819dd5729705378301d90687dab9e6f6 |
memory/2500-91-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2764-107-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bghabf32.exe
| MD5 | c1c518fb77a1f7788c3e262820a462e7 |
| SHA1 | b867fd47d76c97f0e650141a454acfb18ad51070 |
| SHA256 | c1cb4fa46fc0b558984211323a58717c29102f0ccd1ba55461f215e2e81a48d7 |
| SHA512 | 449d6a8374683a4b7b5955f69bf4d6ee09f02493c126009830394ee773f366fbe58898b162fd7e8bd7166db427cd7055a1809fddbbfd3fd45614e2b4cff79489 |
\Windows\SysWOW64\Bpafkknm.exe
| MD5 | 0e06ace187760861335deb5106c8559b |
| SHA1 | 9935b60760245af70122ad12bc7cdc6c6d266c43 |
| SHA256 | ffaac6f3d10bc22f351e582c6779732b9f5be7ba5527b7a80be79ef778ebf226 |
| SHA512 | 6cfb69c3719876966da6e6b0201e16aebe3922567ff47e37ebd6d32dab48273dde20aad382a8902bcc3a83e493f1839e44685b7de591e75d4605679da7560674 |
\Windows\SysWOW64\Bgknheej.exe
| MD5 | e0b15d46e0eb989169564db6de9332aa |
| SHA1 | e21c79ff5c76ab04ae563e1b9c7bc940e8bf3909 |
| SHA256 | 136b17790ae600cb1b46d996f071fd3b5129e47292628b3918f188efc3563a2b |
| SHA512 | 4ed499cabcbd24f6b56a59867fc66932c71c3eff093677ea3a5850a3b83fec87bceaea8fcbdc6c07e05146182db17110bd6a7d2ac01acdcdce17f671f9039019 |
memory/1628-132-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Bnefdp32.exe
| MD5 | c45c2cae8ee4385cd83cfaca0ca87134 |
| SHA1 | fc7bebda2146578af0c19fb88b7c36f8f92081fd |
| SHA256 | f52395cd99c1b3addeca3b4613220cd6e0650fe1245021cf6a8f13af8f091754 |
| SHA512 | b00742e32557ed2ddd0894ab8f781ae0aee40131074bb1096848f506d3082753f4e133e735630a9a9e5ddf1a1b34d6399334b3c4c5350564908d193c91ea210e |
memory/1628-144-0x00000000002F0000-0x0000000000343000-memory.dmp
\Windows\SysWOW64\Cgmkmecg.exe
| MD5 | b6db019ada29ff981c74d8c279e951e2 |
| SHA1 | 02e7d497ed6402fd24e5a82b9a113038ed53c647 |
| SHA256 | 6779f240e214d5168cee3a26f95d8027b2b2eeb18708daa94c48ea6b7b3f0174 |
| SHA512 | 2a3ec3784cd4a035474d7aa1272d0c9241e0c12b4f2179b779459cf428ad6f7871b81731b4270c4843d6749864cee3035424100631060293eddac537ea550965 |
memory/2180-158-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Cljcelan.exe
| MD5 | 82bc4c91ba1a734d413e67965291cb29 |
| SHA1 | 0f8201b8e34f3d5d7b12ca81199bc13f4855c172 |
| SHA256 | bffeb51707486a932ad2ff26b9c8823a383da3d28e0da421a446a0a3f3f59a35 |
| SHA512 | ab5e97fc44536fa827da2ce133e9488f25fc118d308a1865a3b25be93d96b91f43fca45ddd9ea563efdc5290d31b27a13afe96ae01a827e103a61cbd52d7699a |
memory/2180-165-0x0000000000460000-0x00000000004B3000-memory.dmp
\Windows\SysWOW64\Cgpgce32.exe
| MD5 | d0a47a234347ed5ee6bf42a63b688b7f |
| SHA1 | 6f90770b9814c8f4864670eb6dba7dd6b01bac7d |
| SHA256 | 68c37c1b3547a731604060ca15ec63ae9c72a37c8f977e6d9e3cf908d5aff97d |
| SHA512 | 1d3f8207956d7d26bc7427374e1d01f086625caa57be3011d7d4e16a13cd41aa1d06e377a598d4f2bcfe87e453aedcdb5ec351b1f1fdf405d66544a1bd79436f |
memory/1524-185-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Cnippoha.exe
| MD5 | 17fffcb33a43f62557555d9561f0c2a6 |
| SHA1 | 018f6b121db22c7d839646859edab3ec1ceca144 |
| SHA256 | 5a8812ea161e5202bfe91991fc21ee40a1bb6ab5eaf7ed461f55b6cc4c34db8f |
| SHA512 | dc8bd6b26d8f7a84de7618a3177c2042e9c82a4bd98a33ee1af28e9a83621e39019945731d37c92454b8837eca8da1a9b238498fbe981d546962661e493f8035 |
memory/1524-192-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1924-204-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1524-202-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Ccfhhffh.exe
| MD5 | 738d46575ccca719eb0aaa261646231c |
| SHA1 | beb9d9fc36fa74ba3bf26fd133ed731a8995310d |
| SHA256 | 4ce67347040838816869c574bb35b11d7a09a5d80960e974bc5d93daf5137cc3 |
| SHA512 | ae379fcc6673dcbd78c22142290fcb717cfcb1596381e14222f50e8fee952e355635d05a2c5df361248c131fb40ad6e012efd7fe72dbb48e13ff780663e0f143 |
memory/1924-212-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/2712-214-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1924-213-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Comimg32.exe
| MD5 | a41b148db6a1f3aba85c800981a5fb48 |
| SHA1 | a279bbbcd9ab6db1b941801013172093376e14be |
| SHA256 | 47a09352bcf71bfc973f1f526e40fc409e4502e3f6c697dfd8f2c59a7f069fbe |
| SHA512 | 44b791e333b504045210248595a2f36cbbb6606a7579ab31822287a020e6bf0d5a7baefafe8fd9c4a2e2acfd20c4dd8b40e733880394ec9349d90c076d15c116 |
memory/2712-225-0x0000000001FC0000-0x0000000002013000-memory.dmp
memory/2712-224-0x0000000001FC0000-0x0000000002013000-memory.dmp
C:\Windows\SysWOW64\Cbkeib32.exe
| MD5 | c6044b554cb0ab51759325c670b33c41 |
| SHA1 | 52855379853af116cfd821051c7109c6eb9a6875 |
| SHA256 | bb23a938d5ece4aba1eaa578f49d18046ec25285a6d813a1fabfc26fabb39cd2 |
| SHA512 | 8e3d0eadfac06a9387595f90667cb259bcf064af4560ab6a6b9c3deda70a2f5d055b6aaa919427e51a7378f537fd02992ee29ff77721cc8219474049796d8f73 |
memory/484-234-0x0000000002000000-0x0000000002053000-memory.dmp
memory/1476-236-0x0000000000400000-0x0000000000453000-memory.dmp
memory/484-235-0x0000000002000000-0x0000000002053000-memory.dmp
memory/1476-242-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Claifkkf.exe
| MD5 | be833a578526a40e5ae02aa1d041acc9 |
| SHA1 | 55c862ad04c38f7642a049021dbacbdfb6c680fc |
| SHA256 | 295a083d07a598107365f554778fac73cfa3109aee5016a8c811810f2e3d7476 |
| SHA512 | f560cee0fa2e03a35896c7863185abc63a9cdbdb01a4a9ecac5a08d9b566c4ccd030c9f0e049a92425c5badc361d487b96e19e891f069cb57cbc047605af6cf3 |
memory/1816-251-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1476-250-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Cckace32.exe
| MD5 | 70953f360aa0d87e21b97b5bc88331b7 |
| SHA1 | 7fe3a1910953c540e48c15cf053b1fc380906e32 |
| SHA256 | afdf82a8babb24260664f4bb09c39eca4a61e64e6206932d6805bca8917506bf |
| SHA512 | afb949e64f1a30079a371b79f176b18b4557a47622e5a8452111d43842ff82523d9accada9313a6407ad702e1c263e0f810fcef886e40a1316ed6e001766beee |
memory/448-258-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1816-257-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/1816-256-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Cdlnkmha.exe
| MD5 | 2eb8a35e30901cd7ea92201f5014b6ca |
| SHA1 | 0662b01715a2e980f1aff6f999362a3dc36faa8f |
| SHA256 | 8e665708f6209da0f97608704452038e72c6c721d15b6002902e372d477907b5 |
| SHA512 | 3f2bce9a1e1bb00eb2951dc863ea95aa892382ac45336c306906dbab2dd91af1e8fce5a1959e364d1ce658795ee59795463a13524e7af2b684a350b80e8bc2c5 |
C:\Windows\SysWOW64\Cndbcc32.exe
| MD5 | 448cca6cac9e478afafe4120fc124b63 |
| SHA1 | ef5ebcbdf30a903cfc63731e2ce6be0bf3a9e742 |
| SHA256 | bc2287e027637b3e0fe3cbf549d20f7025393014c3a477f036f51b563c3c0409 |
| SHA512 | 88b57712559f8c52fcfc26f93605177e79edc394e1a5e0d994caffeec83850b07eb0a5b53488fb20aa925649eafece3d3f07a6ac5963c54449a3d8aaffb52621 |
memory/2052-278-0x0000000000400000-0x0000000000453000-memory.dmp
memory/884-277-0x0000000000290000-0x00000000002E3000-memory.dmp
memory/448-272-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/448-271-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Dgmglh32.exe
| MD5 | c5cb8f2cc4fba084047463ce74948c63 |
| SHA1 | a4dc0aba2ce73931ce8f3fbd40b84b0835cdafe4 |
| SHA256 | 797b91684e231752030f32449fb58de708d014d6e4a4262cdd2327c72e98edd4 |
| SHA512 | 558780648eb3e3fea8d032f916647b25bcd88089eb8afa8d7fb05a45a42dfaf954fda0bdacc3a419d74b15b951fa237ccafc82c18e41282c49ddd11870fd6278 |
memory/352-289-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2052-288-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/2052-287-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Dkhcmgnl.exe
| MD5 | 0be94bc5c8dc3cf71b69f03cbbb4f352 |
| SHA1 | b5068f552552b87c0b988fe62a5e53608ca084da |
| SHA256 | 9d6759dd677dce7913a673b7eb179459d317eb056de91fd889d2836ab625fc3e |
| SHA512 | 4429c26b283ae77c5ad5147161e09f38631fa1b87d5f87c0be7c63586892b7f434ebb48d7ddd744488e292f861b6f6a4cac32a70ba7839ff4ca5e5bf9d51d1cd |
memory/352-299-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1496-300-0x0000000000400000-0x0000000000453000-memory.dmp
memory/352-298-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1496-310-0x0000000000320000-0x0000000000373000-memory.dmp
memory/1496-309-0x0000000000320000-0x0000000000373000-memory.dmp
C:\Windows\SysWOW64\Dbbkja32.exe
| MD5 | 47ec42299dbb15593afa70b82d109879 |
| SHA1 | 7ab15175a137fe52a66337041264cf606b16eee7 |
| SHA256 | 3e7a0af1f266fba09623f060a292d4d0aff6f8972903526c56e50b65c4d82dfc |
| SHA512 | 8d2a618950fffa00d4c3388ce6aadfae6e8b26bdd49fa0b2e8a9b7088b7164def7315ef28288328cbd5814099708ebfe0e30821193caca591c8fefccce78c38b |
memory/2456-315-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2892-321-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2456-320-0x0000000000660000-0x00000000006B3000-memory.dmp
C:\Windows\SysWOW64\Dgodbh32.exe
| MD5 | 9f07a0c5b20465ea845fceea8e340692 |
| SHA1 | 7888d3623a5532d878e65bead973cd29eb8f0696 |
| SHA256 | 7d952631e46d3e25502f086565e720c66c876fbd39ba3da62e5bdb3c9a92a47f |
| SHA512 | 1d78ceeaa39a9b821501a970a59dea59ffccd1e27c9dba36576b73c5d96608cdfd21094b2468c16591ba199dc07bf594df65be600187d7fe34db0775591287e7 |
C:\Windows\SysWOW64\Dgaqgh32.exe
| MD5 | eb7f7d90d09877a045395fc089073245 |
| SHA1 | d39e74aec3187adffba7f1119aeb4eab8ea22018 |
| SHA256 | 2867c123769e7675abaa482b5fc36e2fd72b8598c6113eb5a794ca66db0dcb40 |
| SHA512 | 6303d6ea8d17926f296609008d71e7669b88ff90cac2012ca206873c9f5f57783299f950d09d49f0df15847e6f0efdab6ecb5286a63c668c2aa7d3c10186027b |
memory/2700-342-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2684-341-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Dkmmhf32.exe
| MD5 | 98d2bd2d9f6bec9c7dd62cd37e581c93 |
| SHA1 | 034fbc9f6a4ce8f4cf63177fb971d588b022a21c |
| SHA256 | 2a19ec06e5c57a4e4e403b443fe429fbcd2d30bccb3feaf019ddbf886c897517 |
| SHA512 | 938919d6422cc3a5d86bda5e6966d200fa4aceb227d2c7394ad709973614ed09250085ca6da8c4864b712b974ca1900707e614af336fc61fbf65bd48b07033b6 |
memory/2684-336-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2892-335-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/2892-334-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Dfgmhd32.exe
| MD5 | a5fa97f1a89c1584e07330475223cca6 |
| SHA1 | 577d32f0a1aa01272fbce7807cae8c023736c283 |
| SHA256 | df9c2739423d4f88b352bccfc04027ad907980efb98481efb976c3cb8a66268c |
| SHA512 | 10176655c9a57cc56ef057244c5ffd5cc886344f05336d7c2c37be1b0e25c23030a07765c247d2887365770e7b96527e289f9909252cb8a8a1ef667fd868d84c |
memory/2700-351-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1160-359-0x0000000000320000-0x0000000000373000-memory.dmp
memory/1160-357-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2700-352-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Dnneja32.exe
| MD5 | 3f2922d37e8afa6506c1873075e4178d |
| SHA1 | aa8b2cdbd39600733bf131be1e946a8da41cb137 |
| SHA256 | 6369835cdac2b19a050d28bdb02f32aef554ad31ef20d13a0daabd048f50ec81 |
| SHA512 | 792396b5dc05576f3cf34bea64977b1b2374c1bf226a0e4d576169275cedf563fb5ada1075818af1e836b23760767f6adc25e8889333309e6485f08fc08b7ef6 |
memory/2308-364-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1160-363-0x0000000000320000-0x0000000000373000-memory.dmp
memory/2308-370-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Eihfjo32.exe
| MD5 | 0807719f1a6afd59f77023dd662b2d50 |
| SHA1 | 9c1c201b9cf25a0e7adc211a99f0bc119325b5fb |
| SHA256 | 47548180c7bbb775cfe325d11a7686cd5811cd499985bf031767e75b0b4bd3a7 |
| SHA512 | b2f2e0c0053c41cca60ed030c81f23c1c0954066414327bde9153b58a5a5ca21258686ba1a45a79f0e3aa4a9626d7e715a103da2833566218b4879d41dbe3f05 |
memory/2308-374-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Emcbkn32.exe
| MD5 | c30753762138295fa872f26caf3adaa6 |
| SHA1 | 86839362ddc96590a12719036ac172baecb2ae11 |
| SHA256 | 7a1211344ed876674137870df2fe059466a37807b80aaae2c1c356233910427b |
| SHA512 | fdfa73873c1f5535da905e6c73916701bf7575c616f43c0c1c17d9c19f8256b22560668448dcabccb88f14405ce541b5da1589267c9f2f20a0fd9de3ada3be2b |
memory/2672-385-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2560-384-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2560-383-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Ejgcdb32.exe
| MD5 | de7f719d4e42e9b114b255f306ddce41 |
| SHA1 | 32591981080108fc3da2712f73ad6c161acee3b8 |
| SHA256 | 9bc294ac071a423bce6a124acf97a2be4210567928ba8cf434df80d27833298f |
| SHA512 | 0bf2eccbfe2f9fc2e5c5adf688b065edfe0303d5f19f0dbe8356395ba5a3ce88754f993b3068d084ae521bddf1541e75fcb832343fcd075dd5bb3b19c5a484c8 |
memory/2996-400-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2672-395-0x0000000000460000-0x00000000004B3000-memory.dmp
memory/2672-394-0x0000000000460000-0x00000000004B3000-memory.dmp
C:\Windows\SysWOW64\Emeopn32.exe
| MD5 | 00208a7036d35a92a6ebeb5d48fb74cf |
| SHA1 | acc726f30f6c58ddb7d11f68106fd8d9d66575f6 |
| SHA256 | a0e4f4063e339e375a728c46451ea6c1bc206a532df57caf0a31a1c7560c327a |
| SHA512 | 4293307dd3732bcee8dbb70bf7be8b27c18ab3bebb36cce2fbf4dfbe49d407f466d4fee0c2304982ab9a246309535e5cd5b8fc88f9c96fd7ec86d90786cb57ac |
memory/2844-407-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2996-406-0x0000000000260000-0x00000000002B3000-memory.dmp
memory/2996-402-0x0000000000260000-0x00000000002B3000-memory.dmp
C:\Windows\SysWOW64\Emhlfmgj.exe
| MD5 | 54b04e98916d12f1538f498a93c502a6 |
| SHA1 | 644aef1890f9c72c9aa1287b10085bf3c0471728 |
| SHA256 | 8a9a26a1eac64fcc8a9984101fe8056f81b73d8241569cf44966bb1ed341af24 |
| SHA512 | bd9f81f8f1e529bb6264ac6c8d9771c83b4b4b8f1a57ea9cf6ffd5fc0b6237f7b62440d0815d97602ee00a0890df806b8c4e7f4bc8073945d9103415b6ca4ef7 |
memory/2844-421-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2844-420-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Ekklaj32.exe
| MD5 | 18d901a496424fc5212f7d4db51e2b78 |
| SHA1 | d2ff01b854e86e3d40f0113abf82e45e0288d5be |
| SHA256 | d68a93d9b161fc278857f4634c2928c1805fff55ec28417126bdfc1d46d43b86 |
| SHA512 | e07cde7ca6c78c1b8e165fe4105e04eb40c082a8201185680fbb40abab57d4057db3c702f1ffa810b642982d2ba44499ecdc4ae5b83a1db85b76ef935c2fbc02 |
memory/2972-427-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1980-432-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2972-426-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Ebedndfa.exe
| MD5 | 61f8d2a9b181fa39390555f4fad9b4f1 |
| SHA1 | 13a32fba5042c22ee92fb98fec5b58ebb19c8b5c |
| SHA256 | c5dc221afd217ada4611f1f5238b5fe84bac13fc769a9d1bf464add179c567b0 |
| SHA512 | ea6c8217ad08ff7b1259a98c5decc75b3b946e599cf31804ec39adcd79c28d9ab56c4802ff30ccc6482fb78fa7d71d56b5c8b1169d3e1dd7cb31dc52936e57df |
memory/1980-441-0x0000000000320000-0x0000000000373000-memory.dmp
memory/1680-448-0x0000000000360000-0x00000000003B3000-memory.dmp
memory/1680-452-0x0000000000360000-0x00000000003B3000-memory.dmp
memory/1272-447-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Elmigj32.exe
| MD5 | 590585e69961d6c207e45cb99e80b3a8 |
| SHA1 | ee4720247e62efce6a227fad27ab3446247410e8 |
| SHA256 | 89983e6ab296a7674c058b15f2944519c08bbf10b330249f3744f083ed1ccc01 |
| SHA512 | 6eca726316839bce84bd16efa957e3789c78ee6c5c04b05ee3a967cc920139696dfed4055e6e32c1d9ce387898cc4c350dcfcac26567c4c33dcb0c0f76fe6be8 |
memory/1980-443-0x0000000000320000-0x0000000000373000-memory.dmp
memory/1272-458-0x0000000000290000-0x00000000002E3000-memory.dmp
memory/1620-460-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1272-459-0x0000000000290000-0x00000000002E3000-memory.dmp
C:\Windows\SysWOW64\Epieghdk.exe
| MD5 | 1dc88c1510b71fc407e008defcc52b83 |
| SHA1 | 26c7496980c7c2ad186845f40b89a758a3726848 |
| SHA256 | 23e2c7818b0d144283ed6584f3415b1996674c50312c55217cf78edcdabf5ca6 |
| SHA512 | 773e4f67ca461308d0e06aee920f6853a7e2838d763f2b47eec0677a61c45cb89d6aa250a1e39442e8a07ac6150c42854af9ab9f0831fcf266e26e759cfad4c4 |
C:\Windows\SysWOW64\Eloemi32.exe
| MD5 | 4b56d721471817d624da91a46f7456f3 |
| SHA1 | f48d69f6a03a08f9b5ac1e0056c321cd83284da8 |
| SHA256 | 6ad590fd6e792b3eee8ba0ccfc2331b4b7e7f34c6db7d9e8ad06452b2e82db55 |
| SHA512 | ce9c6e7dccc56ced83bb6e9c680f4190f13d90233d697704766056a41cbbf83f627f62c273715ed9ef1eab5510a40ad7acfd98a37bd0642873f88b70a2bdd70f |
memory/1620-469-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1620-473-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1092-470-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1092-481-0x0000000000460000-0x00000000004B3000-memory.dmp
memory/1092-480-0x0000000000460000-0x00000000004B3000-memory.dmp
C:\Windows\SysWOW64\Flabbihl.exe
| MD5 | f28b80ba389a071e440162a0f43b51d5 |
| SHA1 | 5e7f6df5631c559855553abb8e0680cf5c6f9867 |
| SHA256 | 94a9a4d6935d90353e75bcee441d22978c2806f5310aeab57eca9584a88d3c07 |
| SHA512 | 88faee45a20b205cb7fb40d7afb9f86e69e9d2336e9ff470571eb099694ca2666e7b1c7c9deca413204603e61706470257391f0a9309ee9e0198400f00f41e52 |
memory/1300-492-0x0000000000260000-0x00000000002B3000-memory.dmp
memory/1300-488-0x0000000000260000-0x00000000002B3000-memory.dmp
memory/1300-486-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ebinic32.exe
| MD5 | fddbd2466be8993485f233366f138ed8 |
| SHA1 | 0267e093e5b2bcf81f4a9447394119cb3ff4319f |
| SHA256 | af1b0656fb5f89934ca6e99c1493e716da41ded3a4f1894b680b2f9e581062b0 |
| SHA512 | ae65e2b71a4f4552abf7e55c67438a175eadadb7ca83c929415feefb3c6a57a7d57bc8ec866c533c783f8e5d25f3b53c2f0521124854792fa42c48c2acce1c34 |
C:\Windows\SysWOW64\Fnpnndgp.exe
| MD5 | cf87ff163d39600f6a2b3c7459bba4c4 |
| SHA1 | 7df075306826e22f659ebeb49973b1c780b829aa |
| SHA256 | b20b5f9cd3d1f3f67eecfc73930451a6d7a6f29f64a49b7477528db03436490c |
| SHA512 | 0211517d5250dbff04e18c264177c171bb34880ffaf865dd48dc4d57f218d7f3ea5bb9c656a159c353e6082d8e9c476c9334ee293b1dfbd08cb9b5d05691bc98 |
memory/2912-506-0x00000000002A0000-0x00000000002F3000-memory.dmp
memory/2944-505-0x0000000000400000-0x0000000000453000-memory.dmp
memory/264-511-0x00000000002F0000-0x0000000000343000-memory.dmp
C:\Windows\SysWOW64\Fhhcgj32.exe
| MD5 | a60304c69435828b12f218f84333795d |
| SHA1 | efde633d1ffd8463186acff357dad68d68fb3fe4 |
| SHA256 | 7c7a83f7ace1ff1ca6f4e7317e556dcb6308bf4df1341cb88c4dcdbfb8851512 |
| SHA512 | c4250fc04b2ce8ed82cf384441f8e0f9b94239d55c84fcbc3bdd0baff1758387d794c270944e2808576bb2d63d4cfc15d4a8d76756f3d93c200a13f4f5de1f5d |
C:\Windows\SysWOW64\Fpdhklkl.exe
| MD5 | 085fc92ea64b3109b85463fbfc72163f |
| SHA1 | cd770b9b6b98ed24ab2e94a5032f0fa00d39f488 |
| SHA256 | 1f827fa9682fb9f8c7741fe927545bab6c483cb8c33d10968a5715e428db1fe4 |
| SHA512 | 098aaf3430ea4e3d4f03555ac1de15a4ec232b73d4d2ad2d14dff3c0d123d4d054ed3fc669fd9350dbd7737252df3b1a19d294a6303ce1570501836075f32645 |
C:\Windows\SysWOW64\Fjilieka.exe
| MD5 | 18b66d03879161d8b5e3be1c3de560a1 |
| SHA1 | 4480a41b5083261d1ff4c9a31e285c995508f96c |
| SHA256 | d4734178140ab48d3669120c8ae4162e99342dee78dbd7f3fc32f7a9017886ca |
| SHA512 | e5ee0753ba4b3e26a12620a0126e5bf7e8d3d2932f38b38f83e342337dcf121bd377c03a3656be615c126bf8aa29d7159b3a2b39bcf9fbcd175b604915a975bf |
C:\Windows\SysWOW64\Facdeo32.exe
| MD5 | f5ecb065eacf2416e4b1389fa4126e2e |
| SHA1 | fbbe2cc7e75e7c4cf93f6ba5328d1d4e9167f950 |
| SHA256 | cdd1ed5090087ba6db2985d9aab83ca1986000902fdbf8dbbaa2837cd0e9907b |
| SHA512 | 69b0637e616a842e8bc5e5cdd977f9fcea96ba34d0d04478c53086292f573c8710245103a7dcd4aa20b8461ed1499451813fcbeb528cf734906662015a2be601 |
C:\Windows\SysWOW64\Fdapak32.exe
| MD5 | ebf8c777b2c763d927684c496c02b6c5 |
| SHA1 | 785c36623abd5395edd71c7b2aba2bc0c949a560 |
| SHA256 | 1ddf6349b0c9f590ac819cc3b7d3a0dcaa432d58f4de1e49cb6c72bd51617e50 |
| SHA512 | 8ce954d8effa9ad6dcae18793f292db5b4c6b194aaa0aab4fb4f1ffdff2842e221b84a6860895b3ab761e49cf5e28876639f828ffeaf1a910ff5ccc614ee9e5c |
C:\Windows\SysWOW64\Fbdqmghm.exe
| MD5 | 9579c1f20bd243a157d9bdedc85e9761 |
| SHA1 | 0fef431072a69d6d2f6e0fc8b0a70dbfff4c546c |
| SHA256 | d35a95fc40eff5fd717fecbde0ae77b2e7597948c0f04856821454bc4b6cc362 |
| SHA512 | f4e19284918acf861426b288e62018452c1f3c7ff5f9f0b80c7eacbcbcae5b866d8598d4b254c545e95362fee4f1f0b4c32093082578ad41bc1050ccda687cb3 |
C:\Windows\SysWOW64\Fioija32.exe
| MD5 | b6c16289643d7b1027fa6bd9029510d8 |
| SHA1 | ff9cf6bdd19c5373d2e0ddd1f4f84d2771a021e0 |
| SHA256 | 7935c33c83ad1de970c9adf1d3ac3d88bf159b8b9d918067250391e0678459b8 |
| SHA512 | c074c5172708253bc589749b11782a043fb45b9ecba3b09b440599ec67e3e19a0bff4fbc56014d7896392e4fd6b02920e7f5d4b78a702dd1a3c0dff3d63fc0e0 |
C:\Windows\SysWOW64\Fmjejphb.exe
| MD5 | 1b87623e44a2dbade523070a3e0ee368 |
| SHA1 | 57886827550c8d3542cb0d2e8ba64dbb54dacf45 |
| SHA256 | 851a90ae3960c739a55da5919aee081055c4a4ed913aa93ef6fb8b9eb7006456 |
| SHA512 | 1cabf939193dc1bc5d782cd6d7b59c0f4683b60cb9668b9852945da9c003bbd8b66e1a544322028dddaeb2f28fb6c288aac47a5a7627d8be4a6e3164fa122487 |
C:\Windows\SysWOW64\Fbgmbg32.exe
| MD5 | f28e96b36eb6898bb43416efee4eef68 |
| SHA1 | f070191d7e5534dc97f02d9c74f76739f34557b6 |
| SHA256 | 8390b34443ff40a9978192772a8738f9b5851c678fdeeceb3ce4d857bc42fd2d |
| SHA512 | 92a763b4eb9ab5f289e5ba4c82cec2f4425cdc09df71cb3fdde1ea3ae4e8b036dc8aeff913b7b9bda21c4dc9f1b5e3ab22ef846478edeab9cb119779df1636c5 |
C:\Windows\SysWOW64\Ffbicfoc.exe
| MD5 | 7b506c3252536da28ff3e97453f48db7 |
| SHA1 | ffda7a34c3a0f04e1376e3abfafef6cd1d6d32a3 |
| SHA256 | 588fcde651051f646bbe3107b1f9430379033d8a62ad893a6a5b111aba2cf5cc |
| SHA512 | 56c24b7a68dc85636f64619a1c945d02ab43e9900b44c50f4100ecbcab368efde0afdb1aefd35f6d6a1748f94eb6204696ea32e2aa012704499b64d82bef3bc8 |
C:\Windows\SysWOW64\Fiaeoang.exe
| MD5 | 550f58c1cf3c565af19f9d7506ed3f5a |
| SHA1 | f5eb4effbb3d4e44a2c4210e339b3720af6fec73 |
| SHA256 | b4c9c68fcd41c030f57eecaa67d34a50f308e63e9b8a14c570afd44a493a7c74 |
| SHA512 | b6b6af9bc4c07db958821027e641c64aa4f84fdbbefc3ed3808331cb5d2fdfddc2787a3a23e9004f81065c48b145f2f1eda4dced2a091b680fdb27f84291a6d3 |
C:\Windows\SysWOW64\Globlmmj.exe
| MD5 | 284468aa6c95fc7023ae35ac50cc35f6 |
| SHA1 | 37739f2b1d09ef152eafff4fc8c67f79c17e37f2 |
| SHA256 | 17b12f9b72c51ce66083f094ec54683582a1fda9d2c0f5447179572728ad0e6f |
| SHA512 | 00ccc307ae232d3bace6dd04d9ec1d6a73d0152a0f0515570edf2f44f543e84ba0eea6fef78935ddf64860cad236189cbdda2651263fe7a72cd879f47bc45ddb |
C:\Windows\SysWOW64\Gpknlk32.exe
| MD5 | 3aedf8787a29c45098e66761b94c491c |
| SHA1 | f441649f0ae5181f771882dd5ffd24a68f82d4fa |
| SHA256 | d16bd8108f5b9d0bc5556e0e8a94b27c98f4b457f151014e01c0c90f59f3fbc3 |
| SHA512 | 81d90562f89b30b62628f4ed279efa04767515267d06a97e3c099e099596806f811dc3f6c47e61148230f68ec0727effb2c9b0813de580829468f60b9cc9f2da |
C:\Windows\SysWOW64\Gegfdb32.exe
| MD5 | 03a153686e9bc7b87a0f158e6e99b931 |
| SHA1 | 7f563bb133a6d3debb6b41b82d2f6a34556998ff |
| SHA256 | bb9201f0ac14d7fb4cf1d060496d7a61fb15fade503766f4c2869abe9c62d1fc |
| SHA512 | 35ce201040a6f6b3cb53cd1675341a157e886c77e7a4c3b591e9ae96fa8d6645246f4b08d6eb4e824df88278fea0f957a0b6494fde7dd7233777d9a57d86a4c1 |
C:\Windows\SysWOW64\Gpmjak32.exe
| MD5 | 9086acd3a799c736cc95257f50266ebb |
| SHA1 | b44fceba0d246c0f997e84fad53606baddaca4a2 |
| SHA256 | 22e28b8c86b2fc520edd7082f13ec891b377930a7885c6a4f4c0b4a1a356f92e |
| SHA512 | e5b5e86d345a67666400b5bcc60b9c146da51849497bd9e0101888f305987c6c1f8cd67fefb131e47c61a3e42c8195356893539648b6e00fd7b8357116b55065 |
C:\Windows\SysWOW64\Gopkmhjk.exe
| MD5 | 4d4a52570ba584e63fc2df7f75ac5e5d |
| SHA1 | 30c035e5a7274ed2b5dce131ba84628a222d9cd4 |
| SHA256 | 3902b2d884acc0032201fcc48aaa1e606bae2af0ed1518418865d197550cded6 |
| SHA512 | d6b4507ed0acd96f71691df23b39ac135bd2f23da9a4eb296ae7d0990f2222d566694ca32a4d43d161a56d4a50b73603d7a4194a3dc7d532b73b57fd39b1bab6 |
C:\Windows\SysWOW64\Gbkgnfbd.exe
| MD5 | 7cf46207fa25a2071229fe82d0ec1de3 |
| SHA1 | f97db9a2a5919b75b516cddab80c688e61dfc8f0 |
| SHA256 | e52e2df3f9a921d5e6a23ebc6ff37b8f0f4ef68f011adde0a7ce025b70b0728a |
| SHA512 | 210933331ccb226b3e585981bc1cd76724d4f1e6d1a074df11728951f5d58ade709ebf9d672930206d80411ba118f7d8967ac2f30c16185cd74991441534367b |
C:\Windows\SysWOW64\Gangic32.exe
| MD5 | ef8e8d7466871381b6a3091009a8031d |
| SHA1 | c5479b6b1599fb74d0d64f231c3c332f4844a4ce |
| SHA256 | 712ab646c4392a542fae9ffc183c6779e9adbca55b5b555032dbc860d9d89f4c |
| SHA512 | bee745027398d520fdf429c66786826f6acb96e058236c0a20f98a0a7aebdf7aad111a321c0cac29ea6eeb1b4cf8b3630672bd3c5ff3481007b84befbda35080 |
C:\Windows\SysWOW64\Gldkfl32.exe
| MD5 | 649ac45e854491836b127dcb9c5dbf40 |
| SHA1 | ecd5c24defd23bc60af5d89cfa4caab8ae1728fb |
| SHA256 | 748b58e252934c5d0eace2e62ca59a9df78cf6df84f6919b7e9f66eeb58d5658 |
| SHA512 | 00c98753f3bd0b492e0b89b9608ebd10f86fa79440c31c4f2e2be8733c91931c33b06af02da3ab98f4396d3326bef72a5ed0a32ae2ec1e15996e780276da2cf9 |
C:\Windows\SysWOW64\Gobgcg32.exe
| MD5 | e43a26fc4fb3a01cfd1b826841882bee |
| SHA1 | 7266f7ed185e90004dd2e0c06431a0cdcd9b7bfe |
| SHA256 | 7f43255168e20c7bee88b4ea1e3dd6f0aea426581f113a96c6104398fab2f762 |
| SHA512 | 89b5036040b8ece19be606e2b1bba7a41a7b86d7a1645f68495279d6fb473937853186a72d039a339f37bc0244cfce8b5b193bc30a18b4665efa6b8e0a53f648 |
C:\Windows\SysWOW64\Gelppaof.exe
| MD5 | 83c81544053e738fe94a7d7b29c30803 |
| SHA1 | a20f1b08808536814ce99e5856158d29c814dfc8 |
| SHA256 | b727c68c5023ceb65fbb5cf5eda5ffc952a1811fd5ede8d2f8c2a156c9baafec |
| SHA512 | 5185e50ce5e2d946f84268579caae0be7e07f69eda2af5e471197938ffeeca0ca51df4dbffb0f5375e22708175c61773d776758b7bfd68d8f874a20b9f8c80ef |
C:\Windows\SysWOW64\Ghkllmoi.exe
| MD5 | 60155088d17272df0f1ab6e3f43bf3b6 |
| SHA1 | 33f98e370aaa36f0a774872b0bf27519c9924f89 |
| SHA256 | 4b4179dbf88232276571054d997010fdaf74813a0284c0c40253eebd90dd7450 |
| SHA512 | 0d0cfbe47d779158648c98e224c507eb3737231f565e6a8baa85b8e2f4fb5ee6012d90bdd764bf41f82d2a924a7b59b412a4ba27b9a34a36a7aa9a40f564208b |
C:\Windows\SysWOW64\Glfhll32.exe
| MD5 | c90ceb4563772a6c8ebfc898fbadc3e5 |
| SHA1 | b6eef129f58d29e8c7862405d4063d9599b7ac3e |
| SHA256 | 2f49f3020fcf1f3185c3a29e99496318bc879b3f94494f7484b9efebe8e33a67 |
| SHA512 | b5e93206f5fe00cc8de4b86ed5bfd624ec2c3d0bcf41ceb76982f9f4072406d9707628f62309a919cc0f422b9981dcfcac0b79c2f34ef77a61443231b96584fa |
C:\Windows\SysWOW64\Gkihhhnm.exe
| MD5 | d16df3878876a0ed2cdcd7f605758b01 |
| SHA1 | fe067719e48035890e4b09bf4d07d46ab0aa1d04 |
| SHA256 | 3ad8dbe272cd5630a578c428e4deaf21fe4962294b42402f993070e0206a5e11 |
| SHA512 | 04dd2d03ce8629cc0fe7ddb24d84ca1bd13ebcc65bf26f2397288f95c6b8087b108ef562908d9a1ff8953a93748402faab70aedef52a2cf4b486e0514bab80a8 |
C:\Windows\SysWOW64\Gacpdbej.exe
| MD5 | b3c1caaa412447089d9c9a4115b0bedb |
| SHA1 | 1373df0e8d971a09290ee8db81cd54f3257482e1 |
| SHA256 | 469307f02c05f344b435fe085dde227f1c5882464685a56b4dc13697eec5ddc4 |
| SHA512 | 1c9f06bc5539e0f8f3e9a76039546a3b2b5ac5139bd4ab36ea81c2172fba9605a90da042b11eee0c673a9c972390a0006d0c3bbc1deaf7133bc36cc45555a560 |
C:\Windows\SysWOW64\Gdamqndn.exe
| MD5 | 6af2c1abbbc01ad06a0cdbc62d8a0bf6 |
| SHA1 | 64229ad3da9783e14e5a4376283fe8d2339de26f |
| SHA256 | b0cd1e64dff2b5982e7ccc6d38d2e92d7cf33f28c9cfd122c460fedc87f274c2 |
| SHA512 | bb4b36eeb5ece607d5b39f8bf4b1f8507ef94a1a98d9ba5deead0a22c0f2be328047aa0618b7ede6ae51612ced851b8996bb9343cadf46a0e0e3256d6aa99cd3 |
C:\Windows\SysWOW64\Gkkemh32.exe
| MD5 | dfde972e39eda44dab8f1f8569885822 |
| SHA1 | a383a15807fa80d36a351c7b39fb4e565bc8fa3c |
| SHA256 | c452ad6df53da7c2c925f5055056ed3b5e7370beb163e681a364aa9a5ff6af8b |
| SHA512 | 1f18c73ff5f6c26884cfd745b3ca9e3d66b3cae79bc570d68a7b9e867d89b881af10598784c028f03b7678ba83f9d513b7a2f51aeaf1b9952a109e08afe699ca |
C:\Windows\SysWOW64\Gmjaic32.exe
| MD5 | 0a4c2be796d3004729e8606e222d2c39 |
| SHA1 | e2dd25bdf1716af7dd9136e4f2e98404471f96c4 |
| SHA256 | 0d87c580ddaa3ff9d6116c1b5d64ef96a1e928c9f92fe32154333ddafabc2b62 |
| SHA512 | 5f7fb1da82e201a99bf58f6162eb51a9224ff3c2d713349ce386018417616686f2eb036514c4bd2a5be395075e1c547ec080b8fd4d40df799c4817730f461551 |
C:\Windows\SysWOW64\Gphmeo32.exe
| MD5 | a779f6c32a261aa2ea1f4ad7aff3687b |
| SHA1 | 5863fe479c275d94e0e072a2b240b3049a64e7dc |
| SHA256 | 5bb19bc21ba0be8ca8e6be8ed2e1ea90b601cd045447be10e1ed2ddf604096f9 |
| SHA512 | e087e708087394506c1bbe72e88fe17dc00a96ef743493efe32d8a08e16f6b341752e21c86b5900180c3bf15c14b3c9125c5848a3b33d2515f666c3ef1354e1f |
C:\Windows\SysWOW64\Hiqbndpb.exe
| MD5 | 04c1a2c12586c5ac7b187e01f4b49119 |
| SHA1 | 47a25cb2a32af14c86a35db93c29c64a88aa8ed2 |
| SHA256 | 313f6b7c35b2eb829abbe2ce2e0cc910dc1acec747cdb6ccbb8b890281592e80 |
| SHA512 | 95a8c3164d24dbab7f0f55e95c58c29b5a4bc131710d13177b6a45e2ad65a0a74e3076e440991df638381d5353e01fb509c5310440addea3003e90f403526abd |
C:\Windows\SysWOW64\Hmlnoc32.exe
| MD5 | 5e962488881710450de5c9bae059f962 |
| SHA1 | c46542ff8c14a1b39767eecbf9905c3fee19bb6f |
| SHA256 | 570cdad4fd1560874e6bfffc0b7face1190c93847341dd77cce96c9d43bdd64d |
| SHA512 | 8b776848b7d7205d212ea9cde395636a004bc06ee2992aa8e10d1c57d39626da053f85da7e29cd7d073a466d2148b2688bbf48524e7ff797cda1343cc51d1f1d |
C:\Windows\SysWOW64\Hdfflm32.exe
| MD5 | a604c45620ed9c87fcc690957cbd4efa |
| SHA1 | fb880d39a685d400b24411efecfc69969efdcc4d |
| SHA256 | cdb5a4aa6f222ca7f11681c33278f3d63be4e7aaa3f57a46298cd6f024772a99 |
| SHA512 | 68f44cf056252b3d387d29b17e0688b918a66d06d5e77a9647a28e7bfe5ea14cf96e344cedc7c14dbec462b4844430fc50ac2445594d29a8b805eb0cc8ff2cb4 |
C:\Windows\SysWOW64\Hgdbhi32.exe
| MD5 | ae7d2dcc8f43631e7c56e45c4eaaae54 |
| SHA1 | e269b77403ca4e4c2ea2f9f12929568a47c01434 |
| SHA256 | 45181825ce9c9dfdd66a9a9f99af72b85ab6279f1aa9a34ac8d272c56c289d2d |
| SHA512 | b016ac853233b5b9b4de621dcc983f37fba6e78ddacfce337fe9f6534588c61ebd3a540b3e9c5e3784e40d7c7bf8d9bec9301b272d359751294bc8d1eb3a50df |
C:\Windows\SysWOW64\Hnojdcfi.exe
| MD5 | 8ecf2fe4a2bd44ddb6fa685d3e2c8463 |
| SHA1 | 660e18a15dd5deec87e0ca6869a74bfbb44f7525 |
| SHA256 | 57437d3da94300d6ba373555fcbc453ece820407d3c7763c5e6d865fdde1ab34 |
| SHA512 | 1358cae650b4aaa6ff194a7c704046985cc91d86ff461800977661f977b8dab5abf589d4ac0bd655851db1431c89251fc155a77872a32fdb80e2e3177e1c0b38 |
C:\Windows\SysWOW64\Hpmgqnfl.exe
| MD5 | f1727322838f6b9b993a8918c4a4265a |
| SHA1 | 2103d71fe815f0d77ab499f1df23ab8f6d2691a0 |
| SHA256 | 096f3f0943618da2ba5b6407dc1923f54c73f7b59b31e771e59efb5ab05b4774 |
| SHA512 | 8d6a1cde762a5b22ad54e93ce0b6aa9b62d8f928f60d38ce792dcab734485339e42b99544de119312333832693731a2f855657ea776906f5c557fd9579684816 |
C:\Windows\SysWOW64\Hdhbam32.exe
| MD5 | 7d9fb2aa95739d7676bdc270a70d1bf5 |
| SHA1 | 0bb061b3305cf13c75dd0e57e188b228509430de |
| SHA256 | 7c8681fbb28807729a5a47f2e4a7b8d6a7ba91547cbc0bc2b4513b223688e5c8 |
| SHA512 | 7b75073bd925be781674b2a5b5d9602ecc2c71bb1688fef934a188d0d0ce95fbe89405976f0ea05709ce83adeae8dfaaedaa67e604978250d27625a8a8a84824 |
C:\Windows\SysWOW64\Hejoiedd.exe
| MD5 | 010818adc9b964ab4a122de8c110da6c |
| SHA1 | a6b07aed4d559e021a671adddba3b2b55c8b059f |
| SHA256 | 425f901c6c5b76766ae75077bccb69ac3eb0313b021933208ed4584ed1b235f8 |
| SHA512 | 2ab2a2a493d77e1b0a4bed50783c73f56f643648829342336fe5047cb398d92eec4b71e751fd6ca71e31e4a6ed29720b2667ec8b18546439866373957d294dc6 |
C:\Windows\SysWOW64\Hiekid32.exe
| MD5 | 56b3a40135ae1bdcb0303fad156c0e42 |
| SHA1 | fe628cfd50140c3cf3b6c25d8f115e9a14d559c0 |
| SHA256 | 95a03c23a03d0c3a3aad46bbe31c444131a1d310496eb08287ad72d866bd6a97 |
| SHA512 | 19705df94172bf9b77c7bf9266ed9c4d1cd0b458c828765e425332233d8bfb0493e54a527604033b40c324c24434fc927661c247dcd5d4d19a847a9e75398dad |
C:\Windows\SysWOW64\Hpocfncj.exe
| MD5 | 4717e26cbfeb99da94b05e592a216597 |
| SHA1 | a815b9057a3f28c20adda7f1dadaedfa5e363061 |
| SHA256 | a1a22cbfc30a8eadddbe0a4e97998336264548926b77b365a5d3c70ac6dd5d75 |
| SHA512 | d193e08c810f92f2536fdaf03ef34826eb1c41d4c2febb8752ffa05530c2ef2f4d5d1c4ff081bceb4f47a2359598ae1b8373bb1534109a7608ece9ab8ed329fc |
C:\Windows\SysWOW64\Hgilchkf.exe
| MD5 | 8568327dadeb1f25cd52f99ebdea3968 |
| SHA1 | 83b1259c6ea5df4738a38e3e6267f920a9c70e27 |
| SHA256 | a85d398108e0587760dab9a3c441a166f02f934e89d74a3f0570845c4517cb96 |
| SHA512 | 570430b8f1abdd868fd7a70ab3df37e412cb56fbe7db1ad89d936c4b6a811dea5ca348eb9bac36739f17d8d26db239af9a1d4aeea964d661e76db81bb7667971 |
C:\Windows\SysWOW64\Hellne32.exe
| MD5 | 9641a1a9c23d07e048a4257403a209f2 |
| SHA1 | 121aeec302dc96825dc233ef6d0e5be17a13d411 |
| SHA256 | 6d99bea06d4a3f7e5b90f2ea034fba2d3737058b4b681767119333903871a261 |
| SHA512 | dbe6859df433426bc87cb59886afaa759ad0eb74613816ace19a47e92fbe4898b91f862c9ca4628b430389533c399bc7b9ae77058acc78ccddaa8628618eef87 |
C:\Windows\SysWOW64\Hlfdkoin.exe
| MD5 | 7767a21df98969edb5cab54d1b26ff61 |
| SHA1 | 9ccc4bde4c0268632bc81d7259a9bdca3d8f365e |
| SHA256 | 9fada4f6122d7cb167aa73e2a46d83746393951899bfba75a76d79e725937b31 |
| SHA512 | d3049dffa4e621a3f38611a412aba0d9830b456d3b39bf0a2ca773ba543d17f61e29a0cfe782fadfe4e9710cb27c4a7c9c047a096c368f895404595fdcb2eb1a |
C:\Windows\SysWOW64\Hcplhi32.exe
| MD5 | f17bfdab1a01c61359d659ea5baebc6c |
| SHA1 | 037a53308f3fd7768e59757e6bf151b127bfd82c |
| SHA256 | 3dfffbfe1c82c2272a339ed2563e914e40dd1236370bd1d4133dab92df9bf00e |
| SHA512 | 2322c123880ece91e4bba75980536f36cc0fe376e770525c97f4344d5e3b85c9c4d430a4e5d24e29224ae20bc52c212565b2cb3fd1e2c87c521b19873a7897f0 |
C:\Windows\SysWOW64\Hjjddchg.exe
| MD5 | 77e50d6acbba6664a7f174c0e0df7005 |
| SHA1 | c2f7821c4988be91f341f88c9020598df30b48bb |
| SHA256 | 17abcaa5b439950414e902db96676890c5bbc975d9190a080854ec3b499dfda6 |
| SHA512 | be5e52e74463c89a0888671a01cacec17d83c956fa683214d8db41860dd325cfed38afae11d2a3a1209fd8c97f9dcdecd1ce3eb1e8646b2868522e3283c6d7cd |
C:\Windows\SysWOW64\Hhmepp32.exe
| MD5 | 32b8001b799ba0af297ea02ea448bc81 |
| SHA1 | 2a5351ea54d78d7850d0b35417688f610152a212 |
| SHA256 | 125e5e740b6e01b3bfe8881a85cbe0e493e4d7687a8cc6ef9449bfbc984ba832 |
| SHA512 | 172543c987303187c86f86ce5ae1dbc5eb9a43293fec374ede422e5c04ae24c109e784bbdcd6d39267172d9088ae5484402c0f3c1ca38af7a2619de564247c48 |
C:\Windows\SysWOW64\Hkkalk32.exe
| MD5 | 8576a24a4211a12c70daa305de5b31bb |
| SHA1 | 2af36aecd651cc72ec071f50e636b18190ccf989 |
| SHA256 | 155f5ad24265d483a03220b634f9730d1e8b34d161da1a5acd18233969eadd52 |
| SHA512 | 42237feb3b80b84c17832bd19036f43d92ebfd235337cc5571f6d22b99273a76e7a882a48ec635f4bf43e32f1aa12010daa7fe4daa953ae23afab76e16dab107 |
C:\Windows\SysWOW64\Iaeiieeb.exe
| MD5 | 5396ecb1bd7b4efdad3635e39a29a9f0 |
| SHA1 | 92c1d11da5aa4c9f8f896322567359f5c243bd53 |
| SHA256 | 096562a0e8ac132cb6ae09b39ec78c4fa56540353bad5f476c97bd8894b7f62c |
| SHA512 | 1051a66df5b18f93f4ca7234eaf04f8c1df80101ae6230abeddb79214b47eb7598cf7189fa93d1480d6ee15be08509be4bd4c24da054a27a3f0d74499fb9bdb0 |
C:\Windows\SysWOW64\Idceea32.exe
| MD5 | a46a090c28770dcc515cbd36c40e1c8f |
| SHA1 | 25f8d27bd51adf425a2d66f2b1997a54500e9cd7 |
| SHA256 | 11ffb21f0472a638de3d4e11e858447da69c60fbac5a5367bb5273920a2cc328 |
| SHA512 | 0da5d0b3a8d965708ce3dbaa4a44cf1fb138ce8330034d174931e1bec9303c7fb2d020fa5221f8112125138a9d312d61b2d7f0e21e2f1d3ea64ff9304a9c2a93 |
C:\Windows\SysWOW64\Ihoafpmp.exe
| MD5 | f4937f43ec86b11d2df53cb04b9620df |
| SHA1 | 53d72be0b7a74b65f44650dbef68e9eaa0eed784 |
| SHA256 | e3aaa6fb6f580ba8dd316665712a1c98d23c1ccaebe686fe4b5aaa63cd602857 |
| SHA512 | 45f48a778aa39d90c460f2e8eb5d5cefa448eed42b7c9e58891635a8f2d2e6e8bcdd1cadd0d0d318fe9a94232c669b50def31b3947fcf04ccaf003890c325bae |
C:\Windows\SysWOW64\Ioijbj32.exe
| MD5 | 8c4e2fd3c2bfb40a90f973b4e8411fbb |
| SHA1 | be7855fea9eb41c43e6749159310cc015b45d084 |
| SHA256 | eee04f8aa735e60f87dd22ca3c640ce3e408bf2fd9cb1a647db9277f5584aa28 |
| SHA512 | 058c029802ad3cad8395529ba9c195fbc293634f8060db75904e6ee26b0e86c3ab3b20a1d05847f576d98f9ae75e33a3cb1c343a79ffd0185fffd7b16a636843 |
C:\Windows\SysWOW64\Iagfoe32.exe
| MD5 | 0602fc19c581848c514f3a32ec92d8a8 |
| SHA1 | 9c12fe0bfcf58756a0e665caeb8340a482a86708 |
| SHA256 | 24f715b4fd262b1eb1ee8d375a1a5706a54628ff489d41af769e58ee7e3c6f4a |
| SHA512 | 6ce3fa3e393b192a45f1089454136de38be5926d0df7376a384cee934a26224a8d5bdcb05a62bced360c7d2e21faca0401b456f91d0c4f7346039fd995fc62f0 |
memory/1680-1298-0x0000000000400000-0x0000000000453000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 17:02
Reported
2024-05-15 17:05
Platform
win10v2004-20240426-en
Max time kernel
129s
Max time network
98s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dcfebonm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fflaff32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ifopiajn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpccnefa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Elccfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fopldmcl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjpeepnb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Laefdf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fcgoilpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fqohnp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhcnke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fbnhphbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbenqg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ifhiib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kipabjil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lpocjdld.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Efneehef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eqciba32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mnocof32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ipqnahgf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nqiogp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dcdimopp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Domfgpca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjcclf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fmapha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fopldmcl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmqgnhmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebploj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hbeghene.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idofhfmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iinlemia.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jagqlj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mnocof32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdiklqhm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkbchk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eoapbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jpojcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejgdpg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjepaecb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jaedgjjd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lgbnmm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgghhlhq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Himcoo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hmmhjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nqmhbpba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dllmfd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gcpapkgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kagichjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kpepcedo.exe | N/A |
Gozi
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Ncldnkae.exe | C:\Windows\SysWOW64\Nqmhbpba.exe | N/A |
| File created | C:\Windows\SysWOW64\Hikfip32.exe | C:\Windows\SysWOW64\Hfljmdjc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hmmhjm32.exe | C:\Windows\SysWOW64\Hfcpncdk.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpfihl32.dll | C:\Windows\SysWOW64\Idofhfmm.exe | N/A |
| File created | C:\Windows\SysWOW64\Maaepd32.exe | C:\Windows\SysWOW64\Mjjmog32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcpebmkb.exe | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nqiogp32.exe | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fqaeco32.exe | C:\Windows\SysWOW64\Fijmbb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifhiib32.exe | C:\Windows\SysWOW64\Iakaql32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkillp32.dll | C:\Windows\SysWOW64\Ifhiib32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifjfnb32.exe | C:\Windows\SysWOW64\Ipqnahgf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckegia32.dll | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkbchk32.exe | C:\Windows\SysWOW64\Mgghhlhq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Idofhfmm.exe | C:\Windows\SysWOW64\Iiibkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjmhppqd.exe | C:\Windows\SysWOW64\Jaedgjjd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihaoimoh.dll | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpcmec32.exe | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibagcc32.exe | C:\Windows\SysWOW64\Idofhfmm.exe | N/A |
| File created | C:\Windows\SysWOW64\Npckna32.dll | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmpfpdoi.dll | C:\Windows\SysWOW64\Ijaida32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjbako32.exe | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nqfbaq32.exe | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgnnhk32.exe | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hihicplj.exe | C:\Windows\SysWOW64\Gjocgdkg.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfljmdjc.exe | C:\Windows\SysWOW64\Hcnnaikp.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbeghene.exe | C:\Windows\SysWOW64\Hadkpm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmqgnhmp.exe | C:\Windows\SysWOW64\Kgfoan32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kknafn32.exe | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fcgoilpj.exe | C:\Windows\SysWOW64\Fmmfmbhn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fqkocpod.exe | C:\Windows\SysWOW64\Fjqgff32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Himcoo32.exe | C:\Windows\SysWOW64\Hfofbd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jmbklj32.exe | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcbibebo.dll | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndbnboqb.exe | C:\Windows\SysWOW64\Nqfbaq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejgdpg32.exe | C:\Windows\SysWOW64\Ebploj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Goiojk32.exe | C:\Windows\SysWOW64\Gmkbnp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kpepcedo.exe | C:\Windows\SysWOW64\Kmgdgjek.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpocjdld.exe | C:\Windows\SysWOW64\Lmqgnhmp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ggcjqj32.dll | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| File created | C:\Windows\SysWOW64\Ggmlbfpm.dll | C:\Windows\SysWOW64\Domfgpca.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjepaecb.exe | C:\Windows\SysWOW64\Fbnhphbp.exe | N/A |
| File created | C:\Windows\SysWOW64\Impepm32.exe | C:\Windows\SysWOW64\Ijaida32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Elccfc32.exe | C:\Windows\SysWOW64\Ebnoikqb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ifopiajn.exe | C:\Windows\SysWOW64\Idacmfkj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bghhihab.dll | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dokjbp32.exe | C:\Windows\SysWOW64\Dllmfd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgekbljc.exe | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| File created | C:\Windows\SysWOW64\Mamleegg.exe | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fgpjnm32.dll | C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Dadofijl.dll | C:\Windows\SysWOW64\Gmkbnp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mnocof32.exe | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njljefql.exe | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fqohnp32.exe | C:\Windows\SysWOW64\Fjepaecb.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpojcf32.exe | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbkmec32.dll | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mamleegg.exe | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gjjjle32.exe | C:\Windows\SysWOW64\Gcpapkgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gjlfbd32.exe | C:\Windows\SysWOW64\Gbenqg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hionfema.dll | C:\Windows\SysWOW64\Haggelfd.exe | N/A |
| File created | C:\Windows\SysWOW64\Baefid32.dll | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkgmcjld.exe | C:\Windows\SysWOW64\Mcpebmkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Jehocmdp.dll | C:\Windows\SysWOW64\Dpemacql.exe | N/A |
| File created | C:\Windows\SysWOW64\Gddfpk32.dll | C:\Windows\SysWOW64\Fcikolnh.exe | N/A |
| File created | C:\Windows\SysWOW64\Kpmfddnf.exe | C:\Windows\SysWOW64\Kkpnlm32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fobiilai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kpccnefa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll" | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll" | C:\Windows\SysWOW64\Jmbklj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll" | C:\Windows\SysWOW64\Lddbqa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll" | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll" | C:\Windows\SysWOW64\Ecbenm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ffekegon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll" | C:\Windows\SysWOW64\Hadkpm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll" | C:\Windows\SysWOW64\Hippdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll" | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll" | C:\Windows\SysWOW64\Iakaql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kagichjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll" | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mncmjfmk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ejgdpg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fopldmcl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmgdgjek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ehekqe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll" | C:\Windows\SysWOW64\Ffekegon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nqiogp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll" | C:\Windows\SysWOW64\Ejgdpg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eleplc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejjqeg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fcikolnh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll" | C:\Windows\SysWOW64\Kmjqmi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mcpebmkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhcnke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbfkb32.dll" | C:\Windows\SysWOW64\Epmcab32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll" | C:\Windows\SysWOW64\Eoapbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" | C:\Windows\SysWOW64\Jjmhppqd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll" | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kdcijcke.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Laopdgcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ffekegon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll" | C:\Windows\SysWOW64\Fqkocpod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gmhfhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hfofbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ifhiib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll" | C:\Windows\SysWOW64\Ffbnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll" | C:\Windows\SysWOW64\Fcgoilpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mgghhlhq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fqkocpod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll" | C:\Windows\SysWOW64\Kmgdgjek.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll" | C:\Windows\SysWOW64\Kpepcedo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll" | C:\Windows\SysWOW64\Ebploj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ecphimfb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hmmhjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdmcidam.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Dcalgo32.exe
C:\Windows\system32\Dcalgo32.exe
C:\Windows\SysWOW64\Dhnepfpj.exe
C:\Windows\system32\Dhnepfpj.exe
C:\Windows\SysWOW64\Dpemacql.exe
C:\Windows\system32\Dpemacql.exe
C:\Windows\SysWOW64\Dcdimopp.exe
C:\Windows\system32\Dcdimopp.exe
C:\Windows\SysWOW64\Djnaji32.exe
C:\Windows\system32\Djnaji32.exe
C:\Windows\SysWOW64\Dllmfd32.exe
C:\Windows\system32\Dllmfd32.exe
C:\Windows\SysWOW64\Dokjbp32.exe
C:\Windows\system32\Dokjbp32.exe
C:\Windows\SysWOW64\Dcfebonm.exe
C:\Windows\system32\Dcfebonm.exe
C:\Windows\SysWOW64\Dfdbojmq.exe
C:\Windows\system32\Dfdbojmq.exe
C:\Windows\SysWOW64\Dhcnke32.exe
C:\Windows\system32\Dhcnke32.exe
C:\Windows\SysWOW64\Dlojkddn.exe
C:\Windows\system32\Dlojkddn.exe
C:\Windows\SysWOW64\Domfgpca.exe
C:\Windows\system32\Domfgpca.exe
C:\Windows\SysWOW64\Dakbckbe.exe
C:\Windows\system32\Dakbckbe.exe
C:\Windows\SysWOW64\Ehekqe32.exe
C:\Windows\system32\Ehekqe32.exe
C:\Windows\SysWOW64\Epmcab32.exe
C:\Windows\system32\Epmcab32.exe
C:\Windows\SysWOW64\Eoocmoao.exe
C:\Windows\system32\Eoocmoao.exe
C:\Windows\SysWOW64\Ebnoikqb.exe
C:\Windows\system32\Ebnoikqb.exe
C:\Windows\SysWOW64\Elccfc32.exe
C:\Windows\system32\Elccfc32.exe
C:\Windows\SysWOW64\Eoapbo32.exe
C:\Windows\system32\Eoapbo32.exe
C:\Windows\SysWOW64\Ebploj32.exe
C:\Windows\system32\Ebploj32.exe
C:\Windows\SysWOW64\Ejgdpg32.exe
C:\Windows\system32\Ejgdpg32.exe
C:\Windows\SysWOW64\Eleplc32.exe
C:\Windows\system32\Eleplc32.exe
C:\Windows\SysWOW64\Ecphimfb.exe
C:\Windows\system32\Ecphimfb.exe
C:\Windows\SysWOW64\Efneehef.exe
C:\Windows\system32\Efneehef.exe
C:\Windows\SysWOW64\Ejjqeg32.exe
C:\Windows\system32\Ejjqeg32.exe
C:\Windows\SysWOW64\Ehlaaddj.exe
C:\Windows\system32\Ehlaaddj.exe
C:\Windows\SysWOW64\Eqciba32.exe
C:\Windows\system32\Eqciba32.exe
C:\Windows\SysWOW64\Ecbenm32.exe
C:\Windows\system32\Ecbenm32.exe
C:\Windows\SysWOW64\Efpajh32.exe
C:\Windows\system32\Efpajh32.exe
C:\Windows\SysWOW64\Emjjgbjp.exe
C:\Windows\system32\Emjjgbjp.exe
C:\Windows\SysWOW64\Ecdbdl32.exe
C:\Windows\system32\Ecdbdl32.exe
C:\Windows\SysWOW64\Ffbnph32.exe
C:\Windows\system32\Ffbnph32.exe
C:\Windows\SysWOW64\Fjnjqfij.exe
C:\Windows\system32\Fjnjqfij.exe
C:\Windows\SysWOW64\Fmmfmbhn.exe
C:\Windows\system32\Fmmfmbhn.exe
C:\Windows\SysWOW64\Fcgoilpj.exe
C:\Windows\system32\Fcgoilpj.exe
C:\Windows\SysWOW64\Ffekegon.exe
C:\Windows\system32\Ffekegon.exe
C:\Windows\SysWOW64\Fjqgff32.exe
C:\Windows\system32\Fjqgff32.exe
C:\Windows\SysWOW64\Fqkocpod.exe
C:\Windows\system32\Fqkocpod.exe
C:\Windows\SysWOW64\Fcikolnh.exe
C:\Windows\system32\Fcikolnh.exe
C:\Windows\SysWOW64\Fbllkh32.exe
C:\Windows\system32\Fbllkh32.exe
C:\Windows\SysWOW64\Fjcclf32.exe
C:\Windows\system32\Fjcclf32.exe
C:\Windows\SysWOW64\Fmapha32.exe
C:\Windows\system32\Fmapha32.exe
C:\Windows\SysWOW64\Fopldmcl.exe
C:\Windows\system32\Fopldmcl.exe
C:\Windows\SysWOW64\Fbnhphbp.exe
C:\Windows\system32\Fbnhphbp.exe
C:\Windows\SysWOW64\Fjepaecb.exe
C:\Windows\system32\Fjepaecb.exe
C:\Windows\SysWOW64\Fqohnp32.exe
C:\Windows\system32\Fqohnp32.exe
C:\Windows\SysWOW64\Fobiilai.exe
C:\Windows\system32\Fobiilai.exe
C:\Windows\SysWOW64\Fcnejk32.exe
C:\Windows\system32\Fcnejk32.exe
C:\Windows\SysWOW64\Fflaff32.exe
C:\Windows\system32\Fflaff32.exe
C:\Windows\SysWOW64\Fijmbb32.exe
C:\Windows\system32\Fijmbb32.exe
C:\Windows\SysWOW64\Fqaeco32.exe
C:\Windows\system32\Fqaeco32.exe
C:\Windows\SysWOW64\Gcpapkgp.exe
C:\Windows\system32\Gcpapkgp.exe
C:\Windows\SysWOW64\Gjjjle32.exe
C:\Windows\system32\Gjjjle32.exe
C:\Windows\SysWOW64\Gmhfhp32.exe
C:\Windows\system32\Gmhfhp32.exe
C:\Windows\SysWOW64\Gogbdl32.exe
C:\Windows\system32\Gogbdl32.exe
C:\Windows\SysWOW64\Gbenqg32.exe
C:\Windows\system32\Gbenqg32.exe
C:\Windows\SysWOW64\Gjlfbd32.exe
C:\Windows\system32\Gjlfbd32.exe
C:\Windows\SysWOW64\Gmkbnp32.exe
C:\Windows\system32\Gmkbnp32.exe
C:\Windows\SysWOW64\Goiojk32.exe
C:\Windows\system32\Goiojk32.exe
C:\Windows\SysWOW64\Gjocgdkg.exe
C:\Windows\system32\Gjocgdkg.exe
C:\Windows\SysWOW64\Hihicplj.exe
C:\Windows\system32\Hihicplj.exe
C:\Windows\SysWOW64\Hcnnaikp.exe
C:\Windows\system32\Hcnnaikp.exe
C:\Windows\SysWOW64\Hfljmdjc.exe
C:\Windows\system32\Hfljmdjc.exe
C:\Windows\SysWOW64\Hikfip32.exe
C:\Windows\system32\Hikfip32.exe
C:\Windows\SysWOW64\Hmfbjnbp.exe
C:\Windows\system32\Hmfbjnbp.exe
C:\Windows\SysWOW64\Hpenfjad.exe
C:\Windows\system32\Hpenfjad.exe
C:\Windows\SysWOW64\Hfofbd32.exe
C:\Windows\system32\Hfofbd32.exe
C:\Windows\SysWOW64\Himcoo32.exe
C:\Windows\system32\Himcoo32.exe
C:\Windows\SysWOW64\Hadkpm32.exe
C:\Windows\system32\Hadkpm32.exe
C:\Windows\SysWOW64\Hbeghene.exe
C:\Windows\system32\Hbeghene.exe
C:\Windows\SysWOW64\Hippdo32.exe
C:\Windows\system32\Hippdo32.exe
C:\Windows\SysWOW64\Haggelfd.exe
C:\Windows\system32\Haggelfd.exe
C:\Windows\SysWOW64\Hcedaheh.exe
C:\Windows\system32\Hcedaheh.exe
C:\Windows\SysWOW64\Hfcpncdk.exe
C:\Windows\system32\Hfcpncdk.exe
C:\Windows\SysWOW64\Hmmhjm32.exe
C:\Windows\system32\Hmmhjm32.exe
C:\Windows\SysWOW64\Ipldfi32.exe
C:\Windows\system32\Ipldfi32.exe
C:\Windows\SysWOW64\Ijaida32.exe
C:\Windows\system32\Ijaida32.exe
C:\Windows\SysWOW64\Impepm32.exe
C:\Windows\system32\Impepm32.exe
C:\Windows\SysWOW64\Iakaql32.exe
C:\Windows\system32\Iakaql32.exe
C:\Windows\SysWOW64\Ifhiib32.exe
C:\Windows\system32\Ifhiib32.exe
C:\Windows\SysWOW64\Iiffen32.exe
C:\Windows\system32\Iiffen32.exe
C:\Windows\SysWOW64\Ipqnahgf.exe
C:\Windows\system32\Ipqnahgf.exe
C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
C:\Windows\SysWOW64\Idofhfmm.exe
C:\Windows\system32\Idofhfmm.exe
C:\Windows\SysWOW64\Ibagcc32.exe
C:\Windows\system32\Ibagcc32.exe
C:\Windows\SysWOW64\Iikopmkd.exe
C:\Windows\system32\Iikopmkd.exe
C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
C:\Windows\SysWOW64\Jagqlj32.exe
C:\Windows\system32\Jagqlj32.exe
C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6536 -ip 6536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/1172-0-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3208-8-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dcalgo32.exe
| MD5 | 9eb58d1744fedc487b08df783459f3a4 |
| SHA1 | 5a9eda1f229306207cb0251e78dc02bf42922f43 |
| SHA256 | 2adc8a091f174dbceea14f7844056283183f399d8bdee34b0861fba29a0f686a |
| SHA512 | e069e93f9dccf353dd3d6955fab3ba2fb78e83cb3385f6f94ad9cf1b2447d6708fb0fa9d5b6a6fbfe5a201dfb7c64d123262dd3b70b123e273bdd210dc4834ca |
memory/1172-1-0x0000000000432000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Dhnepfpj.exe
| MD5 | 8796079a441c7c6d72dbbb3fc8e280d2 |
| SHA1 | 895e277a24c475138172f8cb2cfac77fae201703 |
| SHA256 | afa34701d54616ae04b24ff98313aefd046f42c81c580cf833df90972c57590c |
| SHA512 | 38a834350be22335deaba9d28497d026bfb2d98086ca2d41a918442ee97bfb1a024078e70b52a01c393671cd205d492e73eedb68981fa75ab837378ded45eb22 |
memory/3268-22-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dpemacql.exe
| MD5 | 560e01d0fc7d7c55580a3f2738319230 |
| SHA1 | 692fc4933ecda844a162d94684e14c6dae5453eb |
| SHA256 | c03287c8083927d31dc6faff6631a692e3131470195caa9f0689978cc2967564 |
| SHA512 | a37c9bd6bb3be6f6049773c40be8391d5f4b375bf0cbc2509eac4e393038b318e8ba11cbc5cee566829fbc973c44f9ac2c25926b7d8aaf6055ba57bdb6c4b99e |
memory/3468-25-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1724-32-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dcdimopp.exe
| MD5 | bad6d54a9b568b251515547fe6261644 |
| SHA1 | be8a9b64b4425b2400e13adda61aaebf565cefc1 |
| SHA256 | c162f58039497812a9578a3d35fd398d9382cff4514ea1e1209de390d438c8ea |
| SHA512 | 31003cf08da8a134c6b06e3680dbc052b640e280b03fdc0a339eb451c88f5f7e6f5afc27da045c2b1ee8c93f76ef808c8ee5ef8984f407919e3ff6310202b625 |
C:\Windows\SysWOW64\Djnaji32.exe
| MD5 | 02d77b0fd99b7de7f782cf8dd80fc66a |
| SHA1 | 6f17070748d106e6748b8b1dd3d7d851b2a688fa |
| SHA256 | d66a697ed4c368f810a186070c16ad2660d128889c7e3bbdb107037f57d1bfb5 |
| SHA512 | 973718e57d88b2d635498c8ae8c92e2cc9fffec84d7bb08b1eaa5ba00f4930fe723cc438134e6d644592e3f835e1882051ba593fb273a3076059e6a6ed4a3dba |
C:\Windows\SysWOW64\Dllmfd32.exe
| MD5 | efe118b0724096f12ccb5ea6d1a9bee8 |
| SHA1 | 59c6abe0aaba7a62321da30af74985866e269f88 |
| SHA256 | bc4f7ace704e57a26d051b4faee776080c2b47fbbbf6f13cd43a4b8fc36bfb06 |
| SHA512 | feebcdcda1c3eba16401721ed15572e32a0a390b62ab6136162bd88174416a5945d3e5b711ab79417c5c6e7a0f1fbba5aa0e685c01720232854a4218d13fdce1 |
memory/4416-45-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3388-49-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dokjbp32.exe
| MD5 | 85195376558862a8024943d98fe1b8b5 |
| SHA1 | 2c111beb77718ff68e3fe5baf8e6ffbb1323b049 |
| SHA256 | 1a7feb687537c4bd2fb82c132285f52bb4005bb6818426f53389e88f9a916dca |
| SHA512 | 3c1704ce9431a30553d75695a12100ed96dc577cad2805d1b115d523efa1ea1e98ccbccd57c10d1132792717ec7838b51adf822387b57497b080a703279d6e48 |
C:\Windows\SysWOW64\Dcfebonm.exe
| MD5 | 461e6a1cdb20a8c043df0ed4bbca4c3f |
| SHA1 | c6b04a869f4f8b452f1b7433ffe013bdfc38278c |
| SHA256 | 20f361462199c24a2e38d53a5e274152168f8eef102bd86cb16214b6814c341a |
| SHA512 | bed6c60c719a5ded1bc2369428983f03e9dba2cb40503071523f905a2828bdbefcfba1ceeea6f7a6a40277adc51b306d3af8d7b888ecb96a8f97a3ae33e11c54 |
C:\Windows\SysWOW64\Dfdbojmq.exe
| MD5 | 5985b7099fda7a6448541821e31faef7 |
| SHA1 | a99536d9ed32d3af7172f64a044dd9dc93cd1f05 |
| SHA256 | b900b3037abeee01254b32599d69497132840258863838723045a03f2ae23bf5 |
| SHA512 | e82f6e30588c37421c5ca7334274e8101e5140174267672e2830368b7cdf5f30117bb7de59a1c444dadc6fdf25cf5376ad176a4e6c586261b13732467953dc3d |
memory/944-71-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4988-72-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dhcnke32.exe
| MD5 | 6b2addacab7344d2eb0d85a5e2e57687 |
| SHA1 | a223d2751535617569ca95e63429c04348311125 |
| SHA256 | 98d5ee2912db266b745494d07b9f607f9d1d43f0279e255312c4b60ee1f1b767 |
| SHA512 | e6ca9565c1801fada25a96e341511b21245320f072bf54288fb053f3c24922626448ba7d1f07e6465c80285c567c77a12a710470d95d98163681399aeb9b0fb4 |
memory/1828-80-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dlojkddn.exe
| MD5 | 4f6d931ac6a0fe83f405bdfcbfa44427 |
| SHA1 | 80e533f97d6bb4f2dc3e42413131ca22f9339e96 |
| SHA256 | c2bd1ae48e72364c4a322c37ce39c92472e917985deefd405b2f450a0f7131d0 |
| SHA512 | bd2d93d0287b23a61557a212eaa5ca8147d0eb60870a51b90776e27bdd872ae15ceca788b5d41b33fba8551f852a16e346be0d0038b5583694ac81741810b2bf |
memory/2008-88-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Domfgpca.exe
| MD5 | c6bea517c5ff836bd8245d6cc9aa8693 |
| SHA1 | 4c3a9e20ba25d1d034115f51d601eafd03e4402e |
| SHA256 | a21f54aa1f11b5e6bb3f3f3b2fbbe05523760bea728340e8a22c1d4c3098b3da |
| SHA512 | cf25652fec1240530daf0f5cf1574e427be6ba382baf0ddae3169a74542222d4a71f220684956ea69b14d54c7cb20911f624d2bfa2332c512f370a2360aee4c8 |
memory/2468-96-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dakbckbe.exe
| MD5 | b3360d90422e0262d4967f05c9d751ad |
| SHA1 | 7230ea947a37d838bc194303999fbed7269e5b70 |
| SHA256 | 7aabbbe12fb07d248478d2b90f6ced19c58e3d57648b74b2736f169cdb92f890 |
| SHA512 | 2426efe1cf9de77eaff465cc37e1093a5a5d0d4b6faa1ad59d57cd73f3c863dfcb1138a18fd0f70a0b78da3e96d078c282f1bef510cb01e9e15109c0a31cbea1 |
C:\Windows\SysWOW64\Ehekqe32.exe
| MD5 | 1a5f8c2344a16bcb75f009da186c51e7 |
| SHA1 | b42bd331af1eb762313687ff09741ded15949e1d |
| SHA256 | 09344762385bf3369fd76b37da6910cfe9d4c34b11a56f25c68a1483cf613859 |
| SHA512 | d6f8a3a3fb45363334428e872b082d926bfe165f87328a90f71f781b5a72262bcd305a70aaa278e11133edd0ebf43f6610af4ee828aa91f1b3b3b4c13ea5730a |
memory/2124-104-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4712-116-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1104-128-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Eoocmoao.exe
| MD5 | d551cb364fb096ddae576238e7e7b821 |
| SHA1 | 5b1f645bca1710860b082333436fc0a0f12c1295 |
| SHA256 | da77e7811d3e0a7e948b10ac7eda5478fad24f78a6448a65520242b00ac3b752 |
| SHA512 | a1d92e730b832c150a431e6e59c28714ab105b64c4d3cf18e8945f4413cdc4cecf55d62780a6a4a935f32dad61b7448a37459eb3ddd846d9d9a5e1be9df6ebd2 |
memory/2460-124-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ebnoikqb.exe
| MD5 | 156ced0520f0050171bf3d0cf694b167 |
| SHA1 | 1550dd5f6c2206f193c115d00bb05491035c08d3 |
| SHA256 | 96742b3ecc628bf1e3f2a059868c3e6e11cb7bb79f6e6c9a654f75484f2ef9c5 |
| SHA512 | 2676436746dd5727559f758e23a6d5fd8790cee28fe6a03a6c4091b129b99c0d79f7287d8b4c04e0507441a38d89459e0672e1cbea1f189ab8bc1bb51cece401 |
memory/4280-136-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Epmcab32.exe
| MD5 | d4f3711ea935b2c1d7fbb303cb5b9597 |
| SHA1 | f801d6299f909a88fcbaf6ab3422f8a4e3d1ec13 |
| SHA256 | d5cb2ecd474c4f768515e9e73843f07ba9a08befaff09cf4971cb79ad0a19e93 |
| SHA512 | 473aa91385dfbed36f1e2950b2d887007bd4fa389805f93a974644ea32d6497a712e2a3e575a9e55dec254acd981451fe25a71c28f938f53f59e7820ed812478 |
C:\Windows\SysWOW64\Elccfc32.exe
| MD5 | 1df18f095ba0443707cf2841b62aa3cf |
| SHA1 | c25b32cc9f0378c306bda9f2932ad7d12315d38f |
| SHA256 | 2bdac3bea4225ad3dcb1892618a745a12883449d133d6d77d562d074b6dac494 |
| SHA512 | 2b32b03ccbd1dc962ac48c15ca8e2284a2ff53135f3b527b96712bff2d9f12884f7aac2ee3099003a2735a311bf24fdd94e7062c769159be0d1f7cc1b2dbdc99 |
memory/3056-144-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Eoapbo32.exe
| MD5 | 44cc38deddc7ae9325d5ed7bbb5f5c18 |
| SHA1 | 02a7db6852ecb49cf0a33326d350861b61896f9f |
| SHA256 | 1d895a2a409a574d4bd6e124177ff4a217c669526d32d4ce851b4bd4016fd3fc |
| SHA512 | c177b32ecdad038e4dc4f4fed69c734cc4cda9e315bc7986e99647925ef32a7a6be97e6d04e87e5b44f853c041efa4b9a2709e4c30e750dc9956d9ea7bcebe20 |
memory/4616-152-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ebploj32.exe
| MD5 | 576dfe3a787f568ec218fb6e4ac6b2de |
| SHA1 | e455d6b59d090be03e9b085d39fbe936fed6cc68 |
| SHA256 | 1316a9a6c1fc243388d4daffca5e92d7886a0b2631bb53421b60eb6b9f85d719 |
| SHA512 | bb911909e24e469a5881bba199a97e7da47400951e7e532f3527aa5f68e459e7ba9708287471221a0204fc7288f3dd2ff0c77b5609dbe39348bbfc2bb3923846 |
C:\Windows\SysWOW64\Ejgdpg32.exe
| MD5 | 69d1e732e53ce26c4ab3055f319e64ae |
| SHA1 | 0fca6f3d479b245aa0064bd1005f446d371db1f1 |
| SHA256 | cbba0d7e1a769ae2d446e987ad7632bd8e56273d0e43a66e0c58f4df6a3d310b |
| SHA512 | 18f05dee3f0fc9352e8cea9051171ac718a4983d22384807dea84e8ca62ba3b663e587c6b488f3fcb1dae8df0d7507a01c85e7f2cbfb6d4ad977d81898ecc78b |
memory/1468-168-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Eleplc32.exe
| MD5 | 30f63e61381d8de2bbc9f5bd72cf1227 |
| SHA1 | d44983e0ceb4332905f8be45e797e4f1ae2dc91f |
| SHA256 | a64bad08fc6a7688fb507fbad68257ea56045237b0548a9879b5897615631b23 |
| SHA512 | 564a718d29e01185d27174524e760e9f29ddad43e9d82bb09f3661d49eb690b46d5bac5bda6eb58e9f3250ba742a6bc96e6a1eb9ed5c57bbf87c3292b9e1ec07 |
memory/3152-176-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ecphimfb.exe
| MD5 | 1a83c39a0f35bfc875e312856338b879 |
| SHA1 | 9a90bc417ff03ec27a2efec0ff46e133ed4f9226 |
| SHA256 | 0372347324c548fc479951fd545ff89d031ec52df4d850a568b2ee654095d059 |
| SHA512 | 942e57725735e9a8bc6435a9bf2064a254e74a67c6a76bf63caab34642c7795eb587ffd119e1aa985eddbdad4cbb6c324621fdd5926e808f2a029d8407865bb1 |
C:\Windows\SysWOW64\Efneehef.exe
| MD5 | ae05d32f9a0663334ab815ff2f065f17 |
| SHA1 | e73f45aac435b5a5ece2b45ce06425f4bd990656 |
| SHA256 | 532b1f4a7e0137dea54c25fc32ac9d98efb05cfe284aedf20e4194877a5e0537 |
| SHA512 | 13e369ca7b11c2d0e71e042bff96259c55df0d05215f23bfa3c555083943b09cf446a9b10bee4d55d70c3b53b9cc2386e3983225af9ab526682cf17ce8608702 |
C:\Windows\SysWOW64\Ejjqeg32.exe
| MD5 | aa2fb84e7980c7cfab15fa7fbe0e82fd |
| SHA1 | 0bd9617560e43877d77ffb688119cfccffc9a3ad |
| SHA256 | 8b7e0ccc7fe90ded0a59c13dd26c7f3e22835233a70ab86f0e87f584b04344e8 |
| SHA512 | 31c3fc364179e1db6fa24aa81567f8b366c3468799a7756c3f1100e589452449e1d5981e066cff212ece904cafdfda68d1e818dc45c67d5298da1dd8940f0795 |
C:\Windows\SysWOW64\Ehlaaddj.exe
| MD5 | 527493022680492a806fee69dea278e6 |
| SHA1 | 87bced2401ca1848e7b36b31fcd416df3418710b |
| SHA256 | fe430e2a3300a36ad615c67024fb370747176d2beca3d324413165ef802a5d47 |
| SHA512 | 975594d03660bd98b96654f366d16442b23be382d62db3ac7988e09e80783e30eb58bf30459ec0f481df1282d01954b6d3f3381ad69baf9cafb6a9e6192abc47 |
memory/4268-200-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2060-192-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Eqciba32.exe
| MD5 | d03ebfc841c792f03cea9daa9c7c0ac0 |
| SHA1 | 408280fd5cbb08ecb45965627a93ce410f3203be |
| SHA256 | 436c747f7d9825a62306fc8d24e61e5eece91104f9355f374923a2bd8e032279 |
| SHA512 | 907801120fa546af3fce24d6ae82ec820952d2a993ce71ce6a20d38e4fcb646d3f9b9f948ebfa6d80446046b6d6decd161ef3cda121a500ac3f2892f3fec74a7 |
C:\Windows\SysWOW64\Ecbenm32.exe
| MD5 | 8cfe4e54f5c2523b09d216bc14d9997f |
| SHA1 | 3b672f6190c359ea54a8b0d4dcf9be6f4d0934fd |
| SHA256 | 1f92a97ae6314e21fe6b6f18cba62a602f4c921cdb2ad7a4d76db5fa3d28e970 |
| SHA512 | 41c2b8c4ea87707ea3aad13085e952bea8e2f9f6d232e3240bf83f0e34a9708d2e1186e6d8393d73742cb7afb7a93e6cc44e6b079c6f3ba79ff8d056c791b1ca |
memory/5072-216-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Efpajh32.exe
| MD5 | 044fe22cbdbae6834ecab5e7e65d54dd |
| SHA1 | a6173920a58c4807b956034bc40eebe91c8a36cf |
| SHA256 | 15d40ad754d6b5db66e12b3775644c6fd75b95bf6dab7cbde7cee5ba077e0237 |
| SHA512 | 7d9dc50971cdc88986e0921991d5a133a5e4efe56b440a3d28034d9ed26c247d3d8285db062e450e1aea3ddd365907dcc766860e216b1e99867ed3ddafdf4639 |
memory/3920-232-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2880-224-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Emjjgbjp.exe
| MD5 | 13f5c0e3c298484c14c02c10f2127159 |
| SHA1 | b6dcc3ada8218d350ccd777d4114d94085f974d6 |
| SHA256 | 2560be26adb89244a69e6585c9600908c16e540ff9fc988df9b6308bfabf04d1 |
| SHA512 | 89cd20cad9b1a19acc19cdacdf9fe8ca7ceb040249f237891d087bc080ce0e541664eef721e840fbb8976e3f362b29ded2f5b21c31527975aa4414d9a14d9202 |
memory/2972-211-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2712-188-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ffbnph32.exe
| MD5 | cf3a94e696767deba894565a5449d89b |
| SHA1 | f81be50415b24b86766d73733225c9e281f1a488 |
| SHA256 | e2a30dab9859cbc34ff1e1861140bad00b59234ea7f0eab6bb080603ccdf8217 |
| SHA512 | d3c68ec14666af6baf947f2e8d5875ae29e538398c953d1928f1773cebc0de744f86e0642c84a3c6ffb9642352bda5c86a31c72a97ccf2a0a69482c83d2a5fcb |
C:\Windows\SysWOW64\Fjnjqfij.exe
| MD5 | 37026e54d63d3b82307e351a88a26303 |
| SHA1 | 18e13c48eff724dfb216aa4d8d2b8d7ac2ccf0fb |
| SHA256 | 59667574ac063c30d17a86bc48e029a08df2c25c7f771e817e4cafd929bbbe96 |
| SHA512 | d107c3ad30a4f17247208ec7878f154d0fce6c75a96fb5d164008d969bcfab2cce7dabd3096328c4eeada74358d7c42d495e126476573a2aad7b5c184b27a9c3 |
memory/1552-256-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3740-262-0x0000000000400000-0x0000000000453000-memory.dmp
memory/632-252-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ecdbdl32.exe
| MD5 | 335f53bd0677b7a674bdfb0904cd6f54 |
| SHA1 | e271cdf2ef8d9a9955c08456356768581cb5b5fc |
| SHA256 | d2fd7d9ae39503e7fe263cb269057f77e8c5b0ea78a42a95c06dff201aeeff2d |
| SHA512 | 62c6157ff4e1df93d02ece2f4428123cf005b5dc3a5a1e4e9e1095810516cb54c0069672cde8069551f9df310dff2f0d1582f835605c3061789322372a9a43fa |
memory/3528-268-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4784-244-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1080-160-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1160-274-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2076-285-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4060-300-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4108-302-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1812-308-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1864-314-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3956-320-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4948-326-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2820-340-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4996-349-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2348-348-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2780-360-0x0000000000400000-0x0000000000453000-memory.dmp
memory/664-366-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3320-371-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4400-383-0x0000000000400000-0x0000000000453000-memory.dmp
memory/540-389-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3168-400-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4376-404-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1808-411-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3732-413-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4528-419-0x0000000000400000-0x0000000000453000-memory.dmp
memory/452-429-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4432-431-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4680-437-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3860-443-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3228-449-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3536-455-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2496-461-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3508-472-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2540-478-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4232-488-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2308-495-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Hfcpncdk.exe
| MD5 | 60014c0d93cdeb3035fe1a3bb837d494 |
| SHA1 | 12f94fad7420eac32d189bd354dfd4cd45f414c2 |
| SHA256 | 1c7890be197776f7885b79a003f7202c7e5b6919d485dff7b00fdee64c086811 |
| SHA512 | 51f5f970ecd1c925454e22b146b4e7cd80d1fd1a8df146466e22c9d94f312e4a3757b0a3a008a1fdbb2873a88709859f1d6a83e3ea36d20816ee15edf6323ee1 |
memory/2512-501-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3972-511-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4608-513-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1076-529-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1172-530-0x0000000000400000-0x0000000000453000-memory.dmp
memory/216-531-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3120-537-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4292-549-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3208-548-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ifjfnb32.exe
| MD5 | 73d12b0f170a2cdfe1ef0829f8a3fc4a |
| SHA1 | da4f0eb26820676cf2aa56cbdabbfd40f4da3fa9 |
| SHA256 | 08ba654f19cab20356f79b5f91d0db31c7a4a452ce422875f56b789eacc35b8c |
| SHA512 | e2efbfdba7db5f3eb30009968dcb15a6108a816ebc898b6d2a1953d0e046a426a97e6bff24ceb92445dc33b58604765643cc881515116ed2405b80c79ba57881 |
memory/3268-555-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3728-562-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3468-561-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1724-572-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5016-575-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4416-574-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3388-581-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4628-582-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2096-592-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4988-595-0x0000000000400000-0x0000000000453000-memory.dmp
memory/944-594-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1828-601-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2948-602-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2008-608-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3480-609-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2468-617-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5172-622-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2124-621-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4712-632-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2460-634-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jaimbj32.exe
| MD5 | 44008ab0e6a67c75399ba09987e24b45 |
| SHA1 | 79c8825fa6775a5e07018cbaafe4004124b571d3 |
| SHA256 | dc41881702270acd0bdb0c86694fc15b3acaa8e5f9a2afc6e439bf2890d25f7b |
| SHA512 | aa07d6d817dde45694d509b5a2979a95670fab146b1be34658eb4eb25ca2330d811c790ab4028c9ca90d1a80c6d75a8dc3b14e2d086a7181691724ca8894ea06 |
C:\Windows\SysWOW64\Jjbako32.exe
| MD5 | 111801429e4083f7eb9a03278ebd9d17 |
| SHA1 | 01119b1484ee52bdda5e425bfb8869d485f0f29b |
| SHA256 | 95391061247559574ef17d87a0732f277572d307b3a513b87beede67da6f7e29 |
| SHA512 | 2aa59baab918c8b56570e027f5ce8f1bc6d6182cf09858195da238c42b1cafec785e13421372fd5cd4468e85a8ad6ff96e26bbd07a4a85c38007ec0995eb7308 |
C:\Windows\SysWOW64\Kkihknfg.exe
| MD5 | 17beb33a76b7d2517ec2677971c3972d |
| SHA1 | fcc11a538bad66dedcfff41c95df61308e2b12fa |
| SHA256 | 8b40fa0418390b2d60a9f8ed59f971747387de4cf7989dd5d39c5559b029a8d9 |
| SHA512 | 283afd694b926da437b3fd1799eb6ace3458fcf1269d5c0e2d5ea3ae3b651ed3cc1397e21e8cd9a80476912c5245c0cb7f608475ba35bdc03e3ecccf3f0d11a0 |
C:\Windows\SysWOW64\Kcifkp32.exe
| MD5 | e9d6e9e42093e79ddb4311b08b303cb5 |
| SHA1 | 97cea7a03fda533cc70bd7610c6a1f5fe5c62e56 |
| SHA256 | 52839c8b21f0809db4e01eeced4540c0cc2f3bbc5423c29d6e8b474d52a6a312 |
| SHA512 | 737052dc3bddd16bfb3f00211f3862d47712edbf1cfb047e577f524817eb0e2757ef86b5939837156a8a933c66cc4cf2e80e4681183c74184874378600a832f4 |
C:\Windows\SysWOW64\Kpmfddnf.exe
| MD5 | ab924f00831e57dcb9b5218f4f04669c |
| SHA1 | cbf08c74a8f32e08cfc2887e7f27991f655ab54e |
| SHA256 | ff0088993280c857e01fcab87c44c84126ef1b649ee4e0cb62258a22b6c541c2 |
| SHA512 | f6d86b1b1d29e3af2f11e8306aeddade1f36274f5cfce22157aecf474ee7a6ac952811460a537daa45702ddd4cead64994a2f22176ae052dd1aa1444399d530b |
C:\Windows\SysWOW64\Lcmofolg.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Ldmlpbbj.exe
| MD5 | deac51cd76f6d09533e2606f76b3f368 |
| SHA1 | e9fbb6f949a9cb895b721fd33a20381ff884a774 |
| SHA256 | 6d14436a94c18c21fd2b6c0cb8fc2dad0c12b17b6de17950e5d72ec88d7b722e |
| SHA512 | aac25e04742ffdcb050a8c68001825fda4122751a3dc6f0d69b889eab12ed7708c215eb2acd8d3439660bfa497daee13ce5aca13e85c71b9971c455f6e370f0c |
C:\Windows\SysWOW64\Lcbiao32.exe
| MD5 | 26a611de47eebaddc892ec95d2b87194 |
| SHA1 | 2b05b57d34c0e7389b270659f19280adda37e32d |
| SHA256 | 5bed1ab64d7e364fe2786199157d96f9f63f5b412ed096fed73e464502bf0d01 |
| SHA512 | 56f274e3b0b7d06684da0760fa4e0e59b05b7f520129246745bfdd45cbfabbe66449b8e5b91677c829de760b627f5777d4edab20481b76bf7d8f2b4a1ad6e2ea |
C:\Windows\SysWOW64\Ljnnch32.exe
| MD5 | 40c946b3e88363c3f565b569f8ef9bb0 |
| SHA1 | 221afd00de96e6e3b3f060120cd93caf46aed557 |
| SHA256 | 940d4a30a6b58b54a22a44e8e264e1cb13d4dd7e2c13589eba539a4f2b165972 |
| SHA512 | 058c2ef8d56d84ea32ade8b15657d716c378c49302d6605cddef690ffbfb871958d60bcf11a2b97db66ba3f3f65693feff121a84679c25abd14517d299555c8d |
C:\Windows\SysWOW64\Mcpebmkb.exe
| MD5 | 7c60c15d957c121958453d85f89abaeb |
| SHA1 | d4a0f040a2e7cfc06c3c322973fea7a97e511e0b |
| SHA256 | 114b90aa02c54ca9c5043367538ee1029616b16a82adc3149c0ea8fd98f99d5a |
| SHA512 | a212fae594127d2a02ed9d20c40a7e1d09cd9f8b8a8fc33263b1730ffd2f18b652b9262daa5e631a627d448422bdb1a0b87870410d45f6f27a632291a6d416ce |
C:\Windows\SysWOW64\Nklfoi32.exe
| MD5 | d8daba75deaf20311cc792336a148e45 |
| SHA1 | 81e6649ff71be92bf13849110bd82fa6658d71af |
| SHA256 | 8e402c51b8cb6f5ed5082fc45e5da18087dd8e14c2d49f2dc9389ccb5aa87879 |
| SHA512 | baea3ca24a6b058c87ac90d416d5b78c43dbbf7a9f83effaba7acb64e6c15ea10bdfda8a111d479b3b6c6e2b3e73a9daa7bc81c89637adbd4041cb47ee6f61cc |
C:\Windows\SysWOW64\Nkncdifl.exe
| MD5 | 9c3b22a84ba684cb8f6cdfb193da0f3d |
| SHA1 | be8ad3d7ccdfc2659a84bd4468b32394a7d4c630 |
| SHA256 | 4e8173619cab022f808874880a2b741348699eb3a06b4d7a437b642001acdbd5 |
| SHA512 | a142c764203c51203a1196be43c56c7bff80c652363fb9438edecac192759aef7b6f9f449dabd039fd2accd35facc94acf5c1cb5bebb811c6b5aef6b2b990d7d |
C:\Windows\SysWOW64\Ncihikcg.exe
| MD5 | 36b4dac4bf7531b4e36c21169957b0b8 |
| SHA1 | 0517418b64e1d5defd03a8d67daa1d6a4005f18c |
| SHA256 | b8a64dc55c676e92b82d452e7c28f8ae0e12f5c25b95f0ed4f806778c5c5337f |
| SHA512 | 085ccc086f8749384dbfd9f872df894184f1b93ab3674d829a81852477b41d1a32cec838ccad88dfb564d735be4952c0bcf5fb1156e83c4102fe00c35ef31338 |
memory/6944-1202-0x0000000000400000-0x0000000000453000-memory.dmp
memory/6752-1215-0x0000000000400000-0x0000000000453000-memory.dmp
memory/6616-1220-0x0000000000400000-0x0000000000453000-memory.dmp
memory/6712-1216-0x0000000000400000-0x0000000000453000-memory.dmp
memory/6396-1212-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5168-1260-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5192-1276-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5980-1314-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5940-1315-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5720-1326-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3888-1368-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2832-1376-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4608-1386-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2820-1445-0x0000000000400000-0x0000000000453000-memory.dmp