Malware Analysis Report

2024-10-16 02:34

Sample ID 240519-jtxdlahf2t
Target a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe
SHA256 a5a99920ec4f446e758b8304497290cb0ce666b9464fad9d622584f0d7553e8e
Tags
persistence gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5a99920ec4f446e758b8304497290cb0ce666b9464fad9d622584f0d7553e8e

Threat Level: Known bad

The file a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence gozi banker isfb trojan

Adds autorun key to be loaded by Explorer.exe on startup

Gozi

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 07:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 07:58

Reported

2024-05-19 08:00

Platform

win7-20240508-en

Max time kernel

147s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqlafm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fdapak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dqjepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgbdhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apomfh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfinoq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eihfjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhcdaibd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cphlljge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epieghdk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfinoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gejcjbah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajdadamj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdakgibq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Efppoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gegfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adhlaggp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ailkjmpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bingpmnl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baqbenep.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqjepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnippoha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egamfkdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fckjalhj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbdocc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbdocc32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Qnigda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Adhlaggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiedjneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdadamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambmpmln.exe N/A
N/A N/A C:\Windows\SysWOW64\Aenbdoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ailkjmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Baqbenep.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckjalhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcmgfkeg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnigda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnigda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Adhlaggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Adhlaggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiedjneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiedjneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdadamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdadamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambmpmln.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambmpmln.exe N/A
N/A N/A C:\Windows\SysWOW64\Aenbdoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Aenbdoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ailkjmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ailkjmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Baqbenep.exe N/A
N/A N/A C:\Windows\SysWOW64\Baqbenep.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Dhggeddb.dll C:\Windows\SysWOW64\Fjilieka.exe N/A
File created C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Fdapak32.exe N/A
File created C:\Windows\SysWOW64\Hpqpdnop.dll C:\Windows\SysWOW64\Fmlapp32.exe N/A
File created C:\Windows\SysWOW64\Febhomkh.dll C:\Windows\SysWOW64\Gkihhhnm.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdamqndn.exe C:\Windows\SysWOW64\Gacpdbej.exe N/A
File opened for modification C:\Windows\SysWOW64\Gogangdc.exe C:\Windows\SysWOW64\Ghmiam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File opened for modification C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Cnippoha.exe N/A
File created C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Emhlfmgj.exe N/A
File created C:\Windows\SysWOW64\Fckjalhj.exe C:\Windows\SysWOW64\Ealnephf.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fjlhneio.exe N/A
File created C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Fphafl32.exe N/A
File created C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hckcmjep.exe N/A
File created C:\Windows\SysWOW64\Nokeef32.dll C:\Windows\SysWOW64\Hnagjbdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Baqbenep.exe C:\Windows\SysWOW64\Bgknheej.exe N/A
File created C:\Windows\SysWOW64\Pnbgan32.dll C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File created C:\Windows\SysWOW64\Alogkm32.dll C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Hecjkifm.dll C:\Windows\SysWOW64\Dkmmhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dqjepm32.exe N/A
File created C:\Windows\SysWOW64\Fnpnndgp.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Gbkgnfbd.exe C:\Windows\SysWOW64\Gpmjak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File created C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Cfinoq32.exe N/A
File created C:\Windows\SysWOW64\Enkece32.exe C:\Windows\SysWOW64\Epieghdk.exe N/A
File opened for modification C:\Windows\SysWOW64\Fcmgfkeg.exe C:\Windows\SysWOW64\Faokjpfd.exe N/A
File created C:\Windows\SysWOW64\Jkamkfgh.dll C:\Windows\SysWOW64\Filldb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Gddifnbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File created C:\Windows\SysWOW64\Cibgai32.dll C:\Windows\SysWOW64\Aenbdoii.exe N/A
File opened for modification C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Cfinoq32.exe N/A
File created C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gbnccfpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bpafkknm.exe N/A
File created C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Eflgccbp.exe N/A
File created C:\Windows\SysWOW64\Kgcampld.dll C:\Windows\SysWOW64\Eeqdep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fdapak32.exe C:\Windows\SysWOW64\Facdeo32.exe N/A
File created C:\Windows\SysWOW64\Njmekj32.dll C:\Windows\SysWOW64\Hgbebiao.exe N/A
File created C:\Windows\SysWOW64\Nfmjcmjd.dll C:\Windows\SysWOW64\Hogmmjfo.exe N/A
File created C:\Windows\SysWOW64\Fgdqfpma.dll C:\Windows\SysWOW64\Cnippoha.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fckjalhj.exe N/A
File created C:\Windows\SysWOW64\Jmloladn.dll C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Fdapak32.exe C:\Windows\SysWOW64\Facdeo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjjddchg.exe C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Ambcae32.dll C:\Windows\SysWOW64\Eloemi32.exe N/A
File created C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Aenbdoii.exe N/A
File created C:\Windows\SysWOW64\Ognnoaka.dll C:\Windows\SysWOW64\Ckignd32.exe N/A
File created C:\Windows\SysWOW64\Bnpmlfkm.dll C:\Windows\SysWOW64\Eiomkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Ennaieib.exe N/A
File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hlakpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Qnigda32.exe C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Fbdqmghm.exe N/A
File created C:\Windows\SysWOW64\Fbgmbg32.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Hogmmjfo.exe C:\Windows\SysWOW64\Hlhaqogk.exe N/A
File created C:\Windows\SysWOW64\Oockje32.dll C:\Windows\SysWOW64\Cciemedf.exe N/A
File opened for modification C:\Windows\SysWOW64\Cndbcc32.exe C:\Windows\SysWOW64\Cobbhfhg.exe N/A
File created C:\Windows\SysWOW64\Fjilieka.exe C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File created C:\Windows\SysWOW64\Jondlhmp.dll C:\Windows\SysWOW64\Gacpdbej.exe N/A
File created C:\Windows\SysWOW64\Moealbej.dll C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hacmcfge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egamfkdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ealnephf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnigda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ailkjmpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahdmkl.dll" C:\Windows\SysWOW64\Bgknheej.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfinoq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gejcjbah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baqbenep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dngoibmo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" C:\Windows\SysWOW64\Cfinoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll" C:\Windows\SysWOW64\Fmlapp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bingpmnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkodhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" C:\Windows\SysWOW64\Ckignd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dngoibmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enihne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Filldb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnpmipql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdjefj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll" C:\Windows\SysWOW64\Dgmglh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckignd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjgoce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgknheej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" C:\Windows\SysWOW64\Cciemedf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll" C:\Windows\SysWOW64\Djbiicon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gldkfl32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Qnigda32.exe
PID 1520 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Qnigda32.exe
PID 1520 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Qnigda32.exe
PID 1520 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Qnigda32.exe
PID 2340 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Qnigda32.exe C:\Windows\SysWOW64\Afdlhchf.exe
PID 2340 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Qnigda32.exe C:\Windows\SysWOW64\Afdlhchf.exe
PID 2340 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Qnigda32.exe C:\Windows\SysWOW64\Afdlhchf.exe
PID 2340 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Qnigda32.exe C:\Windows\SysWOW64\Afdlhchf.exe
PID 1600 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Afdlhchf.exe C:\Windows\SysWOW64\Adhlaggp.exe
PID 1600 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Afdlhchf.exe C:\Windows\SysWOW64\Adhlaggp.exe
PID 1600 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Afdlhchf.exe C:\Windows\SysWOW64\Adhlaggp.exe
PID 1600 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Afdlhchf.exe C:\Windows\SysWOW64\Adhlaggp.exe
PID 2608 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Adhlaggp.exe C:\Windows\SysWOW64\Aiedjneg.exe
PID 2608 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Adhlaggp.exe C:\Windows\SysWOW64\Aiedjneg.exe
PID 2608 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Adhlaggp.exe C:\Windows\SysWOW64\Aiedjneg.exe
PID 2608 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Adhlaggp.exe C:\Windows\SysWOW64\Aiedjneg.exe
PID 2780 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Apomfh32.exe
PID 2780 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Apomfh32.exe
PID 2780 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Apomfh32.exe
PID 2780 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Apomfh32.exe
PID 3068 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Ajdadamj.exe
PID 3068 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Ajdadamj.exe
PID 3068 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Ajdadamj.exe
PID 3068 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Ajdadamj.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Ambmpmln.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Ambmpmln.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Ambmpmln.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Ambmpmln.exe
PID 2516 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Ambmpmln.exe C:\Windows\SysWOW64\Aenbdoii.exe
PID 2516 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Ambmpmln.exe C:\Windows\SysWOW64\Aenbdoii.exe
PID 2516 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Ambmpmln.exe C:\Windows\SysWOW64\Aenbdoii.exe
PID 2516 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Ambmpmln.exe C:\Windows\SysWOW64\Aenbdoii.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Aenbdoii.exe C:\Windows\SysWOW64\Aoffmd32.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Aenbdoii.exe C:\Windows\SysWOW64\Aoffmd32.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Aenbdoii.exe C:\Windows\SysWOW64\Aoffmd32.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Aenbdoii.exe C:\Windows\SysWOW64\Aoffmd32.exe
PID 1824 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Ailkjmpo.exe
PID 1824 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Ailkjmpo.exe
PID 1824 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Ailkjmpo.exe
PID 1824 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Ailkjmpo.exe
PID 1940 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Ailkjmpo.exe C:\Windows\SysWOW64\Bbdocc32.exe
PID 1940 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Ailkjmpo.exe C:\Windows\SysWOW64\Bbdocc32.exe
PID 1940 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Ailkjmpo.exe C:\Windows\SysWOW64\Bbdocc32.exe
PID 1940 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Ailkjmpo.exe C:\Windows\SysWOW64\Bbdocc32.exe
PID 1048 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 1048 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 1048 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 1048 wrote to memory of 1860 N/A C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 1860 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 1860 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 1860 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 1860 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 2948 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 2948 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 2948 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 2948 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 2256 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2256 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2256 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2256 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2440 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2440 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2440 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2440 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bdjefj32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Qnigda32.exe

C:\Windows\system32\Qnigda32.exe

C:\Windows\SysWOW64\Afdlhchf.exe

C:\Windows\system32\Afdlhchf.exe

C:\Windows\SysWOW64\Adhlaggp.exe

C:\Windows\system32\Adhlaggp.exe

C:\Windows\SysWOW64\Aiedjneg.exe

C:\Windows\system32\Aiedjneg.exe

C:\Windows\SysWOW64\Apomfh32.exe

C:\Windows\system32\Apomfh32.exe

C:\Windows\SysWOW64\Ajdadamj.exe

C:\Windows\system32\Ajdadamj.exe

C:\Windows\SysWOW64\Ambmpmln.exe

C:\Windows\system32\Ambmpmln.exe

C:\Windows\SysWOW64\Aenbdoii.exe

C:\Windows\system32\Aenbdoii.exe

C:\Windows\SysWOW64\Aoffmd32.exe

C:\Windows\system32\Aoffmd32.exe

C:\Windows\SysWOW64\Ailkjmpo.exe

C:\Windows\system32\Ailkjmpo.exe

C:\Windows\SysWOW64\Bbdocc32.exe

C:\Windows\system32\Bbdocc32.exe

C:\Windows\SysWOW64\Bingpmnl.exe

C:\Windows\system32\Bingpmnl.exe

C:\Windows\SysWOW64\Bkodhe32.exe

C:\Windows\system32\Bkodhe32.exe

C:\Windows\SysWOW64\Bhcdaibd.exe

C:\Windows\system32\Bhcdaibd.exe

C:\Windows\SysWOW64\Bnpmipql.exe

C:\Windows\system32\Bnpmipql.exe

C:\Windows\SysWOW64\Bdjefj32.exe

C:\Windows\system32\Bdjefj32.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bgknheej.exe

C:\Windows\system32\Bgknheej.exe

C:\Windows\SysWOW64\Baqbenep.exe

C:\Windows\system32\Baqbenep.exe

C:\Windows\SysWOW64\Ckignd32.exe

C:\Windows\system32\Ckignd32.exe

C:\Windows\SysWOW64\Cljcelan.exe

C:\Windows\system32\Cljcelan.exe

C:\Windows\SysWOW64\Cdakgibq.exe

C:\Windows\system32\Cdakgibq.exe

C:\Windows\SysWOW64\Cnippoha.exe

C:\Windows\system32\Cnippoha.exe

C:\Windows\SysWOW64\Cphlljge.exe

C:\Windows\system32\Cphlljge.exe

C:\Windows\SysWOW64\Cgbdhd32.exe

C:\Windows\system32\Cgbdhd32.exe

C:\Windows\SysWOW64\Cciemedf.exe

C:\Windows\system32\Cciemedf.exe

C:\Windows\SysWOW64\Claifkkf.exe

C:\Windows\system32\Claifkkf.exe

C:\Windows\SysWOW64\Ckdjbh32.exe

C:\Windows\system32\Ckdjbh32.exe

C:\Windows\SysWOW64\Cfinoq32.exe

C:\Windows\system32\Cfinoq32.exe

C:\Windows\SysWOW64\Cobbhfhg.exe

C:\Windows\system32\Cobbhfhg.exe

C:\Windows\SysWOW64\Cndbcc32.exe

C:\Windows\system32\Cndbcc32.exe

C:\Windows\SysWOW64\Dgmglh32.exe

C:\Windows\system32\Dgmglh32.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dhmcfkme.exe

C:\Windows\system32\Dhmcfkme.exe

C:\Windows\SysWOW64\Dcfdgiid.exe

C:\Windows\system32\Dcfdgiid.exe

C:\Windows\SysWOW64\Dkmmhf32.exe

C:\Windows\system32\Dkmmhf32.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Dqjepm32.exe

C:\Windows\system32\Dqjepm32.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Dqlafm32.exe

C:\Windows\system32\Dqlafm32.exe

C:\Windows\SysWOW64\Dgfjbgmh.exe

C:\Windows\system32\Dgfjbgmh.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Ebbgid32.exe

C:\Windows\system32\Ebbgid32.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Efppoc32.exe

C:\Windows\system32\Efppoc32.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Fckjalhj.exe

C:\Windows\system32\Fckjalhj.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Fcmgfkeg.exe

C:\Windows\system32\Fcmgfkeg.exe

C:\Windows\SysWOW64\Fjgoce32.exe

C:\Windows\system32\Fjgoce32.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Fphafl32.exe

C:\Windows\system32\Fphafl32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gegfdb32.exe

C:\Windows\system32\Gegfdb32.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gejcjbah.exe

C:\Windows\system32\Gejcjbah.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Gdopkn32.exe

C:\Windows\system32\Gdopkn32.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Inljnfkg.exe

C:\Windows\system32\Inljnfkg.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 140

Network

N/A

Files

memory/1520-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1520-6-0x0000000000290000-0x00000000002E3000-memory.dmp

\Windows\SysWOW64\Qnigda32.exe

MD5 83ef9b59d24713bfb290055e251c6d54
SHA1 31bdd4c29d30c9012704cefc2fbf81ae1d9d4ddd
SHA256 f3cdda71dfb85b7b4e959420065371d5d2136163e555bb4fe1e00a6b2a729b39
SHA512 a6b336e6dda3f2cd998354a7da50bd4cd1614558b59a154ef8a5c6f3a8407f5e04af36a8c2ec38dc3ba1044c521888c7a1ee942820ecf41de8c3611d25462d72

memory/2340-13-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Afdlhchf.exe

MD5 185abf45c0a8889512ce8ffa9db18afe
SHA1 fea846b6e3374dc6f41cb4ab3c5692b8e0ca0bd3
SHA256 9de4859c3ed0895b18085ef7b796b6bb9eeb947dcdc3c78497e1d40ef8df6ae6
SHA512 8aa2a05e5e93b4acfdc34708f03cd9d3363e70fdad86c511ae66274498f9c7d528cc097d90ac463a4d4bf0ba0429674da93038185e5c7cf8298f86c211cf6179

memory/2340-25-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1600-27-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Adhlaggp.exe

MD5 66acb33c84080d861d3dcaec5d93dff3
SHA1 bbe2bb27c830fab4d9b492ec8ebb61abdd03c40f
SHA256 dd7c7a07f2a12c550ae4c05e97ce98518139d597e015d55ea3bff547a05e3ca2
SHA512 693776fabcd8bee052c2eff7dcbb693546ffedbe9a62e487ab2bab747d935bbf9feea534aa5dc992b314a6cf5a61e8e2d775e3359b7ed18fa82c8a99a09ac790

memory/1600-39-0x0000000000250000-0x00000000002A3000-memory.dmp

\Windows\SysWOW64\Aiedjneg.exe

MD5 93da3a73ce36ecdd53e95cde5ee2d267
SHA1 90cd07bfefd5379cc054e2386e9b8d0ed6d07ab9
SHA256 6dd34b88e7dc63399d22ab2cbf6b3ac8bbff90eeea54abd0f21ac7fac50b095f
SHA512 c02652d74eb4bea99ce78cab66d50351846b43add7115c3eb82310b10621dbe1456d02e4ff4116c16ecf6873397646d731068b3bfb6e65a04a73880da547a598

memory/2780-53-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Apomfh32.exe

MD5 5f2abc93ed1315ae2f4f06830b066c7a
SHA1 aa612e3406cb9dc7fd615522089d4d765e1f6d96
SHA256 a200b0b7c59b147f20ce6774f22a1df410f53fe4b12397d0f8bb4f7bd2902804
SHA512 1e0a853e75015e624e5d70570d6e23a14375422b4cec4267d9f6118016faba079756716e85c7b4376010270cd56e3ecda78c10f8ad497b5e9348523ff9a18b5e

memory/2780-65-0x0000000002020000-0x0000000002073000-memory.dmp

\Windows\SysWOW64\Ajdadamj.exe

MD5 3d1e6f5d6f5c4466424dfcce1846fb8f
SHA1 71209794fbc3c4543496c3f2dce3e59089abd4e5
SHA256 64a069c5f3090510701fb252484a9104e35a6b856b4a5498fda68b7f2ebd0b76
SHA512 d1b41d0f012f539d665eb8a4a123274e128c821ee0349a33f9f5cbe43c37a3a45699092c612412f0ab80e52b7b0ec541c7986abf1b910ec0966905ef6458b4df

memory/2544-79-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Ambmpmln.exe

MD5 cd2f7c061d7eb76192b744c19eefa7df
SHA1 f5affe09814acd28e9cc28f2ae72e22600cdf493
SHA256 f649475b3c908d1a1d6a6238a152ce2d3d499fdd7498ba8a6c440fef00d3818a
SHA512 771aa3487483cb59645e647e87670da82f6b44f5d62236b85ee73d046891f55a5676f3957cab17c1fbca9dcc55d390f6c2b8109b48f0b0f4a8825d275dbeb524

memory/2544-87-0x00000000002E0000-0x0000000000333000-memory.dmp

memory/2516-106-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Aenbdoii.exe

MD5 e369d73378232eed0719478c40a129e5
SHA1 7f73deb44ae314ad3d3dca7720549af6dd73f8a2
SHA256 dd0f5bdee48133e034b1547257d71202ceab3f4e71973fea1acf3387bf9bd0cc
SHA512 84cca11f624f9524c96169e087f8e4e75a6b107e93ee1e3ff3dc89941f6d32935e006e8437f02cd0e262a42699b4f952bb564c8e8661a829d74522241ceb73ee

memory/2516-100-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Aoffmd32.exe

MD5 be2603ee2384fbbf75981a200a58c7bf
SHA1 f53ad778d38b115120769afd534160132a52e5c8
SHA256 a7cedc455313a7505b88174c038495031221a94c49e9a11b382e59dbafcb6666
SHA512 5aea164074cf4590811feb2970eabfb9aef37a3c6f0c7fee9fcd3b31b373a14a6153e57201e19f02c1702e1667433bfbea937bd6a7099b38887fe902fd1d99ba

memory/2968-118-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1940-132-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ailkjmpo.exe

MD5 8acb6d1d0bd4358b62f725c1255d4005
SHA1 742db26416ba2e3db214af6554bc56348ce147e5
SHA256 e2217203765674e095af6a8ea85c6008c37306427ba0875bad30f53b9d8d0268
SHA512 7d64f17a74c7e798bc8f6db77a0d3cbe13ef4746eb28c50d0852927874d46af82bf923a30ea2331d0dee189ae7c7e92c05f790275b95a2888323c22f43d0e552

\Windows\SysWOW64\Bbdocc32.exe

MD5 50b53a8dcba3e350ba72980a9c8501f1
SHA1 d5c0dbe8502a73c14fdcd5404ecd619161fb5206
SHA256 024cedfdfdb13c37941a21297d62ad48008da6d11fd855a499bb213d5884167f
SHA512 2fa324afcd32fc62edb78d48be89d470732d662c9732bccb8f1c0cb39a0076980c1ea9be78bdf307e15ca85f4fade40221621df1c9ddb6d833aa8ebbbe6e299a

memory/1940-145-0x0000000000300000-0x0000000000353000-memory.dmp

\Windows\SysWOW64\Bingpmnl.exe

MD5 bfd77b90f86aebdd1072e4873ead9c4e
SHA1 21506b0d0bb61cb3dc9235f58ff61c4cea03809f
SHA256 ad01ec14e8910b46022d3985cf8429eb4b063d76865e37a5c2c37dad03aa6635
SHA512 470f86008369f58c4f678b742c21b82bd046e81a44731573ff7948fd4a0a2d991197f3371eef2b6b69bb7a4baaae59de69185f2852c65242dde5445677cd0383

memory/1860-158-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Bkodhe32.exe

MD5 aac23418b87d2afe7b21c2643c455864
SHA1 3051da67553f43330b1fcbf22df71c6c01dd81e6
SHA256 c8cf9765d61b909d8b933ac892f21eaeb636ee346e000d61a633f59f8954f015
SHA512 3b4c45fd74036c0dd4ec43c75a0ef722985d2477233c4fb430917c9cc1e410df184d5e18fa4965e90a292c97dc88269ac41cc4c22cfb5b7e20013bbfd7b5450b

memory/2948-171-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Bhcdaibd.exe

MD5 05b7dbbb5b98e7a5a3d379161f1a0df3
SHA1 38d6faa0d28dae52083294095d21f4e4f8ae58e8
SHA256 5a874e99ac766750cbdd18c479e90cc35bde7eadd727a0572c5994f1ef309c23
SHA512 42eca24eef8c468270c204ca53b587f6d05de50acefdc61740a2beb59db13d7f93d1f297b5eef66c8f75995b6e60844df092313e1ed398e93886e312bd94e2e8

memory/2256-184-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Bnpmipql.exe

MD5 2f73d8d160b762e1e3d7bce54f49c861
SHA1 f5739418a000505b0417aeab2217c651646eba15
SHA256 b0525a215a3914c0083e4e4de344aae2d69a4e2dee0badd9f802b0ab74a63ddb
SHA512 7c3c97b127c2cd2834b1703024ab66a162ca0d79e9439cbef3dd1d3f9de807fd705c2810508ac4b20417b0af99dd4b1e574690bb596909dc5fcaa545e3d25e64

memory/2256-192-0x00000000002F0000-0x0000000000343000-memory.dmp

memory/2256-198-0x00000000002F0000-0x0000000000343000-memory.dmp

\Windows\SysWOW64\Bdjefj32.exe

MD5 291ac50a38d65e2749bb36485bd0437b
SHA1 b058691f97e9c6e5da620671487401df8cdf794e
SHA256 468c6d7bb16dcee33a47e574b77a1d7327dc430be33d1a16fe4da84f24bda7c0
SHA512 819fe8fd91cbfb73554b69b2406b75bc89d55e1b2c434686e1fefc196695a35beda93b25f803fa8139470e1486b97a5cd32e3f73c043cdc6fdf3efd1f534c4b0

memory/2440-211-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/1160-213-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2440-212-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/1160-220-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Bpafkknm.exe

MD5 c278aaf293540b3bb1b2a204110c5113
SHA1 85e822e8b1cb1d3fab24c0a2b1dd45b80b8f30ff
SHA256 f2f014eda3049e8ca273c46ffc0aed1c5476cda69c0b329158d388fbf8eb3b82
SHA512 9978d6f1ffc9c90a1ada46f970643e3ed8e4d724a0445f61a4ddd5414825718602f52d7dace5a769056008d67b82924e63af1e628e37292cc898c9118829a4c0

memory/1160-224-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1756-230-0x0000000000320000-0x0000000000373000-memory.dmp

C:\Windows\SysWOW64\Bgknheej.exe

MD5 d2c81f5680a9e1a703ae20784bb11cf3
SHA1 dceb4ff4a73c09c511cd4ed2690fa1a10e8773d0
SHA256 57a6ec2ef4c9cc50eab9079411c6810418e95512b702c5654f6b156c43bf5d8f
SHA512 3b6561627ad50edca5883bb71ed467bc942e5fc4ec3cf25a5e4336ebd6baf17045da4e46b4e7114b00660dd17be4010297a22f1618ffbe8a9f1abed39bbca493

memory/2032-235-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1756-234-0x0000000000320000-0x0000000000373000-memory.dmp

memory/2032-244-0x0000000000260000-0x00000000002B3000-memory.dmp

memory/2032-245-0x0000000000260000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Baqbenep.exe

MD5 5c3214813b8b6ccac882e0e7f652eeac
SHA1 067720b6cbc83869dc3afe66c04a31ccf22af17e
SHA256 b9eb088056c614ba9e79ecc6abbb1109f21b37cd80e7ba21a52401e619edb325
SHA512 a12b2d3b6dcac35f6e2f1edba2ab504df3cec6a85aebfe3b14526c25725e00ebbcfb90b1149ec7977b4dcd0b199aafc2b3f66222f81003985c56dc773c446e34

memory/2912-246-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2912-255-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2912-254-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ckignd32.exe

MD5 904880e29399c20f26c0fa4fa0949906
SHA1 4f9cf651a00337f56e7c6df4919178e998c7eaaa
SHA256 ed54b2193e017e3251ae8482f23c5dca004a19f468df75d4807e121ab55d87b0
SHA512 3201e1efba305bb3bce2a35ef21c86ab68cdc5b5fed17a1979b0ec9b88d91719178dc86c167f65a78d633e5d24dec06ce1ca0b37fc6f071bd68ab14e8b3065ca

memory/1780-261-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cljcelan.exe

MD5 a493e68929d533b208d6a785a31f62f7
SHA1 4341a11a1e56b155e341f02f74852229d4d3b1f6
SHA256 bbdca5df394e67e92ee34bc5aac7fafa89dc04469cd9efcd0d2c016cfaaae2f5
SHA512 a57761d32ed8f483e8d27de1fd2a6fa450b4ae5f87e0a7f832a69076085c4bd04069097e3c63397e965574c36b5635f3978dc6552d2b1e7294cb05c71bc26981

memory/1780-275-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2308-276-0x0000000000310000-0x0000000000363000-memory.dmp

memory/1780-274-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Cdakgibq.exe

MD5 91b6850f15eccfabdd8706408908bfa3
SHA1 dc03d7f637208e9c5cbffbb5996125988a8380cf
SHA256 75f113f9ba5fe89df741096fc0732ee4b8d4935a16df3844c218c07e9451434a
SHA512 3ba72a7a8173d07dd58c9ea025a0702d78307e755004f4c606f932359e34e6dd89b2b1999a00a71d2a2604f1ac1c5b390be739f10e5ca7a0024cef0cdadf81dc

memory/1880-277-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cnippoha.exe

MD5 37ecb345124fd3cc27e06e3943ff4a4d
SHA1 db167d080bbab0ec92541b348664525f6a019da9
SHA256 968b0c257d346953bb473f2ed939feeea051029a1eb679babe69cf29d5534050
SHA512 c07c4bcd217f1ff9fd7b6ad4041100a662154e8b1c62e1386859926fd3e614a45e8082b2a095bde9ffcd2cc7086d1cee58878903efdd37607a5bc7fdb293f789

memory/1380-288-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1880-287-0x00000000002B0000-0x0000000000303000-memory.dmp

memory/1880-286-0x00000000002B0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Cphlljge.exe

MD5 1ae058649e2c14e0dd420004cb23172b
SHA1 e2dde88c52735892acc8f09c3ccbd118d2bc4790
SHA256 da7cab08f93215b443de1588b0b2275194e9adf0dd3aef27992f32ea2c9a3fe2
SHA512 e0dc9a2630d8ca768d72b3c48c11dbb07449608497ddc7a6635b4190d679374988b26729271f77c70f4ef5c73cbae44730d57a2be5e0394e5ed7090212c3301c

memory/356-303-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1380-302-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/1380-301-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/356-307-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/356-309-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/3056-310-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cgbdhd32.exe

MD5 35ebdb2e3d78e629904d0c46edb64a82
SHA1 ac39cb4ed4cb19b17ee05373b1530e5dd904d952
SHA256 df2d68cb21c25541bce37e49aec8a9357517a1052643bf5d9973e6f12d67a2c7
SHA512 32cc66bec572d6874dffbc99a01cb41bcedad97eaa0ada0f1a34c893ddb9c9e7f45ee7d175de8c5dfc9b0d0722af438971a3ab3e14544c5bb428aeae395007bb

C:\Windows\SysWOW64\Cciemedf.exe

MD5 104a50a4c021524aef5426fe7a235d02
SHA1 d7960c759dc1de5f234019ab2a548d900537e454
SHA256 a0d78ba54cd81277a69437fc28ad924ab69288220d641f31023c36c5edfbd4ac
SHA512 a0b3a488bda705e703d4a2dd3d46a29431b99580b5b2be64f66d25d5f9a61b5f974550b8561c8c189b1fc4323ec0f8441e871679501a7b3ea3cce8705167f6d6

memory/3056-320-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/3056-319-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/2132-321-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Claifkkf.exe

MD5 be833a578526a40e5ae02aa1d041acc9
SHA1 55c862ad04c38f7642a049021dbacbdfb6c680fc
SHA256 295a083d07a598107365f554778fac73cfa3109aee5016a8c811810f2e3d7476
SHA512 f560cee0fa2e03a35896c7863185abc63a9cdbdb01a4a9ecac5a08d9b566c4ccd030c9f0e049a92425c5badc361d487b96e19e891f069cb57cbc047605af6cf3

memory/2132-331-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2132-330-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1728-332-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ckdjbh32.exe

MD5 5ff3b917ac698e5f1932cdc5146c74aa
SHA1 b092641b52f0bdf680de87c094e87042dfe2b8c2
SHA256 9afe97dcec8ea9f35113d01c4781df385b241040c478922767b3e920bd82cd5c
SHA512 15eb6151743e02d9b5cae0d2c10c796c7f1d8c44d8d5dc48d8111299dec7688a9edd562f5cfcad96576bb732ce63bbf7290f2fcb52867da5b0ba6cdb00d11f41

memory/2112-346-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1728-345-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1728-341-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2112-353-0x0000000000340000-0x0000000000393000-memory.dmp

memory/2112-352-0x0000000000340000-0x0000000000393000-memory.dmp

C:\Windows\SysWOW64\Cfinoq32.exe

MD5 00bd37478c73c7988daf106faa8df9f0
SHA1 1dd5dfefcd4ebf5b9a3362107fdc9a8988daca85
SHA256 6a92bf7e2cacdd70e471430998cff292a3366e31df41ed39686619f1abfff9b0
SHA512 19b18e5e81ec90f38de915a795d05b75224c6c7ca9aff0badf08170c9f2cbe7e6cf909a68d2345a895344d2f11185cd692940cf06637ceb44a14273c77191307

memory/2828-358-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3064-369-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2828-364-0x00000000004D0000-0x0000000000523000-memory.dmp

memory/2828-363-0x00000000004D0000-0x0000000000523000-memory.dmp

C:\Windows\SysWOW64\Cobbhfhg.exe

MD5 07c457048104a2326780667b094cf483
SHA1 e3110668e6b5c53ebabfadaaea59c315cb49b65a
SHA256 9b0dac1b09134bd461b3c4a028134f9082aa74b8a51d6ec3f368d887baa41efd
SHA512 9f2954b0bef8c5234966739fe42800037b1430b7bdb06fd6803a90522117345638deee1a36b93d57695ddbbf0751ccba9a54547b9bccbe7eb3cae956dd2f6e6d

memory/3064-375-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/3064-374-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2620-376-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cndbcc32.exe

MD5 d976ade43f38be17496ec9f73e6d0669
SHA1 523164ca1da41eef2be95f4198d56f34badd26c8
SHA256 929b6e8576123a335001e4f49cb1da7af00947598bad525a81543fa6cb9ad2f8
SHA512 048cd31df12ef63b09c09d1269b5b14a2bf3a03668f6813ed7e1de3c50daaa2ece92cf8adbbad09ea85fca7e52f2574431abc8ae5db252548b9a6cd103c23f6f

memory/2620-386-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2620-385-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Dgmglh32.exe

MD5 c5cb8f2cc4fba084047463ce74948c63
SHA1 a4dc0aba2ce73931ce8f3fbd40b84b0835cdafe4
SHA256 797b91684e231752030f32449fb58de708d014d6e4a4262cdd2327c72e98edd4
SHA512 558780648eb3e3fea8d032f916647b25bcd88089eb8afa8d7fb05a45a42dfaf954fda0bdacc3a419d74b15b951fa237ccafc82c18e41282c49ddd11870fd6278

C:\Windows\SysWOW64\Dngoibmo.exe

MD5 d94d4fc494b675739a76f2d48d4406f5
SHA1 4635583d97dddf2960a39d5610a4e390cf756bc7
SHA256 f7eb2c5cd63ab8d35955e7cfa45b91c97a84dcf425d21e0de80457c1c844c904
SHA512 3453275e0fd5f9cbe3f2f26a2dc567566cd50a511a718bcc523a075756da435c4adfdcf3a08d05718854653cf27b35b13fa1c29d6b06af2b8c7812e6ff5759c0

memory/2540-397-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2816-396-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2816-395-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Dhmcfkme.exe

MD5 f292ee6a3789cc949b3bf42cda4cd270
SHA1 22e0ffaec48440e7e17ec0ef54ac7ff393772494
SHA256 98bd05f90b381ea90fbb7af93cc130663ce5f3750afcb870bdc81ace547cc2b2
SHA512 1f8c400c312dcfb0cc6f03b21d7ac6009f81645c147618c46aac3587121be57b5817bc5186af0873f3b5a1b487614cfa1d8445525272336365c1585c67a68bcb

memory/2540-406-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/2536-407-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2536-417-0x00000000004D0000-0x0000000000523000-memory.dmp

memory/2536-416-0x00000000004D0000-0x0000000000523000-memory.dmp

C:\Windows\SysWOW64\Dcfdgiid.exe

MD5 2e0165767f6b0ca0b7f0e1d8ea4ea978
SHA1 dfe0ad31478bc1e8805194acd1a81a27fd11441b
SHA256 59ba05d72b5dc9e42afcc3b0e66e738c4c2402e140d8e02898bf6f708eb725f3
SHA512 b420337da6e592dc7c2d1d1e7963aa3a0d100fac64be3d4c0cea2969307ff908b64387416a94fa428eddc78292145163b36f670894139081af300a01af4614f7

memory/2980-422-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dkmmhf32.exe

MD5 5f97a7e2ba11deda47eedf33ba2aff8f
SHA1 d6c0d8c539278e01f63280137b64ec85cee66534
SHA256 81987b9b704286f22d74b783436bac5ef877eabcc6f601fb1fad314bd9352991
SHA512 9b68f353483bcb5c8655ae486749a92987ce3fc89d8b5fc0f02f036738642a823e810f9ee804e1ab2628bfec15bdb1de069f25d874df3aac7a474fe8c3e4814e

C:\Windows\SysWOW64\Dnlidb32.exe

MD5 9cde32f2b516888f977e572d05cf2834
SHA1 2b7e7bc6d82d42d4ec2227f6c40a4b96648eef91
SHA256 f24749e1159c6cc0082f7d11f2392b696b5c7800dff7f16f826d6f29b7b8cf64
SHA512 f7cfbd1825e5b4eb7b958d890240b4000bb4cd7ffcccda57db4b8d8e145f45401f8e70603614e05814c09553b1c6ca9ed111b14b5bfb6c57d81298111216f56d

memory/1292-439-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/1292-441-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/1244-446-0x0000000001F90000-0x0000000001FE3000-memory.dmp

C:\Windows\SysWOW64\Dqjepm32.exe

MD5 1bd1a558c82f0cb4dc2fb1daea0289f1
SHA1 0ea9632c4e3d1b04663871f876a4bb3bdb504e6f
SHA256 eb6de77ce5012fc2aa3e010fd63f4fb41d7b9879ca10391ad5ea9d171a996014
SHA512 1f49e7a05343a3e78e9832b3042cce129c6973b42f133c575da0a1ebe5625bf0a324c704a45d7dd38b3392bd22bb6bb5e0332baae4c3bd060d8c3b69befec833

memory/1244-442-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2328-447-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2328-453-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Djbiicon.exe

MD5 4505598b5ef857a5639e53b15b38b11b
SHA1 2ca38cf86b46a98b84794b6adbcdc2ecb3c60b76
SHA256 5a82b74fd99547940a7a5b782156b1fd6b21d0ca970057eb59c1ede15382d2bc
SHA512 8fc4820db1724b6d35c51affc915a266ce4b8f298d6cc4e2cb52b1a6e9794c252610fc48471c615f5d82cc9daad34e38b58aa792fc12282acf4d13630644a8c7

memory/2328-457-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1028-461-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dqlafm32.exe

MD5 912bb42705ec325ef6f8c96066751f67
SHA1 e971a4c02aaa146aa120d5ef73491829f998522d
SHA256 c85878d0f1f9b4b81be65de17c2512f8eb33b354bad1dad2921b8a3f1b704ece
SHA512 fff29d9c98b8f770b1bd2876c5e8ecfb93837dbf454488f9d64e4c7c677dca58d81d3b8af552f80bb3959eb1cd4c1cb30f5e9d251d1b58fa4e16f60872bd96ba

memory/1028-472-0x0000000000320000-0x0000000000373000-memory.dmp

memory/1028-471-0x0000000000320000-0x0000000000373000-memory.dmp

memory/1520-474-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dgfjbgmh.exe

MD5 914cb9ef30a9935540607138ddc1c253
SHA1 f1443f12cfdecb8633c9f93c6014eac42d0799ec
SHA256 8610c5d5a917027b0fea10947d1ed69f329b312c35958819470a06a0c1be481d
SHA512 c9f2a9ba951f7232af69a8d846495b1c21672a4ee6b29a86092575482b281f69efa3bc88b842a36a9c9429a557e02ebc0cc2e918213fd96b4ed11c23b711eb09

memory/2752-478-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2752-487-0x0000000000320000-0x0000000000373000-memory.dmp

memory/2752-488-0x0000000000320000-0x0000000000373000-memory.dmp

C:\Windows\SysWOW64\Eihfjo32.exe

MD5 d2440f84e36878a4bd217c513e915ea6
SHA1 ce44600918b1c5593d5538115cc7bbea1f361166
SHA256 830fe77b0cf933f25bce96d31697de09d8de1bff019b700c42de489fcee31973
SHA512 e4516a4c8a4b6861bbefc2ab080f080ea9ab14fc57238bf61beb3332fc23eef02dc37ff318ab5189afce368ad6a0c4b2e3ab69b8df7274ca8a744fb385af0637

memory/2288-489-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Eflgccbp.exe

MD5 2e0f39113cdccb304dee078b1c7e283d
SHA1 b29e571ee10844a6ff8fc68f2815a6b6bbbb27b3
SHA256 a27f32dd425ef91910524f6b80555b2f220d79049c8ad97696ab01ffb4e91352
SHA512 ea183aaa54d993341514dd718c405df7c0c8c6cbb2d7f29cb467fe9e8288fb1e1f5cc51301353c398494eb8586ea17ac6f15b814d02469533a36b857f9882bcc

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 de7f719d4e42e9b114b255f306ddce41
SHA1 32591981080108fc3da2712f73ad6c161acee3b8
SHA256 9bc294ac071a423bce6a124acf97a2be4210567928ba8cf434df80d27833298f
SHA512 0bf2eccbfe2f9fc2e5c5adf688b065edfe0303d5f19f0dbe8356395ba5a3ce88754f993b3068d084ae521bddf1541e75fcb832343fcd075dd5bb3b19c5a484c8

memory/1652-510-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2988-509-0x0000000001F90000-0x0000000001FE3000-memory.dmp

memory/2988-503-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2288-502-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2288-501-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ebbgid32.exe

MD5 625a26171c75523353af78072881b5c3
SHA1 bc0ae88cc2a1f15626f6d04f91b9a4a912c7a061
SHA256 7197e37da8ff6fbb57356759cddf315d6768e7e7b8b90a5b626bca8d89518fa5
SHA512 a967b760f323aee96bc3f99d4706fa275345ef57233ff24027c55a6c86a84ad7f3b7b2f2e36e4f26ef7e1d48c3fe795ba9e7a5764d950824296675c308d1e713

memory/2836-522-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Eeqdep32.exe

MD5 917fcf3e08593024c571af5edfa2513e
SHA1 205942f5786b21edb641e3847b9a1e22bb318c47
SHA256 5bfebe7100c87e171235effc3319292118034e06b09acd94cff1808af3cb94fb
SHA512 dee2dcf10fc376e8c795a5eb243e3f73dfc6b7f1faa76bff04a3c634c6371e604d0b0606b253615c8df18136e62dc79efee5bfe83b690518c531705ced05dd9d

C:\Windows\SysWOW64\Emhlfmgj.exe

MD5 54b04e98916d12f1538f498a93c502a6
SHA1 644aef1890f9c72c9aa1287b10085bf3c0471728
SHA256 8a9a26a1eac64fcc8a9984101fe8056f81b73d8241569cf44966bb1ed341af24
SHA512 bd9f81f8f1e529bb6264ac6c8d9771c83b4b4b8f1a57ea9cf6ffd5fc0b6237f7b62440d0815d97602ee00a0890df806b8c4e7f4bc8073945d9103415b6ca4ef7

C:\Windows\SysWOW64\Enihne32.exe

MD5 3789983f5a697101e5b65d459aa6b308
SHA1 814e579ee2cc632ae271b5fbc823a65ebc50df4f
SHA256 e468502d467648691ac88b8ed3488889da71ccd6f9c94926116c708125b124cd
SHA512 1336813c671771635d3525c402d9123e24d8b886440dc9bc52b3869c407699a77a0dee10e574cf8dec9218989029363bfd156e70e411d01ebb0cd8b83c88390c

C:\Windows\SysWOW64\Efppoc32.exe

MD5 61facb0db76654f8aff6a8598426b462
SHA1 50228d828ed74acf2cb2bb25feb2303a58c93ca2
SHA256 69987d6bbb18ce630a1c087f5cc38ce1ce247bdc18f9f7fbc3ce7e302c81ca4a
SHA512 e85a460d4e7ca8e23bfac00be20c25c294447b20f949911c6097676c798cf402d94e6f040bfbb93769697115e14977dfaa375dc5416deb71e3daf8bfb8e87a08

C:\Windows\SysWOW64\Eiomkn32.exe

MD5 4c311d035199fe6b02450f624dcc292a
SHA1 b0653a545ff07686a096eb58f2cd6fc1eb94fb9c
SHA256 f4cd9c4c693c2f290f46cca3a33e488d4d03fbaca9b078c9a7beb71bbb9ad6ad
SHA512 b668178dbcf9fcaee172a301d58b9bbc8d65aead26ad2476985336f3d28a965c73917304a9036a29702b2b4c3fb305748616470b9c36182ff50f8c08ab170dbe

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 4c0da3534c8effe0e14e7ca7d0a9b4ae
SHA1 5c372becdc5bb084b9505776ccf06878860d5b46
SHA256 4b988712dc2922f8a47ce420620ced5c458c9039c9f9201a35dc9fe6e5c2eda6
SHA512 b29fb820eec0b3b131eaae7e2b37ab68ea90f471577b04e43e97ccee4cad66d866009bab8c97e37346d1788d083ad50fcac95666683470288e7141805fb9bb2b

C:\Windows\SysWOW64\Epieghdk.exe

MD5 dfa6380bf1c63269cfa09fdfe4ceb2fb
SHA1 9e395dbabbce5b650c3b75a66ff24448e66394de
SHA256 22dd93655f117ee2ec79497632497624eb6b77e3fe1e969131cef1d23e7b1ad8
SHA512 e3561aca2b180c8cfcf3b442a3655a12c0ef314dbece60a571d57b4ccb03e1a35f05d1822026bcc5a341300a9987c70a9f26d11376f9fc29160d0d0ffebc60e6

C:\Windows\SysWOW64\Enkece32.exe

MD5 f3c09f431298b2a6dc77941363466126
SHA1 cc9f57e277568467646d8d2f3060c1b628c7bc89
SHA256 edd61e39926fad0a4ec8bb6cc6a67ac7357260587acb1de824beab65439d0ec7
SHA512 ae88fb1cd71fc5f6744901c5473095ea7c6910ee55c9a02e23384f415559eb82d842f833866e64eca28c97f5b357a2fdb33ecf44bd56ca1cb2667b48dbac8a45

C:\Windows\SysWOW64\Eeempocb.exe

MD5 9b2e340db439dc8307c459c9bbb9f881
SHA1 356c4b4154108978babd0837771a6490f0a42902
SHA256 587a2fde31388e304083310f6bd2e113b6fa0e3a8aaf3aa17898d1a8181488db
SHA512 239ffc95e59dcfa40a5cefc2d5b56f90cf925929d39f3a27519deab387ac4a075e33dd7e158880d7b3e7fe0f36a6739849c272bfa777d0974fe50cc6e8ba1ceb

C:\Windows\SysWOW64\Eiaiqn32.exe

MD5 5533e298f957dd635f4e0b9965c0e9e8
SHA1 99e86a1d54f3567ac195967d5c5bd39727e0a070
SHA256 1df2ad697bf912b9647257358dfb40eaa029456f6d922809d78f081a5e97fca1
SHA512 8aafea1c65f93d8dbc1a09d5d0eb8582b010c54dad56fd1c01edcada2470e883cd3621302cdc2abca50b34b9e86aacdc1106b725918984ecd82d45bbe143d38f

C:\Windows\SysWOW64\Eloemi32.exe

MD5 4b56d721471817d624da91a46f7456f3
SHA1 f48d69f6a03a08f9b5ac1e0056c321cd83284da8
SHA256 6ad590fd6e792b3eee8ba0ccfc2331b4b7e7f34c6db7d9e8ad06452b2e82db55
SHA512 ce9c6e7dccc56ced83bb6e9c680f4190f13d90233d697704766056a41cbbf83f627f62c273715ed9ef1eab5510a40ad7acfd98a37bd0642873f88b70a2bdd70f

C:\Windows\SysWOW64\Ejbfhfaj.exe

MD5 acb6034d1e074c21390eceb1b9ea6dab
SHA1 8049306bec5696f5bb8b1ab79ad21f88477b5679
SHA256 714e4dbc049c50af841225252a486340e746c682c4d4613bd467fa6e041d08ec
SHA512 18ceed97f59fceb8c118a5a019f01f9834580db35f5778e6ab59ce8596969e78e63e8234d86dfa08e1556a7ce03cab9645349889fec695f2270cca481c249b28

C:\Windows\SysWOW64\Ennaieib.exe

MD5 40a98159f79ebea70991b17e4b8f9fc4
SHA1 cd32a25fa39c78e0a53beba57c5f3161cc2e0515
SHA256 682302e238fc47745693d33210003afee09084eba2e3a98f6e93174b684f30bf
SHA512 99fd4869c3b4c1eb7de64230105766f1f90c63134b392262b415e65923c08bf1c703873fda3faeea831ec153e0885b682e63cfa31da9bdcb13b43240bde1f202

C:\Windows\SysWOW64\Ealnephf.exe

MD5 2753230ad0f5ab8c9cc8467c1ad5dbfd
SHA1 57ac2d549b8b5d2b0a7c0c45e226dd8f7563a7d9
SHA256 915d722b6a2274c49c4d6f705a63d72afcda15c0e042ddc6ac7a3e38eb02241e
SHA512 20ffa71eb541af063c9c0751acd8be6f94dd69071e9f68c2bc53c7f12d5d2b0829f5db0e7dbb4120e271986a02303c6731067e27e04882170b1715d0c0d0fa21

C:\Windows\SysWOW64\Fckjalhj.exe

MD5 e567d730cb01d50752dca865b8391ae8
SHA1 8a43de6e519ada485aabd4fb33e25ea482940db7
SHA256 5249b0878944b30058104c0ea2550f2d1afdb27b122ce0d5db8ca8795cced2cb
SHA512 8bccbd67ff01d4105a6b116789e9bb5480b09facb2b539db9bacc2c38ed1ba0bd0208cc443ed276211fd3fa2ffec7a9d2ecd0aa16a7edb6ff030a39c9b86770d

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 efa00bd3fc19a1356ef3d982a9c603e4
SHA1 fc19c4086890c308e5df02d4ec2b196bb7e915ad
SHA256 62a609357aecda9c54a56035bf68b45334d1f2768f1d07c0681b2740a4a31eef
SHA512 beb6212d75e9120771620ec8d9bdd94fb695724246914c625b073629b37574bcbe73c6690fad66a4c48d54cda9c05c2faae4f41f41017c3cddba659b0d327f00

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 ff97bead2bcf3da5d6517003a7aff916
SHA1 ee210246c6443eccf4cb6927d0a9031b4fb0e722
SHA256 e09558538d72a01748ae80d3e3d6c9cb389a449dc25e34cf61fed64fd64d8bf3
SHA512 3245c4c5f6f48042b4cafb49a349242669673fc0816f2bf48237e14702d236b2f8f23d203553f567426ba25ba9fad97aa9213bffe475f3d4dcc481fb2f1f774a

C:\Windows\SysWOW64\Faokjpfd.exe

MD5 4945d2ba187a7472fba014e4ba3a2c70
SHA1 8e537e825a2c2d0bfbea0d34fccecbcb06ed32bf
SHA256 53c780db89f3d461cbf05119ab373bf7cefca367f455d550f6c76b5e62c9a877
SHA512 17c74acba482b9de9465518f70c159a5a991165ed95f625002c416a6be97271caeecc2bd2c975e76e4f941441e29e6e3fa5ab6dee81aacdabfae3f98a971a21b

C:\Windows\SysWOW64\Fcmgfkeg.exe

MD5 8ef794f6e4f3c03a9f4068bbf3fdad31
SHA1 9d0fd9258ba69881ae2525866dd711f59a44336c
SHA256 96ec1c4a8c23b61b32dcdc7d2dd4a8e21a1441c41b76d3df534a2fcd36cb9c2e
SHA512 987755c2621377b7c51d68ce060b749e0c44ec909d2dc6f115a18b694d426723901e8e86c829cd690bd26174414a2dac07e61d046c71c8b4a0b0413a208b38b7

C:\Windows\SysWOW64\Fjgoce32.exe

MD5 e03bcbfc639f8b9c17141669d51ac0c3
SHA1 1cd1c203eba17083ea254215fb77effa14b7955f
SHA256 11f538ebbc68705bc80fa647942c571ca9047550ba6631ef69318ac2f8dd9848
SHA512 3fe12bc0538c4ee763ce2a9ef874eea54d5cc130b1f66bfd0b45e77dcd695e3d6f58e6d6a54ea5dfe5d7a071be9b07df6ef93d68e21c60bdd026a950690ed400

C:\Windows\SysWOW64\Faagpp32.exe

MD5 ccab5d1d139fde85dabc03982bb09e61
SHA1 bd199d21835cdfcc077ae5a122d9343f8a948eac
SHA256 5a3dd76286a287bfe1e0214ddcab9f46f6070b7cfd4924fe988245053de31f1c
SHA512 1545ba97602d4f949afb8738b2ed677b8ee86d958a1274b973355757ca9ce11fe804b6c64d2f5a7e3ae38186d5ec2cfc876da1484b0fc5b399a36cba81281c7b

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 f8b5a11b4199700bb4cfa0587dd54878
SHA1 87b4b8eadd6b3742b320f9492dbee8606defe1b0
SHA256 b037cff5b6fc365cb0af72cf752d950254c6b43e7a6440d3c56f0c548d27c1c7
SHA512 4b29102774d8f0c119acff02af307a63ece850ccf86f6d05deaba7caa2782861631ed26755851b94df468a989814b9190791860cc80931c1de6046eee24c3c78

C:\Windows\SysWOW64\Fjilieka.exe

MD5 2c1321b49eec8927f6d5672de572d4b7
SHA1 4f067a2ba7ff07a4251ca9f079c2fa5cb09da8e4
SHA256 4627c4bb0d52464a91306c208b9a806824d5a9dcf19be78fc82eb36d67107d51
SHA512 e3820427a6da9716fa6d317c65b0c30c56bf0642aa98741fff744db6a894a1842af37358adabb93d79640823f3a5d29cab66994f88bf57f7634d2e95afb0d85b

C:\Windows\SysWOW64\Filldb32.exe

MD5 ffc388a678b386419146404e59ff7ef1
SHA1 c3cc616a158c9f609338238e7a448b0b4ce37281
SHA256 a1ae9a1ef10d5ef2e941b8ac14154c4ac19c523266c6335c04fec04aecf58664
SHA512 a5c55276e29e9806b7668103257b61f1ec7005e2db8ebcff05e04f2958799e696208eb3e640d0a5a9a1d925728eaf62aafbd94d881b0b7bb8fc01f179600c559

C:\Windows\SysWOW64\Facdeo32.exe

MD5 f5ecb065eacf2416e4b1389fa4126e2e
SHA1 fbbe2cc7e75e7c4cf93f6ba5328d1d4e9167f950
SHA256 cdd1ed5090087ba6db2985d9aab83ca1986000902fdbf8dbbaa2837cd0e9907b
SHA512 69b0637e616a842e8bc5e5cdd977f9fcea96ba34d0d04478c53086292f573c8710245103a7dcd4aa20b8461ed1499451813fcbeb528cf734906662015a2be601

C:\Windows\SysWOW64\Fdapak32.exe

MD5 ebf8c777b2c763d927684c496c02b6c5
SHA1 785c36623abd5395edd71c7b2aba2bc0c949a560
SHA256 1ddf6349b0c9f590ac819cc3b7d3a0dcaa432d58f4de1e49cb6c72bd51617e50
SHA512 8ce954d8effa9ad6dcae18793f292db5b4c6b194aaa0aab4fb4f1ffdff2842e221b84a6860895b3ab761e49cf5e28876639f828ffeaf1a910ff5ccc614ee9e5c

C:\Windows\SysWOW64\Fbdqmghm.exe

MD5 9579c1f20bd243a157d9bdedc85e9761
SHA1 0fef431072a69d6d2f6e0fc8b0a70dbfff4c546c
SHA256 d35a95fc40eff5fd717fecbde0ae77b2e7597948c0f04856821454bc4b6cc362
SHA512 f4e19284918acf861426b288e62018452c1f3c7ff5f9f0b80c7eacbcbcae5b866d8598d4b254c545e95362fee4f1f0b4c32093082578ad41bc1050ccda687cb3

C:\Windows\SysWOW64\Fjlhneio.exe

MD5 8c604679600d8b4e3d9fed88e6c8f61f
SHA1 e738818da412c417c82745d018280432b8439d35
SHA256 d2b011beeca5d05a31bdd2ce8b5b464eb158bc3fcf2976d3c785909b2d76d255
SHA512 8bbdc7a5cf3b61d9b3f4e243dfee7f951e97e8099a7024d7c244151faa20896cefe702b18b055a165e469b1871bf605d6b976251176f68487138d1c97446f553

C:\Windows\SysWOW64\Fmjejphb.exe

MD5 1b87623e44a2dbade523070a3e0ee368
SHA1 57886827550c8d3542cb0d2e8ba64dbb54dacf45
SHA256 851a90ae3960c739a55da5919aee081055c4a4ed913aa93ef6fb8b9eb7006456
SHA512 1cabf939193dc1bc5d782cd6d7b59c0f4683b60cb9668b9852945da9c003bbd8b66e1a544322028dddaeb2f28fb6c288aac47a5a7627d8be4a6e3164fa122487

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 7eda98a040118d838e646517800aa174
SHA1 d827db335e5aac051c14864715c1565ba7b18041
SHA256 5dd53030748194a1496ca64e935277b3a07d57457a82337346da7f7ae9dc7397
SHA512 541543b7be654d46591d0596a6ebcd9062aed885ce1a5fd9ec70bc295ce04b17d09cae3db898982b00dbbe6ec46042a66461b7a156feee81ddd71566d7f54570

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 f28e96b36eb6898bb43416efee4eef68
SHA1 f070191d7e5534dc97f02d9c74f76739f34557b6
SHA256 8390b34443ff40a9978192772a8738f9b5851c678fdeeceb3ce4d857bc42fd2d
SHA512 92a763b4eb9ab5f289e5ba4c82cec2f4425cdc09df71cb3fdde1ea3ae4e8b036dc8aeff913b7b9bda21c4dc9f1b5e3ab22ef846478edeab9cb119779df1636c5

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 550f58c1cf3c565af19f9d7506ed3f5a
SHA1 f5eb4effbb3d4e44a2c4210e339b3720af6fec73
SHA256 b4c9c68fcd41c030f57eecaa67d34a50f308e63e9b8a14c570afd44a493a7c74
SHA512 b6b6af9bc4c07db958821027e641c64aa4f84fdbbefc3ed3808331cb5d2fdfddc2787a3a23e9004f81065c48b145f2f1eda4dced2a091b680fdb27f84291a6d3

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 ca1ca9f263ffb75f4b4069e88c75aeb8
SHA1 92a08c4c61fd9ee3332d2fd8e2bc59a148525422
SHA256 97438659463d2e7d7f0777b8c271cae5869f174431410c306fd3f3b7b909211f
SHA512 c68cd0fbdbb4f800f4ccf39209db4530d5b48903b7139bc2f8a045a3d44512c1722bdd3c677bcf55b295e2168871baa7cb51d1efa75dd465a5a2f56ee8549144

C:\Windows\SysWOW64\Globlmmj.exe

MD5 284468aa6c95fc7023ae35ac50cc35f6
SHA1 37739f2b1d09ef152eafff4fc8c67f79c17e37f2
SHA256 17b12f9b72c51ce66083f094ec54683582a1fda9d2c0f5447179572728ad0e6f
SHA512 00ccc307ae232d3bace6dd04d9ec1d6a73d0152a0f0515570edf2f44f543e84ba0eea6fef78935ddf64860cad236189cbdda2651263fe7a72cd879f47bc45ddb

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 14cde730e80e33aa4bbcfa347c67f41b
SHA1 8a2a3799959c15dfe158d152a56ae24a5dfea5b0
SHA256 c23712836feba7114cc442aad2a692b6a942305d155bcca4ad5564a97ff0afe0
SHA512 694f861e420bd0be55fdd28501fef7ab4b8a419f86d760395d86dcf709d0041447b4a3279839bf8bd1002db8d105bf2d8d930b8db8ea4adcde40b7e4fbae7883

C:\Windows\SysWOW64\Gegfdb32.exe

MD5 fa2636fa2badd438070e280180d319e5
SHA1 efc4b117d1d42d305743784ae3e0c9bc6196f5a4
SHA256 8fbfa58ee39d65cd5d08503aa6c9390da913bc897f27174a2170cd27bf9b02fd
SHA512 c7a65481340907d78af66238042ef9f97fef27a9249656bc72adbabf19ba4fe72a795bc167af20848a7a5924c32049ebd2db2f00a7ea7dd5c6b1323231bb8f89

C:\Windows\SysWOW64\Ghfbqn32.exe

MD5 bf988b8bc10918459ac247fd7adfa626
SHA1 92187a7d5de6c75d3dbf0536a31e48c07f1722bf
SHA256 2483e713132f20950156fb86304bbdd3526a62e935c99543e69f2c386cabaeb1
SHA512 e054681d02bd8d093b977e6e026869431a16542c834e2aef53dcab78df3f0e967aa234a59a0e20b5b2b5de224f9df742f0bf17ccff5a41cf98b1b53337ddb3e2

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 945023613f032355173e117878165301
SHA1 f22a0f435c6474fed60340ef53943efff075a023
SHA256 a4cade24d69cd540fb9bf8a67d00552d2ec8dcaec281e9beb9962727c5c769bc
SHA512 9f60087ac4daf1dbe43ed6279ecaeb4a3e3b5752c25c067b3fe1b841e6fd81ea0a0f722c64d9cac8f423f14a4871a4d1173aca93fea38aedde60a8045800dcf0

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 10619449ed97c1fd327a652e59d8241f
SHA1 d4aba77bf3184cdf8304517331875876ac67e7e8
SHA256 f220ebf104e2a6994add223211b35ba5661893d15fe7cf7b41d34e4c19f3ff2b
SHA512 fede42b992f3813db1bbafc5227479b87bedc80016ab5e0c5d67de142469cfa2725c967d88a4e283e5abfcaa498318f2d8a0ec87444a60f0ef1e885af1fadaf1

C:\Windows\SysWOW64\Gangic32.exe

MD5 ef8e8d7466871381b6a3091009a8031d
SHA1 c5479b6b1599fb74d0d64f231c3c332f4844a4ce
SHA256 712ab646c4392a542fae9ffc183c6779e9adbca55b5b555032dbc860d9d89f4c
SHA512 bee745027398d520fdf429c66786826f6acb96e058236c0a20f98a0a7aebdf7aad111a321c0cac29ea6eeb1b4cf8b3630672bd3c5ff3481007b84befbda35080

C:\Windows\SysWOW64\Gejcjbah.exe

MD5 9868f5c7caa4ac603c4ef2564717c259
SHA1 04d20d694714bd6dff88d629129688b079dcd240
SHA256 06a37b7658e74a95ef39c5bf1ac27eb67182541c2e698943607a38c2568b9988
SHA512 9e66b6435bb21847b551f6b6708bd2407ea5aa9e82d86cc9486b6fbdb5668fe1c7f4b26c5c1f9be48af2f66d9ebb29b6049c3407f09d286987da7c294742d9e8

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 06b1fce94e09d93dd427135517750b2e
SHA1 fba58333629eb802e22b0cf548c9422b28ea241b
SHA256 4f1aaf9caf5f0679ff71e3e1a8f3168137b405446679fde7a30271f908df1f94
SHA512 adf4a23273a9eadbb6abbf0978539132016838a95cd85067aac74332f581835cf7af85dd54d960c1d73dab12ea3064793e3eba25d4ac92fff0f983406157d13f

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 649ac45e854491836b127dcb9c5dbf40
SHA1 ecd5c24defd23bc60af5d89cfa4caab8ae1728fb
SHA256 748b58e252934c5d0eace2e62ca59a9df78cf6df84f6919b7e9f66eeb58d5658
SHA512 00c98753f3bd0b492e0b89b9608ebd10f86fa79440c31c4f2e2be8733c91931c33b06af02da3ab98f4396d3326bef72a5ed0a32ae2ec1e15996e780276da2cf9

C:\Windows\SysWOW64\Gbnccfpb.exe

MD5 bdfaa18ec5de7765405da9f9801d9b7c
SHA1 718e36dcde3994481118668b456515d05cdca9ae
SHA256 4198be33bf0c9d42b86ecf00330fa15a85d20e5beba96967f74e1dca692982fa
SHA512 c7d17d00f59ea50fdf39c688d14804ba42456a4233fc5df075420969b51a70350acc7a2cc8e247fdc68a4ea4b3f57d498c4f7940be73e9aa2077d2087a1e54fc

C:\Windows\SysWOW64\Gelppaof.exe

MD5 83c81544053e738fe94a7d7b29c30803
SHA1 a20f1b08808536814ce99e5856158d29c814dfc8
SHA256 b727c68c5023ceb65fbb5cf5eda5ffc952a1811fd5ede8d2f8c2a156c9baafec
SHA512 5185e50ce5e2d946f84268579caae0be7e07f69eda2af5e471197938ffeeca0ca51df4dbffb0f5375e22708175c61773d776758b7bfd68d8f874a20b9f8c80ef

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 c04a1616534dbfe0980416e431349934
SHA1 49f98740c294a41f6a2ba025ad12d625013b0a43
SHA256 4906f844ec853695790b3c9639cff0fcd8140cc1dea206ab005a6ac9252f2e42
SHA512 515e7bada830cd0562106e5e6ac97bd81200a886c736ca16e7c942a01ce9e0fd1c45cb3e0f433e9357f98a6de98a492117af9b38b64a99a91bb0439fb603d62d

C:\Windows\SysWOW64\Gdopkn32.exe

MD5 2267b6ea6b50662d383b45bdb98f5768
SHA1 4fc4796c166c137fa78bea941a991f82c8d0e369
SHA256 bc68ed9c78d6bccef1dd64afae87e0b83e2d14532b6d5bc8cc70bf7161c88a0a
SHA512 289ff7deb26ecc88a00ad4a7afcb8bca1740828263ea0195f28013f36465ff560ff90a3675a512bc704392b91b0095a1e785ec9848edae1ed2fd383388c9bf1d

C:\Windows\SysWOW64\Glfhll32.exe

MD5 c90ceb4563772a6c8ebfc898fbadc3e5
SHA1 b6eef129f58d29e8c7862405d4063d9599b7ac3e
SHA256 2f49f3020fcf1f3185c3a29e99496318bc879b3f94494f7484b9efebe8e33a67
SHA512 b5e93206f5fe00cc8de4b86ed5bfd624ec2c3d0bcf41ceb76982f9f4072406d9707628f62309a919cc0f422b9981dcfcac0b79c2f34ef77a61443231b96584fa

C:\Windows\SysWOW64\Gkihhhnm.exe

MD5 d16df3878876a0ed2cdcd7f605758b01
SHA1 fe067719e48035890e4b09bf4d07d46ab0aa1d04
SHA256 3ad8dbe272cd5630a578c428e4deaf21fe4962294b42402f993070e0206a5e11
SHA512 04dd2d03ce8629cc0fe7ddb24d84ca1bd13ebcc65bf26f2397288f95c6b8087b108ef562908d9a1ff8953a93748402faab70aedef52a2cf4b486e0514bab80a8

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 d56e16ddc4240bd06c2afa30bce5311f
SHA1 555fd08be66945d2cd9de639c68c8dcf437b204a
SHA256 ad31dae62402ecc5fbd2e9e1a379a6f58725064a8aa9c503415d5e3dc2055178
SHA512 a8f65f5edb5c7fde1b90709f77178d57d0770060049556299535c28b4cb28ff75e3cb938e182a42b23a8a1aded14bdfc738fc4c2675b82efd9c6b5ae399d7e96

C:\Windows\SysWOW64\Gacpdbej.exe

MD5 b3c1caaa412447089d9c9a4115b0bedb
SHA1 1373df0e8d971a09290ee8db81cd54f3257482e1
SHA256 469307f02c05f344b435fe085dde227f1c5882464685a56b4dc13697eec5ddc4
SHA512 1c9f06bc5539e0f8f3e9a76039546a3b2b5ac5139bd4ab36ea81c2172fba9605a90da042b11eee0c673a9c972390a0006d0c3bbc1deaf7133bc36cc45555a560

C:\Windows\SysWOW64\Gdamqndn.exe

MD5 6af2c1abbbc01ad06a0cdbc62d8a0bf6
SHA1 64229ad3da9783e14e5a4376283fe8d2339de26f
SHA256 b0cd1e64dff2b5982e7ccc6d38d2e92d7cf33f28c9cfd122c460fedc87f274c2
SHA512 bb4b36eeb5ece607d5b39f8bf4b1f8507ef94a1a98d9ba5deead0a22c0f2be328047aa0618b7ede6ae51612ced851b8996bb9343cadf46a0e0e3256d6aa99cd3

C:\Windows\SysWOW64\Ghmiam32.exe

MD5 9e21dfed4d70030ae3cf96e31ef60307
SHA1 cd0fd30ffc5f27dd159ab37f2c4f68108f2ee4b7
SHA256 6eb479819de375076f17033832b1883d957da600109160659567e1f840a6ee0f
SHA512 201cff214ddfffe3e8c4117e4452add26ad67c40969c7807935dd6c714b32b3e5dfd0012bf83f8f68158797abf5c2c2f0304548ec2f64f1d02ef1da26ae2da66

C:\Windows\SysWOW64\Gogangdc.exe

MD5 ecafc0565845ed5ab65801e7a183ae08
SHA1 09ee889ed37fbae613809ec4b481104ca038dc7f
SHA256 e443f7c4c9ab974ff7f3cfd4028daa0dca7a97df2e121c60b6a3e9dd6d2bc75b
SHA512 9add56bb4bde75078b794fc25b100d893a750db01e6f276621e129540d9f1cc177528a92bcf814047d1de2967252bcb32346b2307a9c236eee906fd829b7732b

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 0a4c2be796d3004729e8606e222d2c39
SHA1 e2dd25bdf1716af7dd9136e4f2e98404471f96c4
SHA256 0d87c580ddaa3ff9d6116c1b5d64ef96a1e928c9f92fe32154333ddafabc2b62
SHA512 5f7fb1da82e201a99bf58f6162eb51a9224ff3c2d713349ce386018417616686f2eb036514c4bd2a5be395075e1c547ec080b8fd4d40df799c4817730f461551

C:\Windows\SysWOW64\Gphmeo32.exe

MD5 a779f6c32a261aa2ea1f4ad7aff3687b
SHA1 5863fe479c275d94e0e072a2b240b3049a64e7dc
SHA256 5bb19bc21ba0be8ca8e6be8ed2e1ea90b601cd045447be10e1ed2ddf604096f9
SHA512 e087e708087394506c1bbe72e88fe17dc00a96ef743493efe32d8a08e16f6b341752e21c86b5900180c3bf15c14b3c9125c5848a3b33d2515f666c3ef1354e1f

C:\Windows\SysWOW64\Gddifnbk.exe

MD5 b6c6bd009132d8ff0199561e34ee80d1
SHA1 60c5e8eb73778bf33a5d203efb69956b01dc703f
SHA256 b3f74ec44731ccff8d5cb90e04092e86b7f8e4218711b262cdf02557e7b9eea7
SHA512 0a71a9cd247e3f7876c8161d5cff7d8305388bdf580bc1f77429d53a60bd3b8c2516c5aa45cfbacb65a917ef6bbcee87d909bf25eaf5d535572a35aedf09b669

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 cd78bf159e64c0067dd444fdf547a5e9
SHA1 864d238c405145de5092e8cad1b17fb3b26f4e3f
SHA256 3576f2c0ac70c245d61a340a0bfbfb0eb255debac7d07c8a2c6c57fed4d59035
SHA512 5ae89b84cd16e0dbf8515ca6a56a6713ec99dfd3b8c521a81d01f2737be7216c71b2709d0bad6594f12a9e8b372d7b0e6c6c9a6667f596bc84e1cd13237658cb

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 d5078f51ae5b6207336499190d0fda5a
SHA1 d0c04a95fef64f2e2744c4711899e1780e40c1c1
SHA256 b71f4cf2dc67a2e4df3141fad19e1d717fc5cadb9ab53178c68eb8b218a2e671
SHA512 a3241b73591f02ceff88c2e54b5c99e65664d8d62fefc00c57bc0bcb02d8e2fc2cf70b5e6b379c79d4bf11b6f915fc0a1eecd7bd8fd7edd62ca029bc3d562006

C:\Windows\SysWOW64\Hdfflm32.exe

MD5 fe830f6354f4d335e92b15496f914e6a
SHA1 6655939e2ea89b992c4a68329da5d48fdf796408
SHA256 056664ca28ea2de789fdf65f90804ba1db5c9310176b3c37b1fb9cf267ccfc46
SHA512 4f2df0fd378bed3770022bdaddbe8db1ff3b90e60739b97298d4781e76dc7edeacb1089a7363d332dfb59016a8020fda4de4b056c48973c7ae03d4423ba3bdd4

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 40fd754f452e8c8b0424c621156a7719
SHA1 bdf58eede4a4ca0bde0e58b0add4386445e648e8
SHA256 1f4ac4163c3113458ad413d9e8e838cca7cd63c383675850bc671f3e80200943
SHA512 560028d7bde14fec210e515a681a0a4359d952523ebe7c2eb9127e45948b7d47e225363cb36441a55165d58185916e1ce09298884a90392d9fd757024b23fd55

C:\Windows\SysWOW64\Hlakpp32.exe

MD5 f045b30f03a7de8b30f31d5d56acf364
SHA1 f6b85dd14727d4e8a0e12de039eda2777ea1effc
SHA256 bc8b73372dcdaff4ee1d833d8ba222b9e77d0184b908d2749463ac2a79b0b889
SHA512 7f053f1616e724fa29c209abede71edce7af891e84cba90545d9cfc0c32061c837e6f9bfcfbbb611759c1812c3da735e560c7eeca887548e9b31ca062f77d3fa

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 ba89b7db39cd54f515797b9a45a5784b
SHA1 c45ce9b3d994d94821a100d1e5b1970dcb10c8cd
SHA256 3b1972ed5f9ed296d3739ad0703d8f8c3b1814af335169f71da7c079dc40424a
SHA512 fdde0265b4ff692695a949d9848708e70a6c27f065cae0c1004d8a2b30159356e0bcdde3e447af14452d7a00561cc98c57fcd6426c165d980c4760699429df1b

C:\Windows\SysWOW64\Hnagjbdf.exe

MD5 425f8aba8bde3af75a8ff44f316e8694
SHA1 238339ed694830d7817be7426f190b3563a9d3ce
SHA256 88e1b38ff4c7735f9bb76b202c22d0a124e7a6eb6c686c26b56967326b16cee1
SHA512 9bb937ebf865d6f59cebc90bcc621318fb4b0ff30a0e1baa4ea112ddf703545aae80cd44dec1fb66f81bf6f3f75322775d9936450c68e0b0d2a3d6d8e863572a

C:\Windows\SysWOW64\Hobcak32.exe

MD5 e055c964bee9d95f01c98e98651271a4
SHA1 4ad052c53827de0316c2e3bb09177719c3c4e0ae
SHA256 2b1a4059834cee96423aabc3b43449bf778d93e88e23eaf12c43e53dd31b3ade
SHA512 d50470d38c66dac55c5ae427781a3adcc6f659d4a8f572acf722e48b7565ff3536eb972efb242d54879eee158e40390ed369a297d15523f235b7b130bde78192

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 d17bf8beec31ac209530b6985a3024ca
SHA1 9e454e838c6423121ae7910a9e66bc05013fe872
SHA256 b91c8fbdf3484d3a34dd51c5637f5b9050ef33bb6074902756ff2efd9fd0ab54
SHA512 abb921070634ea7747e81fe7ef5625cd6a18da58a0d55e86fcdb4b841f188fae9040148404f7495df7bc1d737c13fc37ececc19311e0c95ec6d4d4f4ebf6b3b0

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 6c1324fae688a7c141b7151f28fb561c
SHA1 7268e1ebb72914d7901717c8596e914a22214bf2
SHA256 6da5733d9aa13c6696046dcd37fb38ffc1177197d3d7a7f00eacdc26c06e9e96
SHA512 4c086f40a039184f0201220d33abe47ad40c350ea280d8616b20a61decc48898e2e9ab4c343ce8c8cc1103d85a219c9aa2b257146d1d07157d58d6e302c4b2d1

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 77fbf35f9ef5210b7d0154461affb5bb
SHA1 caef5423bec3beb7c582724cf4867120909c1c49
SHA256 4429b8e8e500d64e8842c37840ca0ea11fca7ced2be36bd4dca4167fc320b5a9
SHA512 6269f8928c2ebac704bd873dcbc1a7a0e133bb9abc03e83c5ab6e4ede279bbdb217452afd4d8a6e93436dfd6256506148d38ad0481dd1bab34d5e616d458f59d

C:\Windows\SysWOW64\Hpapln32.exe

MD5 b1f372fc2d2f7638f0abff94b0559600
SHA1 570812436da169e2325aaddad940e29aa932c6c3
SHA256 57aa5b19969312ee64dfada111704131c276244c62fcd7cf94dac44689ba3a93
SHA512 4aecb6afb05ffe92c1d6f81bc818787619ab28d07892c312542168d2b79bcf58eeb0d00bed8558cde2f293c2015cd5f4e77ede9795cbb6ea4e6ce96fcd772336

C:\Windows\SysWOW64\Hacmcfge.exe

MD5 3f6a5e40b97dfbc03aa29d50234caa3a
SHA1 ddfe35b84e483a6f087902cc5e4e0078a252518a
SHA256 ba259d25c05b75a560b6eeda9260d5810d3cb67dfa19db6708c98a1421b6d156
SHA512 3743d5a0ba7355e24a0911796372eb3803e426f75906b71312e06417e3deb7f124ed65f4e20980f264ac2db8ead01902bade893f490b0f49b64000cd282733f7

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 301ade487e50794cc7168289c37b415c
SHA1 c7568087fc6853c388c78241174bf07afcb81bbe
SHA256 9d8610227644ae2ab67bf4cff091b723aeb840d1af4a26d96773fbf9f980b644
SHA512 66be85a58a8c2ca9526c3936a6ad9e1368f940626f167372755fc86a64627f465bb235ad04b7f6f935f7ad991f4f6d3b1c2dfbb7c921ca58581a8c695ad4ca75

C:\Windows\SysWOW64\Hlhaqogk.exe

MD5 85c7f52de6fb91a7b6c91aaeb3a86eb7
SHA1 7b7d46ff249492c6c72ef57e7d982f34dda5fcc2
SHA256 792e3fe4abf95e4b5578ec330f3adc1aaeea0e1ea45997cb8f1ef2ef26655dbd
SHA512 b579f24014e612aa8379a5186a4d085eb8f8e2e91e483bf5c593a37131dbbb2b8d1d4888931b05e5267527a61b901ccc28da56030de83ebe11df239a3be45546

C:\Windows\SysWOW64\Hogmmjfo.exe

MD5 3d22540093a4a599a0ec5aea07339fae
SHA1 70f66500d549366cf9c1e29e59373dc2a4fdd2f5
SHA256 a83b9d12050c49675d8d7b863c2309879c018043d821c1dedacc1a3233cb2559
SHA512 517735ef1431f92e820dfe8ee370e0323e5be58144a08b2975c6fc235cfc2984df3d36bb493ac8e26bd8f4bc804cd5128396f2b8dd5df25b438016c24bcdfd18

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 bb1e69b3f613ae224e1bb91cf51911c5
SHA1 96933c513581b8b01aaede3bfea4004cd585d09e
SHA256 e1809e82bdcd533b06bf53ffc254f36127dd7d4ee9ed7633dee78c64e13fc980
SHA512 5efa70886ace66e63959781f363c51c96d9b3cfb66fe28506f22562f0b44dbd4514406aa72fd5a28c0fa4f659a217855a906a6aa8a29adb41442250ca958ca9a

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 f4937f43ec86b11d2df53cb04b9620df
SHA1 53d72be0b7a74b65f44650dbef68e9eaa0eed784
SHA256 e3aaa6fb6f580ba8dd316665712a1c98d23c1ccaebe686fe4b5aaa63cd602857
SHA512 45f48a778aa39d90c460f2e8eb5d5cefa448eed42b7c9e58891635a8f2d2e6e8bcdd1cadd0d0d318fe9a94232c669b50def31b3947fcf04ccaf003890c325bae

C:\Windows\SysWOW64\Iknnbklc.exe

MD5 20a9973b74af1ce5ac63289b731dca7b
SHA1 dcf05955e667ad65dd63e1ac981eef23e771a7a4
SHA256 b02e51db961fada41efdf9d8ef1a48edc758001b5af87c63dd3f0b0a41b3fcd9
SHA512 f0473d4410449d17c0b45469f667be701e62646ab04eac1dd74f39f3bdc448c45b768fe2e134a17c6070894abf5a1b4c4a6b173c1fb42bb8fc998f4e87a7359a

C:\Windows\SysWOW64\Inljnfkg.exe

MD5 bb0b3543e2cdbe8ddea5aaf151bf6b29
SHA1 54145aac8cf02b2bce5f7481d8f67ba084c40969
SHA256 16f822d29bc6d062fdf5ddc2e4b11d1035e744cee45048c6e732feb34569c71c
SHA512 ae48e7a95d458c2ea0a83400146489b58dd408a0c6b27b1bed656b320cb53ab502a28637925dd6f1eaa5e413d07fd5662d75e417c565560165ce8ee5a03cc7eb

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 a71948a1c8660ba93e28b191cbd90f9c
SHA1 c9a4e9747ae78048859c0516bffbd4f1cb52c02c
SHA256 67b0d2a509d9c217349f6db363789efa0e1b15da6ed75a0ab61e39fa8fb12aa2
SHA512 ecf30bf6f2994560cf252917044c0bfebcf515dcf65e48e76f4db573798e39424da7aa19d96662ae7824b366a0cf21ce531900064026f8797ec5fff5d1800b70

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 07:58

Reported

2024-05-19 08:00

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnepih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nggqoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhfee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqiogp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njacpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Liekmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lilanioo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgekbljc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kcifkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njacpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbapjafe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kcifkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lcpllo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldaeka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kpccnefa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgfoan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lilanioo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjjmog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcpllo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnhmng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgbnmm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpappc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kilhgk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kacphh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mglack32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nafokcol.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldaeka32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nafokcol.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbapjafe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lddbqa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mglack32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Liekmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lpcmec32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnocof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkepnjng.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdcijcke.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmccchkn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnepih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpccnefa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcpebmkb.exe N/A

Gozi

banker trojan gozi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kmegbjgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpccnefa.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbapjafe.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgmlkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kilhgk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kacphh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdcijcke.exe N/A
N/A N/A C:\Windows\SysWOW64\Kknafn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmlnbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcifkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpmfddnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgfoan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liekmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lalcng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgikfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmccchkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpappc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcpllo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnepih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpcmec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lilanioo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhmng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldaeka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklnhlfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddbqa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgbnmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjqjih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpkbebbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgekbljc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnocof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiklqhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkbchk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnapdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mamleegg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnhmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkepnjng.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcpebmkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mglack32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjjmog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnfipekh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpdelajl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnnhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkjjij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnhfee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nacbfdao.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Njogjfoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nafokcol.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqiogp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Njacpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhkac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqklmpdd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncihikcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkqpjidj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnolfdcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqmhbpba.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggqoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkcmohbg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Bpcbnd32.dll C:\Windows\SysWOW64\Kcifkp32.exe N/A
File created C:\Windows\SysWOW64\Efhikhod.dll C:\Windows\SysWOW64\Liekmj32.exe N/A
File created C:\Windows\SysWOW64\Lgikfn32.exe C:\Windows\SysWOW64\Lalcng32.exe N/A
File created C:\Windows\SysWOW64\Dnkdikig.dll C:\Windows\SysWOW64\Lalcng32.exe N/A
File created C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\SysWOW64\Lmccchkn.exe N/A
File created C:\Windows\SysWOW64\Geegicjl.dll C:\Windows\SysWOW64\Mglack32.exe N/A
File created C:\Windows\SysWOW64\Codhke32.dll C:\Windows\SysWOW64\Mjjmog32.exe N/A
File created C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Mnfipekh.exe N/A
File opened for modification C:\Windows\SysWOW64\Nacbfdao.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Kdcijcke.exe C:\Windows\SysWOW64\Kacphh32.exe N/A
File created C:\Windows\SysWOW64\Pdgdjjem.dll C:\Windows\SysWOW64\Mkbchk32.exe N/A
File created C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mglack32.exe N/A
File created C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Mgnnhk32.exe N/A
File created C:\Windows\SysWOW64\Bheenp32.dll C:\Windows\SysWOW64\Ldaeka32.exe N/A
File created C:\Windows\SysWOW64\Nqiogp32.exe C:\Windows\SysWOW64\Nafokcol.exe N/A
File created C:\Windows\SysWOW64\Lnepih32.exe C:\Windows\SysWOW64\Lcpllo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lilanioo.exe N/A
File created C:\Windows\SysWOW64\Egqcbapl.dll C:\Windows\SysWOW64\Mgnnhk32.exe N/A
File created C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nqiogp32.exe N/A
File created C:\Windows\SysWOW64\Majknlkd.dll C:\Windows\SysWOW64\Nqiogp32.exe N/A
File created C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Nqklmpdd.exe N/A
File created C:\Windows\SysWOW64\Bnjdmn32.dll C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File created C:\Windows\SysWOW64\Ogndib32.dll C:\Windows\SysWOW64\Lmccchkn.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\SysWOW64\Mamleegg.exe N/A
File created C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\SysWOW64\Mcnhmm32.exe N/A
File created C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Nqklmpdd.exe N/A
File created C:\Windows\SysWOW64\Ogpnaafp.dll C:\Windows\SysWOW64\Ncihikcg.exe N/A
File created C:\Windows\SysWOW64\Hehifldd.dll C:\Windows\SysWOW64\Kbapjafe.exe N/A
File created C:\Windows\SysWOW64\Ihaoimoh.dll C:\Windows\SysWOW64\Kdcijcke.exe N/A
File created C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Lgikfn32.exe N/A
File created C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lilanioo.exe N/A
File created C:\Windows\SysWOW64\Dnapla32.dll C:\Windows\SysWOW64\Lilanioo.exe N/A
File created C:\Windows\SysWOW64\Oedbld32.dll C:\Windows\SysWOW64\Mgekbljc.exe N/A
File created C:\Windows\SysWOW64\Dgcifj32.dll C:\Windows\SysWOW64\Mamleegg.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\SysWOW64\Mkepnjng.exe N/A
File created C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Nacbfdao.exe N/A
File created C:\Windows\SysWOW64\Ljfemn32.dll C:\Windows\SysWOW64\Nbhkac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File created C:\Windows\SysWOW64\Akanejnd.dll C:\Windows\SysWOW64\Kknafn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgbnmm32.exe C:\Windows\SysWOW64\Lddbqa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mnapdf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mglack32.exe N/A
File created C:\Windows\SysWOW64\Kmegbjgn.exe C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Lmmcfa32.dll C:\Windows\SysWOW64\Kpccnefa.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgmlkp32.exe C:\Windows\SysWOW64\Kbapjafe.exe N/A
File created C:\Windows\SysWOW64\Lppbjjia.dll C:\Windows\SysWOW64\Lgbnmm32.exe N/A
File created C:\Windows\SysWOW64\Kpdobeck.dll C:\Windows\SysWOW64\Mpkbebbf.exe N/A
File created C:\Windows\SysWOW64\Kpccnefa.exe C:\Windows\SysWOW64\Kmegbjgn.exe N/A
File created C:\Windows\SysWOW64\Jjblgaie.dll C:\Windows\SysWOW64\Kilhgk32.exe N/A
File created C:\Windows\SysWOW64\Legdcg32.dll C:\Windows\SysWOW64\Nnhfee32.exe N/A
File created C:\Windows\SysWOW64\Bghhihab.dll C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnocof32.exe C:\Windows\SysWOW64\Mgekbljc.exe N/A
File created C:\Windows\SysWOW64\Nacbfdao.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File created C:\Windows\SysWOW64\Kgmlkp32.exe C:\Windows\SysWOW64\Kbapjafe.exe N/A
File created C:\Windows\SysWOW64\Ckegia32.dll C:\Windows\SysWOW64\Lnhmng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Ipkobd32.dll C:\Windows\SysWOW64\Njacpf32.exe N/A
File created C:\Windows\SysWOW64\Addjcmqn.dll C:\Windows\SysWOW64\Nqmhbpba.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpccnefa.exe C:\Windows\SysWOW64\Kmegbjgn.exe N/A
File created C:\Windows\SysWOW64\Kkdeek32.dll C:\Windows\SysWOW64\Kgmlkp32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbapjafe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgbnmm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgekbljc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjjmog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll" C:\Windows\SysWOW64\Kilhgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmccchkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll" C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lilanioo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll" C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnocof32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Nggqoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll" C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Liekmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mglack32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kbapjafe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll" C:\Windows\SysWOW64\Mjjmog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgfoan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjqjih32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnocof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll" C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lalcng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lddbqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll" C:\Windows\SysWOW64\Mgekbljc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll" C:\Windows\SysWOW64\Kpccnefa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll" C:\Windows\SysWOW64\Lnepih32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll" C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjjmog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kilhgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lpappc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" C:\Windows\SysWOW64\Mkepnjng.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mglack32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kcifkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncihikcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll" C:\Windows\SysWOW64\Kgfoan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lcpllo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lgbnmm32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 1984 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 1984 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 2072 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kpccnefa.exe
PID 2072 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kpccnefa.exe
PID 2072 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kpccnefa.exe
PID 1064 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Kpccnefa.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 1064 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Kpccnefa.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 1064 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Kpccnefa.exe C:\Windows\SysWOW64\Kbapjafe.exe
PID 1576 wrote to memory of 3312 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kgmlkp32.exe
PID 1576 wrote to memory of 3312 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kgmlkp32.exe
PID 1576 wrote to memory of 3312 N/A C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kgmlkp32.exe
PID 3312 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Kgmlkp32.exe C:\Windows\SysWOW64\Kilhgk32.exe
PID 3312 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Kgmlkp32.exe C:\Windows\SysWOW64\Kilhgk32.exe
PID 3312 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Kgmlkp32.exe C:\Windows\SysWOW64\Kilhgk32.exe
PID 5044 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Kilhgk32.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 5044 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Kilhgk32.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 5044 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Kilhgk32.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 1368 wrote to memory of 1556 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kdcijcke.exe
PID 1368 wrote to memory of 1556 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kdcijcke.exe
PID 1368 wrote to memory of 1556 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kdcijcke.exe
PID 1556 wrote to memory of 736 N/A C:\Windows\SysWOW64\Kdcijcke.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 1556 wrote to memory of 736 N/A C:\Windows\SysWOW64\Kdcijcke.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 1556 wrote to memory of 736 N/A C:\Windows\SysWOW64\Kdcijcke.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 736 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kmlnbi32.exe
PID 736 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kmlnbi32.exe
PID 736 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kmlnbi32.exe
PID 2008 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kcifkp32.exe
PID 2008 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kcifkp32.exe
PID 2008 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kcifkp32.exe
PID 1664 wrote to memory of 900 N/A C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kibnhjgj.exe
PID 1664 wrote to memory of 900 N/A C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kibnhjgj.exe
PID 1664 wrote to memory of 900 N/A C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kibnhjgj.exe
PID 900 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kpmfddnf.exe
PID 900 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kpmfddnf.exe
PID 900 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kpmfddnf.exe
PID 2620 wrote to memory of 628 N/A C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kgfoan32.exe
PID 2620 wrote to memory of 628 N/A C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kgfoan32.exe
PID 2620 wrote to memory of 628 N/A C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kgfoan32.exe
PID 628 wrote to memory of 3928 N/A C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Liekmj32.exe
PID 628 wrote to memory of 3928 N/A C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Liekmj32.exe
PID 628 wrote to memory of 3928 N/A C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Liekmj32.exe
PID 3928 wrote to memory of 4468 N/A C:\Windows\SysWOW64\Liekmj32.exe C:\Windows\SysWOW64\Lalcng32.exe
PID 3928 wrote to memory of 4468 N/A C:\Windows\SysWOW64\Liekmj32.exe C:\Windows\SysWOW64\Lalcng32.exe
PID 3928 wrote to memory of 4468 N/A C:\Windows\SysWOW64\Liekmj32.exe C:\Windows\SysWOW64\Lalcng32.exe
PID 4468 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Lgikfn32.exe
PID 4468 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Lgikfn32.exe
PID 4468 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Lgikfn32.exe
PID 1216 wrote to memory of 888 N/A C:\Windows\SysWOW64\Lgikfn32.exe C:\Windows\SysWOW64\Lmccchkn.exe
PID 1216 wrote to memory of 888 N/A C:\Windows\SysWOW64\Lgikfn32.exe C:\Windows\SysWOW64\Lmccchkn.exe
PID 1216 wrote to memory of 888 N/A C:\Windows\SysWOW64\Lgikfn32.exe C:\Windows\SysWOW64\Lmccchkn.exe
PID 888 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Lpappc32.exe
PID 888 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Lpappc32.exe
PID 888 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Lpappc32.exe
PID 1920 wrote to memory of 224 N/A C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\SysWOW64\Lcpllo32.exe
PID 1920 wrote to memory of 224 N/A C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\SysWOW64\Lcpllo32.exe
PID 1920 wrote to memory of 224 N/A C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\SysWOW64\Lcpllo32.exe
PID 224 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Lcpllo32.exe C:\Windows\SysWOW64\Lnepih32.exe
PID 224 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Lcpllo32.exe C:\Windows\SysWOW64\Lnepih32.exe
PID 224 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Lcpllo32.exe C:\Windows\SysWOW64\Lnepih32.exe
PID 1192 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Lnepih32.exe C:\Windows\SysWOW64\Lpcmec32.exe
PID 1192 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Lnepih32.exe C:\Windows\SysWOW64\Lpcmec32.exe
PID 1192 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Lnepih32.exe C:\Windows\SysWOW64\Lpcmec32.exe
PID 4664 wrote to memory of 3716 N/A C:\Windows\SysWOW64\Lpcmec32.exe C:\Windows\SysWOW64\Lilanioo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kpccnefa.exe

C:\Windows\system32\Kpccnefa.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\system32\Kbapjafe.exe

C:\Windows\SysWOW64\Kgmlkp32.exe

C:\Windows\system32\Kgmlkp32.exe

C:\Windows\SysWOW64\Kilhgk32.exe

C:\Windows\system32\Kilhgk32.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kdcijcke.exe

C:\Windows\system32\Kdcijcke.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kcifkp32.exe

C:\Windows\system32\Kcifkp32.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kgfoan32.exe

C:\Windows\system32\Kgfoan32.exe

C:\Windows\SysWOW64\Liekmj32.exe

C:\Windows\system32\Liekmj32.exe

C:\Windows\SysWOW64\Lalcng32.exe

C:\Windows\system32\Lalcng32.exe

C:\Windows\SysWOW64\Lgikfn32.exe

C:\Windows\system32\Lgikfn32.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Lpappc32.exe

C:\Windows\system32\Lpappc32.exe

C:\Windows\SysWOW64\Lcpllo32.exe

C:\Windows\system32\Lcpllo32.exe

C:\Windows\SysWOW64\Lnepih32.exe

C:\Windows\system32\Lnepih32.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lklnhlfb.exe

C:\Windows\system32\Lklnhlfb.exe

C:\Windows\SysWOW64\Lddbqa32.exe

C:\Windows\system32\Lddbqa32.exe

C:\Windows\SysWOW64\Lgbnmm32.exe

C:\Windows\system32\Lgbnmm32.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mgekbljc.exe

C:\Windows\system32\Mgekbljc.exe

C:\Windows\SysWOW64\Mnocof32.exe

C:\Windows\system32\Mnocof32.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mcnhmm32.exe

C:\Windows\system32\Mcnhmm32.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.250:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 250.83.221.88.in-addr.arpa udp
BE 88.221.83.250:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/1984-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1984-5-0x0000000000432000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kmegbjgn.exe

MD5 404c7e14f75d0ce60d0cecaef2a4751d
SHA1 9882ff48ed8893f37d1ec00a026e493cc0c4b21b
SHA256 15848ba4d351a313f8c9acd47f6fa4322b0697ea0f0b9bea60d876e2c16b9315
SHA512 b8b5ff5f4d354d4f37add91663c43b52c22834944d7f2c874cfb0d9757dff1f49386c869b2658bbbb7065c5c8a39d972061c33883c8875a1df727ae5a4f86311

C:\Windows\SysWOW64\Kpccnefa.exe

MD5 c6cdeaedf29cd2ca068c9cf1758c218e
SHA1 b47c0bb135647af9a158c93987f66e974a83b826
SHA256 144d0a5c43c4c90b3f8d6a4594070688578ad953135ce00e38efdea37ab8e11a
SHA512 a903a7c104d6704ff6e5efd9614598727557746afd3dbc4cb4e35768b45816fc271d8800ef9571700a3ccfa0dba6add6ef357af378e3cdb06fd57fadb2ef05cb

memory/2072-13-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kgmlkp32.exe

MD5 588ddca9d65a415222e9b543e8b03328
SHA1 df8715c715c6a476e260351c6846840ee9022b6a
SHA256 1ffc0647dd52aa6e57fa3e2e6051b08903629a265e10944e128eb7c289f156f8
SHA512 5f8222ac76fa4faf909db70059486aff0ef33defa798465682740e8a4b89c56cff69cf8281ee13c9792aab8ba29f20555f298b317f2e65c28ff9243bebccef2f

memory/5044-43-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kilhgk32.exe

MD5 dc4984be6dcefcf1b3a201623bbef4cb
SHA1 d086310a3e9dda610869fecd26dfd2193a0d7b65
SHA256 556228e16266cb7d30c16d5655c1b36e77e6f04bfd94f8e3787add700142def9
SHA512 b1a5b20a5bfcb8ea4ab1c619727c596c4f1020fa11ebe57f023b9955ecfcf251e1037553c6d36c4844d29b4089022fe339ae3175f14d5b177d7f690cbe91e3fe

memory/3312-37-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1576-29-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1064-28-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kbapjafe.exe

MD5 17beb33a76b7d2517ec2677971c3972d
SHA1 fcc11a538bad66dedcfff41c95df61308e2b12fa
SHA256 8b40fa0418390b2d60a9f8ed59f971747387de4cf7989dd5d39c5559b029a8d9
SHA512 283afd694b926da437b3fd1799eb6ace3458fcf1269d5c0e2d5ea3ae3b651ed3cc1397e21e8cd9a80476912c5245c0cb7f608475ba35bdc03e3ecccf3f0d11a0

C:\Windows\SysWOW64\Kacphh32.exe

MD5 c0eb2278045d5106d988b086faf34c78
SHA1 df70623a3904a281b385a695cf5ddf0f108a632b
SHA256 ba9014bb9ec370776a98d569e9cecbb1d3fcc3bac703267843ccb3ab9fdf2edd
SHA512 52c66074f34975bc808e7ffa5e8a1de0f9fed37ee6a9805dea7e8618ee86473612e19f7e5350505e1f137f052aea815ef0da033d5f8cece86d0f38541ba38b68

memory/1368-49-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kdcijcke.exe

MD5 1b5f6137cfd07f7ae9594f1b12433e41
SHA1 ccaa46df642e000dc98feb5ab5217a5c9ef78c11
SHA256 bea49e7988e43e60bea36013a06a4833231fd8325d99078bba805196bd1e20d1
SHA512 755a4a30dc073b024872f283ae78d7372067da7619f5ce1530effdefc59df168c6a8afbe8bb811a911671cf1d5b3991c002853ed1f0f145cb4033425782ae601

memory/1556-57-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kknafn32.exe

MD5 ecc461a394868e874acb7ac601c23f76
SHA1 fd18aa3262096fa955725cf221b3ba492eefbb55
SHA256 513fcf1a47b9f0d726a0e57bfe3e86f8a69ba7dcbbd01313d33f9eb804bb3d94
SHA512 25a4fab7591c75516a0e8df9b59d7159c25e6ae0d8df62b2933ac17136252c2a837c81fa1302351e08728122b5f5d463d1f59289e2d24f116d6be0c84c3981c7

memory/736-65-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kmlnbi32.exe

MD5 22ca64a6b495486110ba11aa34e28606
SHA1 6aba4c2e39cc9973a5efc02b6183a71695951143
SHA256 ed8b5f118afe6dc5e0123a239869f386a51e3e4d423a4e700dfcf5c69d29be63
SHA512 688875d3c10f5ebf80177c077518d6f9faaaa5e7cf00af5626d9c292dbc0e7b0a272d676351bc34841c98d864bafa2354a84791cdcca9b52fe9c879a72341177

memory/2008-73-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kcifkp32.exe

MD5 4a50b9493c9f0eebe029262259f5d442
SHA1 91ccd0c6d99cde81e68a1945df6745b4a0e9b56f
SHA256 3b5b4e01bbea778bae88c57b2bcbc463e7a11f7e07b120d0aba577b04755666f
SHA512 73dff43119bfba93adca45cb9533f200ba59618468f7240320017be80cf591159b6c3ac7b672523b3ef51a59e5f18d50771dcc69bf00d0e33d00bb2241e3685f

memory/1664-80-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kibnhjgj.exe

MD5 8994313164ce9ffc09e372d836b1159c
SHA1 7374e5be620a87d05d24eb1a7728790ae61adfa7
SHA256 d5cd966e5b4d004c577302284c2c1b631c1b6b28585b3b4a674400260bd7ef9f
SHA512 3c6b6d71a5b856896b51ecef43063b018c22627ac1054cfa8ed591398cd71f8e17ec9205e50f083aca8b43643daa2583fcada4e6ccb63f11fb0aca267056bb17

memory/900-88-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kpmfddnf.exe

MD5 785b09bcf7820bba974586abc9123655
SHA1 8e0a8ae41a8d7e3d021ee6c4d6c4c3d9e81a8492
SHA256 4c882aa6a4892b258fd4a9c581350f4e2708a4c7c55b9b40c7218783828c08dc
SHA512 416ec1992210fd2b0446084c8f0af5bbf2b9771e2d3e50d22b082fcdc704a097f248a2b5a540b11d7bc9cc097d8468ffae42672922c6cbfaefa86be43b057c9d

memory/2620-97-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kgfoan32.exe

MD5 99a362e97e10c11e5ab470c9a76d2ba8
SHA1 46818f200dcf5535fcce21c7bc751c4ee19ac271
SHA256 ca173776015f6dfb2412a3e86d4afe3f48d2d20ecbdae232c1f9108000a8f923
SHA512 55f12f3d981340371503b2b22b398d05960ce07c06378833c86408aabf755ac5cb226e98b3963d464abb04fe7eab1bb199ad2888ca207bd64e4ffebb06cd8c14

memory/628-105-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Liekmj32.exe

MD5 49966d948fb641152fff9de0fd7141e6
SHA1 3206ba486e392c92ff7fce71ff8b7709ee2b79b4
SHA256 95aa8b5cf27f359f124174f9909a49f6be0bb261158a8ac6239b9bad58ea04c0
SHA512 fa54d369369875871f03c8e7154f6cd076f3c5be2fb0af0d8abfcf99402dfd7d663c12e9ce816b6d5a1cfaafa5f43e96252a0a6c291c8ff47ad394773a770ba0

memory/3928-113-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lalcng32.exe

MD5 a84e0cc4da1cf41ea01cfbda603e0b2f
SHA1 c59c880f1bdcaea395ac2c9da5b48af79a8f1585
SHA256 a3061fa062d63c3279fc2810d7e7c3f1a26d25d569011636c3e0aa8d2b141c3b
SHA512 83e22d395e02aad0d4c7c856ebb2e8c03d13deaaed320167f8be0f01bb1d2fd67c26924e64f7e5348a463009e878bee3c2279b000f853ea0fcaf84d6cfda265d

memory/4468-121-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lgikfn32.exe

MD5 cd8d83d2bc67e1ef79bc22df60ef6f5d
SHA1 66ce7922cd0191facb06784f8869f7d3a724e566
SHA256 d61c4f39a39f0f0d9bfbfc987f65b2b228291474f68f29d750e876d7416ff88b
SHA512 1859077a5efdadbc222da1b285033a2dbbcb04994489a4a0acad923442c201089aa7c3d2eee4a13b91ba24a94167eb89e079b539077ef77a89b3f0cc337ebc5f

memory/1216-129-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lmccchkn.exe

MD5 97fe1f0b6fba6c6ded1b09eb2f8316fc
SHA1 41357593d6a8c491dec0b7ae8e3527ad801439af
SHA256 f2e660ca74dd9d78184bc05d32a56d1cc196101df9139efca3e8b787f5320991
SHA512 96364579ea25b9d0d03de9ae65aadfc71bf32536c6af31cf48e2eb907e8aa0ca2fee9ac735304b6a7aa49dfaf23b63f32738546628059e313a9f97195675f787

memory/888-137-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lpappc32.exe

MD5 425f29c1ad773593a806a13f3b52e428
SHA1 4cac78b042ee8383d5572dd98e25108c99b250c6
SHA256 85a1c2305f3cbeedafdd0c2faebfab11a7d07aa68bd25b070f6f2ae2f78af565
SHA512 59b7ad61266055840922bc5f7bac3af272dcdddb62d7700f1f3c008b840cc07de4f78a69503f96307cbf93119c095708f74eaa09ade57b477e85f11589e1445e

memory/1920-145-0x0000000000400000-0x0000000000453000-memory.dmp

memory/224-152-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lcpllo32.exe

MD5 52014c21c3603ec6a1cc33d2b1102cf7
SHA1 bdba845eab88a4b46a3612c1e5d7b8eb3355359e
SHA256 bdd42cca2a602700f04b5458a1964cff908e5339c7ec23e06a3c105b31602915
SHA512 d9034db4a883be41338aaf78f12cb0e94ae4835b22fc47d12b1010e9c5c8bda4b6583298c1a3e2f845db7595125b92de40ca0bcb5a106c87f1917eac88094684

C:\Windows\SysWOW64\Lnepih32.exe

MD5 70ab24fb6829d4dae2b6750040505204
SHA1 adfd244da9ba79be7364b3064d038ca29b7d545f
SHA256 46653985ee2b1faac5c53387ffa3ebd3a91b3eafb928071ee8047091f777f9a0
SHA512 dc2f6118c1da4ba46d27d39b6fd62ceb9c0e1e0e48d2f4b363b6d6ab7c445504938c7d671402de3ebda9cec037f0020eabb9ae35bcd3f032017662f5994baee7

memory/1192-160-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lpcmec32.exe

MD5 26a611de47eebaddc892ec95d2b87194
SHA1 2b05b57d34c0e7389b270659f19280adda37e32d
SHA256 5bed1ab64d7e364fe2786199157d96f9f63f5b412ed096fed73e464502bf0d01
SHA512 56f274e3b0b7d06684da0760fa4e0e59b05b7f520129246745bfdd45cbfabbe66449b8e5b91677c829de760b627f5777d4edab20481b76bf7d8f2b4a1ad6e2ea

memory/4664-169-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lilanioo.exe

MD5 917ba7abac68c66129435f47f9746d6d
SHA1 16d7f382083b7c18592097278fdf5a022256cff2
SHA256 3139b71391cecc5cfdf43cc3324aaa4ec0efe2f2547b53456e757326253fd50f
SHA512 57ff1d28e07c8513ec8b205eb539c306098b9fd6a0529ba56e0df8b9d8df9f0593d19d3e4c74ea35f74427f08d98a45412d561952e28551c0e7fd247b9c27ddf

memory/3716-177-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lnhmng32.exe

MD5 0e80a509ced0c07746e6dfbb0a778f1e
SHA1 a3d576dc49262797d01045d27b1ef49985f27787
SHA256 0b9a1f86369208f442d8f3f5f9f6cdef429b081dd43a90a2f0aef742adc1015d
SHA512 82c9e86887c49c610b913b77d91b290ccfde89600ee979347317fc9f6eb3ba1c0036f86670312a7027875aa5c13dfc499d63a1d8c2049089dd9aa9e320cc44ab

memory/3708-185-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ldaeka32.exe

MD5 af85e4cb0322a5b5d4a476da64d47eff
SHA1 bbf6f6417efbe333b3fff7a4d0946d8825803be4
SHA256 a497677842b955600e7a8e5cc8a7e2bde4d82c690bb4c1240c848ce204eb54d6
SHA512 080ebeb3ab65c11462b67959b0fa00e30af1ab25b2c347c399e2c0a248b3c902f53556ca82f142c1d996d23f40e41eae475bfd571a2647702bfce14d71f162e7

memory/3632-197-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lklnhlfb.exe

MD5 9d8cb8ec9cebb4ecf149307b681e1c09
SHA1 b699f2cf18d6cedc98fd2f11b4adb1fffe08eedb
SHA256 dbd7947c852dcb0984ae6ee24eef012cf9ae7e01f7bc0428d1de1d37db4184bc
SHA512 014ec89d7720e2916c9d058cc5fba31e5ca138c4dceec17e75f861b6865e70bd6a303490402a9e3e56a959d616721f64b00bf8088a035b05a2264ee5feadff4b

memory/808-201-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lddbqa32.exe

MD5 12edc9c456393db1948687c5e23b788e
SHA1 02096fae5daa315ffba1d24003fbf3cc7692dd62
SHA256 31e0a9d4af121a71280f10c50b568376cd33d58b35917eb038987bc9d5f84349
SHA512 1e019b52d278a72c7a5ce716767d346dbf8c91b7a3605603728d570b6a937aa5aaa7c9b34c8431048a8765b73e206140bc32aea276ec1b6d7c212fea42a8ba5a

memory/4008-209-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lgbnmm32.exe

MD5 aed1afaf488671e5872b00c4d5783cd9
SHA1 4ffd99344d83daf2ec29aba0edd43108b836dfc3
SHA256 478011deb43df297c7a5845ba6d0b30c48255db88af2a39443e6791cf9961c69
SHA512 6ed384670cd79ef12a5bdc11452df7ff79749636f7f84712702477ce4a31211b77e0acfefc51bede98c649b1edc11a4eda412aeb48b7044ac4ac0310221b195b

memory/1420-217-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Mjqjih32.exe

MD5 b3f3038c96e509e1994fe34998e8ba7c
SHA1 9291b77910d439f2928588feacd70254e4355f97
SHA256 19e2e22db3c8cbfe550c538b849c191c109d15227fd9a57d2113013a1d307ce9
SHA512 cce61c2927a827a585b59765dcadbe5d7c673383c29ab0ba6a9bbd4ef57b86d1a3a23f11ed9030962c3ecca79eadb523d3bb1d303c1dfa52639fdc7a225e62e0

memory/1004-225-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Mpkbebbf.exe

MD5 bc71cbf30cb9204624001243e0f4a2d7
SHA1 92d79c733b82704768d3a69745112851b5e34468
SHA256 1ab2949eefdda27c7f0352f74bcab5f5d91fec40e5c747b0f49ec10af11a62c6
SHA512 fca20d91f88ce27a69b00bc317a275a4f076c71098d70e086ed3cb6c546c1b6dac8f07bdfb6231ff71b7e533f7524f3930631e9fa9fd1b0582a5858c31b803f6

memory/4000-233-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Mgekbljc.exe

MD5 f40cac85f22fb26147870a79b6a542ec
SHA1 c3e9943fa9ef4a8a259e6c347e7678be16f06ed3
SHA256 65ae8af0fb774a9f0af96800be040785f094a7bbcce301159ef10bb826b1cfcb
SHA512 c827bdedc6fd8124536370732d94d13308592c3bbbd92b17ead025b47d67676f77dc1544a8f887eb124ab585a3667968f1258b72238160a57ec436283c49bfe0

memory/3496-241-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Mnocof32.exe

MD5 91c6c9f5e6cfda169a675749d31610ad
SHA1 d6c0c749faac630b8b028ff5194f6ebc4edb334b
SHA256 bad641e0d72cf8e63dcb2ae7f3b814b37c05ae1c9ba07a1fb293c6ea836f4894
SHA512 40648995976c2ec43146ffbe6905eb0aba250b41a1b7c6fe5b9b75459b59816b4484bbbc42d0f68f739390cbf9a0b8b90afb6234e0ceb294f2f8442a57342aec

memory/3140-248-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Mdiklqhm.exe

MD5 f327cb1be3d3432a61a79ea79265dde8
SHA1 74aa41d7420e1b58fb2d4be53fda033c1bbc76f7
SHA256 7cfb91b2d431fa5cc468e43c1199d77b97e4a57e234114c405b6fe48ea1cf866
SHA512 eb9521487836dc1a0d021b68d89a9c660fb565ad56a69eb85107e985cdff8e1879419d1c4aa863a0cf0a38eaaf950facc2627ed1fa544c93e096cd9d546b9181

memory/4344-257-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1540-267-0x0000000000400000-0x0000000000453000-memory.dmp

memory/872-269-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2064-275-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1212-286-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4652-287-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1792-293-0x0000000000400000-0x0000000000453000-memory.dmp

memory/448-309-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4808-314-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1276-316-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3268-327-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4156-337-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2436-339-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2464-345-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1112-351-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2416-361-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4424-363-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4200-369-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3492-380-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5072-386-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2368-392-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3944-402-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2356-404-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1084-410-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2476-421-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4728-422-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2476-426-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2368-433-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2436-451-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4808-461-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3708-497-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3632-495-0x0000000000400000-0x0000000000453000-memory.dmp

memory/808-493-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4008-491-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1420-489-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1004-487-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4000-485-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3496-483-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3140-481-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4344-479-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1540-477-0x0000000000400000-0x0000000000453000-memory.dmp

memory/872-475-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2064-473-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1212-471-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4652-469-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1792-467-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3036-465-0x0000000000400000-0x0000000000453000-memory.dmp

memory/448-463-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1276-459-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1048-457-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3268-455-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4156-453-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2464-449-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1112-447-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2416-445-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4424-443-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4200-441-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4932-439-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3492-437-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5072-435-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2356-430-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1084-429-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4728-425-0x0000000000400000-0x0000000000453000-memory.dmp