Malware Analysis Report

2024-10-16 04:50

Sample ID: 240602-earlsahg7s
Target: 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe
SHA256: cec874dce92a056c7d8e63e725bd508190d49ae1745e07f0817398ccd495b04d
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: cec874dce92a056c7d8e63e725bd508190d49ae1745e07f0817398ccd495b04d
Threat Level: Known bad

The file 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Adds autorun key to be loaded by Explorer.exe on startup (persistence)
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-02 03:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 03:44
Reported: 2024-06-02 03:45
Platform: win11-20240426-en
Max time kernel: 4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lpocjdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngedij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lklnhlfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mdpalp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ijfboafl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imgkql32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdhine32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ldkojb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mgekbljc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iakaql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Imgkql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kknafn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ijkljp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jjbako32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmccchkn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lcdegnep.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgneampk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lklnhlfb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdmegp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jdhine32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjbako32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpcmec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njacpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lphfpbdi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mamleegg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nafokcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Majopeii.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifhiib32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpgdbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbfpobpb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdopod32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdcijcke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lgneampk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mkepnjng.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mncmjfmk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Iakaql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifhiib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiffen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icljbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijfboafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iapjlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibagcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imgkql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idacmfkj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijkljp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpgdbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbfpobpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmkdlkph.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmnaakne.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdhine32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjbako32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfhbppbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpaghf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkfkfohj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmegbjgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdopod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkihknfg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kacphh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kinemkko.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdcijcke.exe N/A
N/A N/A C:\Windows\SysWOW64\Kknafn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpjjod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpmfddnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kckbqpnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpocjdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldkojb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkdggmlj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmccchkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpcmec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgneampk.exe N/A
N/A N/A C:\Windows\SysWOW64\Laciofpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcdegnep.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklnhlfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphfpbdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lknjmkdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnlfigcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpkbebbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgekbljc.exe N/A
N/A N/A C:\Windows\SysWOW64\Majopeii.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmokb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkbchk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mamleegg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnhmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkepnjng.exe N/A
N/A N/A C:\Windows\SysWOW64\Mncmjfmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmegp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkgmcjld.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjjmog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdpalp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnnhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nacbfdao.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndbnboqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nklfoi32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ijkljp32.exe C:\Windows\SysWOW64\Idacmfkj.exe N/A
File created C:\Windows\SysWOW64\Lnohlokp.dll C:\Windows\SysWOW64\Mgekbljc.exe N/A
File created C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Icljbg32.exe N/A
File created C:\Windows\SysWOW64\Kdopod32.exe C:\Windows\SysWOW64\Kmegbjgn.exe N/A
File created C:\Windows\SysWOW64\Kpjjod32.exe C:\Windows\SysWOW64\Kknafn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lmccchkn.exe N/A
File created C:\Windows\SysWOW64\Dihcoe32.dll C:\Windows\SysWOW64\Nacbfdao.exe N/A
File created C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbfpobpb.exe N/A
File created C:\Windows\SysWOW64\Bdiihjon.dll C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
File created C:\Windows\SysWOW64\Jifkeoll.dll C:\Windows\SysWOW64\Lpocjdld.exe N/A
File created C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\SysWOW64\Mdpalp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njacpf32.exe C:\Windows\SysWOW64\Ncgkcl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jmkdlkph.exe N/A
File opened for modification C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kkihknfg.exe N/A
File created C:\Windows\SysWOW64\Kbdmpqcb.exe C:\Windows\SysWOW64\Kacphh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kpjjod32.exe N/A
File created C:\Windows\SysWOW64\Dgcifj32.dll C:\Windows\SysWOW64\Mamleegg.exe N/A
File opened for modification C:\Windows\SysWOW64\Idacmfkj.exe C:\Windows\SysWOW64\Imgkql32.exe N/A
File created C:\Windows\SysWOW64\Jgengpmj.dll C:\Windows\SysWOW64\Mkbchk32.exe N/A
File created C:\Windows\SysWOW64\Mdpalp32.exe C:\Windows\SysWOW64\Mjjmog32.exe N/A
File created C:\Windows\SysWOW64\Fibjjh32.dll C:\Windows\SysWOW64\Ndbnboqb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ibagcc32.exe C:\Windows\SysWOW64\Iapjlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbfpobpb.exe N/A
File created C:\Windows\SysWOW64\Dbcjkf32.dll C:\Windows\SysWOW64\Jjbako32.exe N/A
File created C:\Windows\SysWOW64\Jchbak32.dll C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
File created C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mkbchk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcdegnep.exe C:\Windows\SysWOW64\Laciofpa.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mnlfigcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mpmokb32.exe N/A
File created C:\Windows\SysWOW64\Bclgpkgk.dll C:\Windows\SysWOW64\Ibagcc32.exe N/A
File created C:\Windows\SysWOW64\Hfkkgo32.dll C:\Windows\SysWOW64\Idacmfkj.exe N/A
File created C:\Windows\SysWOW64\Iljnde32.dll C:\Windows\SysWOW64\Jkfkfohj.exe N/A
File created C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File created C:\Windows\SysWOW64\Ndclfb32.dll C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
File created C:\Windows\SysWOW64\Geegicjl.dll C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File created C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nnmopdep.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nnmopdep.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbdmpqcb.exe C:\Windows\SysWOW64\Kacphh32.exe N/A
File created C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Lkdggmlj.exe N/A
File created C:\Windows\SysWOW64\Njacpf32.exe C:\Windows\SysWOW64\Ncgkcl32.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Jbfpobpb.exe C:\Windows\SysWOW64\Jpgdbg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnlfigcc.exe C:\Windows\SysWOW64\Lknjmkdo.exe N/A
File created C:\Windows\SysWOW64\Hnfmbf32.dll C:\Windows\SysWOW64\Mdpalp32.exe N/A
File created C:\Windows\SysWOW64\Ibagcc32.exe C:\Windows\SysWOW64\Iapjlk32.exe N/A
File created C:\Windows\SysWOW64\Cmafhe32.dll C:\Windows\SysWOW64\Lkdggmlj.exe N/A
File created C:\Windows\SysWOW64\Mgekbljc.exe C:\Windows\SysWOW64\Mpkbebbf.exe N/A
File created C:\Windows\SysWOW64\Lcdegnep.exe C:\Windows\SysWOW64\Laciofpa.exe N/A
File created C:\Windows\SysWOW64\Eqbmje32.dll C:\Windows\SysWOW64\Lmccchkn.exe N/A
File created C:\Windows\SysWOW64\Nnmopdep.exe C:\Windows\SysWOW64\Njacpf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Icljbg32.exe N/A
File created C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Jkfkfohj.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkihknfg.exe C:\Windows\SysWOW64\Kdopod32.exe N/A
File created C:\Windows\SysWOW64\Joamagmq.dll C:\Windows\SysWOW64\Kknafn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Lkdggmlj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
File opened for modification C:\Windows\SysWOW64\Jkfkfohj.exe C:\Windows\SysWOW64\Jpaghf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdcijcke.exe C:\Windows\SysWOW64\Kinemkko.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Lpfihl32.dll C:\Windows\SysWOW64\Iapjlk32.exe N/A
File created C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kpmfddnf.exe N/A
File created C:\Windows\SysWOW64\Dempmq32.dll C:\Windows\SysWOW64\Iakaql32.exe N/A
File created C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
File opened for modification C:\Windows\SysWOW64\Jdhine32.exe C:\Windows\SysWOW64\Jmnaakne.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmnaakne.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ibagcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbfpobpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll" C:\Windows\SysWOW64\Lpcmec32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mdpalp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ijkljp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll" C:\Windows\SysWOW64\Nafokcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll" C:\Windows\SysWOW64\Iapjlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Idacmfkj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdhine32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll" C:\Windows\SysWOW64\Jpaghf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdcijcke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll" C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll" C:\Windows\SysWOW64\Ijfboafl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jdhine32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpmokb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mkepnjng.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll" C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" C:\Windows\SysWOW64\Jbfpobpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkepnjng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ijfboafl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lpocjdld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll" C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll" C:\Windows\SysWOW64\Icljbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kknafn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lgneampk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ijfboafl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iapjlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Njacpf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kdcijcke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgekbljc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iakaql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" C:\Windows\SysWOW64\Nnmopdep.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe C:\Windows\SysWOW64\Iakaql32.exe
PID 3272 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe C:\Windows\SysWOW64\Iakaql32.exe
PID 3272 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe C:\Windows\SysWOW64\Iakaql32.exe
PID 4796 wrote to memory of 4240 N/A C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Ifhiib32.exe
PID 4796 wrote to memory of 4240 N/A C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Ifhiib32.exe
PID 4796 wrote to memory of 4240 N/A C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Ifhiib32.exe
PID 4240 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Ifhiib32.exe C:\Windows\SysWOW64\Iiffen32.exe
PID 4240 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Ifhiib32.exe C:\Windows\SysWOW64\Iiffen32.exe
PID 4240 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Ifhiib32.exe C:\Windows\SysWOW64\Iiffen32.exe
PID 2392 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Icljbg32.exe
PID 2392 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Icljbg32.exe
PID 2392 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Icljbg32.exe
PID 3328 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 3328 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 3328 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 3560 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Iapjlk32.exe
PID 3560 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Iapjlk32.exe
PID 3560 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Iapjlk32.exe
PID 2036 wrote to memory of 3508 N/A C:\Windows\SysWOW64\Iapjlk32.exe C:\Windows\SysWOW64\Ibagcc32.exe
PID 2036 wrote to memory of 3508 N/A C:\Windows\SysWOW64\Iapjlk32.exe C:\Windows\SysWOW64\Ibagcc32.exe
PID 2036 wrote to memory of 3508 N/A C:\Windows\SysWOW64\Iapjlk32.exe C:\Windows\SysWOW64\Ibagcc32.exe
PID 3508 wrote to memory of 3128 N/A C:\Windows\SysWOW64\Ibagcc32.exe C:\Windows\SysWOW64\Imgkql32.exe
PID 3508 wrote to memory of 3128 N/A C:\Windows\SysWOW64\Ibagcc32.exe C:\Windows\SysWOW64\Imgkql32.exe
PID 3508 wrote to memory of 3128 N/A C:\Windows\SysWOW64\Ibagcc32.exe C:\Windows\SysWOW64\Imgkql32.exe
PID 3128 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Imgkql32.exe C:\Windows\SysWOW64\Idacmfkj.exe
PID 3128 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Imgkql32.exe C:\Windows\SysWOW64\Idacmfkj.exe
PID 3128 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Imgkql32.exe C:\Windows\SysWOW64\Idacmfkj.exe
PID 1708 wrote to memory of 760 N/A C:\Windows\SysWOW64\Idacmfkj.exe C:\Windows\SysWOW64\Ijkljp32.exe
PID 1708 wrote to memory of 760 N/A C:\Windows\SysWOW64\Idacmfkj.exe C:\Windows\SysWOW64\Ijkljp32.exe
PID 1708 wrote to memory of 760 N/A C:\Windows\SysWOW64\Idacmfkj.exe C:\Windows\SysWOW64\Ijkljp32.exe
PID 760 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Ijkljp32.exe C:\Windows\SysWOW64\Jpgdbg32.exe
PID 760 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Ijkljp32.exe C:\Windows\SysWOW64\Jpgdbg32.exe
PID 760 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Ijkljp32.exe C:\Windows\SysWOW64\Jpgdbg32.exe
PID 1956 wrote to memory of 4088 N/A C:\Windows\SysWOW64\Jpgdbg32.exe C:\Windows\SysWOW64\Jbfpobpb.exe
PID 1956 wrote to memory of 4088 N/A C:\Windows\SysWOW64\Jpgdbg32.exe C:\Windows\SysWOW64\Jbfpobpb.exe
PID 1956 wrote to memory of 4088 N/A C:\Windows\SysWOW64\Jpgdbg32.exe C:\Windows\SysWOW64\Jbfpobpb.exe
PID 4088 wrote to memory of 3872 N/A C:\Windows\SysWOW64\Jbfpobpb.exe C:\Windows\SysWOW64\Jmkdlkph.exe
PID 4088 wrote to memory of 3872 N/A C:\Windows\SysWOW64\Jbfpobpb.exe C:\Windows\SysWOW64\Jmkdlkph.exe
PID 4088 wrote to memory of 3872 N/A C:\Windows\SysWOW64\Jbfpobpb.exe C:\Windows\SysWOW64\Jmkdlkph.exe
PID 3872 wrote to memory of 112 N/A C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 3872 wrote to memory of 112 N/A C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 3872 wrote to memory of 112 N/A C:\Windows\SysWOW64\Jmkdlkph.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 112 wrote to memory of 3124 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jmnaakne.exe
PID 112 wrote to memory of 3124 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jmnaakne.exe
PID 112 wrote to memory of 3124 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jmnaakne.exe
PID 3124 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jdhine32.exe
PID 3124 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jdhine32.exe
PID 3124 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jdhine32.exe
PID 2740 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Jdhine32.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 2740 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Jdhine32.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 2740 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Jdhine32.exe C:\Windows\SysWOW64\Jjbako32.exe
PID 1144 wrote to memory of 4064 N/A C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jfhbppbc.exe
PID 1144 wrote to memory of 4064 N/A C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jfhbppbc.exe
PID 1144 wrote to memory of 4064 N/A C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jfhbppbc.exe
PID 4064 wrote to memory of 3236 N/A C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jpaghf32.exe
PID 4064 wrote to memory of 3236 N/A C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jpaghf32.exe
PID 4064 wrote to memory of 3236 N/A C:\Windows\SysWOW64\Jfhbppbc.exe C:\Windows\SysWOW64\Jpaghf32.exe
PID 3236 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jkfkfohj.exe
PID 3236 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jkfkfohj.exe
PID 3236 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jkfkfohj.exe
PID 2672 wrote to memory of 3280 N/A C:\Windows\SysWOW64\Jkfkfohj.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 2672 wrote to memory of 3280 N/A C:\Windows\SysWOW64\Jkfkfohj.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 2672 wrote to memory of 3280 N/A C:\Windows\SysWOW64\Jkfkfohj.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 3280 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kdopod32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Ifhiib32.exe

C:\Windows\system32\Ifhiib32.exe

C:\Windows\SysWOW64\Iiffen32.exe

C:\Windows\system32\Iiffen32.exe

C:\Windows\SysWOW64\Icljbg32.exe

C:\Windows\system32\Icljbg32.exe

C:\Windows\SysWOW64\Ijfboafl.exe

C:\Windows\system32\Ijfboafl.exe

C:\Windows\SysWOW64\Iapjlk32.exe

C:\Windows\system32\Iapjlk32.exe

C:\Windows\SysWOW64\Ibagcc32.exe

C:\Windows\system32\Ibagcc32.exe

C:\Windows\SysWOW64\Imgkql32.exe

C:\Windows\system32\Imgkql32.exe

C:\Windows\SysWOW64\Idacmfkj.exe

C:\Windows\system32\Idacmfkj.exe

C:\Windows\SysWOW64\Ijkljp32.exe

C:\Windows\system32\Ijkljp32.exe

C:\Windows\SysWOW64\Jpgdbg32.exe

C:\Windows\system32\Jpgdbg32.exe

C:\Windows\SysWOW64\Jbfpobpb.exe

C:\Windows\system32\Jbfpobpb.exe

C:\Windows\SysWOW64\Jmkdlkph.exe

C:\Windows\system32\Jmkdlkph.exe

C:\Windows\SysWOW64\Jbhmdbnp.exe

C:\Windows\system32\Jbhmdbnp.exe

C:\Windows\SysWOW64\Jmnaakne.exe

C:\Windows\system32\Jmnaakne.exe

C:\Windows\SysWOW64\Jdhine32.exe

C:\Windows\system32\Jdhine32.exe

C:\Windows\SysWOW64\Jjbako32.exe

C:\Windows\system32\Jjbako32.exe

C:\Windows\SysWOW64\Jfhbppbc.exe

C:\Windows\system32\Jfhbppbc.exe

C:\Windows\SysWOW64\Jpaghf32.exe

C:\Windows\system32\Jpaghf32.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kdopod32.exe

C:\Windows\system32\Kdopod32.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kbdmpqcb.exe

C:\Windows\system32\Kbdmpqcb.exe

C:\Windows\SysWOW64\Kinemkko.exe

C:\Windows\system32\Kinemkko.exe

C:\Windows\SysWOW64\Kdcijcke.exe

C:\Windows\system32\Kdcijcke.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Ldkojb32.exe

C:\Windows\system32\Ldkojb32.exe

C:\Windows\SysWOW64\Lkdggmlj.exe

C:\Windows\system32\Lkdggmlj.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lgkhlnbn.exe

C:\Windows\system32\Lgkhlnbn.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lgneampk.exe

C:\Windows\system32\Lgneampk.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Lcdegnep.exe

C:\Windows\system32\Lcdegnep.exe

C:\Windows\SysWOW64\Lklnhlfb.exe

C:\Windows\system32\Lklnhlfb.exe

C:\Windows\SysWOW64\Lphfpbdi.exe

C:\Windows\system32\Lphfpbdi.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mnlfigcc.exe

C:\Windows\system32\Mnlfigcc.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mgekbljc.exe

C:\Windows\system32\Mgekbljc.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mcnhmm32.exe

C:\Windows\system32\Mcnhmm32.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Mncmjfmk.exe

C:\Windows\system32\Mncmjfmk.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Ncgkcl32.exe

C:\Windows\system32\Ncgkcl32.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 72 -ip 72

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 72 -s 448

Network

N/A

Files


memory/1216-525-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1400-524-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1996-523-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1716-522-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1392-521-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3552-520-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4416-519-0x0000000000400000-0x0000000000441000-memory.dmp

memory/420-518-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4880-517-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4612-516-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5080-514-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3684-513-0x0000000000400000-0x0000000000441000-memory.dmp