Analysis Overview
SHA256
11c0f2eb3016a33c62f47764eaaa5874acdc0028cd77003e803e7b2a638623dd
Threat Level: Known bad
The file 0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:30
Reported
2024-06-03 22:33
Platform
win7-20240508-en
Max time kernel
145s
Max time network
125s
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bagpopmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ecmkghcl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkaqmeah.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cdlnkmha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffnphf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmoipopd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhjgal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ffnphf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cllpkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bpafkknm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmcoja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjpqdp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bagpopmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dgfjbgmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bpafkknm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cndbcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djbiicon.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Admemg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkodhe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aoffmd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdlnkmha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Filldb32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Gbijhg32.exe | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ioijbj32.exe | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| File created | C:\Windows\SysWOW64\Pccobp32.dll | C:\Windows\SysWOW64\Aoffmd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cljcelan.exe | C:\Windows\SysWOW64\Bcaomf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lghegkoc.dll | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Faagpp32.exe | C:\Windows\SysWOW64\Fcmgfkeg.exe | N/A |
| File created | C:\Windows\SysWOW64\Cibgai32.dll | C:\Windows\SysWOW64\Admemg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ahokfj32.exe | C:\Windows\SysWOW64\Aoffmd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oadqjk32.dll | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgahch32.dll | C:\Windows\SysWOW64\Fcmgfkeg.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdapak32.exe | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ooghhh32.dll | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdhaablp.dll | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjpqdp32.exe | C:\Windows\SysWOW64\Cllpkl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Elmigj32.exe | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Elmigj32.exe | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fddmgjpo.exe | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pabfdklg.dll | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojhcelga.dll | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljenlcfa.dll | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gldkfl32.exe | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| File created | C:\Windows\SysWOW64\Jondlhmp.dll | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmqgncdn.dll | C:\Windows\SysWOW64\Dgfjbgmh.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndkakief.dll | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmcoja32.exe | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Opanhd32.dll | C:\Windows\SysWOW64\Bkodhe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkpnhgge.exe | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhjgal32.exe | C:\Windows\SysWOW64\Cndbcc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hggomh32.exe | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbkeib32.exe | C:\Windows\SysWOW64\Cjpqdp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjnifgah.dll | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aoffmd32.exe | C:\Windows\SysWOW64\Admemg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aoffmd32.exe | C:\Windows\SysWOW64\Admemg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djbiicon.exe | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgfjbgmh.exe | C:\Windows\SysWOW64\Doobajme.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmhfjo32.dll | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bpafkknm.exe | C:\Windows\SysWOW64\Bghabf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlbodgap.dll | C:\Windows\SysWOW64\Copfbfjj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Doobajme.exe | C:\Windows\SysWOW64\Djbiicon.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajdadamj.exe | C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Cndbcc32.exe | C:\Windows\SysWOW64\Cdlnkmha.exe | N/A |
| File created | C:\Windows\SysWOW64\Naeqjnho.dll | C:\Windows\SysWOW64\Dqhhknjp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipjchc32.dll | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ihoafpmp.exe | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajdadamj.exe | C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcaomf32.exe | C:\Windows\SysWOW64\Bkfjhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfoihbdp.dll | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dqhhknjp.exe | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fiaeoang.exe | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cljcelan.exe | C:\Windows\SysWOW64\Bcaomf32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkodhe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkaqmeah.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dqhhknjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" | C:\Windows\SysWOW64\Ffnphf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cljcelan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opanhd32.dll" | C:\Windows\SysWOW64\Bkodhe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamcl32.dll" | C:\Windows\SysWOW64\Cbkeib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkfjhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll" | C:\Windows\SysWOW64\Fmcoja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bagpopmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" | C:\Windows\SysWOW64\Copfbfjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeohn32.dll" | C:\Windows\SysWOW64\Bkfjhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fmcoja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Doobajme.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jolfcj32.dll" | C:\Windows\SysWOW64\Ajdadamj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cllpkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cndbcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajdadamj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhjgal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Ajdadamj.exe
C:\Windows\system32\Ajdadamj.exe
C:\Windows\SysWOW64\Admemg32.exe
C:\Windows\system32\Admemg32.exe
C:\Windows\SysWOW64\Aoffmd32.exe
C:\Windows\system32\Aoffmd32.exe
C:\Windows\SysWOW64\Ahokfj32.exe
C:\Windows\system32\Ahokfj32.exe
C:\Windows\SysWOW64\Bagpopmj.exe
C:\Windows\system32\Bagpopmj.exe
C:\Windows\SysWOW64\Bkodhe32.exe
C:\Windows\system32\Bkodhe32.exe
C:\Windows\SysWOW64\Bkaqmeah.exe
C:\Windows\system32\Bkaqmeah.exe
C:\Windows\SysWOW64\Bghabf32.exe
C:\Windows\system32\Bghabf32.exe
C:\Windows\SysWOW64\Bpafkknm.exe
C:\Windows\system32\Bpafkknm.exe
C:\Windows\SysWOW64\Bkfjhd32.exe
C:\Windows\system32\Bkfjhd32.exe
C:\Windows\SysWOW64\Bcaomf32.exe
C:\Windows\system32\Bcaomf32.exe
C:\Windows\SysWOW64\Cljcelan.exe
C:\Windows\system32\Cljcelan.exe
C:\Windows\SysWOW64\Cllpkl32.exe
C:\Windows\system32\Cllpkl32.exe
C:\Windows\SysWOW64\Cjpqdp32.exe
C:\Windows\system32\Cjpqdp32.exe
C:\Windows\SysWOW64\Cbkeib32.exe
C:\Windows\system32\Cbkeib32.exe
C:\Windows\SysWOW64\Copfbfjj.exe
C:\Windows\system32\Copfbfjj.exe
C:\Windows\SysWOW64\Cdlnkmha.exe
C:\Windows\system32\Cdlnkmha.exe
C:\Windows\SysWOW64\Cndbcc32.exe
C:\Windows\system32\Cndbcc32.exe
C:\Windows\SysWOW64\Dhjgal32.exe
C:\Windows\system32\Dhjgal32.exe
C:\Windows\SysWOW64\Dqelenlc.exe
C:\Windows\system32\Dqelenlc.exe
C:\Windows\SysWOW64\Djnpnc32.exe
C:\Windows\system32\Djnpnc32.exe
C:\Windows\SysWOW64\Dqhhknjp.exe
C:\Windows\system32\Dqhhknjp.exe
C:\Windows\SysWOW64\Dmoipopd.exe
C:\Windows\system32\Dmoipopd.exe
C:\Windows\SysWOW64\Ddeaalpg.exe
C:\Windows\system32\Ddeaalpg.exe
C:\Windows\SysWOW64\Djbiicon.exe
C:\Windows\system32\Djbiicon.exe
C:\Windows\SysWOW64\Doobajme.exe
C:\Windows\system32\Doobajme.exe
C:\Windows\SysWOW64\Dgfjbgmh.exe
C:\Windows\system32\Dgfjbgmh.exe
C:\Windows\SysWOW64\Emcbkn32.exe
C:\Windows\system32\Emcbkn32.exe
C:\Windows\SysWOW64\Ecmkghcl.exe
C:\Windows\system32\Ecmkghcl.exe
C:\Windows\SysWOW64\Eijcpoac.exe
C:\Windows\system32\Eijcpoac.exe
C:\Windows\SysWOW64\Eeqdep32.exe
C:\Windows\system32\Eeqdep32.exe
C:\Windows\SysWOW64\Ebedndfa.exe
C:\Windows\system32\Ebedndfa.exe
C:\Windows\SysWOW64\Elmigj32.exe
C:\Windows\system32\Elmigj32.exe
C:\Windows\SysWOW64\Eajaoq32.exe
C:\Windows\system32\Eajaoq32.exe
C:\Windows\SysWOW64\Ejbfhfaj.exe
C:\Windows\system32\Ejbfhfaj.exe
C:\Windows\SysWOW64\Ebinic32.exe
C:\Windows\system32\Ebinic32.exe
C:\Windows\SysWOW64\Fjdbnf32.exe
C:\Windows\system32\Fjdbnf32.exe
C:\Windows\SysWOW64\Fmcoja32.exe
C:\Windows\system32\Fmcoja32.exe
C:\Windows\SysWOW64\Fcmgfkeg.exe
C:\Windows\system32\Fcmgfkeg.exe
C:\Windows\SysWOW64\Faagpp32.exe
C:\Windows\system32\Faagpp32.exe
C:\Windows\SysWOW64\Ffnphf32.exe
C:\Windows\system32\Ffnphf32.exe
C:\Windows\SysWOW64\Filldb32.exe
C:\Windows\system32\Filldb32.exe
C:\Windows\SysWOW64\Fdapak32.exe
C:\Windows\system32\Fdapak32.exe
C:\Windows\SysWOW64\Flmefm32.exe
C:\Windows\system32\Flmefm32.exe
C:\Windows\SysWOW64\Fddmgjpo.exe
C:\Windows\system32\Fddmgjpo.exe
C:\Windows\SysWOW64\Ffbicfoc.exe
C:\Windows\system32\Ffbicfoc.exe
C:\Windows\SysWOW64\Fiaeoang.exe
C:\Windows\system32\Fiaeoang.exe
C:\Windows\SysWOW64\Gpknlk32.exe
C:\Windows\system32\Gpknlk32.exe
C:\Windows\SysWOW64\Gbijhg32.exe
C:\Windows\system32\Gbijhg32.exe
C:\Windows\SysWOW64\Gicbeald.exe
C:\Windows\system32\Gicbeald.exe
C:\Windows\SysWOW64\Gpmjak32.exe
C:\Windows\system32\Gpmjak32.exe
C:\Windows\SysWOW64\Gejcjbah.exe
C:\Windows\system32\Gejcjbah.exe
C:\Windows\SysWOW64\Gldkfl32.exe
C:\Windows\system32\Gldkfl32.exe
C:\Windows\SysWOW64\Gbnccfpb.exe
C:\Windows\system32\Gbnccfpb.exe
C:\Windows\SysWOW64\Gaqcoc32.exe
C:\Windows\system32\Gaqcoc32.exe
C:\Windows\SysWOW64\Glfhll32.exe
C:\Windows\system32\Glfhll32.exe
C:\Windows\SysWOW64\Gmgdddmq.exe
C:\Windows\system32\Gmgdddmq.exe
C:\Windows\SysWOW64\Gdamqndn.exe
C:\Windows\system32\Gdamqndn.exe
C:\Windows\SysWOW64\Gkkemh32.exe
C:\Windows\system32\Gkkemh32.exe
C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\system32\Gaemjbcg.exe
C:\Windows\SysWOW64\Gddifnbk.exe
C:\Windows\system32\Gddifnbk.exe
C:\Windows\SysWOW64\Hiqbndpb.exe
C:\Windows\system32\Hiqbndpb.exe
C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\system32\Hcifgjgc.exe
C:\Windows\SysWOW64\Hkpnhgge.exe
C:\Windows\system32\Hkpnhgge.exe
C:\Windows\SysWOW64\Hlakpp32.exe
C:\Windows\system32\Hlakpp32.exe
C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
C:\Windows\SysWOW64\Hlcgeo32.exe
C:\Windows\system32\Hlcgeo32.exe
C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
C:\Windows\SysWOW64\Hhjhkq32.exe
C:\Windows\system32\Hhjhkq32.exe
C:\Windows\SysWOW64\Hcplhi32.exe
C:\Windows\system32\Hcplhi32.exe
C:\Windows\SysWOW64\Henidd32.exe
C:\Windows\system32\Henidd32.exe
C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
C:\Windows\SysWOW64\Hogmmjfo.exe
C:\Windows\system32\Hogmmjfo.exe
C:\Windows\SysWOW64\Iaeiieeb.exe
C:\Windows\system32\Iaeiieeb.exe
C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\system32\Ihoafpmp.exe
C:\Windows\SysWOW64\Ioijbj32.exe
C:\Windows\system32\Ioijbj32.exe
C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 140
Network
Files
memory/2848-0-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2848-6-0x0000000000290000-0x00000000002C3000-memory.dmp
\Windows\SysWOW64\Ajdadamj.exe
| MD5 | fa5d4d63d856a2d0c22473340e03fafe |
| SHA1 | c07c65f3c822296b6295c819266dd078738b075b |
| SHA256 | 450b136fdb2ace29a9a964c355a5ff62b34ca53fd56116fb8dfa0fa240cb10e2 |
| SHA512 | e2d6bde486d08816827391a90d3ceefcfd5317a0eda8dcfe91f81894b358efa8065f2b874ba5e2429818cf9a7ab8a35603366c82b711e1c28b69950ffbdf38cf |
memory/3028-13-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Admemg32.exe
| MD5 | 03058f2522f5cc1d63712a405cde473e |
| SHA1 | b1016baf1255251f817b79a7c8a8c58416fb3ef8 |
| SHA256 | c1d47c8d30908a0bcc028ae012485a0f9c129ebefe1a0a777ad19e2d35ea111d |
| SHA512 | 9c44d2d0ee0285ef02f84487beed5737491da3ca3bc019f24ea008482c49e73754439c26ccfa25f571c53acabc19592fe7757449194f75b2c8883e3ced898654 |
memory/2060-28-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3028-27-0x0000000000440000-0x0000000000473000-memory.dmp
memory/3028-26-0x0000000000440000-0x0000000000473000-memory.dmp
\Windows\SysWOW64\Aoffmd32.exe
| MD5 | 23a68fe4c96ece4d81bea3397684cf02 |
| SHA1 | f0530e863af04fe6d0c43e066f8b7d51b12ffcf7 |
| SHA256 | 39143feb072b4386cdc265ebde1bae0b7d84f53f7d1a284f785375fbf7d57c1a |
| SHA512 | d2cd0d15c9c17faa0a9bda8b5311269233d52c4fe4659bc53339c2751b9f4d3f024077a367de3d901d0dd3b1b3465337a4a9ac8859c5e0757089aff0a2248c82 |
memory/2060-37-0x00000000002F0000-0x0000000000323000-memory.dmp
memory/2752-42-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Ahokfj32.exe
| MD5 | b11d2c00b268c836a2ccf4d18867af88 |
| SHA1 | 4801b83734f5a8fad7c8f246626fc3b6d5afba1f |
| SHA256 | e4cb0eb5e0b5d78044096e28156efc729cff777ec3aea26b222a78ffc15e4a64 |
| SHA512 | 7aefeac52f2e0e751c6b15fb304efc05f1abb83f7425e91afaae0c33598d2ebad5bbce3a14b110f9755fee097cb6af31e9b4250a0dd3a5d156412163be4b6fe9 |
memory/2744-55-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Jkdalhhc.dll
| MD5 | 9a6e36987b77b0bb3ce2b445f129882b |
| SHA1 | fdd829aa049828af49185af1e193bdc27bff8a1b |
| SHA256 | b1a67fe5fd7fffaebe7dc41b48c24e116298042eaed15bea99c8a896e03d30fb |
| SHA512 | 933a65126b0c6081f01c8b9081a3a76a46411b3b94f78d8b857405e55e0fbe77387d2610e6f6dfd3ac0f172468108c91eaa5f140ee1bf0db578d95b20faaefc4 |
\Windows\SysWOW64\Bagpopmj.exe
| MD5 | c3748dd17476cfab6925e27169806d2d |
| SHA1 | 40d57b473f22c47af003afa9c43a97b76dc06b85 |
| SHA256 | 280a86b43310050d062ca4d655b31e18209b5d17a7234363d46e13e80dd4c9bc |
| SHA512 | ff71b7184cb2b4848866973ec1e0418ea943c246e29c2ca25f358f886cafb6967944f9a3d906b17c7b6386756d993fea73ab7abe429bbda0e93acf16a9182d67 |
memory/2744-65-0x0000000000280000-0x00000000002B3000-memory.dmp
\Windows\SysWOW64\Bkodhe32.exe
| MD5 | 56cf2816c7db1744707b30d83cd47b88 |
| SHA1 | dcef8c05165192c4820e4735668058eefaeb070f |
| SHA256 | b737816023f68846236fd43d062d4df43dbca5dcc1ba0ba9525eb7a069f32428 |
| SHA512 | b6371ae6e0642b481dab755f56d0631c00d0655ca3f19f7780a5d01e890198180ac5bb558cd0bb623b94ef60d629799db2e918af4dded2dc7a05811ab22f8963 |
memory/2536-82-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2196-81-0x0000000000310000-0x0000000000343000-memory.dmp
\Windows\SysWOW64\Bkaqmeah.exe
| MD5 | ae38ab291f4367214664162ddbe3aeed |
| SHA1 | 9924836b427a564fb261b6d6d7bdfc3033d58d05 |
| SHA256 | 249d023d1c7615e53a6c6e43326ff8ac481926d85cc2b60ad24e344a7c316523 |
| SHA512 | dc3046ba7d1f9f4326e6ed90715648d100dff97b80c16afbb5c62e76d4a834d15481c8a55f3078901faff995d998abdbc533b043fbb406916eab0f4ff293a5ac |
memory/2536-94-0x0000000000260000-0x0000000000293000-memory.dmp
memory/2404-96-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Bghabf32.exe
| MD5 | fd12521507f38faf50efbcbdc005fd86 |
| SHA1 | 0ce8f1dcf2e0c4df02aba1a2afffe0a197fee1aa |
| SHA256 | c9dda46f193e9dd5444b18bcbd0ed7406deb682d54d95b9415dccad9144e1611 |
| SHA512 | 059f62b80c00e995c37ddbfeb5b382771c6da957106b7565cc526843872d64a44a0295bdd6576b576b86f05b664551724dac215e32a399f034576fb438b962d9 |
memory/2584-109-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2584-117-0x00000000002D0000-0x0000000000303000-memory.dmp
\Windows\SysWOW64\Bpafkknm.exe
| MD5 | 716f0fbcb18d9ad03f791d11297c4133 |
| SHA1 | 1377b260082bf591049f8e73ebd9020a94cc860e |
| SHA256 | 56f05247ee707a9d54f6989cf132db23ac0b8fe8bb6550fb1fc95604c652b3d7 |
| SHA512 | 1cfdf8eb7c7d06b6370ad51cc8e870337bf85426756c47ef7bf02fc5ebd7aa1221e14b4eacf6feac5118dd4cb8dd2665768a88d36a40bb4d877d576f501f6381 |
\Windows\SysWOW64\Bkfjhd32.exe
| MD5 | 1b20bf538c8d16be6194acae8b52f460 |
| SHA1 | 037da6e216d137a95d4e19a8b7d5cf98ad62a355 |
| SHA256 | 2015e9e9c6accd1f028803656df46eea7d532667525acac2d1f40074111ceb72 |
| SHA512 | 356d1c65c9a9a9f3317d3d34b9ac4315eac0c9dc2c2d17361a491ea80b75d90c8119e574482d6a8760e2efc1db87a22c2354124fffbe51d1d7c76b31580e35ec |
memory/2432-135-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Bcaomf32.exe
| MD5 | 05fbf358db5af076dfcc2d4bf58ac481 |
| SHA1 | 933ef6add53d84232f3948306f0b7dbd5475a1ce |
| SHA256 | 20c7b58dbe588f23514dfd536957263b9feab6d043ae9c94509b634563c8f40c |
| SHA512 | 11ed43362807b871d3389ef69a6c708929f01efb1a4b6e38cfe93cf52e242e1e0fe1671f1b94c12eafff61b6b34442f9a3ce9051be19a262a0fc045928a71108 |
memory/2432-147-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1636-149-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Cljcelan.exe
| MD5 | a897a5c6a2e23d71585d65e6db2bf2f9 |
| SHA1 | a182c576f29e96ee66181f313cef8f2f63d1d9a9 |
| SHA256 | d0fb12b8329223a0edcf1cc7647ee5273314b403434d0ebfca36d376654f24a6 |
| SHA512 | e2c9d9fe3fa6eddf67c8ceed4ae6b1f81cd94a64737d187e857a0a84d409fdb4fe1fda09bf5dcde643e1e5deac6e41e973f143b781e607e306085b0d1c5b4b22 |
memory/344-162-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Cllpkl32.exe
| MD5 | 88589cfbeda5fff638adce627a5c82ed |
| SHA1 | 4685eb81bd210a8896b7d08ecedbb1a556ec7ff1 |
| SHA256 | a8da72732be265e120c37b7d63408a49c3634798147715286b1141db661f5888 |
| SHA512 | d06503faf2032d760373910e5de6d11b50e7fd37e7e9357caf71dcd715664a040f2b2babf15b0806ba6be7197855f71b6c2ed07271fca838d7149e9e169f1585 |
memory/344-169-0x0000000000290000-0x00000000002C3000-memory.dmp
\Windows\SysWOW64\Cjpqdp32.exe
| MD5 | dd527651d89666a42286ac3c76956781 |
| SHA1 | c33dcbc00d9d91b247fc8c40cbecf977c4ddb7ee |
| SHA256 | 90d322031ef6006f05c7585b8667dface09ff91a03dd6ed64845b4f90a99e4b7 |
| SHA512 | 2aa4b51daff8683e588b13f4ee190fa3e40d45893b77737e0ffb56dc47545da81dcde1053f7e08ca9bbee3368ea86a6daf6ae0ed756fc60619726856d50d610a |
memory/1760-189-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1276-188-0x00000000002E0000-0x0000000000313000-memory.dmp
\Windows\SysWOW64\Cbkeib32.exe
| MD5 | e6d360f4a9d57204b31df0b21e5dd088 |
| SHA1 | b1590c3aa086eb9e6272cc0356848b8cd955db89 |
| SHA256 | d967699f67020f259edbd8f22dcde8887ed3b6dbcb222c5c3fed679e54091e9e |
| SHA512 | 413a8044ed05c6ff042a753d1d22bfcc588d66facfc65ef1bec34d997f4f6d6a90dc4beb1cb6d546e84fbdef1b312bb904348ad1912f087e1f6c5eb1c6aa21d5 |
memory/1760-201-0x0000000000310000-0x0000000000343000-memory.dmp
memory/2840-203-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Copfbfjj.exe
| MD5 | 5b540529b1c3d0a212c4f888bc3afe94 |
| SHA1 | 718c522dc99ba021fa9a2ca60f19e0052ddf1cb2 |
| SHA256 | a7df8dd13ac7a31749b0d55fc217efdb9f56697a4056e1cb3e00a399bf57c860 |
| SHA512 | 784ca013576167966ef269a66d4f0ca95748cef68b9cd18f2d24cc5c3ddab397e25e6b3721311a3edc520c229252bf85689c660db663b023a07e22b8a333b28d |
memory/2240-216-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2296-227-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2240-226-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Cdlnkmha.exe
| MD5 | f411dd70daadc16ff6eac7d91f6c4f11 |
| SHA1 | 8fef5fd260aa871d122baaca2e5e1c277f4950bd |
| SHA256 | eb63ced04d768d8973664fb8d160e4340f960b0771c88ae4446079b95c9eb54b |
| SHA512 | 0a4168ae8990817ac384cd0473068cc85652bb17774ad05097baeb1828a51df237db1f96963ba3874c12efd3854e54d726cb521a49da2d65d43bb3ebfb06db65 |
C:\Windows\SysWOW64\Cndbcc32.exe
| MD5 | 2c56cc989938a543d1cf2a605fc09c21 |
| SHA1 | 26ac93ffa28c08165b764c2bce4b932bb647501e |
| SHA256 | 0a1ea448f16cfdfd81533644784e68e9894a640605c3a405e6fa464287c4db92 |
| SHA512 | edf62366863ced089ded5a19ba4ee2faf84fe1dfc9b57576348fcdfd46c769ae75e7445f4eccdcfcd8dc6144a16c69370c0bd6bf22b97d7655a5122367d3fdf6 |
memory/2296-236-0x00000000002A0000-0x00000000002D3000-memory.dmp
memory/960-237-0x0000000000400000-0x0000000000433000-memory.dmp
memory/960-243-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Dhjgal32.exe
| MD5 | e4d99ff14216e0d3da36ddfa8d344d83 |
| SHA1 | 26d18c0a8021117f86abe2ce922a6dfbe0a991f8 |
| SHA256 | 7fbeede6d2b2edab1439d7460807bca608f1e3aa0624ddc9220dac770124227f |
| SHA512 | 2e70e41c1e60bd8d6bc419d1440fd5519b86f170bfaa66ba6c33960d3d45ff5b5de2c126a42ec1e9f7ede2f562e122e11a64d59378e6f2428fbd1492f6ea54c2 |
memory/1988-247-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Dqelenlc.exe
| MD5 | 1f06a9c3b75ab4aa687bba77c860618e |
| SHA1 | a175a89a1b69cc048b9af6e71361e1373c7ecc5f |
| SHA256 | ecd074c2776465e33418dcf4893a7d616c3d945c554f16df8f34bf3369b0d210 |
| SHA512 | 5d7ff9be728e917173e706a8f295ef76510f9d48b8e220f7e9817d19394129fa6fa5628112e3f1ecf8f2bc92e3828e30a6373eaad3581494f188bd03537e7020 |
memory/1988-256-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1520-257-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Djnpnc32.exe
| MD5 | dbb40ed9085a8a05182f8e0c143e49c7 |
| SHA1 | adbf369c9c7d43fccaed39a6b909e31dcbe419a9 |
| SHA256 | 5e7c898bd1eb87e0eb3c509656e9fede0167d687cc7010279027d7393e1f0b57 |
| SHA512 | c46cc4a8de83e44c34e78f95552969af9074f308fe3039bca298659ec3517c958b3392f31ff2d2cb97e0d1e614ea810b2c77502d962b1b9a36c59d96f4276207 |
memory/1520-263-0x00000000002B0000-0x00000000002E3000-memory.dmp
memory/1100-267-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Dqhhknjp.exe
| MD5 | e253b6f4ec6b3a402244c2467c9e4ff8 |
| SHA1 | 092c1125e59557581c65a275877097d1da6552e5 |
| SHA256 | a98f7abddb30c39baaf9861194c7b3b9053dd7702391bc36283c7ded3cfb5f02 |
| SHA512 | a2d6fd79959d82e1b6b71f558d0411ee6cac32c749eb8e41dabe0ab6c04e9f9728982fe04adaf68ae89eda4ff0355e4363d72119ac2012a00cc1c4f8a0917990 |
memory/1072-277-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1100-276-0x00000000007A0000-0x00000000007D3000-memory.dmp
C:\Windows\SysWOW64\Dmoipopd.exe
| MD5 | 4726c08275ad46ca4684bd177a60c7f9 |
| SHA1 | 617987298cf13e2f2fd7ad96cd7f6fa8030a8e9c |
| SHA256 | 2e049b57977feff90f6743f0464f7ea817c35bab1d3a186b2a258ccf9fd7da88 |
| SHA512 | 2e1d3d314a3a8ef5d97a584526ae3b56e8335e29b1f187dfef5a7489036598577e00eece02fd69dc9b735818d4ab4deb91107f7f04b42aa0043f740a61c98965 |
memory/1012-289-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ddeaalpg.exe
| MD5 | 0e4e26ec004d7104261755e82a00b6ad |
| SHA1 | 72852731b4597353240f250c8b80986313ddb341 |
| SHA256 | f40ec528327bb5d0af0c47310e1e443344a90d719e76ce591a3044b30fbb0afc |
| SHA512 | 01777e7470dd9dfca8a06fdab5a28eb27e9eb28d40f84e0cebf94dacdcf8c5779996275aabab5067a2001d2aeb4caea1b4a0ffc5c9f076c6ecc85cd151ff9730 |
memory/1756-296-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1012-295-0x00000000005D0000-0x0000000000603000-memory.dmp
memory/1756-302-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Djbiicon.exe
| MD5 | 5b8a59408f63bf1191df771fe9bc4af0 |
| SHA1 | d7384d710e4a3cccee09c26faccf44062a1ac22b |
| SHA256 | ec39272fb55d910fbf46f49c9c1889bbaac6be9e89a552f774b21c89e84189f4 |
| SHA512 | df5a67bea511f3ac8f706d3006c9043c9e34046566c000290eb59ec401973c83d074b53309e5c43bbe926ac2e664e59873aa0eedad569389d24759efeff85643 |
memory/1756-306-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2820-307-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Doobajme.exe
| MD5 | 146fbabe8930bb1eb0fbc4e5930f945c |
| SHA1 | 3601234e0cd5384fa0ba25a40c58cc100aefbd92 |
| SHA256 | d04330a5db44b6d2f8894ecb9e15f3431cde2919ade9e20dbb79258607e9c874 |
| SHA512 | 799e870105907a93071e5919cdb8f3ec26f11990a1b2badca6efd583f0510e6fea23a57f21becc74ad3ea7d42fa298abd013eeb8bd8a861cf6b454c9334a27f8 |
memory/1820-318-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2820-317-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2820-316-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Dgfjbgmh.exe
| MD5 | ae47ea8be70c735f255b9c3b31738d05 |
| SHA1 | 59bebbe90c66398f960f0daf39f4fb86851805a6 |
| SHA256 | c8c08bdf429de0335984a3ce006d37fb7b7e2cc7c64890eec024b42d3ad59fb1 |
| SHA512 | 31da32a03e9df6e2862a1ca407baf983cd66cb149a3cb65b1e939894d2a6bdff3816d2d44877d2636d20eaada7b43d79df1463257a7da7ae150696c58ab28d3e |
memory/1820-327-0x0000000001F70000-0x0000000001FA3000-memory.dmp
memory/1820-328-0x0000000001F70000-0x0000000001FA3000-memory.dmp
memory/1704-333-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Emcbkn32.exe
| MD5 | 0413aa9c5863156b1d8ece16075851db |
| SHA1 | 8badb9f738a9609c22afac61aeca170cfa4b28c0 |
| SHA256 | dece7905ccd5582e6456a8734999265a4a2ccf2e11a2b1a5165fb0ac5d0fb047 |
| SHA512 | 0f1645c5d2188b060616f6380e63df94d4c955b5ff8218d7accce851d180903ab876552d35b9a9ea559520cfef429b5c25fa080c362a5ecfed2075ee94b67b76 |
memory/1552-343-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1704-342-0x00000000002E0000-0x0000000000313000-memory.dmp
memory/1704-338-0x00000000002E0000-0x0000000000313000-memory.dmp
memory/1552-346-0x00000000002A0000-0x00000000002D3000-memory.dmp
C:\Windows\SysWOW64\Ecmkghcl.exe
| MD5 | cbfc7260b16a3f9d436a7134fe73f6c8 |
| SHA1 | 2bb607143b1e75aad4d6080ee1c88a0728448bc3 |
| SHA256 | 9dacf2d7d16ab083c4d25c2af2e4427b62938254fbb7b7e4fc766c42523da694 |
| SHA512 | 9fd43743f20d8b7ae167a3f5a19d585c14c7f2f05198b8506fb9925167289d99f591421b479f5c6777adb8aafcdc5f2e44dcd402908bb586c764d84a3c457043 |
memory/1552-354-0x00000000002A0000-0x00000000002D3000-memory.dmp
memory/1056-361-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1056-360-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Eijcpoac.exe
| MD5 | 86657bcc7828a3f817fd50a7e10ff99a |
| SHA1 | 1d5010b840bea1b1442aea54d90013a6eb24bdd2 |
| SHA256 | e7e033584362559476c0adbcaddc0870d0034c356fc9a71f4a15a933234d2e30 |
| SHA512 | 5ce74151322d9b05263c49a811bca05da2a0372c754730fe8f7f436572b239bccd308e0caeaa1d2c80a945aacdd0dad1b63445db7e94794c3bd8184ff4bbb65f |
memory/1056-356-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2728-362-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2728-371-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Eeqdep32.exe
| MD5 | 5a0bc5c0352c467c53f7528795e0aed2 |
| SHA1 | edb60b760ffc6fa78eb9051470b9248c5bebbb43 |
| SHA256 | c8ea96c4861aad87018f3e8b779da332a9147975c7676d9ff8ad6b16d1d1511d |
| SHA512 | 2470429eff4cd22596890db04a0078413c597bb50812bd371e877df748aadeea061adc6da23ed21eeb95d8b2634eff6e23471aa8c7e3a8a613fa059d8f210d0e |
memory/2784-373-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2728-372-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Ebedndfa.exe
| MD5 | fabfdc3d3e9b02fa8719c61f6919f31a |
| SHA1 | f3725180c43714579755d9a4c05e8bd6f84de726 |
| SHA256 | 9179402b44cd062a4d5f9cdd4d506d32fffd28f5c2d8b4f3ef88ae51b54af230 |
| SHA512 | 504ae37fdd29d2243991e2ab7959a0e052bcfe17987a25b67360b8cb474dbd465bc802da7a1a20b05b66ffbfcdd99ad96efa6fc8abdc514cca41a82b669aeab7 |
memory/2784-383-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2548-384-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2784-382-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Elmigj32.exe
| MD5 | 0e762bd30024f25032fd151e257aa09e |
| SHA1 | 68ce1b65811902d578ecded7512acd8875b417de |
| SHA256 | 1d324426269bd014f85ab73b818f744fe59fd6d6f44321bd3456274142f90b8f |
| SHA512 | ff2216c6156b1ab3279176d7f7778363d9a8aefcfe0173d1ef3966965e760af0148fd9fa874a434064be2090bad6a42360226b1b44bd4ce13184b1a4e3924291 |
memory/2520-395-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2548-394-0x0000000000310000-0x0000000000343000-memory.dmp
memory/2548-393-0x0000000000310000-0x0000000000343000-memory.dmp
memory/2520-404-0x0000000000290000-0x00000000002C3000-memory.dmp
memory/2940-406-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2520-405-0x0000000000290000-0x00000000002C3000-memory.dmp
C:\Windows\SysWOW64\Eajaoq32.exe
| MD5 | 3afecc64c17c81deb5ceb65815388948 |
| SHA1 | 9ca287446b167e37910e8ce90279e9faaf7967dc |
| SHA256 | acead1b7bd714f859e51f828cdd6f4f55db3efd426a8b53f10b89140d4dd7a9f |
| SHA512 | a611cd2aaecb4404c00972641701c259f7614b1dd8e859a0c232e9d51f301b0d9beea9c03e515d5abbf2954ad0e504b96d93b09702eae2278abc536b03750d70 |
C:\Windows\SysWOW64\Ejbfhfaj.exe
| MD5 | 117a93b14a934d8d752946f4efb3dfcc |
| SHA1 | 8018dc74ccadeefefdfe0979b6b625224cd7c633 |
| SHA256 | c7043a077f82baed4d9afabef2f175487c8a1fc6df89ae604d51fa1088b24045 |
| SHA512 | 8360ca556c0b83d57975f0ab3183a12628433cb324c3f2411f2b2d18f5cbad3a82c71f66671d2c5129a9ba36e4cf222ac37f9fedbef21b1d77620ddaed83379e |
memory/2940-419-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1448-421-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2940-420-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1448-423-0x0000000000340000-0x0000000000373000-memory.dmp
C:\Windows\SysWOW64\Ebinic32.exe
| MD5 | 90c5909f979640265d2a3eb73086c23e |
| SHA1 | 9f2cb762c20513684cb48a962102a8c86841aca2 |
| SHA256 | 0f995464410e7065c8439b25579d9080bb7f6cddc71abada1565dc4fbae8cc40 |
| SHA512 | 3617df5608458d5e0ed4334bc6f85ebd15b326e98cf9a12bd89211123416ef6f399151a750c4bb379906e8c6ea35d20203a78cf04656459481e3f4492d8d5a99 |
memory/2844-428-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1448-427-0x0000000000340000-0x0000000000373000-memory.dmp
memory/2336-439-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-438-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2844-437-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Fjdbnf32.exe
| MD5 | 68a14dc3979d90fdd876be5b9327ff40 |
| SHA1 | 607d8b56522c92fe078c3c30f20d6adb21c5aa79 |
| SHA256 | 82cc5c0624c2d21cb589ae4dc13abdf7f7c6e7f70f6f18361345296763505902 |
| SHA512 | c7649816db424fb3e2ef77e0b89961ca983bef2088a3f5a67f5fb3ba95d5f7f322cbb36aa8923dc4e3461f96d994fcb16416b9d297ff3fdc0ab8a9b64e5080ae |
C:\Windows\SysWOW64\Fmcoja32.exe
| MD5 | 67718ec32c9f78f7f13715f093b5b692 |
| SHA1 | 50a62314f5992a1ad5e6dbc2c5a1b48dc4df0633 |
| SHA256 | ef685bfeabdc80fc9c9dab4dd1bbfa8c6c2ffc635b378b2c97c41444c2b33e6f |
| SHA512 | da87d2b6ca6f2ac6971e78beb44715d1a1e8b217f959b79bf304a065bdb3dc245a94789e15e1b426b7bcb41f9fe24a1901e9deabcf35f6ee978ee05933061237 |
memory/1292-450-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2336-449-0x0000000000260000-0x0000000000293000-memory.dmp
memory/2336-448-0x0000000000260000-0x0000000000293000-memory.dmp
memory/1292-459-0x0000000000290000-0x00000000002C3000-memory.dmp
memory/1292-460-0x0000000000290000-0x00000000002C3000-memory.dmp
memory/308-461-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fcmgfkeg.exe
| MD5 | b82363664a3c514e083273a6cc740628 |
| SHA1 | e6c8ca0876988e968c2244f96a4796ab467e391b |
| SHA256 | 161108d89a609212edd1180af66e9fead97bc8defbb506a13d6912688a2c8b2c |
| SHA512 | 6fba86800fec7894a860e7eb1498ec5cb39e57fee51857b667521f93b718726f32bd16689f5e83b3e7d46359eef078e438c2630414cbb4f48bfc73007200e640 |
C:\Windows\SysWOW64\Faagpp32.exe
| MD5 | 3c5d31efe1fc15aa1f1e0d12cb4f21f7 |
| SHA1 | c88657bd2b903c0db8e380c77916b8baa68ac9c4 |
| SHA256 | a0383226c29fa135e7c2a9fb80e766c18b388e85c1fab853e9366651a5d23c54 |
| SHA512 | ec878b612ea76ba79e100b550c530d794885d5e573aef5912d05509031366daab11964a9a6c936839c2f748cffc918fa18f870ae54f23a57af87ffa70e36de87 |
memory/1508-472-0x0000000000400000-0x0000000000433000-memory.dmp
memory/308-471-0x00000000002B0000-0x00000000002E3000-memory.dmp
memory/308-470-0x00000000002B0000-0x00000000002E3000-memory.dmp
C:\Windows\SysWOW64\Ffnphf32.exe
| MD5 | 31fc4c1a99029b2a470d6bcf51d99eb2 |
| SHA1 | b764c81d93994d0bf2aacacd9707ecb5d207b6f7 |
| SHA256 | 1e7fe18c87c5aaafbabebcd916cb02dc0eb4c498f5b033a88474693c2e11d8a8 |
| SHA512 | 5b5c4538645e06b6ddf50666a77e293f8f36a88c305337cccad71bf1a71da649efb6e796e5c8b076f6cb98f7fdda15903402c64bbfc8a0722e5f7da1bdb843a2 |
memory/1256-483-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1508-482-0x0000000000290000-0x00000000002C3000-memory.dmp
memory/1508-481-0x0000000000290000-0x00000000002C3000-memory.dmp
C:\Windows\SysWOW64\Filldb32.exe
| MD5 | 3e27f06c65626e603fbaa3bdd2c2da43 |
| SHA1 | a7471ebae4d63205edccb06887a288abd5dc3ac6 |
| SHA256 | 2b4ed49bac9a2024322163b0d46ff5a1488508cf6f2d40572ff1cdfe3e73ca57 |
| SHA512 | 5a946e559f261b6713934a4eaf21598daea302653bddcd9f2c3c578aed6a16bb4b9eea619cae836d809fe4f3dcd479f7b9125f395394b7c42dbfc81a05e36c1d |
memory/1256-492-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2264-494-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1256-493-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Fdapak32.exe
| MD5 | 3acaac81d924664c5f2a232f2f8d79cf |
| SHA1 | 5a245db3c453b26ec057a98d2d78342faceb31f9 |
| SHA256 | 19bf24712049bf0288bf2afb6b6ea2f4773236d4367a7e288784c09d18275199 |
| SHA512 | ef0a0410df9d03721a279f87eb5d4de7c9fd043c4a290ce93303e5a62537e8e8472e5b97f1dda251bc295bfd7545efe213bed53a5d20664839939e35758af29e |
memory/2264-500-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Flmefm32.exe
| MD5 | 1d7bbd199418c818b6d8c64e2fd7c266 |
| SHA1 | 0dbb67e8e2bbdfb050e9e783719ae94ea46a09b5 |
| SHA256 | 238f0715ad31ec756fb55d9b7d4c98f5f11118bec4eb0768043f83dcb7d67e77 |
| SHA512 | 898b4fed12eb96f07a77cea123793388bbd6987e6190edc9ac294d0d3876791153f9cd4b0b397a71cdc9159c1b34688fa982d4e0f7cd4fa15cf8f9f71efd3ac8 |
C:\Windows\SysWOW64\Fddmgjpo.exe
| MD5 | 4d345148070c99e3fa6fe5495750b830 |
| SHA1 | fd6ba3c38b856ca93284de8255fe10a4981617d0 |
| SHA256 | fe9c6101e86ef6fb8d93e96a781f546c4358da46b1729b227e38413f000cfca8 |
| SHA512 | da2ea310ea678b7c0f993512c6e9d214566e7b94f5ffee98d3b053f670c494c6e2a4536fe37d56dba7becd25cc41ebc555d4c41a7924c12725f111f883224f4a |
C:\Windows\SysWOW64\Ffbicfoc.exe
| MD5 | d02afdf756015b275a1d13ab7fba68fd |
| SHA1 | ba49bc73050efdae3902e0d05a67c94a9dee3fcc |
| SHA256 | a72ede8242bf2084c994e3504993ca4adb5e18bb98b610f0d0b9b708980b1042 |
| SHA512 | 2909ddd97d9c5f4808cbf6c919fc486b87f1d90d53b8cc47715b72a0801e3342f9b042214925bcfaf951983e8563becac3302373d4fb0cdf780ab8ba7353d547 |
C:\Windows\SysWOW64\Fiaeoang.exe
| MD5 | 8e1311be9b81e1b833f9d12d77e9cda2 |
| SHA1 | 631f610997520699ca91ded721b3f11759398b08 |
| SHA256 | b7abde5a1da85fd289180a176bea6c72e45566884300d114ad9e4bbecfa0d462 |
| SHA512 | 8dcdd660b8d4d8a680ce3be1a22710b218fc30a022550db3db1bedbd94b886247fb86883447a8209cd6680f99c49fb512ac191786636ca812e50b38fa294c5bb |
C:\Windows\SysWOW64\Gpknlk32.exe
| MD5 | 4f5ad76bd5d49b79b4013cab9ae0d354 |
| SHA1 | 623749560aa3f53b4878e57d734356d52133f9ac |
| SHA256 | 7b47a146d19634f01325ca6133412a9981b3631cd26cb033ad5e297e3a5cf83c |
| SHA512 | 4569391283369cbb41d36b4275de79d13e1c2ac20479890e25397b1ee2384820530af4013cc041807ba5d6eb7178a8d5d266b2778b3dc7924ae10034ddc056b8 |
C:\Windows\SysWOW64\Gbijhg32.exe
| MD5 | 7ed5559402b889ebc698ef1116673973 |
| SHA1 | 0eb7fded30a13eef875c4238d69a8ce38381b254 |
| SHA256 | 28c5129c71bf32ae66b54f5c894efa9046ae8c64dd479545ae93b1aa80a38279 |
| SHA512 | 1c820411cd6b6ccd79c529a9544a6d82339fc98a8056c72d616b52247f87c496b646f9cf40e7667002bc517de9db998a99ff3e7394eb019aa744b3bd283942f0 |
C:\Windows\SysWOW64\Gicbeald.exe
| MD5 | 10fc83e09342571b66cdb1dea83d137a |
| SHA1 | f4639e673c32c17306a76c9133b4e6a992572415 |
| SHA256 | c805e197bd02cf0864ca414959558968319187acc00cd7a5d6b32fc37e57af87 |
| SHA512 | d99b4b27f5881bc63200d863508963bd52d113b525e609f10062e567b5f62d3f072b0e2a95282eb8163ceff2eb5c3d746962bbab5fdf1c1f353ad25a8e431b03 |
C:\Windows\SysWOW64\Gpmjak32.exe
| MD5 | d077da832e33574742dd0203973b3bac |
| SHA1 | ad3a91303a46718c2c0cf67bfa4de1f87ea98637 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:30
Reported
2024-06-03 22:33
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gofkje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jfaedkdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jpijnqkp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jplfcpin.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmppcbjd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ehnglm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkfoeega.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgddhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acjclpcf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cojjqlpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pmidog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Liddbc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Eamhodmf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdgdgnbm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcmgfbhd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Heocnk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpnchp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Flnlhk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Kiidgeki.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Likjcbkc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acnlgp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Belebq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Onholckc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiefcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Lebkhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mpjlklok.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afjlnk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bnlnon32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fkciihgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ocnjidkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pjhlml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jpgmha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mdjagjco.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffimfqgm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcpclbfa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ilidbbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jlpkba32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aqppkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dddojq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fojlngce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gblngpbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hcmgfbhd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hmfkoh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Andqdh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Peqcjkfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bopgjmhe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eoolbinc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mbfkbhpa.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Dogogcpo.exe | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jefbfgig.exe | C:\Windows\SysWOW64\Jbhfjljd.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpablkhc.exe | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kboeke32.dll | C:\Windows\SysWOW64\Acjclpcf.exe | N/A |
| File created | C:\Windows\SysWOW64\Aabmqd32.exe | C:\Windows\SysWOW64\Andqdh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaepqjpd.exe | C:\Windows\SysWOW64\Ajkhdp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flfelggh.dll | C:\Windows\SysWOW64\Mdhdajea.exe | N/A |
| File created | C:\Windows\SysWOW64\Aqppkd32.exe | C:\Windows\SysWOW64\Anadoi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Beihma32.exe | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfghpl32.dll | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pflplnlg.exe | C:\Windows\SysWOW64\Pdkcde32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjpckf32.exe | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Daqbip32.exe | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| File created | C:\Windows\SysWOW64\Liddbc32.exe | C:\Windows\SysWOW64\Lffhfh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lpebpm32.exe | C:\Windows\SysWOW64\Lljfpnjg.exe | N/A |
| File created | C:\Windows\SysWOW64\Phkjck32.dll | C:\Windows\SysWOW64\Lmiciaaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpjlklok.exe | C:\Windows\SysWOW64\Mlopkm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gfngap32.exe | C:\Windows\SysWOW64\Gcojed32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbjoljdo.exe | C:\Windows\SysWOW64\Clpgpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Anfmjhmd.exe | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbceejpf.exe | C:\Windows\SysWOW64\Kpeiioac.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgokmgjm.exe | C:\Windows\SysWOW64\Ldanqkki.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mdhdajea.exe | C:\Windows\SysWOW64\Mlampmdo.exe | N/A |
| File created | C:\Windows\SysWOW64\Njqmepik.exe | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdkcmdhp.exe | C:\Windows\SysWOW64\Bbifelba.exe | N/A |
| File created | C:\Windows\SysWOW64\Agkbbg32.dll | C:\Windows\SysWOW64\Daolnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Collmj32.dll | C:\Windows\SysWOW64\Edpnfo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikpaldog.exe | C:\Windows\SysWOW64\Iefioj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajkaii32.exe | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdlgno32.dll | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gblngpbd.exe | C:\Windows\SysWOW64\Gkaejf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lffhfh32.exe | C:\Windows\SysWOW64\Kdgljmcd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ojjolnaq.exe | C:\Windows\SysWOW64\Ocpgod32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfdjmlhn.dll | C:\Windows\SysWOW64\Ofqpqo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qfcfml32.exe | C:\Windows\SysWOW64\Qceiaa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Linjpeof.dll | C:\Windows\SysWOW64\Eolpmi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gohhpe32.exe | C:\Windows\SysWOW64\Gmjlcj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gdhmnlcj.exe | C:\Windows\SysWOW64\Gbiaapdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njqmepik.exe | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ckpjfm32.exe | C:\Windows\SysWOW64\Cecbmf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Klljnp32.exe | C:\Windows\SysWOW64\Kebbafoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Klqcioba.exe | C:\Windows\SysWOW64\Kibgmdcn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Llemdo32.exe | C:\Windows\SysWOW64\Ligqhc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dboiieof.dll | C:\Windows\SysWOW64\Obidhaog.exe | N/A |
| File created | C:\Windows\SysWOW64\Lphoelqn.exe | C:\Windows\SysWOW64\Lmiciaaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnpllc32.dll | C:\Windows\SysWOW64\Nggjdc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Icnpmp32.exe | C:\Windows\SysWOW64\Ilghlc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmhnkg32.dll | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cacamdcd.dll | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aejfpjne.exe | C:\Windows\SysWOW64\Alabgd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfoiokfb.exe | C:\Windows\SysWOW64\Ibcmom32.exe | N/A |
| File created | C:\Windows\SysWOW64\Khchklef.dll | C:\Windows\SysWOW64\Jpnchp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aglemn32.exe | C:\Windows\SysWOW64\Acqimo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iihkpg32.exe | C:\Windows\SysWOW64\Ibnccmbo.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmkjkd32.exe | C:\Windows\SysWOW64\Bjmnoi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaqgek32.exe | C:\Windows\SysWOW64\Aldomc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbiaapdf.exe | C:\Windows\SysWOW64\Gkoiefmj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcjpfk32.dll | C:\Windows\SysWOW64\Lgmngglp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cagobalc.exe | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgbdlf32.exe | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jcllonma.exe | C:\Windows\SysWOW64\Jmbdbd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmbfpp32.exe | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afjlnk32.exe | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bclhhnca.exe | C:\Windows\SysWOW64\Beihma32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Nnqbanmo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbnajo.dll" | C:\Windows\SysWOW64\Ffkjlp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll" | C:\Windows\SysWOW64\Nfgmjqop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll" | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dknpmdfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gbdgfa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Iblfnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mgkjhe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bdolhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Collmj32.dll" | C:\Windows\SysWOW64\Edpnfo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jplfcpin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll" | C:\Windows\SysWOW64\Acjclpcf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjljbfog.dll" | C:\Windows\SysWOW64\Fkciihgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lekehdgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll" | C:\Windows\SysWOW64\Ogbipa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll" | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll" | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahamf32.dll" | C:\Windows\SysWOW64\Aaqgek32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnenbk32.dll" | C:\Windows\SysWOW64\Cbjoljdo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll" | C:\Windows\SysWOW64\Hkdbpe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Icnpmp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mlopkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cbjoljdo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll" | C:\Windows\SysWOW64\Ndfqbhia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Qjpiha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppelifin.dll" | C:\Windows\SysWOW64\Qajadlja.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fojlngce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lboeaifi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll" | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgnafam.dll" | C:\Windows\SysWOW64\Dhidjpqc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fdgdgnbm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gkoiefmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll" | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll" | C:\Windows\SysWOW64\Mgkjhe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll" | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Pdpmpdbd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Peqcjkfp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlbaq32.dll" | C:\Windows\SysWOW64\Gcojed32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmann32.dll" | C:\Windows\SysWOW64\Gfngap32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gofkje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfeopj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Lpcfkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bhikcb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cogmkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhkicgk.dll" | C:\Windows\SysWOW64\Gdcdbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll" | C:\Windows\SysWOW64\Mnebeogl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnonbk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll" | C:\Windows\SysWOW64\Jpnchp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qceiaa32.exe | N/A |
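The rows above only make sense as a chain: the "Adds autorun key" signature plants a value under ShellServiceObjectDelayLoad (SSODL) whose data is a CLSID, and these "Modifies registry class" rows set that CLSID's InProcServer32 default value to a freshly dropped DLL in SysWOW64. Explorer.exe resolves the SSODL entry through the CLSID at logon and loads whatever DLL is registered there, so the persistence artifact is the pair (SSODL value, InProcServer32 DLL), not either one alone. Note also that every dropped EXE in the chain rewrites the default value with its own DLL, so the registry on disk ends up naming only the last writer; the IOC set is the whole list of DLL paths. The script below, added here as an example and not taken from the report or the sandbox that produced it, reconstructs that chain from rows in the report's own table format and, on a Windows host, repeats the lookup against the live registry. The sample rows are copied from the table above except the SSODL row, which is constructed in the same format (the value name and the writing process in that row are assumptions).

```python
"""Rebuild the SSODL -> CLSID -> InProcServer32 persistence chain from the
registry rows of a sandbox report, and optionally check a live Windows host.

Added example, not part of the report or of any tool behind it. Sample rows
are copied from the report's registry table; the SSODL row is constructed
(value name 'Web Event Logger' and writer Okjbpglo.exe are assumptions).
"""
import re
import sys
from collections import defaultdict

# One markdown row of the report: | op | indicator | process | target |
ROW_RE = re.compile(
    r"^\|\s*(?P<op>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*(?P<tgt>[^|]*?)\s*\|$")
# Indicator of a "Set value" row: <key>\<value name> = "<data>"; "Key created" rows have no "="
SET_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]*?)\s*=\s*"(?P<data>.*)"$')
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad$", re.I)
INPROC_RE = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.I)

SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Okjbpglo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll" | C:\Windows\SysWOW64\Acjclpcf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lekehdgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll" | C:\Windows\SysWOW64\Ogbipa32.exe | N/A |
"""


def normalize_key(key):
    """Fold the 32-bit registry view into the 64-bit one so both spellings match.
    The sample is 32-bit, so WOW64 redirected its writes under Wow6432Node;
    that is why the report shows both 'Wow6432Node' and 'WOW6432Node'."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.I)
    return re.sub(r"\\WOW6432NODE(?=\\)", "", key, flags=re.I)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("op") != "Description":   # skip the header row if present
            rows.append(m.groupdict())
    return rows


def persistence_chain(rows):
    """Map each SSODL value name to its CLSID and to every DLL registered as that
    CLSID's InProcServer32 default value, with the processes that wrote each."""
    ssodl = {}                                       # value name -> CLSID
    servers = defaultdict(lambda: defaultdict(set))  # CLSID -> DLL path -> writers
    for r in rows:
        m = SET_RE.match(r["ind"])
        if not m:
            continue                                 # "Key created" rows carry no data
        key, name = m.group("key"), m.group("name")
        data = m.group("data").replace("\\\\", "\\")  # the report doubles backslashes in data
        if SSODL_RE.search(key):
            ssodl[name] = data.upper()
        else:
            im = INPROC_RE.search(key)
            if im and name == "":                     # default value = server DLL path
                servers[im.group("clsid").upper()][data].add(r["proc"])
    return {n: {"clsid": c, "dlls": {d: sorted(w) for d, w in servers[c].items()}}
            for n, c in ssodl.items()}


def live_ssodl_entries():
    """On Windows, enumerate SSODL in both registry views and resolve each CLSID's
    InProcServer32 DLL. Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            k = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                               r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
                               0, winreg.KEY_READ | view)
        except OSError:
            continue
        i = 0
        while True:
            try:
                name, clsid, _ = winreg.EnumValue(k, i)
            except OSError:
                break
            i += 1
            try:
                s = winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InProcServer32",
                                   0, winreg.KEY_READ | view)
                dll = winreg.QueryValueEx(s, "")[0]
            except OSError:
                dll = None                           # dangling CLSID: still worth a look
            found.append((name, str(clsid), dll))
    return found


if __name__ == "__main__":
    for name, info in persistence_chain(parse_rows(SAMPLE_ROWS)).items():
        print(f"SSODL '{name}' -> {info['clsid']}")
        for dll, writers in info["dlls"].items():
            print(f"  InProcServer32 = {dll}   written by {', '.join(writers)}")
    for entry in live_ssodl_entries():
        print("live host:", entry)
```

Run against the full table the report prints, the "dlls" map becomes the list of every dropped DLL that was ever registered as the server; on a suspect host, compare the output of `live_ssodl_entries()` against the small set of SSODL values a clean image of the same Windows build carries, and treat any entry whose DLL sits in SysWOW64 under a name like the ones above as the artifact to collect.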
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Okjbpglo.exe
C:\Windows\system32\Okjbpglo.exe
C:\Windows\SysWOW64\Onholckc.exe
C:\Windows\system32\Onholckc.exe
C:\Windows\SysWOW64\Oqgkhnjf.exe
C:\Windows\system32\Oqgkhnjf.exe
C:\Windows\SysWOW64\Ogaceh32.exe
C:\Windows\system32\Ogaceh32.exe
C:\Windows\SysWOW64\Ojopad32.exe
C:\Windows\system32\Ojopad32.exe
C:\Windows\SysWOW64\Okolkg32.exe
C:\Windows\system32\Okolkg32.exe
C:\Windows\SysWOW64\Obidhaog.exe
C:\Windows\system32\Obidhaog.exe
C:\Windows\SysWOW64\Pgemphmn.exe
C:\Windows\system32\Pgemphmn.exe
C:\Windows\SysWOW64\Pclneicb.exe
C:\Windows\system32\Pclneicb.exe
C:\Windows\SysWOW64\Pbmncp32.exe
C:\Windows\system32\Pbmncp32.exe
C:\Windows\SysWOW64\Pcojkhap.exe
C:\Windows\system32\Pcojkhap.exe
C:\Windows\SysWOW64\Pjhbgb32.exe
C:\Windows\system32\Pjhbgb32.exe
C:\Windows\SysWOW64\Pcagphom.exe
C:\Windows\system32\Pcagphom.exe
C:\Windows\SysWOW64\Pbbgnpgl.exe
C:\Windows\system32\Pbbgnpgl.exe
C:\Windows\SysWOW64\Peqcjkfp.exe
C:\Windows\system32\Peqcjkfp.exe
C:\Windows\SysWOW64\Pjmlbbdg.exe
C:\Windows\system32\Pjmlbbdg.exe
C:\Windows\SysWOW64\Qecppkdm.exe
C:\Windows\system32\Qecppkdm.exe
C:\Windows\SysWOW64\Qjpiha32.exe
C:\Windows\system32\Qjpiha32.exe
C:\Windows\SysWOW64\Qajadlja.exe
C:\Windows\system32\Qajadlja.exe
C:\Windows\SysWOW64\Qjbena32.exe
C:\Windows\system32\Qjbena32.exe
C:\Windows\SysWOW64\Qalnjkgo.exe
C:\Windows\system32\Qalnjkgo.exe
C:\Windows\SysWOW64\Alabgd32.exe
C:\Windows\system32\Alabgd32.exe
C:\Windows\SysWOW64\Aejfpjne.exe
C:\Windows\system32\Aejfpjne.exe
C:\Windows\SysWOW64\Aldomc32.exe
C:\Windows\system32\Aldomc32.exe
C:\Windows\SysWOW64\Aaqgek32.exe
C:\Windows\system32\Aaqgek32.exe
C:\Windows\SysWOW64\Ahkobekf.exe
C:\Windows\system32\Ahkobekf.exe
C:\Windows\SysWOW64\Aeopki32.exe
C:\Windows\system32\Aeopki32.exe
C:\Windows\SysWOW64\Ajkhdp32.exe
C:\Windows\system32\Ajkhdp32.exe
C:\Windows\SysWOW64\Aaepqjpd.exe
C:\Windows\system32\Aaepqjpd.exe
C:\Windows\SysWOW64\Aniajnnn.exe
C:\Windows\system32\Aniajnnn.exe
C:\Windows\SysWOW64\Bhaebcen.exe
C:\Windows\system32\Bhaebcen.exe
C:\Windows\SysWOW64\Bnlnon32.exe
C:\Windows\system32\Bnlnon32.exe
C:\Windows\SysWOW64\Bdhfhe32.exe
C:\Windows\system32\Bdhfhe32.exe
C:\Windows\SysWOW64\Bnnjen32.exe
C:\Windows\system32\Bnnjen32.exe
C:\Windows\SysWOW64\Bbifelba.exe
C:\Windows\system32\Bbifelba.exe
C:\Windows\SysWOW64\Bdkcmdhp.exe
C:\Windows\system32\Bdkcmdhp.exe
C:\Windows\SysWOW64\Bhfonc32.exe
C:\Windows\system32\Bhfonc32.exe
C:\Windows\SysWOW64\Bopgjmhe.exe
C:\Windows\system32\Bopgjmhe.exe
C:\Windows\SysWOW64\Bejogg32.exe
C:\Windows\system32\Bejogg32.exe
C:\Windows\SysWOW64\Bhikcb32.exe
C:\Windows\system32\Bhikcb32.exe
C:\Windows\SysWOW64\Bbnpqk32.exe
C:\Windows\system32\Bbnpqk32.exe
C:\Windows\SysWOW64\Bdolhc32.exe
C:\Windows\system32\Bdolhc32.exe
C:\Windows\SysWOW64\Bkidenlg.exe
C:\Windows\system32\Bkidenlg.exe
C:\Windows\SysWOW64\Cbqlfkmi.exe
C:\Windows\system32\Cbqlfkmi.exe
C:\Windows\SysWOW64\Ceoibflm.exe
C:\Windows\system32\Ceoibflm.exe
C:\Windows\SysWOW64\Cliaoq32.exe
C:\Windows\system32\Cliaoq32.exe
C:\Windows\SysWOW64\Cogmkl32.exe
C:\Windows\system32\Cogmkl32.exe
C:\Windows\SysWOW64\Ceaehfjj.exe
C:\Windows\system32\Ceaehfjj.exe
C:\Windows\SysWOW64\Clkndpag.exe
C:\Windows\system32\Clkndpag.exe
C:\Windows\SysWOW64\Cojjqlpk.exe
C:\Windows\system32\Cojjqlpk.exe
C:\Windows\SysWOW64\Cecbmf32.exe
C:\Windows\system32\Cecbmf32.exe
C:\Windows\SysWOW64\Ckpjfm32.exe
C:\Windows\system32\Ckpjfm32.exe
C:\Windows\SysWOW64\Cbgbgj32.exe
C:\Windows\system32\Cbgbgj32.exe
C:\Windows\SysWOW64\Cdiooblp.exe
C:\Windows\system32\Cdiooblp.exe
C:\Windows\SysWOW64\Clpgpp32.exe
C:\Windows\system32\Clpgpp32.exe
C:\Windows\SysWOW64\Cbjoljdo.exe
C:\Windows\system32\Cbjoljdo.exe
C:\Windows\SysWOW64\Chghdqbf.exe
C:\Windows\system32\Chghdqbf.exe
C:\Windows\SysWOW64\Ckedalaj.exe
C:\Windows\system32\Ckedalaj.exe
C:\Windows\SysWOW64\Daolnf32.exe
C:\Windows\system32\Daolnf32.exe
C:\Windows\SysWOW64\Dhidjpqc.exe
C:\Windows\system32\Dhidjpqc.exe
C:\Windows\SysWOW64\Dkgqfl32.exe
C:\Windows\system32\Dkgqfl32.exe
C:\Windows\SysWOW64\Ddpeoafg.exe
C:\Windows\system32\Ddpeoafg.exe
C:\Windows\SysWOW64\Doeiljfn.exe
C:\Windows\system32\Doeiljfn.exe
C:\Windows\SysWOW64\Deoaid32.exe
C:\Windows\system32\Deoaid32.exe
C:\Windows\SysWOW64\Dlijfneg.exe
C:\Windows\system32\Dlijfneg.exe
C:\Windows\SysWOW64\Dccbbhld.exe
C:\Windows\system32\Dccbbhld.exe
C:\Windows\SysWOW64\Dddojq32.exe
C:\Windows\system32\Dddojq32.exe
C:\Windows\SysWOW64\Dkoggkjo.exe
C:\Windows\system32\Dkoggkjo.exe
C:\Windows\SysWOW64\Dahode32.exe
C:\Windows\system32\Dahode32.exe
C:\Windows\SysWOW64\Dlncan32.exe
C:\Windows\system32\Dlncan32.exe
C:\Windows\SysWOW64\Eolpmi32.exe
C:\Windows\system32\Eolpmi32.exe
C:\Windows\SysWOW64\Edihepnm.exe
C:\Windows\system32\Edihepnm.exe
C:\Windows\SysWOW64\Eoolbinc.exe
C:\Windows\system32\Eoolbinc.exe
C:\Windows\SysWOW64\Eamhodmf.exe
C:\Windows\system32\Eamhodmf.exe
C:\Windows\SysWOW64\Ehgqln32.exe
C:\Windows\system32\Ehgqln32.exe
C:\Windows\SysWOW64\Ekemhj32.exe
C:\Windows\system32\Ekemhj32.exe
C:\Windows\SysWOW64\Eekaebcm.exe
C:\Windows\system32\Eekaebcm.exe
C:\Windows\SysWOW64\Ehimanbq.exe
C:\Windows\system32\Ehimanbq.exe
C:\Windows\SysWOW64\Ekhjmiad.exe
C:\Windows\system32\Ekhjmiad.exe
C:\Windows\SysWOW64\Eabbjc32.exe
C:\Windows\system32\Eabbjc32.exe
C:\Windows\SysWOW64\Edpnfo32.exe
C:\Windows\system32\Edpnfo32.exe
C:\Windows\SysWOW64\Eofbch32.exe
C:\Windows\system32\Eofbch32.exe
C:\Windows\SysWOW64\Eadopc32.exe
C:\Windows\system32\Eadopc32.exe
C:\Windows\SysWOW64\Ehnglm32.exe
C:\Windows\system32\Ehnglm32.exe
C:\Windows\SysWOW64\Fkmchi32.exe
C:\Windows\system32\Fkmchi32.exe
C:\Windows\SysWOW64\Fcckif32.exe
C:\Windows\system32\Fcckif32.exe
C:\Windows\SysWOW64\Fhqcam32.exe
C:\Windows\system32\Fhqcam32.exe
C:\Windows\SysWOW64\Fojlngce.exe
C:\Windows\system32\Fojlngce.exe
C:\Windows\SysWOW64\Fdgdgnbm.exe
C:\Windows\system32\Fdgdgnbm.exe
C:\Windows\SysWOW64\Flnlhk32.exe
C:\Windows\system32\Flnlhk32.exe
C:\Windows\SysWOW64\Fchddejl.exe
C:\Windows\system32\Fchddejl.exe
C:\Windows\SysWOW64\Ffgqqaip.exe
C:\Windows\system32\Ffgqqaip.exe
C:\Windows\SysWOW64\Fhemmlhc.exe
C:\Windows\system32\Fhemmlhc.exe
C:\Windows\SysWOW64\Fkciihgg.exe
C:\Windows\system32\Fkciihgg.exe
C:\Windows\SysWOW64\Fooeif32.exe
C:\Windows\system32\Fooeif32.exe
C:\Windows\SysWOW64\Ffimfqgm.exe
C:\Windows\system32\Ffimfqgm.exe
C:\Windows\SysWOW64\Fdlnbm32.exe
C:\Windows\system32\Fdlnbm32.exe
C:\Windows\SysWOW64\Flceckoj.exe
C:\Windows\system32\Flceckoj.exe
C:\Windows\SysWOW64\Fcmnpe32.exe
C:\Windows\system32\Fcmnpe32.exe
C:\Windows\SysWOW64\Ffkjlp32.exe
C:\Windows\system32\Ffkjlp32.exe
C:\Windows\SysWOW64\Gkhbdg32.exe
C:\Windows\system32\Gkhbdg32.exe
C:\Windows\SysWOW64\Gcojed32.exe
C:\Windows\system32\Gcojed32.exe
C:\Windows\SysWOW64\Gfngap32.exe
C:\Windows\system32\Gfngap32.exe
C:\Windows\SysWOW64\Ghlcnk32.exe
C:\Windows\system32\Ghlcnk32.exe
C:\Windows\SysWOW64\Gofkje32.exe
C:\Windows\system32\Gofkje32.exe
C:\Windows\SysWOW64\Gbdgfa32.exe
C:\Windows\system32\Gbdgfa32.exe
C:\Windows\SysWOW64\Gdcdbl32.exe
C:\Windows\system32\Gdcdbl32.exe
C:\Windows\SysWOW64\Gmjlcj32.exe
C:\Windows\system32\Gmjlcj32.exe
C:\Windows\SysWOW64\Gohhpe32.exe
C:\Windows\system32\Gohhpe32.exe
C:\Windows\SysWOW64\Gbgdlq32.exe
C:\Windows\system32\Gbgdlq32.exe
C:\Windows\SysWOW64\Ghaliknf.exe
C:\Windows\system32\Ghaliknf.exe
C:\Windows\SysWOW64\Gkoiefmj.exe
C:\Windows\system32\Gkoiefmj.exe
C:\Windows\SysWOW64\Gbiaapdf.exe
C:\Windows\system32\Gbiaapdf.exe
C:\Windows\SysWOW64\Gdhmnlcj.exe
C:\Windows\system32\Gdhmnlcj.exe
C:\Windows\SysWOW64\Gkaejf32.exe
C:\Windows\system32\Gkaejf32.exe
C:\Windows\SysWOW64\Gblngpbd.exe
C:\Windows\system32\Gblngpbd.exe
C:\Windows\SysWOW64\Hiefcj32.exe
C:\Windows\system32\Hiefcj32.exe
C:\Windows\SysWOW64\Hkdbpe32.exe
C:\Windows\system32\Hkdbpe32.exe
C:\Windows\SysWOW64\Hbnjmp32.exe
C:\Windows\system32\Hbnjmp32.exe
C:\Windows\SysWOW64\Helfik32.exe
C:\Windows\system32\Helfik32.exe
C:\Windows\SysWOW64\Hmcojh32.exe
C:\Windows\system32\Hmcojh32.exe
C:\Windows\SysWOW64\Hkfoeega.exe
C:\Windows\system32\Hkfoeega.exe
C:\Windows\SysWOW64\Hcmgfbhd.exe
C:\Windows\system32\Hcmgfbhd.exe
C:\Windows\SysWOW64\Hflcbngh.exe
C:\Windows\system32\Hflcbngh.exe
C:\Windows\SysWOW64\Heocnk32.exe
C:\Windows\system32\Heocnk32.exe
C:\Windows\SysWOW64\Hmfkoh32.exe
C:\Windows\system32\Hmfkoh32.exe
C:\Windows\SysWOW64\Hodgkc32.exe
C:\Windows\system32\Hodgkc32.exe
C:\Windows\SysWOW64\Hcpclbfa.exe
C:\Windows\system32\Hcpclbfa.exe
C:\Windows\SysWOW64\Hfnphn32.exe
C:\Windows\system32\Hfnphn32.exe
C:\Windows\SysWOW64\Himldi32.exe
C:\Windows\system32\Himldi32.exe
C:\Windows\SysWOW64\Hcbpab32.exe
C:\Windows\system32\Hcbpab32.exe
C:\Windows\SysWOW64\Hioiji32.exe
C:\Windows\system32\Hioiji32.exe
C:\Windows\SysWOW64\Hoiafcic.exe
C:\Windows\system32\Hoiafcic.exe
C:\Windows\SysWOW64\Iefioj32.exe
C:\Windows\system32\Iefioj32.exe
C:\Windows\SysWOW64\Ikpaldog.exe
C:\Windows\system32\Ikpaldog.exe
C:\Windows\SysWOW64\Iehfdi32.exe
C:\Windows\system32\Iehfdi32.exe
C:\Windows\SysWOW64\Ipnjab32.exe
C:\Windows\system32\Ipnjab32.exe
C:\Windows\SysWOW64\Iblfnn32.exe
C:\Windows\system32\Iblfnn32.exe
C:\Windows\SysWOW64\Iejcji32.exe
C:\Windows\system32\Iejcji32.exe
C:\Windows\SysWOW64\Imakkfdg.exe
C:\Windows\system32\Imakkfdg.exe
C:\Windows\SysWOW64\Ildkgc32.exe
C:\Windows\system32\Ildkgc32.exe
C:\Windows\SysWOW64\Ickchq32.exe
C:\Windows\system32\Ickchq32.exe
C:\Windows\SysWOW64\Ibnccmbo.exe
C:\Windows\system32\Ibnccmbo.exe
C:\Windows\SysWOW64\Iihkpg32.exe
C:\Windows\system32\Iihkpg32.exe
C:\Windows\SysWOW64\Ilghlc32.exe
C:\Windows\system32\Ilghlc32.exe
C:\Windows\SysWOW64\Icnpmp32.exe
C:\Windows\system32\Icnpmp32.exe
C:\Windows\SysWOW64\Ibqpimpl.exe
C:\Windows\system32\Ibqpimpl.exe
C:\Windows\SysWOW64\Ifllil32.exe
C:\Windows\system32\Ifllil32.exe
C:\Windows\SysWOW64\Iikhfg32.exe
C:\Windows\system32\Iikhfg32.exe
C:\Windows\SysWOW64\Ilidbbgl.exe
C:\Windows\system32\Ilidbbgl.exe
C:\Windows\SysWOW64\Ipdqba32.exe
C:\Windows\system32\Ipdqba32.exe
C:\Windows\SysWOW64\Ibcmom32.exe
C:\Windows\system32\Ibcmom32.exe
C:\Windows\SysWOW64\Jfoiokfb.exe
C:\Windows\system32\Jfoiokfb.exe
C:\Windows\SysWOW64\Jimekgff.exe
C:\Windows\system32\Jimekgff.exe
C:\Windows\SysWOW64\Jmhale32.exe
C:\Windows\system32\Jmhale32.exe
C:\Windows\SysWOW64\Jpgmha32.exe
C:\Windows\system32\Jpgmha32.exe
C:\Windows\SysWOW64\Jcbihpel.exe
C:\Windows\system32\Jcbihpel.exe
C:\Windows\SysWOW64\Jfaedkdp.exe
C:\Windows\system32\Jfaedkdp.exe
C:\Windows\SysWOW64\Jioaqfcc.exe
C:\Windows\system32\Jioaqfcc.exe
C:\Windows\SysWOW64\Jpijnqkp.exe
C:\Windows\system32\Jpijnqkp.exe
C:\Windows\SysWOW64\Jbhfjljd.exe
C:\Windows\system32\Jbhfjljd.exe
C:\Windows\SysWOW64\Jefbfgig.exe
C:\Windows\system32\Jefbfgig.exe
C:\Windows\SysWOW64\Jmmjgejj.exe
C:\Windows\system32\Jmmjgejj.exe
C:\Windows\SysWOW64\Jlpkba32.exe
C:\Windows\system32\Jlpkba32.exe
C:\Windows\SysWOW64\Jplfcpin.exe
C:\Windows\system32\Jplfcpin.exe
C:\Windows\SysWOW64\Jfeopj32.exe
C:\Windows\system32\Jfeopj32.exe
C:\Windows\SysWOW64\Jehokgge.exe
C:\Windows\system32\Jehokgge.exe
C:\Windows\SysWOW64\Jpnchp32.exe
C:\Windows\system32\Jpnchp32.exe
C:\Windows\SysWOW64\Jblpek32.exe
C:\Windows\system32\Jblpek32.exe
C:\Windows\SysWOW64\Jeklag32.exe
C:\Windows\system32\Jeklag32.exe
C:\Windows\SysWOW64\Jmbdbd32.exe
C:\Windows\system32\Jmbdbd32.exe
C:\Windows\SysWOW64\Jcllonma.exe
C:\Windows\system32\Jcllonma.exe
C:\Windows\SysWOW64\Kfjhkjle.exe
C:\Windows\system32\Kfjhkjle.exe
C:\Windows\SysWOW64\Kiidgeki.exe
C:\Windows\system32\Kiidgeki.exe
C:\Windows\SysWOW64\Klgqcqkl.exe
C:\Windows\system32\Klgqcqkl.exe
C:\Windows\SysWOW64\Kdnidn32.exe
C:\Windows\system32\Kdnidn32.exe
C:\Windows\SysWOW64\Klimip32.exe
C:\Windows\system32\Klimip32.exe
C:\Windows\SysWOW64\Kpeiioac.exe
C:\Windows\system32\Kpeiioac.exe
C:\Windows\SysWOW64\Kbceejpf.exe
C:\Windows\system32\Kbceejpf.exe
C:\Windows\SysWOW64\Kebbafoj.exe
C:\Windows\system32\Kebbafoj.exe
C:\Windows\SysWOW64\Klljnp32.exe
C:\Windows\system32\Klljnp32.exe
C:\Windows\SysWOW64\Kdcbom32.exe
C:\Windows\system32\Kdcbom32.exe
C:\Windows\SysWOW64\Kbfbkj32.exe
C:\Windows\system32\Kbfbkj32.exe
C:\Windows\SysWOW64\Kmkfhc32.exe
C:\Windows\system32\Kmkfhc32.exe
C:\Windows\SysWOW64\Klngdpdd.exe
C:\Windows\system32\Klngdpdd.exe
C:\Windows\SysWOW64\Kdeoemeg.exe
C:\Windows\system32\Kdeoemeg.exe
C:\Windows\SysWOW64\Kfckahdj.exe
C:\Windows\system32\Kfckahdj.exe
C:\Windows\SysWOW64\Kibgmdcn.exe
C:\Windows\system32\Kibgmdcn.exe
C:\Windows\SysWOW64\Klqcioba.exe
C:\Windows\system32\Klqcioba.exe
C:\Windows\SysWOW64\Kdgljmcd.exe
C:\Windows\system32\Kdgljmcd.exe
C:\Windows\SysWOW64\Lffhfh32.exe
C:\Windows\system32\Lffhfh32.exe
C:\Windows\SysWOW64\Liddbc32.exe
C:\Windows\system32\Liddbc32.exe
C:\Windows\SysWOW64\Lmppcbjd.exe
C:\Windows\system32\Lmppcbjd.exe
C:\Windows\SysWOW64\Lpnlpnih.exe
C:\Windows\system32\Lpnlpnih.exe
C:\Windows\SysWOW64\Lbmhlihl.exe
C:\Windows\system32\Lbmhlihl.exe
C:\Windows\SysWOW64\Lekehdgp.exe
C:\Windows\system32\Lekehdgp.exe
C:\Windows\SysWOW64\Ligqhc32.exe
C:\Windows\system32\Ligqhc32.exe
C:\Windows\SysWOW64\Llemdo32.exe
C:\Windows\system32\Llemdo32.exe
C:\Windows\SysWOW64\Ldleel32.exe
C:\Windows\system32\Ldleel32.exe
C:\Windows\SysWOW64\Lboeaifi.exe
C:\Windows\system32\Lboeaifi.exe
C:\Windows\SysWOW64\Lenamdem.exe
C:\Windows\system32\Lenamdem.exe
C:\Windows\SysWOW64\Liimncmf.exe
C:\Windows\system32\Liimncmf.exe
C:\Windows\SysWOW64\Lmdina32.exe
C:\Windows\system32\Lmdina32.exe
C:\Windows\SysWOW64\Lpcfkm32.exe
C:\Windows\system32\Lpcfkm32.exe
C:\Windows\SysWOW64\Lgmngglp.exe
C:\Windows\system32\Lgmngglp.exe
C:\Windows\SysWOW64\Likjcbkc.exe
C:\Windows\system32\Likjcbkc.exe
C:\Windows\SysWOW64\Lljfpnjg.exe
C:\Windows\system32\Lljfpnjg.exe
C:\Windows\SysWOW64\Lpebpm32.exe
C:\Windows\system32\Lpebpm32.exe
C:\Windows\SysWOW64\Ldanqkki.exe
C:\Windows\system32\Ldanqkki.exe
C:\Windows\SysWOW64\Lgokmgjm.exe
C:\Windows\system32\Lgokmgjm.exe
C:\Windows\SysWOW64\Lebkhc32.exe
C:\Windows\system32\Lebkhc32.exe
C:\Windows\SysWOW64\Lmiciaaj.exe
C:\Windows\system32\Lmiciaaj.exe
C:\Windows\SysWOW64\Lphoelqn.exe
C:\Windows\system32\Lphoelqn.exe
C:\Windows\SysWOW64\Mbfkbhpa.exe
C:\Windows\system32\Mbfkbhpa.exe
C:\Windows\SysWOW64\Mgagbf32.exe
C:\Windows\system32\Mgagbf32.exe
C:\Windows\SysWOW64\Mipcob32.exe
C:\Windows\system32\Mipcob32.exe
C:\Windows\SysWOW64\Mlopkm32.exe
C:\Windows\system32\Mlopkm32.exe
C:\Windows\SysWOW64\Mpjlklok.exe
C:\Windows\system32\Mpjlklok.exe
C:\Windows\SysWOW64\Mdehlk32.exe
C:\Windows\system32\Mdehlk32.exe
C:\Windows\SysWOW64\Mgddhf32.exe
C:\Windows\system32\Mgddhf32.exe
C:\Windows\SysWOW64\Mmnldp32.exe
C:\Windows\system32\Mmnldp32.exe
C:\Windows\SysWOW64\Mlampmdo.exe
C:\Windows\system32\Mlampmdo.exe
C:\Windows\SysWOW64\Mdhdajea.exe
C:\Windows\system32\Mdhdajea.exe
C:\Windows\SysWOW64\Mgfqmfde.exe
C:\Windows\system32\Mgfqmfde.exe
C:\Windows\SysWOW64\Meiaib32.exe
C:\Windows\system32\Meiaib32.exe
C:\Windows\SysWOW64\Mlcifmbl.exe
C:\Windows\system32\Mlcifmbl.exe
C:\Windows\SysWOW64\Mdjagjco.exe
C:\Windows\system32\Mdjagjco.exe
C:\Windows\SysWOW64\Mcmabg32.exe
C:\Windows\system32\Mcmabg32.exe
C:\Windows\SysWOW64\Melnob32.exe
C:\Windows\system32\Melnob32.exe
C:\Windows\SysWOW64\Mmbfpp32.exe
C:\Windows\system32\Mmbfpp32.exe
C:\Windows\SysWOW64\Mpablkhc.exe
C:\Windows\system32\Mpablkhc.exe
C:\Windows\SysWOW64\Mdmnlj32.exe
C:\Windows\system32\Mdmnlj32.exe
C:\Windows\SysWOW64\Mgkjhe32.exe
C:\Windows\system32\Mgkjhe32.exe
C:\Windows\SysWOW64\Miifeq32.exe
C:\Windows\system32\Miifeq32.exe
C:\Windows\SysWOW64\Mnebeogl.exe
C:\Windows\system32\Mnebeogl.exe
C:\Windows\SysWOW64\Ndokbi32.exe
C:\Windows\system32\Ndokbi32.exe
C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe
C:\Windows\SysWOW64\Npfkgjdn.exe
C:\Windows\system32\Npfkgjdn.exe
C:\Windows\SysWOW64\Nebdoa32.exe
C:\Windows\system32\Nebdoa32.exe
C:\Windows\SysWOW64\Nnjlpo32.exe
C:\Windows\system32\Nnjlpo32.exe
C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
C:\Windows\SysWOW64\Njqmepik.exe
C:\Windows\system32\Njqmepik.exe
C:\Windows\SysWOW64\Ndfqbhia.exe
C:\Windows\system32\Ndfqbhia.exe
C:\Windows\SysWOW64\Nfgmjqop.exe
C:\Windows\system32\Nfgmjqop.exe
C:\Windows\SysWOW64\Npmagine.exe
C:\Windows\system32\Npmagine.exe
C:\Windows\SysWOW64\Ndhmhh32.exe
C:\Windows\system32\Ndhmhh32.exe
C:\Windows\SysWOW64\Nggjdc32.exe
C:\Windows\system32\Nggjdc32.exe
C:\Windows\SysWOW64\Nnqbanmo.exe
C:\Windows\system32\Nnqbanmo.exe
C:\Windows\SysWOW64\Ocnjidkf.exe
C:\Windows\system32\Ocnjidkf.exe
C:\Windows\SysWOW64\Oflgep32.exe
C:\Windows\system32\Oflgep32.exe
C:\Windows\SysWOW64\Oncofm32.exe
C:\Windows\system32\Oncofm32.exe
C:\Windows\SysWOW64\Ocpgod32.exe
C:\Windows\system32\Ocpgod32.exe
C:\Windows\SysWOW64\Ojjolnaq.exe
C:\Windows\system32\Ojjolnaq.exe
C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
C:\Windows\SysWOW64\Ofqpqo32.exe
C:\Windows\system32\Ofqpqo32.exe
C:\Windows\SysWOW64\Ojllan32.exe
C:\Windows\system32\Ojllan32.exe
C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\system32\Oqfdnhfk.exe
C:\Windows\SysWOW64\Ocdqjceo.exe
C:\Windows\system32\Ocdqjceo.exe
C:\Windows\SysWOW64\Onjegled.exe
C:\Windows\system32\Onjegled.exe
C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\system32\Ogbipa32.exe
C:\Windows\SysWOW64\Ojaelm32.exe
C:\Windows\system32\Ojaelm32.exe
C:\Windows\SysWOW64\Pmoahijl.exe
C:\Windows\system32\Pmoahijl.exe
C:\Windows\SysWOW64\Pcijeb32.exe
C:\Windows\system32\Pcijeb32.exe
C:\Windows\SysWOW64\Pfhfan32.exe
C:\Windows\system32\Pfhfan32.exe
C:\Windows\SysWOW64\Pnonbk32.exe
C:\Windows\system32\Pnonbk32.exe
C:\Windows\SysWOW64\Pqmjog32.exe
C:\Windows\system32\Pqmjog32.exe
C:\Windows\SysWOW64\Pclgkb32.exe
C:\Windows\system32\Pclgkb32.exe
C:\Windows\SysWOW64\Pfjcgn32.exe
C:\Windows\system32\Pfjcgn32.exe
C:\Windows\SysWOW64\Pnakhkol.exe
C:\Windows\system32\Pnakhkol.exe
C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe
C:\Windows\SysWOW64\Pdkcde32.exe
C:\Windows\system32\Pdkcde32.exe
C:\Windows\SysWOW64\Pflplnlg.exe
C:\Windows\system32\Pflplnlg.exe
C:\Windows\SysWOW64\Pjhlml32.exe
C:\Windows\system32\Pjhlml32.exe
C:\Windows\SysWOW64\Pmfhig32.exe
C:\Windows\system32\Pmfhig32.exe
C:\Windows\SysWOW64\Pdmpje32.exe
C:\Windows\system32\Pdmpje32.exe
C:\Windows\SysWOW64\Pgllfp32.exe
C:\Windows\system32\Pgllfp32.exe
C:\Windows\SysWOW64\Pjjhbl32.exe
C:\Windows\system32\Pjjhbl32.exe
C:\Windows\SysWOW64\Pmidog32.exe
C:\Windows\system32\Pmidog32.exe
C:\Windows\SysWOW64\Pdpmpdbd.exe
C:\Windows\system32\Pdpmpdbd.exe
C:\Windows\SysWOW64\Pcbmka32.exe
C:\Windows\system32\Pcbmka32.exe
C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\system32\Qnhahj32.exe
C:\Windows\SysWOW64\Qqfmde32.exe
C:\Windows\system32\Qqfmde32.exe
C:\Windows\SysWOW64\Qceiaa32.exe
C:\Windows\system32\Qceiaa32.exe
C:\Windows\SysWOW64\Qfcfml32.exe
C:\Windows\system32\Qfcfml32.exe
C:\Windows\SysWOW64\Qqijje32.exe
C:\Windows\system32\Qqijje32.exe
C:\Windows\SysWOW64\Qcgffqei.exe
C:\Windows\system32\Qcgffqei.exe
C:\Windows\SysWOW64\Qgcbgo32.exe
C:\Windows\system32\Qgcbgo32.exe
C:\Windows\SysWOW64\Ajanck32.exe
C:\Windows\system32\Ajanck32.exe
C:\Windows\SysWOW64\Ampkof32.exe
C:\Windows\system32\Ampkof32.exe
C:\Windows\SysWOW64\Aqkgpedc.exe
C:\Windows\system32\Aqkgpedc.exe
C:\Windows\SysWOW64\Acjclpcf.exe
C:\Windows\system32\Acjclpcf.exe
C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe
C:\Windows\SysWOW64\Anogiicl.exe
C:\Windows\system32\Anogiicl.exe
C:\Windows\SysWOW64\Aqncedbp.exe
C:\Windows\system32\Aqncedbp.exe
C:\Windows\SysWOW64\Aclpap32.exe
C:\Windows\system32\Aclpap32.exe
C:\Windows\SysWOW64\Afjlnk32.exe
C:\Windows\system32\Afjlnk32.exe
C:\Windows\SysWOW64\Anadoi32.exe
C:\Windows\system32\Anadoi32.exe
C:\Windows\SysWOW64\Aqppkd32.exe
C:\Windows\system32\Aqppkd32.exe
C:\Windows\SysWOW64\Acnlgp32.exe
C:\Windows\system32\Acnlgp32.exe
C:\Windows\SysWOW64\Afmhck32.exe
C:\Windows\system32\Afmhck32.exe
C:\Windows\SysWOW64\Ajhddjfn.exe
C:\Windows\system32\Ajhddjfn.exe
C:\Windows\SysWOW64\Andqdh32.exe
C:\Windows\system32\Andqdh32.exe
C:\Windows\SysWOW64\Aabmqd32.exe
C:\Windows\system32\Aabmqd32.exe
C:\Windows\SysWOW64\Acqimo32.exe
C:\Windows\system32\Acqimo32.exe
C:\Windows\SysWOW64\Aglemn32.exe
C:\Windows\system32\Aglemn32.exe
C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\system32\Ajkaii32.exe
C:\Windows\SysWOW64\Anfmjhmd.exe
C:\Windows\system32\Anfmjhmd.exe
C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
C:\Windows\SysWOW64\Accfbokl.exe
C:\Windows\system32\Accfbokl.exe
C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
C:\Windows\SysWOW64\Bjmnoi32.exe
C:\Windows\system32\Bjmnoi32.exe
C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe
C:\Windows\SysWOW64\Bagflcje.exe
C:\Windows\system32\Bagflcje.exe
C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
C:\Windows\SysWOW64\Bganhm32.exe
C:\Windows\system32\Bganhm32.exe
C:\Windows\SysWOW64\Bjokdipf.exe
C:\Windows\system32\Bjokdipf.exe
C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
C:\Windows\SysWOW64\Baicac32.exe
C:\Windows\system32\Baicac32.exe
C:\Windows\SysWOW64\Beeoaapl.exe
C:\Windows\system32\Beeoaapl.exe
C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
C:\Windows\SysWOW64\Bjagjhnc.exe
C:\Windows\system32\Bjagjhnc.exe
C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\system32\Balpgb32.exe
C:\Windows\SysWOW64\Beglgani.exe
C:\Windows\system32\Beglgani.exe
C:\Windows\SysWOW64\Bgehcmmm.exe
C:\Windows\system32\Bgehcmmm.exe
C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Beihma32.exe
C:\Windows\system32\Beihma32.exe
C:\Windows\SysWOW64\Bclhhnca.exe
C:\Windows\system32\Bclhhnca.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
C:\Windows\SysWOW64\Bnbmefbg.exe
C:\Windows\system32\Bnbmefbg.exe
C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
C:\Windows\SysWOW64\Belebq32.exe
C:\Windows\system32\Belebq32.exe
C:\Windows\SysWOW64\Chjaol32.exe
C:\Windows\system32\Chjaol32.exe
C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
C:\Windows\SysWOW64\Cabfga32.exe
C:\Windows\system32\Cabfga32.exe
C:\Windows\SysWOW64\Cdabcm32.exe
Network
Files