Analysis Overview
SHA256
e0da8e4cb37982904155d625bcbde89039ff853bebeb645548ab872c983f59ee
Threat Level: Known bad
The file 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-13 12:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 12:45
Reported
2024-06-13 12:48
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
102s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nafokcol.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojmcld32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibcmom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffimfqgm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gfembo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iejcji32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Miemjaci.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pcjapi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkaejf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hckjacjg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Onjegled.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pbbgnpgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddmhja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dahode32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olfobjbg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kipkhdeq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ffkjlp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dldpkoil.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdialn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ogcpjhoq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmbdbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lfhdlh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdkldb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fllpbldb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbbkaako.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cenahpha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojalgcnd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcjapi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abbpem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Becifhfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldleel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lljfpnjg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pnfkma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abemjmgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjbndobo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjbndobo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kajfig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkbchk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hfnphn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkljak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ecmeig32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Megdccmb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndaggimg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eapedd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nepgjaeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkjmlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ilghlc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpjcdn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Leihbeib.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gokdeeec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kemhff32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmfmmcbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Baicac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gcimkc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lingibiq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfjjppmm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ddmhja32.exe | C:\Windows\SysWOW64\Dekhneap.exe | N/A |
| File created | C:\Windows\SysWOW64\Iledokkp.dll | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nafokcol.exe | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Chmbmidf.dll | C:\Windows\SysWOW64\Pcjapi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebooppnl.dll | C:\Windows\SysWOW64\Ojmcld32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldanqkki.exe | C:\Windows\SysWOW64\Lljfpnjg.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpjlklok.exe | C:\Windows\SysWOW64\Mipcob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjcbbmif.exe | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| File created | C:\Windows\SysWOW64\Acqimo32.exe | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgfoan32.exe | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gefncbmc.dll | C:\Windows\SysWOW64\Lgpagm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qalnjkgo.exe | C:\Windows\SysWOW64\Qnnanphk.exe | N/A |
| File created | C:\Windows\SysWOW64\Colffknh.exe | C:\Windows\SysWOW64\Ckpjfm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Baicac32.exe | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mnfipekh.exe | C:\Windows\SysWOW64\Mjjmog32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pclneicb.exe | C:\Windows\SysWOW64\Pqnaim32.exe | N/A |
| File created | C:\Windows\SysWOW64\Becbkfdh.dll | C:\Windows\SysWOW64\Colffknh.exe | N/A |
| File created | C:\Windows\SysWOW64\Jlednamo.exe | C:\Windows\SysWOW64\Jmbdbd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dodbbdbb.exe | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dodbbdbb.exe | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kgfoan32.exe | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
| File created | C:\Windows\SysWOW64\Filmclmj.dll | C:\Windows\SysWOW64\Ocqnij32.exe | N/A |
| File created | C:\Windows\SysWOW64\Faihkbci.exe | C:\Windows\SysWOW64\Fojlngce.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcpclbfa.exe | C:\Windows\SysWOW64\Hodgkc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Naqcfnjk.dll | C:\Windows\SysWOW64\Faihkbci.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjmjdbam.dll | C:\Windows\SysWOW64\Pdmpje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpflfc32.dll | C:\Windows\SysWOW64\Anpncp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flioncbc.dll | C:\Windows\SysWOW64\Dbaemi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bapolp32.dll | C:\Windows\SysWOW64\Dafbne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbdgfa32.exe | C:\Windows\SysWOW64\Gofkje32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgimcebb.exe | C:\Windows\SysWOW64\Miemjaci.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmgmnjcj.dll | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njcqqgjb.dll | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njacpf32.exe | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Alabgd32.exe | C:\Windows\SysWOW64\Acjjfggb.exe | N/A |
| File created | C:\Windows\SysWOW64\Anbkio32.exe | C:\Windows\SysWOW64\Aldomc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dafbne32.exe | C:\Windows\SysWOW64\Dccbbhld.exe | N/A |
| File created | C:\Windows\SysWOW64\Fchddejl.exe | C:\Windows\SysWOW64\Fkalchij.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nacbfdao.exe | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| File created | C:\Windows\SysWOW64\Njcpee32.exe | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ddmhja32.exe | C:\Windows\SysWOW64\Dekhneap.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fhqcam32.exe | C:\Windows\SysWOW64\Febgea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gdcdbl32.exe | C:\Windows\SysWOW64\Gfpcgpae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lljfpnjg.exe | C:\Windows\SysWOW64\Likjcbkc.exe | N/A |
| File created | C:\Windows\SysWOW64\Cagecd32.dll | C:\Windows\SysWOW64\Pkfblfab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhaebcen.exe | C:\Windows\SysWOW64\Becifhfj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qecppkdm.exe | C:\Windows\SysWOW64\Pbddcoei.exe | N/A |
| File created | C:\Windows\SysWOW64\Pllfhkno.dll | C:\Windows\SysWOW64\Blpnib32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jmpgldhg.exe | C:\Windows\SysWOW64\Jehokgge.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lgpagm32.exe | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocbakl32.dll | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmfhig32.exe | C:\Windows\SysWOW64\Pjhlml32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ambgef32.exe | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| File created | C:\Windows\SysWOW64\Eocqqdjh.dll | C:\Windows\SysWOW64\Demecd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmmjgejj.exe | C:\Windows\SysWOW64\Jfcbjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmjehihl.dll | C:\Windows\SysWOW64\Dohfbj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qmmnjfnl.exe | C:\Windows\SysWOW64\Qceiaa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Becifhfj.exe | C:\Windows\SysWOW64\Abemjmgg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Daaicfgd.exe | C:\Windows\SysWOW64\Docmgjhp.exe | N/A |
| File created | C:\Windows\SysWOW64\Olhlhjpd.exe | C:\Windows\SysWOW64\Ofnckp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Odocigqg.exe | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| File created | C:\Windows\SysWOW64\Codhke32.dll | C:\Windows\SysWOW64\Mjjmog32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffhoqj32.dll | C:\Windows\SysWOW64\Kfoafi32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojalgcnd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bhaebcen.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Elgfgl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhcgd32.dll" | C:\Windows\SysWOW64\Ghaliknf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cbjoljdo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hmjdjgjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jimekgff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqgbjkm.dll" | C:\Windows\SysWOW64\Jeklag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kfoafi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gmoeoidl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hmjdjgjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ncfdie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjpehcm.dll" | C:\Windows\SysWOW64\Obdkma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cojjqlpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkljak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll" | C:\Windows\SysWOW64\Eeidoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eapedd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Faihkbci.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fhgjblfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ognpebpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lpappc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bhaebcen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eolpmi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Febgea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Imfdff32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pclgkb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ogogoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" | C:\Windows\SysWOW64\Gokdeeec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll" | C:\Windows\SysWOW64\Nepgjaeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojllan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qgallfcq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ncfdie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ckedalaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dlncan32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lmdina32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qnnanphk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hbpgbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll" | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pqnaim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmcmk32.dll" | C:\Windows\SysWOW64\Ajneip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddpeoafg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gdqgmmjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndaggimg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Odocigqg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Accfbokl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gbdgfa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hodgkc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikngm32.dll" | C:\Windows\SysWOW64\Pqnaim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeeep32.dll" | C:\Windows\SysWOW64\Aealah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhilj32.dll" | C:\Windows\SysWOW64\Gbbkaako.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kplpjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll" | C:\Windows\SysWOW64\Mdkhapfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndbnboqb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhbgqohi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dldpkoil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 11100 -ip 11100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11100 -s 408
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Kgfoan32.exe
| MD5 | d9e5154ae4c937a824c4a0e476b87ddc |
| SHA1 | 0f9e3e0fb40d66e4251a36b058c2c90453be19a3 |
| SHA256 | 9b1d29ffc2d5eb256911a75d87fea2d8e59305dd057a54fc90c67eb11066b409 |
| SHA512 | dfda0f112be9e751359b5d850fc7ad9742c6936d136641c3d903f04e4e54c2813f6d01f4622bf6ce35ea4db0f6796b62f5e5479db237090eedb89d354861a2a5 |
memory/396-81-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lmqgnhmp.exe
| MD5 | 40a694b561b5ab3d0dd5e87886daa4ad |
| SHA1 | 1ed874e6f5cf20916e81de24f0c55c689af58c83 |
| SHA256 | d20a5defcd50b0c764ae0125945d6c982e7031e404db5d4dcf027ac6120258b4 |
| SHA512 | ac53b91a47151f9f823756dd1cdbe7d6628205ed4ad123afaf59a5a9bd3823989a31a0cda70de04d7fafd5581a8f7647b7a3ebd5a10fd79d20aff92f41780e5d |
memory/2164-89-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lpocjdld.exe
| MD5 | e60bb814eff1205d83f06310d33bd64b |
| SHA1 | d50b48ea3bb61a3cc7b64e33b0c3eb8aaab65adf |
| SHA256 | c266f928e90ad697cfce192b0b760430b34bb28dd1cd1a71a1285c1fa396b0c0 |
| SHA512 | 3d413d578a5fda794426e5a05d8b4a3a7a69523962a55d0fcc4ec481a844229b62f01037fdbb71a2b651a4977a9ed32414b3c4c8970a7b17b9367e2058c78008 |
memory/724-97-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lcmofolg.exe
| MD5 | e032334564aa18230dacc752afb1b2df |
| SHA1 | 1d0f496da7378614cccba81cc9c738fa50ba736d |
| SHA256 | 8ad00944cb0360cffb639fc8c16276483d153d1170464dcf9206558364c7362b |
| SHA512 | d2b10142c5a2b8aa0bf1d39f69e37337cf254297d46331ff391b1d9c0a872e7cd3536a743305d74ceaca432e7bc91e91647be369108a0a2371b67615c6f12e17 |
memory/1796-105-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Liggbi32.exe
| MD5 | bd766000d0d8e848180b59b4e25103a8 |
| SHA1 | 5d09698ad734a2f0f6cb9f20d72baec80a02a37f |
| SHA256 | 53f0eac1e04c8b003acc0c4cf43f1b76e6ceff03d160dd5b2419d17e180c7579 |
| SHA512 | 350fd8ad021ef924171a9723c795576d916b54d27a1f5cc0c8a175054d625e4ec4626adf33ff763eca870d04dcf4d60931a49d1b5d4be5371dd98271ed9709eb |
memory/3480-112-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lpappc32.exe
| MD5 | 820ebeb06f1daf6f4dea2aef74a1f000 |
| SHA1 | 0fcc319688f6140a238d758aa4f5a355179af91a |
| SHA256 | a1285f49ad501321ea2cdf242d362e4510c028d72f4f5da864919e43e42d0fad |
| SHA512 | d34006db01675bf3625f0d5ff31f2a329bd2d82fc12eb5e6df87ed3d6ae251f5e37a7fb2c7476563486583eb607e766085233ae225cfbcf1e193a5da144ed746 |
memory/2392-121-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lcpllo32.exe
| MD5 | 6e92b84bcdf4ad131d6e741d1c9e5a56 |
| SHA1 | 8910350de17fa80b006bf3d7ca06764e3a34e060 |
| SHA256 | 142aade024687f746f943bc4bd40d3585b4bd1f7f4b368b1d8250d39f18d68ed |
| SHA512 | 456d130439824c36b282bba3a39c7c23432406fb55f8d5ea6fa2cde83df9591e30284bae8244f4201ba14bf22384e55ea790e5fb348c9f114ed7394142adcb53 |
memory/2468-129-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lijdhiaa.exe
| MD5 | d1707a1bafd8d84bedf8a520aae4e38a |
| SHA1 | 0ebf5e7f7ffdb58f3c995e5f104eda1c09f3aa60 |
| SHA256 | 938b29955a79edebbe7e7a9c8045c57513a90c3a299f0ba6873f86d0138de2f6 |
| SHA512 | 3a74fdf3b909ead2bc540872cc248c52bf59903acbdfc8b03baa33ee01e5ed4bb3bc85ca480da219694e2158ccb1a17fde6f6a57c55fd0cb8cc9d8a683b8fd5f |
memory/3752-137-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lpcmec32.exe
| MD5 | 7706273f58d9cec4f39dfab1f2f75079 |
| SHA1 | 2b66014b1d566e6e86423ebc8edf0d4f6a4590c8 |
| SHA256 | 1edcb33512b759ecad7c5b66c7f8221ae4795361a4508dbc7d84fc00f19d02c1 |
| SHA512 | fcd5e337dc5b1e759bb31bb8668e88893ae9c0fb223fabee284375423fe6c3541dd62448c6ebc6fa9f75bd58d33a69ad3918fde00879eac60bb8c42638a75344 |
memory/1388-145-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lcbiao32.exe
| MD5 | 38cb89d911f49def9b7292b089991969 |
| SHA1 | 6fe02cd25351d185c0456b2d41bda01a8eac1c56 |
| SHA256 | 14a007798fe67b98fbbb6a1fba1984f088020c3376f6c4aefbf65e2c3e56d693 |
| SHA512 | aec608db11b2171d96e829db7c96251864bcdf17b78c16b6807b423e469f7e51b4d6cd6c73f83297417938d9532a99259285a5c2ab73f1a65e9a8d09fa0c9281 |
memory/64-153-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lnhmng32.exe
| MD5 | 723e34adb035e4acc307cb65a171fa7e |
| SHA1 | 84566643b22660315f784949883bb8bca678f0a6 |
| SHA256 | 103eea2dbc307125ae0d39c3caa96b6b98bb4cd50fcc0c72cec1609d998e58fa |
| SHA512 | 8b08236f2a1a9df535eff4bc4b0f0900f2b7e6acdb93ca156277bb01d28fce94b9655daea5de73156a35f16775d4696ec5af9db593839c5039bd705fa7356804 |
memory/1360-161-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Ldaeka32.exe
| MD5 | ba66c27abdd5a3bbbdf1890d50cb9864 |
| SHA1 | baec0738fe76792860959ed050aa3d7cf7b3989c |
| SHA256 | 6140e510f53c1ebf3ce207fa12dd358dcd8a2886ade5049fa248a6dcbd1a540c |
| SHA512 | 5fc788f5959ea738ada143340d30ddf4218ef5d0f9cdfd7e6ca23b9630a259ad6a5029130eac2ad4a2c73014f0a58f9f1acf0ae66d03d1d7e1c37bc11e462d01 |
memory/3996-173-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lgpagm32.exe
| MD5 | 7b4983146d8e4261cfbe823ecbb9cc3a |
| SHA1 | 3c170ffb8c84e7d2e250240b47108bf73c4fa72d |
| SHA256 | 9dd7d3c3844aaa5eb820ffbf293f790b3f53f48236dfc0c80b1ecca7a59e4f90 |
| SHA512 | 352de9ca91f641e5614caf4e30ece2621f1d30bc4b157af3ce1a03926371169d2a0568e2cfc265f55437737fd41b002c683f96de5f98a098c01bd976c53a109e |
memory/3388-177-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Ljnnch32.exe
| MD5 | 696a2c32baec1423cdc67ee82bf667d5 |
| SHA1 | e7fdf32cb462f68d5d2905c58f4968c20d89a4da |
| SHA256 | d43ba0ea9f001a4e3d3b3332ab97d7676b70dc63f9349d08fe353390cd77bf3c |
| SHA512 | ab123f8120894936605bc3032d5d01a5d8b82eda10bde055e0a024c5530083cf7315f81a85f048f00574ce02eff5de3cf9c123b9533d72cba3e62497f7801b22 |
memory/5080-185-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Laefdf32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Laefdf32.exe
| MD5 | 1b7befd350d1baa4fe24732a46bd4812 |
| SHA1 | 9e5c7f83d96a3b47194ad6af69d377ab30b3002e |
| SHA256 | 524c4b38fa55f8527e97ef12a35a6f58024ccde8fa8aa70496bfe9a8f36c6ba8 |
| SHA512 | 03dbca4df9c9f7ad099c4ca4370448a7f7cca739da04dbc0df20445d317c76273eba15ef1564cac33c6011b4ad833e459b428f94ca5861f77d82c9769afb0fa0 |
memory/3272-193-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lcgblncm.exe
| MD5 | 9108b2b22381b49ff549ad2a0c3b0db4 |
| SHA1 | d37a0361bb1b57679be7eccca84d2af5dbc33c21 |
| SHA256 | f828a9bc8f40a74dbb8c920864ce6726422553f521d6055bc8a60ff5b18b68ee |
| SHA512 | 777bda3a9aed32ecfd9aedf25c7137410f375aea6eaa9585830807409bd3679d4921c34df191f798a165cfc139ab589ee9c86babd894ad4527a22242c62c93fd |
memory/2424-205-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Lknjmkdo.exe
| MD5 | fd622014b98eda55fa93f87613da1567 |
| SHA1 | fb9c2619cedb44cc16e0f394991b9e8a20c11374 |
| SHA256 | 15f6748623056720a7fd3bd254a267510a0f782d3096d1af1474e6e4a85c053f |
| SHA512 | dd3338b0e0e50265e37ebd7c3f5125be6ff0e47c69ffd8a95b850d644957a6aa07c86e4ea299dc6821aa0e9e8aa18d998f91ecdd9b8f2d1957a62d26e4f4c274 |
memory/4468-209-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Mnlfigcc.exe
| MD5 | 4fddf297c41561f078d0fc3e3e10d519 |
| SHA1 | 2edf683ac6e3cb4d58feb49eb0156181487e4956 |
| SHA256 | 5035b5d1fc274521b3b2655432471e4c0bbdbd1c2027880edf174d26b0d5f9b2 |
| SHA512 | 17267074deaf9cd882e4a4e62d1c9803cb2b553c2b8d44a36ac35fdc67749600f792acf770fc8c6a77deea55fb9ca7a70881257f8bc728e53c181a20726d4125 |
memory/5060-217-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Mdfofakp.exe
| MD5 | 200478aa187ea6b220f1b4d7f423e1e6 |
| SHA1 | 85a9fab1e2a548b38f641cf7a60f23d63711d26f |
| SHA256 | 0f363d7bd06286a7fc88b11aa9355dae279fd785627fd8c8639390d868382cb1 |
| SHA512 | f63cbd5b562ac77400a121d851e9882c4197d1b883a6e399866d399de879e1a0049f8a5fef81e23264ec6e00f588dc2d930cd1d1231b985de59f0b94dc5a58ba |
memory/808-224-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Mjcgohig.exe
| MD5 | 84bdcd9ba2c8ec8df55c429bfe538498 |
| SHA1 | 3580062e796baa9a15f49e1d5ddf6577f46208c4 |
| SHA256 | 18c7bb82126e4ba04f0e7159d89a23714f2aff1e4085cf9915c10a1e090fc53f |
| SHA512 | 1571bb371ccb590bba8f3ffef3435b20989a1426f3f009fce3fb8f4bc8443ce37baeed9ccd50cd5cee8cc29377d2254ce08b2130d06f5e1b016dbfac4c2c9fac |
memory/3204-232-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Mpmokb32.exe
| MD5 | d93329c72547bebdc8c3442690014637 |
| SHA1 | 1ffe8b30b1ae96563c2287ca85936a7acdf9b0cd |
| SHA256 | 3c899144fdeba210b6aaf6118a6ba04dbe30afcdf812dd4a959bb4be113bef18 |
| SHA512 | 4ff206e5e7344863679f445d3e8cb817ec4559fba9ce7eeb14563f4366bd4fe4bcbb3e677a405482c35dc9d4e4fa3c44394a88ac5b2273afd5baf94dfa58d02b |
memory/3224-241-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Mkbchk32.exe
| MD5 | d23f0a583bb3cdb76e55e9b29a2de5f8 |
| SHA1 | ceb3a59aff981992f1ff1db48577ac21e7ab1760 |
| SHA256 | 46a9a33cbe65ce8b03cf205696effd4df8ccc63ec74567f95a6f9e445fce5ba4 |
| SHA512 | 76dcea1333dd51fe6a005b4088ed6d7a0c199412c30f29cf5953c6e6699a474095bb640fa3cf6a9d302163616d3eae6bffea035d37db98916b6b7fe6cca8dbbd |
memory/2648-250-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Mnapdf32.exe
| MD5 | acbc18d2b63dd85fc3da9b0fc9a3720d |
| SHA1 | 06cda309c1fbda6f24e78493c3ae91f759fd6db6 |
| SHA256 | 1d16f228868ee9e113eef98b7099ee2771ad2165382b5ad54b4a8b3022aaf3b4 |
| SHA512 | 68f8408e5bda1b0a661b9df3dd74dc496caadb9b8f766794590fd4005ee8ba21d7a263c12c93d5e8a31bb9b8db76d2e2aae448663a21e29f99661f33e36ac783 |
memory/1280-256-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4032-263-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1636-269-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4028-275-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3908-285-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4808-287-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1560-293-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2300-303-0x0000000000400000-0x0000000000443000-memory.dmp
memory/944-305-0x0000000000400000-0x0000000000443000-memory.dmp
memory/656-315-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4272-317-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2044-323-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3648-329-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4828-339-0x0000000000400000-0x0000000000443000-memory.dmp
memory/700-341-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4056-347-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3800-357-0x0000000000400000-0x0000000000443000-memory.dmp
memory/612-363-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4408-365-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4620-371-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2804-377-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4940-383-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3088-389-0x0000000000400000-0x0000000000443000-memory.dmp
memory/884-395-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1552-405-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3664-410-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2640-413-0x0000000000400000-0x0000000000443000-memory.dmp
memory/776-423-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4568-429-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4420-431-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1516-437-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3848-445-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4832-454-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Onfbfc32.exe
| MD5 | be74bcf511a5235afcc56bd694b76769 |
| SHA1 | 064cb9e27928e8b7e7facb2b06df0f2c42a62f69 |
| SHA256 | ada91b84c74b14129f7a1ca83d4f54b95b2f04c6761c629a5646e0e9c50a0853 |
| SHA512 | acce29831dbfc109a9cd9fc74e5dcdf5e98e6e757325aabfd4521f8e24f2414ea0ee1250b5b91b43b30095aa0695c917adb5567667adbf3e8f8f78f4414839b1 |
memory/1740-455-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2504-464-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2336-471-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2920-477-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1656-479-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4292-491-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4024-490-0x0000000000400000-0x0000000000443000-memory.dmp
memory/5012-501-0x0000000000400000-0x0000000000443000-memory.dmp
memory/860-506-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1876-509-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Ogcpjhoq.exe
| MD5 | 23ce1d2e84f8ef1d74e7414fca761928 |
| SHA1 | ec92d908a84376c5c64878e6865e7a0e4151b53d |
| SHA256 | 5d69e38ebe077e2f28748ba3d4e59e951aa8eed5a27cc4f5d109aea58dc45161 |
| SHA512 | 021357febe389cbc655de2346c936f04978ba26d55b1406916f4e2ea6620e4116d26db6690a6ec84eb528c7f4e8bf5ae467642876f76e69750ededeba4da6e1a |
memory/2412-515-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2168-525-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2432-531-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3852-536-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1776-539-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1896-540-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Pqnaim32.exe
| MD5 | 5debbaa6e531b392ae529e4758b9b31f |
| SHA1 | 535f5ca6c39862d075f858cb584cd80ab6c9579e |
| SHA256 | bf02d0a0eb7a81bb2d144db1c1b4073eae0b54c66ac44b39088c2d081bafa90d |
| SHA512 | 541e55a0eb2192b492968a25c1ee6a4549c2ab21aeeb9b653b6cc26ad66c45da7ba99bc98a9794f3f896c32a40de748322221513bf31e6ef10b9b7258d1c83d6 |
memory/3676-550-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4328-553-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4896-552-0x0000000000400000-0x0000000000443000-memory.dmp
memory/880-564-0x0000000000400000-0x0000000000443000-memory.dmp
memory/216-559-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2296-566-0x0000000000400000-0x0000000000443000-memory.dmp
memory/820-573-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2880-572-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3792-579-0x0000000000400000-0x0000000000443000-memory.dmp
memory/512-583-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4600-586-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4720-595-0x0000000000400000-0x0000000000443000-memory.dmp
memory/4148-592-0x0000000000400000-0x0000000000443000-memory.dmp
memory/5096-599-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Windows\SysWOW64\Qnkdhpjn.exe
| MD5 | 03f8d4f8936139375d9a23337245c760 |
| SHA1 | f6c669b9b656a557309f8b8e99434f946c114ac3 |
| SHA256 | 9fb97bd713d15c0d98172d3a9b8f9ea7ec515fdf30175f0c1233ceef94cb1c2e |
| SHA512 | 68300226c1b38934823819d0d1ad4bc05c6cd6ba8f96c4092ac682b0b84af48ff5d6bda741bacc43c1c52b8b7f282dccab35dbeea26339851e3ab489edd189be |
C:\Windows\SysWOW64\Qgciaf32.exe
| MD5 | 7528c4362640e0960acd466b97bd098e |
| SHA1 | 07b38423030926ac2defc618b8a15d721414cd1c |
| SHA256 | ba52109e0e945287171abe2fac757976cb3a0d9ff559de07a3be221599d8b872 |
| SHA512 | 03ae6fcb5fd8dde932cc00def9edd3006953c1253f4b78799ce59ad9487a4e730d8db1ff57b58073b8ba3904bf6b556b0e712dd2e528e9779b42bb8f6020ef27 |
C:\Windows\SysWOW64\Cojjqlpk.exe
| MD5 | a288252435b251f4826dec49f0844842 |
| SHA1 | c39afeeedf2478cd014110da5be321dd779b8d9d |
| SHA256 | 38278e62a673348847b7525aa1d4adb4f92a3db82ebbffef3ab5596ba78945b4 |
| SHA512 | d33243be1798417d8b37756693a802ae2aaad79bec520c4ff5ee8ad62d266cb967f94263abc5d100055f58cdd4670e4addfa13fba3de815c3d5ed44f61c5561c |
C:\Windows\SysWOW64\Cdfbibnb.exe
| MD5 | d941aee691bc767c36ff1e214a6eae35 |
| SHA1 | 468e12db2f56fb8237d4534d63d92b07c20f5bef |
| SHA256 | ea3c3acb2c6675c1cd101766a0672326b8eb26e3dadf2e7f24460fcd1b7b55a6 |
| SHA512 | ca902e05ccdd48103d12080c18d35ac9573cc9f45ccc52880a1a952ef1be6f870105293f4758dbd467a34dfbe3ca6fb9c9c305bdc791460a430bff7f8c52ddf9 |
C:\Windows\SysWOW64\Dhnnep32.exe
| MD5 | d1217c8b955f7a7abaaad7892b8d5bfa |
| SHA1 | 9b5998544d3f31d43b6375378a1606d6f445766e |
| SHA256 | 4454d31e70c7f4b84b9484527eb8df4b904aa4c584538107fc5c73a26c6ab207 |
| SHA512 | b77f33ac17d6a2bf7f7a51905f0ea2470addcc5c4939cf29d8faf3c0e0a2a2cd03069a4558f9240d3565883930202228a8e65cc77782603127715f75b5e76db8 |
C:\Windows\SysWOW64\Dojcgi32.exe
| MD5 | 909f873970ea815d88295cfbb302a0ff |
| SHA1 | 406645d9fedeab481320cbdf1569916a74b19bd2 |
| SHA256 | 51f101e8d9178757822867187b1a60ea7472e75bd9d960feaa8b5d3fdea6d597 |
| SHA512 | 4f2f60d02d2cdedefd32a7feb7a7dd05deddc5b6dd002663f86d7fc9fb2da8e4354f702304bbc37f6091860689448981810e7309d6ee411a5a94b56b391cce44 |
C:\Windows\SysWOW64\Dahode32.exe
| MD5 | a74a39b3f07d35431237a0b7259636c6 |
| SHA1 | 670d3a05d3f9c54c794b13549288879878a32b3e |
| SHA256 | 324efc1bfa59f797e0f52eb6c0cadfd35eaa8a5b993aea6852462563fc314d0f |
| SHA512 | 1de98b6e195c2bcb3a3b39d9ace771b22c2f1c12fff63c6acbb08fccf2def3a4e2a5ab2c23eb7b7a6ad1185bb6f4ef70b6beb3075e5cdc232f1c5100b108d76f |
C:\Windows\SysWOW64\Dlncan32.exe
| MD5 | d9d267fcee2d6615d7409844ac8b4117 |
| SHA1 | 15c3caf69a3c6c5322f324dfad679d4ac64feeb3 |
| SHA256 | df8711a025bdda3cfb92b78b9be40a08fe41e044d11bbfd374eb29d7330d0071 |
| SHA512 | 50e7d2a9a0b124e0b1de6c762c2d659dded46e4e285a37554d475f6b1693b761a43f93c7d3e2c2cbc68d58584e8bc39d4bc4e4645ac1fb1df42e824422b76123 |
C:\Windows\SysWOW64\Elppfmoo.exe
| MD5 | 111e4c0543b73f451c22abcb729c785d |
| SHA1 | 63808106273cf7bdc8819feab2dda56cd307d490 |
| SHA256 | 65e3e41e2c68d2e6952fd36c056dad27d816d1abd657d3f018a56066077fc178 |
| SHA512 | 383a50c31e7b88584c8413c1438e250b5737c2ab870517ea05eeb8da844364348f624983cc3d23c64ae108a16fba09955e1d6a246f57029c8803fc26e58c2135 |
C:\Windows\SysWOW64\Ednaqo32.exe
| MD5 | 18ee010f7c7845120e5ea64d31cb3528 |
| SHA1 | 72c0d412830a34ff5e066b07f0c3ccf5ca93fcbb |
| SHA256 | 3fd1617e3f77f4ef8ec137e713da905597222a51069f45e55f1e7c0fda35c1bc |
| SHA512 | 4a787407d28bfd55684814b3d2cc20727c21b62bd41d7cca64b68831f0afed824a8eca608a5d31ee34ca66a562dd8c66069d4900ad44a9436d21e5e3c6e17458 |
C:\Windows\SysWOW64\Edpnfo32.exe
| MD5 | 1e2d9593caa1742f75dd2eef1cac8bf9 |
| SHA1 | c60607efbb049416257d691342ecdc2621d9b20b |
| SHA256 | 19cfb974eb7444daabb9ba11e12200e9436ad4138a0444b390c46706bb205a03 |
| SHA512 | 84b900f34fbe1ffa7598221182a926a3e9c227dc2592af30750ffd65522ed355d8b1a47292c123a10741f9b7e9a024815a01b7b6fe499376b6a1f5139897f54d |
C:\Windows\SysWOW64\Eofbch32.exe
| MD5 | 3c686126c5fb06b8ea1dfc534d7bddba |
| SHA1 | 8fd59a143ddf67d291276c9cfe09424a01f8dfd9 |
| SHA256 | 6845e786cebe723f60d349b9e85f3c02eb57c72a2ddae11c95f5bc6b262f87c6 |
| SHA512 | c25d99c4b995d0ff310549451d8fadd06ff843168e84ced360a02493727d7e92c5dd4a0a80937ee6ae0bd13bae696e0ed0310668ab5f8a723353e8ab6a1606b3 |
C:\Windows\SysWOW64\Eepjpb32.exe
| MD5 | 702e19d307e898917cc860a6713c2c5e |
| SHA1 | b8a1bb7bdfefd7788c51608d20b13011a93a30af |
| SHA256 | 723a71448602515cf700b6390324b808f95cedf97b0a2588593b98f0db75af97 |
| SHA512 | 5726acec0753b79958f7a23b2133197d0ee03548728b200086579b72d068fb60ca08b4302209cf21b98440e9a0d101f502c056706aa7ffcaa993d3ac495b1803 |
C:\Windows\SysWOW64\Fhqcam32.exe
| MD5 | 09de7a28168a536d0a8e97a5310d2471 |
| SHA1 | 26047b043e20dfd8da98dd1ee7c492b723f6a5c1 |
| SHA256 | 0eea968e37239ac5f877a6787a409203129dcb6e578bd52d915e6d70b808484d |
| SHA512 | cc27d02be177f82cb42c37f138d4919476ec0fe1a6867ac29115524839d63717e597ccb0f9559a896368a3c66787d64f1c5431c4075ea6b9fc9df5a7cb9bf72d |
C:\Windows\SysWOW64\Fbnafb32.exe
| MD5 | d9d543761072e2ffece71514e84933e3 |
| SHA1 | 0de153620acae615a0272d4624a48073d2000698 |
| SHA256 | bab54d1c51731e0db6f28c3e0f2f706a1baf208739690f15d4a79392eef1e67f |
| SHA512 | 2da6f1565dd0407989bfacf35d04b85dfa18355675b9feb33783cf4022c10eff8f05a23d7e0bb2a1dc1f01a3396857e9795d9c95d94bb8b81203876469d03de2 |
C:\Windows\SysWOW64\Gododflk.exe
| MD5 | b2ae9f5bde1bfb30ca48c175efda294a |
| SHA1 | a7c80f125622c03393d38e005a6919d136c77a9b |
| SHA256 | 9821149d20718020f9637fa60493bdaf31f0da21c6542e62c4c2ed8b7b90d5c5 |
| SHA512 | 2c603bc949af0946ee2cbeb1de446c0c7628bb33db72ed6b5b4c1017bff3428bb72f953d612fd7f7e864a2f468ae06ea179fc3412254c6674bbe8963bdd744e8 |
C:\Windows\SysWOW64\Gfembo32.exe
| MD5 | 03acfc13d44e6968e59d3e6cf296d5e5 |
| SHA1 | 1349da3d445f3a175d5db0256451270847a3bc73 |
| SHA256 | 7cb6fe7c62eb165025ad434e46dae2519dca7fa89936194beb9549902f0f85d0 |
| SHA512 | b685962a09304e06f755c1960fed50b882ffc60112179cc78eb192aa288a8cd6f1c7cf6e6f5459ad0b5617bcad8a59bcf7a8c34d80c5e523b7e11d4f4d5ec214 |
C:\Windows\SysWOW64\Hkfoeega.exe
| MD5 | 85826a4edf6b84bf85f8b484bfa7cc2d |
| SHA1 | 48f8f9876673c9cdba4cca991a196312fbdb6606 |
| SHA256 | 3e21f0f39713b3a408418e9f1df4d9485e287d557c787cc11b1f1d44bc5ea32a |
| SHA512 | 0e047373bea9f6b884c53e9dbccb534ffb84da1b51b109bf6d09bbe323fa6e6823aa14a7d0c9f50d0b3968108db99219c5ff28218716ce340616309b86d82295 |
C:\Windows\SysWOW64\Hfqlnm32.exe
| MD5 | d0b7d526a98584fa3e0ec8802c2a63c2 |
| SHA1 | 945997d57c201114720aeaacf007613b503688d3 |
| SHA256 | 16e369025a88dfeb3661733ee98f83808f4fa74a88396b9ea177f12df0c4ac09 |
| SHA512 | 2e4b8372663ba5ac5cabf470c466119d2f0e17e7a3dd13ffe2fc312703602c2cb41dce3f3c22776736657043fec53480d90af34e287e0421e2178419958b8921 |
C:\Windows\SysWOW64\Iifokh32.exe
| MD5 | 212d87a39ad3b54cb3a455d830e58d82 |
| SHA1 | 711170deceecfc01e5e236345df08dc8591525fb |
| SHA256 | a0adde03b89f4d835622e72d500d14272dc868bb13c8729f305507ba0530610f |
| SHA512 | ba24e299d8238589c7adaa5aa9aa34c40e88d32b8dd88c67c3cc9cd36672505b4503e4d4b253697c4295b344b7c7d85e57db507293b8653340955bf00672fc0c |
C:\Windows\SysWOW64\Iemppiab.exe
| MD5 | 9e77a17efc17f7222c0b787d14e54df8 |
| SHA1 | d13deceed41b9c377c4cc5aecfa2f1b54a70491f |
| SHA256 | 536e1f93b2b7077f425a3cbeeca46201ab3cc42255b939eafbc858bc4305dd4f |
| SHA512 | 8f9c99b5806a2999ff2011958bc9477d94f77ec1a8e6cc0946e267dedc6bfc6b78acc2bb1771db08b8fd9cd53c36de3820b1bbdafe0e97082ee4b5d4460301a0 |
C:\Windows\SysWOW64\Jimekgff.exe
| MD5 | dcd76f33f3bc18f5315d2a622b7bc6ed |
| SHA1 | d2af303fd8a200e2c4aabec5059d20491ed4d107 |
| SHA256 | 1bc5c4a532288dc136966f758b9e502688e6103a76ad926200ce318a9e4ce7fe |
| SHA512 | 6928b4b76eb2b49ae9cd0edfdc1fd0defb8fd1645e91ff9c3f359958add0fec9f83ea2fd41b5aa75a4d9b8d1f5332bfe2c52af84e347c65f4bf99df944825c81 |
C:\Windows\SysWOW64\Jedeph32.exe
| MD5 | 277f5d6335df3067a370702bc8f9c541 |
| SHA1 | b50891794c717f339781603c1b3fe0f424462193 |
| SHA256 | 38042bdb546f601ced6fcae0d437efe0469c2231155e76dd2644db8179231632 |
| SHA512 | 0386d09c77b5e22002629ab81a12bfa4d4103202ffac7e5d7dbb1ade5f1cfeec1c008a0aad86df6dda36c3e3f978e0784fc46d0ffab5f2e411958b6814a27f0a |
C:\Windows\SysWOW64\Jifhaenk.exe
| MD5 | 360ac56bbe402b147612d210f4baf991 |
| SHA1 | 591cebeea3153b43e56cda5a3ad89323eef8018e |
| SHA256 | 9b0ebfa2f5d2beba1cfd0dee94832becf6a319a8b7619158429899c055490ed0 |
| SHA512 | 04b98eb2959a3bbc892f449aba14474e78dd56e8a0be02944942b02f1ba4c96980868a20705f687dfdef80c4ac5869a13ed16b933ddcf8bf192c64a306be0444 |
C:\Windows\SysWOW64\Kbaipkbi.exe
| MD5 | 5a58ca5a1dc71f7ecf700a98fc6b8729 |
| SHA1 | 803b1e4654afd22048b60ccc1db6f560844ba823 |
| SHA256 | b95f22b8bfe88dffabc69bc91653c320197471bde9ea7b1d96b7eaffd884f850 |
| SHA512 | 8c59fed65c6d28baabed89cc2328b3cb61455e66c540e1fcf210db35ae74b700c77b2b4fe3ef1f329fc7a407bc8eee4ae07fea56f793fcf759b45b88c34deea3 |
C:\Windows\SysWOW64\Kpeiioac.exe
| MD5 | b01fecefc6f90cc241e08d7439879fb5 |
| SHA1 | 6d264973284a81f8ce1f38f25beef8b966a43460 |
| SHA256 | 01cc42f31261a3338cb1537347cce85865a82ff1ff0720e3a5ae579bded328cb |
| SHA512 | 491a8a986cbcf01b569d35165f739e2a831222f01d4df732d1207a792b12f731e4cde7f069e5b5f6c22d801bf78d5ab2dc446bb7a1e87c82338519ad23e8824f |
C:\Windows\SysWOW64\Kdcbom32.exe
| MD5 | 0207c887e3f044c2c5f4f6ad750573bb |
| SHA1 | de7f4f4a23f29b6f743096c22dc932670fe87e7b |
| SHA256 | f7c11defcaa2c6d4fb3e519efbea87d6f354d50bfbdd06dd50565c865166345d |
| SHA512 | e69b9b09e5048aa123e319b7fee6e68a369792b5edb67b71c12634821cbe4ff869d45a21397792211cdfb2e2131a1a61316ebba4d2306c9faf37e9527090df24 |
C:\Windows\SysWOW64\Kipkhdeq.exe
| MD5 | 2fc1dd62a50cf46b09c88919d1552ddd |
| SHA1 | bc6f5350d97625cb6770dd1fcfcc7504a9842b85 |
| SHA256 | 70c50f1de5e85baced26fc59fd879f76cde726d7b89a596f9d6b097a5d3c2f62 |
| SHA512 | 15ae528d70b8b08e4b0c5e7de0f4fb6c9b2afbb6136a7c31152e40882cfa67c9acc3ef2885969cf00f5ac023114e3979bce845358908240a2c30fad639a87d95 |
C:\Windows\SysWOW64\Llcpoo32.exe
| MD5 | 36dfc3252ac3b9b82083da5d6bff7fdb |
| SHA1 | 254842dd65b0a8bb7f8aabf48765c56b2c3173d8 |
| SHA256 | 2994a9cc9d61ee92ac12b24140a626cf33b38af10c913e9c97bbf475bcdc5166 |
| SHA512 | 272aec85323cfe8c5349280947cc902019a94c360e8ff138a560fb3ebcf478d6fb9feb6030c01050b1eeefe0df11ba60c58753a178cc7638decc4035f76ef081 |
C:\Windows\SysWOW64\Lekehdgp.exe
| MD5 | a20f29075eb44d4ae15a20877674c1b6 |
| SHA1 | 34943e6094bee7bed8a6608a441791d6b46166a2 |
| SHA256 | 92b220b92a69c949b5a19ec24f63d1ef54a1d6a246a69daade986fb05caf10fb |
| SHA512 | ac326613ac9a6f010d094ee6b1abfec18bf27ffb4f6d19cae0938659c9147f0d68f08833a048d91fdda40c1e7a9e4d2deb9682cf5448f08435e0afef232cd355 |
C:\Windows\SysWOW64\Lmdina32.exe
| MD5 | d598bb0b3b417f1b35720e0529806b49 |
| SHA1 | 860448e188f8a961f67cf7275dcd4f0f1390dd53 |
| SHA256 | 3bca1fb3f63b7f57f3c6bdbb3edea319d9fb220d8b638848196a4859e44ec01e |
| SHA512 | 8f6b9a97146aa6ed19fefaac015f44c8a3f3ecd6776c54187e8f6698b7f5c7514cbacbe323e8df96ddaa6fe4b4b3910329bd2fd59e95be3ab1ff031193919283 |
C:\Windows\SysWOW64\Mipcob32.exe
| MD5 | f688e6fbb73c2c38119a4dcd17308a94 |
| SHA1 | 001e4601d60b543986fd6638f1bb9eb885dc55cd |
| SHA256 | f6211bdd45347db39a03fb7b63ec45feddb189841caff3481b275a6b35180327 |
| SHA512 | a815bbdaa08d02af07584a88771b76bda62fabbbec487557cda5751e76908329ef4047f95c16a1b477827504c4417c35fa6be161db7182b36529d52b53f44f76 |
C:\Windows\SysWOW64\Miemjaci.exe
| MD5 | bab0d1b07bcca513b671d8fc0cfdb617 |
| SHA1 | e01e140118ecb5910a183cf0987b8715e36a1422 |
| SHA256 | a36c7b964b6d8c8153e66caa9666715ac45438bdabe90bbdf780d53731d35b1d |
| SHA512 | a6cd18d9f8b4c8c6ddd5f806260d3c30a02aa2b68b98ce59ca9310f7cca63d895f9840797148df8c114f4dfb38a7ac5242e5807268b9f1d5fa98b030d9cd3689 |
C:\Windows\SysWOW64\Mnebeogl.exe
| MD5 | 7ddac9faed407aa75782fb08b7bf97d0 |
| SHA1 | 80849fdbed7725d66c861f68ff3eb944cbe720f1 |
| SHA256 | 2849104c1b4dca1e2e47befbb30d92cd4b5b44c347659e9095d240dfc9cdc34d |
| SHA512 | c8828c4e4c2643eb39e8e6d0a98dcf6a58e6656bea01e3ba16bf2555c4636911ab318e4764bdbf51c1e0fd8aa15cf878c969f6a8e4a3e0d6a6ee52be8718c3ac |
C:\Windows\SysWOW64\Nljofl32.exe
| MD5 | a704c6cf1e30c0f542e4e911948d74d2 |
| SHA1 | c9aab2aca005d3248e57b9cb073940bdcccbd5a0 |
| SHA256 | bcecc3a6c51de761bd178a6581c41608052aff4ed48b9e6f69c5c9ce3c307e0b |
| SHA512 | 5ccec5e8f42dae4e50e3a84be0bb1035b65741c812307a60caa0ea895bb3a4cbf225c1bb8ed2e0cc0a120c8942bccf30debdfaa004a0cdc0e6a66b424633ee3e |
C:\Windows\SysWOW64\Nnjlpo32.exe
| MD5 | 2d79e3753afe0bd2d8c1d1d874498b2b |
| SHA1 | 16fd188e5b6915b0edbd6f987544b752281d15ab |
| SHA256 | c35f38b4d734052342e524bbf37affb8dc10cd8187c4157c1c103904eae88e01 |
| SHA512 | f7c8e46c974319ee6a8050fe4b1f911558f04d8dd678003ea0b54fdebbc7e5a347c68dc1356df7476f40108e9bc514aefe04d8f91e9c723054c695cea2d67e25 |
C:\Windows\SysWOW64\Nnneknob.exe
| MD5 | fccbef1949b5fc920168de0d57fcffe9 |
| SHA1 | 172d16e5b62be5e56f541c763b785d473018ca73 |
| SHA256 | ece5fdfec98016b01cd8ec6b3e62921bb0b6ee10984e440cfd6513c9b59344e9 |
| SHA512 | 85663ba5b3c25cd2f64cf577d74cd5ab5d423300e8c96cbfd7825c4b1ab1606b0f21080a7fc0d8eac8b262c151bb28d7f369021ff5f3eb98ee81bd9d24a58b76 |
C:\Windows\SysWOW64\Olcbmj32.exe
| MD5 | 93a45900b2eddd7acd6dee9b2dd34bc0 |
| SHA1 | 1c34ad615a5b156d2b82cebccc0adbeba6b64d4c |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 12:45
Reported
2024-06-13 12:48
Platform
win7-20240611-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ohhkjp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeenochi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qeohnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aeenochi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnielm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ohhkjp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qeohnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnielm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Qeohnd32.exe | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljhcccai.dll | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| File created | C:\Windows\SysWOW64\Aeenochi.exe | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgjcep32.dll | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkglameg.exe | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdlpjk32.dll | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pnimnfpc.exe | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hqlhpf32.dll | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdqfkmom.dll | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Faflglmh.dll | C:\Windows\SysWOW64\Ohhkjp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qeaedd32.exe | C:\Windows\SysWOW64\Qeohnd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cophek32.dll | C:\Windows\SysWOW64\Aeenochi.exe | N/A |
| File created | C:\Windows\SysWOW64\Amelne32.exe | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfnmfn32.exe | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfbnoibb.dll | C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlpdbghp.dll | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aniimjbo.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmogdj32.dll | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbappj32.dll | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cacacg32.exe | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cacacg32.exe | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ohhkjp32.exe | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikhkppkn.dll | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pkidlk32.exe | C:\Windows\SysWOW64\Ohhkjp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfnkga32.dll | C:\Windows\SysWOW64\Qeohnd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmdgdp32.dll | C:\Windows\SysWOW64\Bnielm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Imogmg32.dll | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eioojl32.dll | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aeenochi.exe | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Apalea32.exe | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebjnie32.dll | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mlcpdacl.dll | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmclhi32.exe | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbbjgn32.dll | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| File created | C:\Windows\SysWOW64\Aniimjbo.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Afnagk32.exe | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Opacnnhp.dll | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Baadng32.exe | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| File created | C:\Windows\SysWOW64\Mabanhgg.dll | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkidlk32.exe | C:\Windows\SysWOW64\Ohhkjp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afnagk32.exe | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjbcfn32.exe | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhfcpb32.exe | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Poapfn32.exe | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| File created | C:\Windows\SysWOW64\Acpdko32.exe | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Acpdko32.exe | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ecjdib32.dll | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Naaffn32.dll | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bnielm32.exe | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajcfjgdj.dll | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnimnfpc.exe | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgbafl32.exe | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pqjfoa32.exe | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Poocpnbm.exe | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amelne32.exe | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjbcfn32.exe | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmclhi32.exe | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Okoafmkm.exe | C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Gneolbel.dll | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apalea32.exe | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ennlme32.dll | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Baadng32.exe | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll" | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll" | C:\Windows\SysWOW64\Ohhkjp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aeenochi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll" | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aeenochi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnielm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll" | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll" | C:\Windows\SysWOW64\Okoafmkm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" | C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll" | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll" | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Odjbdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll" | C:\Windows\SysWOW64\Pkidlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll" | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll" | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" | C:\Windows\SysWOW64\Qeohnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll" | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bnielm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ohhkjp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Okoafmkm.exe
C:\Windows\system32\Okoafmkm.exe
C:\Windows\SysWOW64\Odjbdb32.exe
C:\Windows\system32\Odjbdb32.exe
C:\Windows\SysWOW64\Ohhkjp32.exe
C:\Windows\system32\Ohhkjp32.exe
C:\Windows\SysWOW64\Pkidlk32.exe
C:\Windows\system32\Pkidlk32.exe
C:\Windows\SysWOW64\Pnimnfpc.exe
C:\Windows\system32\Pnimnfpc.exe
C:\Windows\SysWOW64\Pgbafl32.exe
C:\Windows\system32\Pgbafl32.exe
C:\Windows\SysWOW64\Pqjfoa32.exe
C:\Windows\system32\Pqjfoa32.exe
C:\Windows\SysWOW64\Poocpnbm.exe
C:\Windows\system32\Poocpnbm.exe
C:\Windows\SysWOW64\Poapfn32.exe
C:\Windows\system32\Poapfn32.exe
C:\Windows\SysWOW64\Qeohnd32.exe
C:\Windows\system32\Qeohnd32.exe
C:\Windows\SysWOW64\Qeaedd32.exe
C:\Windows\system32\Qeaedd32.exe
C:\Windows\SysWOW64\Aniimjbo.exe
C:\Windows\system32\Aniimjbo.exe
C:\Windows\SysWOW64\Acfaeq32.exe
C:\Windows\system32\Acfaeq32.exe
C:\Windows\SysWOW64\Aeenochi.exe
C:\Windows\system32\Aeenochi.exe
C:\Windows\SysWOW64\Afgkfl32.exe
C:\Windows\system32\Afgkfl32.exe
C:\Windows\SysWOW64\Apalea32.exe
C:\Windows\system32\Apalea32.exe
C:\Windows\SysWOW64\Amelne32.exe
C:\Windows\system32\Amelne32.exe
C:\Windows\SysWOW64\Acpdko32.exe
C:\Windows\system32\Acpdko32.exe
C:\Windows\SysWOW64\Afnagk32.exe
C:\Windows\system32\Afnagk32.exe
C:\Windows\SysWOW64\Bnielm32.exe
C:\Windows\system32\Bnielm32.exe
C:\Windows\SysWOW64\Biojif32.exe
C:\Windows\system32\Biojif32.exe
C:\Windows\SysWOW64\Bjbcfn32.exe
C:\Windows\system32\Bjbcfn32.exe
C:\Windows\SysWOW64\Bhfcpb32.exe
C:\Windows\system32\Bhfcpb32.exe
C:\Windows\SysWOW64\Bmclhi32.exe
C:\Windows\system32\Bmclhi32.exe
C:\Windows\SysWOW64\Bkglameg.exe
C:\Windows\system32\Bkglameg.exe
C:\Windows\SysWOW64\Baadng32.exe
C:\Windows\system32\Baadng32.exe
C:\Windows\SysWOW64\Cfnmfn32.exe
C:\Windows\system32\Cfnmfn32.exe
C:\Windows\SysWOW64\Cacacg32.exe
C:\Windows\system32\Cacacg32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 140
Network
Files