Analysis Overview
SHA256
d1b37734ac3e49a96ecb7cdc5e4581792c2bd49487abbf14e6762b3fe44ccb3e
Threat Level: Known bad
The file 9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 03:21
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 03:21
Reported
2024-06-14 03:23
Platform
win7-20240611-en
Max time kernel
118s
Max time network
122s
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mlfojn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Lapnnafn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfmffhde.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nadpgggp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbkameaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nkbalifo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Kcakaipc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aajbne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Magqncba.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdacop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmagdbci.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agfgqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Kbkameaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pmagdbci.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfpclh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nmnace32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ocfigjlp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pckoam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Lfmffhde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mdacop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nmpnhdfc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mooaljkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmnace32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kicmdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcfqkl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkbalifo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odoloalf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ncbplk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Lfpclh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ohendqhd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Knmhgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Knmhgf32.exe | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
| File created | C:\Windows\SysWOW64\Pndpajgd.exe | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aniimjbo.exe | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdlbongd.dll | C:\Windows\SysWOW64\Mlfojn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nckjkl32.exe | C:\Windows\SysWOW64\Nmnace32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncbplk32.exe | C:\Windows\SysWOW64\Nmpnhdfc.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnnffg32.dll | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| File created | C:\Windows\SysWOW64\Negoebdd.dll | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmagdbci.exe | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajpjakhc.exe | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkhfgj32.dll | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdkgocpm.exe | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Chkmkacq.exe | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mofglh32.exe | C:\Windows\SysWOW64\Mdacop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fibkpd32.dll | C:\Windows\SysWOW64\Ndemjoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Elonamqm.dll | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Liplnc32.exe | C:\Windows\SysWOW64\Lbfdaigg.exe | N/A |
| File created | C:\Windows\SysWOW64\Olonpp32.exe | C:\Windows\SysWOW64\Ocfigjlp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Baohhgnf.exe | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdacop32.exe | C:\Windows\SysWOW64\Mlfojn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kicmdo32.exe | C:\Windows\SysWOW64\Knmhgf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Liplnc32.exe | C:\Windows\SysWOW64\Lbfdaigg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohaeia32.exe | C:\Windows\SysWOW64\Nkmdpm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaolidlk.exe | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmgechbh.exe | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbgjqo32.exe | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mlfojn32.exe | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjojco32.dll | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckpfcfnm.dll | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcakaipc.exe | C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnddig32.dll | C:\Windows\SysWOW64\Lfpclh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oancnfoe.exe | C:\Windows\SysWOW64\Ohendqhd.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqjfoa32.exe | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnecbc32.dll | C:\Windows\SysWOW64\Lfmffhde.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lbfdaigg.exe | C:\Windows\SysWOW64\Lphhenhc.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocfigjlp.exe | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcnaga32.dll | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajbggjfq.exe | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihmnkh32.dll | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| File created | C:\Windows\SysWOW64\Lapnnafn.exe | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhpjaq32.dll | C:\Windows\SysWOW64\Ogkkfmml.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajpjakhc.exe | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aajbne32.exe | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mhhfdo32.exe | C:\Windows\SysWOW64\Mooaljkh.exe | N/A |
| File created | C:\Windows\SysWOW64\Qijdocfj.exe | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agdjkogm.exe | C:\Windows\SysWOW64\Aajbne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Knmhgf32.exe | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
| File created | C:\Windows\SysWOW64\Aobcmana.dll | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncmdic32.dll | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaloddnn.exe | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| File created | C:\Windows\SysWOW64\Lphhenhc.exe | C:\Windows\SysWOW64\Lfpclh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcfqkl32.exe | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mlfojn32.exe | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Magqncba.exe | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffjmmbcg.dll | C:\Windows\SysWOW64\Pmagdbci.exe | N/A |
| File created | C:\Windows\SysWOW64\Imjcfnhk.dll | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpggbq32.dll | C:\Windows\SysWOW64\Agfgqo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Diaagb32.dll | C:\Windows\SysWOW64\Mmneda32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nmpnhdfc.exe | C:\Windows\SysWOW64\Nkbalifo.exe | N/A |
| File created | C:\Windows\SysWOW64\Lhnnjk32.dll | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qodlkm32.exe | C:\Windows\SysWOW64\Qijdocfj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmogdj32.dll | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nfolbbmp.dll | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
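The file table above pairs every dropped file with the process that wrote it, which is enough to rebuild the sample's self-replication chain: each stage writes the next stage's EXE (plus a DLL) into SysWOW64. The Python below is an added example, not the sandbox's own tooling or anything from the sample; it runs over a constructed subset of the rows above (the tuples are copied from the table, the tuple layout is an assumption of this example), keeps only "File created" rows because the "File opened for modification" rows repeat the same pairs, separates dropped DLLs from the EXE chain, and applies the naming pattern every dropped file in this report follows as a weak secondary check. Because the table on this page is partial, the walk yields several chain fragments rather than one chain.

```python
import re

# Constructed sample: a subset of the "File created" / "File opened for modification"
# rows from this report's "Drops file in System32 directory" table, laid out as
# (description, dropped file, dropping process). The layout is this example's own.
DROP_EVENTS = [
    ("File created", r"C:\Windows\SysWOW64\Kcakaipc.exe",
     r"C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe"),
    ("File created", r"C:\Windows\SysWOW64\Knmhgf32.exe", r"C:\Windows\SysWOW64\Knklagmb.exe"),
    ("File opened for modification", r"C:\Windows\SysWOW64\Knmhgf32.exe", r"C:\Windows\SysWOW64\Knklagmb.exe"),
    ("File created", r"C:\Windows\SysWOW64\Kicmdo32.exe", r"C:\Windows\SysWOW64\Knmhgf32.exe"),
    ("File created", r"C:\Windows\SysWOW64\Liplnc32.exe", r"C:\Windows\SysWOW64\Lbfdaigg.exe"),
    ("File created", r"C:\Windows\SysWOW64\Negoebdd.dll", r"C:\Windows\SysWOW64\Liplnc32.exe"),
    ("File created", r"C:\Windows\SysWOW64\Lcfqkl32.exe", r"C:\Windows\SysWOW64\Liplnc32.exe"),
]

# Naming pattern of every dropped file in this report: one capital letter, then either
# seven lowercase letters or five lowercase letters followed by "32". Weak on its own
# (the legitimate Narrator.exe matches too), so use it only next to drop-chain evidence.
GENERATED_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.(?:exe|dll)$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def looks_generated(filename: str) -> bool:
    return GENERATED_NAME_RE.match(filename) is not None


def build_drop_graph(events):
    """Return (edges, dlls): edges maps a dropping EXE to the EXEs it created,
    dlls maps each dropped DLL to the EXE that created it. Only "File created"
    rows count; "File opened for modification" rows repeat the same pairs."""
    edges, dlls = {}, {}
    for desc, dropped, dropper in events:
        if desc != "File created":
            continue
        child, parent = basename(dropped), basename(dropper)
        if child.lower().endswith(".dll"):
            dlls[child] = parent
        else:
            edges.setdefault(parent, []).append(child)
    return edges, dlls


def drop_chains(edges):
    """Walk from each root (a dropper that nobody dropped) along single-child links.
    With a partial table, as here, this yields fragments rather than one chain."""
    children = {c for kids in edges.values() for c in kids}
    chains = []
    for root in sorted(p for p in edges if p not in children):
        chain, cur = [root], root
        while cur in edges and len(edges[cur]) == 1:
            cur = edges[cur][0]
            if cur in chain:          # guard against a cycle in malformed input
                break
            chain.append(cur)
        chains.append(chain)
    return chains


def summarize(events):
    edges, dlls = build_drop_graph(events)
    chains = drop_chains(edges)
    names = {n for chain in chains for n in chain} | set(dlls)
    return {
        "chains": chains,
        "dlls": dlls,
        "generated_names": sorted(n for n in names if looks_generated(n)),
    }


if __name__ == "__main__":
    for chain in summarize(DROP_EVENTS)["chains"]:
        print(" -> ".join(chain))
```

Against the full table the same walk links, for example, Knklagmb.exe to Knmhgf32.exe to Kicmdo32.exe and Lbfdaigg.exe to Liplnc32.exe to Lcfqkl32.exe, matching the order of the process list at the bottom of this report; any EXE that shows up as a root without being the original sample marks a gap in the captured events, not a second infection vector.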
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll" | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lbfdaigg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll" | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll" | C:\Windows\SysWOW64\Ohendqhd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Agfgqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll" | C:\Windows\SysWOW64\Lbfdaigg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll" | C:\Windows\SysWOW64\Mhhfdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mooaljkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ocfigjlp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll" | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ocfigjlp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nmpnhdfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcnkg32.dll" | C:\Windows\SysWOW64\Kbkameaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll" | C:\Windows\SysWOW64\Mlfojn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Magqncba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll" | C:\Windows\SysWOW64\Ndemjoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ogkkfmml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lcfqkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ncbplk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll" | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll" | C:\Windows\SysWOW64\Kcakaipc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaapnkij.dll" | C:\Windows\SysWOW64\Olonpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll" | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ncbplk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnaga32.dll" | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mlfojn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll" | C:\Windows\SysWOW64\Mooaljkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll" | C:\Windows\SysWOW64\Mdacop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll" | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll" | C:\Windows\SysWOW64\Kicmdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll" | C:\Windows\SysWOW64\Mmneda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndemjoae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Nmnace32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll" | C:\Windows\SysWOW64\Nkmdpm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll" | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mooaljkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mhhfdo32.exe | N/A |
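The two registry tables above are halves of one persistence mechanism. Explorer.exe instantiates every CLSID listed as a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad when the shell starts, and a CLSID's in-process COM server is whatever DLL path sits in the default value of HKCR\CLSID\{GUID}\InProcServer32. The "Adds autorun key" table shows the dropped stages writing the value name "Web Event Logger" with CLSID {79ECA078-17FF-726B-E811-213280E5C831}, and the "Modifies registry class" table shows successive stages each re-pointing that CLSID's InProcServer32 at their own freshly dropped DLL in SysWow64. The Python below is an added example, not the sandbox's code or the sample's; it joins the two tables over a constructed subset of the rows (copied from this page, with the tuple layout and the `key\name = "data"` indicator format taken from how the page prints them) and resolves each SSODL entry to the DLLs registered for it. It folds the Wow6432Node view into the native one so both views are matched; on a live host, check both views as well, since the report only shows writes under Wow6432Node.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from this report's "Adds autorun key" and
# "Modifies registry class" tables, laid out as (description, indicator, process).
REG_EVENTS = [
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"',
     r"C:\Windows\SysWOW64\Nckjkl32.exe"),
    ("Key created",
     r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     r"C:\Windows\SysWOW64\Cpfaocal.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"',
     r"C:\Windows\SysWOW64\Aigchgkh.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"',
     r"C:\Windows\SysWOW64\Lbfdaigg.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll"',
     r"C:\Windows\SysWOW64\Lbfdaigg.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll"',
     r"C:\Windows\SysWOW64\Liplnc32.exe"),
]

# Indicator layout as printed in the report: <key>\<value name> = "<data>".
# An empty value name is the key's default value, which is where the
# InProcServer32 DLL path lives.
SET_VALUE_RE = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_set_value(indicator):
    m = SET_VALUE_RE.match(indicator)
    if m is None:
        return None
    # The report doubles backslashes inside string data; undo that.
    return m.group("key"), m.group("name"), m.group("data").replace("\\\\", "\\")


def logical_key(key: str) -> str:
    """Fold the 32-bit registry view into the native one so both views match."""
    return key.replace("\\Wow6432Node", "").lower()


def resolve_ssodl(events):
    ssodl = defaultdict(set)        # (value name, CLSID) -> processes that wrote it
    dlls = defaultdict(dict)        # CLSID -> {DLL path: process that registered it}
    threading = defaultdict(set)    # CLSID -> ThreadingModel values seen
    for desc, indicator, process in events:
        if desc != "Set value (str)":
            continue
        parsed = parse_set_value(indicator)
        if parsed is None:
            continue
        key, name, data = parsed
        lk = logical_key(key)
        if lk.endswith("\\shellserviceobjectdelayload"):
            ssodl[(name, data.upper())].add(basename(process))
        elif lk.endswith("\\inprocserver32"):
            clsid = key.split("\\")[-2].upper()    # ...\CLSID\{GUID}\InProcServer32
            if name == "":
                dlls[clsid][data] = basename(process)
            elif name.lower() == "threadingmodel":
                threading[clsid].add(data)
    findings = []
    for (entry, clsid), writers in sorted(ssodl.items()):
        paths = sorted(dlls.get(clsid, {}))
        findings.append({
            "entry": entry,
            "clsid": clsid,
            "dlls": paths,
            "threading": threading.get(clsid, set()),
            "writers": writers,
            # One CLSID re-pointed at a new DLL by successive stages is itself a
            # strong signal; a legitimate shell service object is registered once.
            "repointed": len(paths) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in resolve_ssodl(REG_EVENTS):
        print(f"SSODL '{f['entry']}' -> {f['clsid']} -> {f['dlls']}")
```

On a live host the same two lookups are `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` (and the Wow6432Node path shown in the table) followed by `reg query HKCR\CLSID\{GUID}\InProcServer32 /ve` for each CLSID returned; any DLL path that resolves to a file that is missing, unsigned, or named like the dropped files in this report is the artifact to collect before cleaning the value.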
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Kcakaipc.exe
C:\Windows\system32\Kcakaipc.exe
C:\Windows\SysWOW64\Knklagmb.exe
C:\Windows\system32\Knklagmb.exe
C:\Windows\SysWOW64\Knmhgf32.exe
C:\Windows\system32\Knmhgf32.exe
C:\Windows\SysWOW64\Kicmdo32.exe
C:\Windows\system32\Kicmdo32.exe
C:\Windows\SysWOW64\Kbkameaf.exe
C:\Windows\system32\Kbkameaf.exe
C:\Windows\SysWOW64\Lghjel32.exe
C:\Windows\system32\Lghjel32.exe
C:\Windows\SysWOW64\Lapnnafn.exe
C:\Windows\system32\Lapnnafn.exe
C:\Windows\SysWOW64\Lfmffhde.exe
C:\Windows\system32\Lfmffhde.exe
C:\Windows\SysWOW64\Lfpclh32.exe
C:\Windows\system32\Lfpclh32.exe
C:\Windows\SysWOW64\Lphhenhc.exe
C:\Windows\system32\Lphhenhc.exe
C:\Windows\SysWOW64\Lbfdaigg.exe
C:\Windows\system32\Lbfdaigg.exe
C:\Windows\SysWOW64\Liplnc32.exe
C:\Windows\system32\Liplnc32.exe
C:\Windows\SysWOW64\Lcfqkl32.exe
C:\Windows\system32\Lcfqkl32.exe
C:\Windows\SysWOW64\Mmneda32.exe
C:\Windows\system32\Mmneda32.exe
C:\Windows\SysWOW64\Mooaljkh.exe
C:\Windows\system32\Mooaljkh.exe
C:\Windows\SysWOW64\Mhhfdo32.exe
C:\Windows\system32\Mhhfdo32.exe
C:\Windows\SysWOW64\Mapjmehi.exe
C:\Windows\system32\Mapjmehi.exe
C:\Windows\SysWOW64\Mlfojn32.exe
C:\Windows\system32\Mlfojn32.exe
C:\Windows\SysWOW64\Mdacop32.exe
C:\Windows\system32\Mdacop32.exe
C:\Windows\SysWOW64\Mofglh32.exe
C:\Windows\system32\Mofglh32.exe
C:\Windows\SysWOW64\Mgalqkbk.exe
C:\Windows\system32\Mgalqkbk.exe
C:\Windows\SysWOW64\Magqncba.exe
C:\Windows\system32\Magqncba.exe
C:\Windows\SysWOW64\Ndemjoae.exe
C:\Windows\system32\Ndemjoae.exe
C:\Windows\SysWOW64\Nmnace32.exe
C:\Windows\system32\Nmnace32.exe
C:\Windows\SysWOW64\Nckjkl32.exe
C:\Windows\system32\Nckjkl32.exe
C:\Windows\SysWOW64\Nkbalifo.exe
C:\Windows\system32\Nkbalifo.exe
C:\Windows\SysWOW64\Nmpnhdfc.exe
C:\Windows\system32\Nmpnhdfc.exe
C:\Windows\SysWOW64\Ncbplk32.exe
C:\Windows\system32\Ncbplk32.exe
C:\Windows\SysWOW64\Nadpgggp.exe
C:\Windows\system32\Nadpgggp.exe
C:\Windows\SysWOW64\Nkmdpm32.exe
C:\Windows\system32\Nkmdpm32.exe
C:\Windows\SysWOW64\Ohaeia32.exe
C:\Windows\system32\Ohaeia32.exe
C:\Windows\SysWOW64\Ocfigjlp.exe
C:\Windows\system32\Ocfigjlp.exe
C:\Windows\SysWOW64\Olonpp32.exe
C:\Windows\system32\Olonpp32.exe
C:\Windows\SysWOW64\Ohendqhd.exe
C:\Windows\system32\Ohendqhd.exe
C:\Windows\SysWOW64\Oancnfoe.exe
C:\Windows\system32\Oancnfoe.exe
C:\Windows\SysWOW64\Ogkkfmml.exe
C:\Windows\system32\Ogkkfmml.exe
C:\Windows\SysWOW64\Odoloalf.exe
C:\Windows\system32\Odoloalf.exe
C:\Windows\SysWOW64\Pdaheq32.exe
C:\Windows\system32\Pdaheq32.exe
C:\Windows\SysWOW64\Pnimnfpc.exe
C:\Windows\system32\Pnimnfpc.exe
C:\Windows\SysWOW64\Pqjfoa32.exe
C:\Windows\system32\Pqjfoa32.exe
C:\Windows\SysWOW64\Pbkbgjcc.exe
C:\Windows\system32\Pbkbgjcc.exe
C:\Windows\SysWOW64\Pmagdbci.exe
C:\Windows\system32\Pmagdbci.exe
C:\Windows\SysWOW64\Pckoam32.exe
C:\Windows\system32\Pckoam32.exe
C:\Windows\SysWOW64\Pmccjbaf.exe
C:\Windows\system32\Pmccjbaf.exe
C:\Windows\SysWOW64\Pndpajgd.exe
C:\Windows\system32\Pndpajgd.exe
C:\Windows\SysWOW64\Qijdocfj.exe
C:\Windows\system32\Qijdocfj.exe
C:\Windows\SysWOW64\Qodlkm32.exe
C:\Windows\system32\Qodlkm32.exe
C:\Windows\SysWOW64\Qqeicede.exe
C:\Windows\system32\Qqeicede.exe
C:\Windows\SysWOW64\Qgoapp32.exe
C:\Windows\system32\Qgoapp32.exe
C:\Windows\SysWOW64\Aniimjbo.exe
C:\Windows\system32\Aniimjbo.exe
C:\Windows\SysWOW64\Acfaeq32.exe
C:\Windows\system32\Acfaeq32.exe
C:\Windows\SysWOW64\Ajpjakhc.exe
C:\Windows\system32\Ajpjakhc.exe
C:\Windows\SysWOW64\Aajbne32.exe
C:\Windows\system32\Aajbne32.exe
C:\Windows\SysWOW64\Agdjkogm.exe
C:\Windows\system32\Agdjkogm.exe
C:\Windows\SysWOW64\Ajbggjfq.exe
C:\Windows\system32\Ajbggjfq.exe
C:\Windows\SysWOW64\Aaloddnn.exe
C:\Windows\system32\Aaloddnn.exe
C:\Windows\SysWOW64\Agfgqo32.exe
C:\Windows\system32\Agfgqo32.exe
C:\Windows\SysWOW64\Aigchgkh.exe
C:\Windows\system32\Aigchgkh.exe
C:\Windows\SysWOW64\Aaolidlk.exe
C:\Windows\system32\Aaolidlk.exe
C:\Windows\SysWOW64\Blobjaba.exe
C:\Windows\system32\Blobjaba.exe
C:\Windows\SysWOW64\Bbikgk32.exe
C:\Windows\system32\Bbikgk32.exe
C:\Windows\SysWOW64\Bdkgocpm.exe
C:\Windows\system32\Bdkgocpm.exe
C:\Windows\SysWOW64\Baohhgnf.exe
C:\Windows\system32\Baohhgnf.exe
C:\Windows\SysWOW64\Chkmkacq.exe
C:\Windows\system32\Chkmkacq.exe
C:\Windows\SysWOW64\Cmgechbh.exe
C:\Windows\system32\Cmgechbh.exe
C:\Windows\SysWOW64\Cpfaocal.exe
C:\Windows\system32\Cpfaocal.exe
C:\Windows\SysWOW64\Cgpjlnhh.exe
C:\Windows\system32\Cgpjlnhh.exe
C:\Windows\SysWOW64\Cmjbhh32.exe
C:\Windows\system32\Cmjbhh32.exe
C:\Windows\SysWOW64\Cbgjqo32.exe
C:\Windows\system32\Cbgjqo32.exe
C:\Windows\SysWOW64\Ceegmj32.exe
C:\Windows\system32\Ceegmj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 140
Network
Files
memory/2980-0-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Kcakaipc.exe
| MD5 | 85a1a45cda04c381316c752155701001 |
| SHA1 | 932c407b57b3dd1ad43831b2bd144b5f08878f7c |
| SHA256 | 6f385ec6e7091e6f65c03ba5fcecb0530ac5f815a40a229b3951aa0e466e92d6 |
| SHA512 | 74fda81fed991efbef5c75041400a008a76114b3f68bda7c699f995637cb8acc0e85e21e49e8e7d8dda15c9e1915221eb37fd5c5f26bd7da75c10100932476f2 |
memory/2980-6-0x0000000000220000-0x0000000000261000-memory.dmp
memory/2980-13-0x0000000000220000-0x0000000000261000-memory.dmp
\Windows\SysWOW64\Knklagmb.exe
| MD5 | fb4ce1931233de7ec6797666525875d2 |
| SHA1 | d6030d3582579eb1cf1c786c0f65f5efd103c7eb |
| SHA256 | 58a970e8d34d612378509ecadbf7d42e9623e81221e69d2b1d4b29632b7dfce2 |
| SHA512 | 4db234900707a96eecd3ac15fe0932fda7e7170ceb583d1b3e2a167047750d6abbbede32e1a601205272a60aa07d86a6bdc55acdb180e7ff64f963097fadc578 |
memory/2148-21-0x00000000002B0000-0x00000000002F1000-memory.dmp
memory/2148-27-0x00000000002B0000-0x00000000002F1000-memory.dmp
C:\Windows\SysWOW64\Knmhgf32.exe
| MD5 | cc2f248ec8baf607c43928cd0361619e |
| SHA1 | 9c3e780e0d53bedfe9e645dc9492ca5a38223ded |
| SHA256 | e1ba6e6dc5003ab2ecc1475e18bb8e4cd532f18ca01e6cdd6e22766b062c0c74 |
| SHA512 | f25f37e395a2633cf15d2350e0b401cf07c42e147f642610565dfbd31ddc90af47c2f3ec5dcd9f6b30c546d970c25d255844233d114036dc93589dc5215b9725 |
memory/2808-41-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2624-34-0x00000000002A0000-0x00000000002E1000-memory.dmp
memory/2704-54-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Hoaebk32.dll
| MD5 | 7e268ffee038960d1ed0d59defc606b7 |
| SHA1 | 54145d0e8a9cbee22994ef90f079ca566de12771 |
| SHA256 | 3d3929ae3accaa16c7fa8394e1e6548b735ad18f922510d197d8c57af4bccec3 |
| SHA512 | f626bdbfca17f25b28557ecb38e97107a9c2282aae734c110bca026587c973fe0edd5bb0b4d4fdab945e985f2e82559d838ff4b7dd2d62ee75811b4b1f07d2af |
memory/2704-67-0x0000000000270000-0x00000000002B1000-memory.dmp
C:\Windows\SysWOW64\Kbkameaf.exe
| MD5 | 9d28ce28bb4a8ebd58d718148ef76a3b |
| SHA1 | 1079bf39ab27cfd21a8e3a7c4ac458a7291792cc |
| SHA256 | fc11dec52546f2237a42e8a885c506c2dd3bb73d4f8397a9f58d87c4e56b5cc5 |
| SHA512 | 954b5573d09be3380aaddb14efa2a929f51c2f12290b01d23b987c2bc4a118605dee4b20123e4e22f205ce0ce529ae7285dd21c01418cdd7176b0f546c86aee0 |
memory/2504-68-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Lghjel32.exe
| MD5 | fd3503de3a5d80e9b178ae9b8d1ac5c9 |
| SHA1 | ce49270a7fd0d969ac401640104263ba5f609d41 |
| SHA256 | d3d4ff7e0b6edc2c8c41301c8e96ad4ccbda3750121abc216e4d3e1d50566ce4 |
| SHA512 | 43d436f0634a386a70aabb5f7b313845e4d936de161dd28bcc7c6194e09b9308bbb11093fed1333ce6ae5e4fcca6aeb0ee7e875ec5264bcb1e9aceb6f530a91e |
\Windows\SysWOW64\Lapnnafn.exe
| MD5 | 1d8608f1e27d405ffaad2327275e43a6 |
| SHA1 | 6991d8cbcd4a2c48b3844b312c8e1401b9f7d533 |
| SHA256 | 672f454d4a91a134d5c935f0dc637f9e99e5e9a939214db6bbe7e3d168eeb69a |
| SHA512 | ef33b8848c58005f04445202952e024f381fa86359c5b1a3c9aa4772d32aa839f8bb7ffaf5d1d6391c403fbfbeb5decbdfba271db0b020692c3c40da9a8407d4 |
memory/548-95-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Lfmffhde.exe
| MD5 | 1eeda41089cea70fbd4172b1076cf8a3 |
| SHA1 | e792146e4e1055cec1a26ca39c9520f6043a8761 |
| SHA256 | 3aa1b2be050da4292f4bbdcede795151715919a1b8b11720de8cb12876e4f581 |
| SHA512 | df16c2f00aa9fef62080c331570b584024335413fd66384edc36f01bacbdfe72b4712f18f94285f2242bcb13a17bd878444e7165256b608d29619109aeb4eff8 |
memory/1372-113-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Lfpclh32.exe
| MD5 | 75432ac00f4fc329d20934a6aa461ab9 |
| SHA1 | c27f207c67f3db0bd1f01b03cc6252145da4cba8 |
| SHA256 | 7ca604bcc2de40ad097ea7623a7ae12cc150b10a877ac24313aa32c9fabec948 |
| SHA512 | 4d303b0fff1406fe4fe6c9c6d5d226dd67a5ebb4b0fcd535ba439cae880229161ff885c6ad56cf9adb6807bf21dd3a4d57c46fb37f4f6b4c3ab2cf9c0e2427c6 |
C:\Windows\SysWOW64\Lphhenhc.exe
| MD5 | f5ae742496b6da1f20d2706a804a0a78 |
| SHA1 | f88c54fb951168960cad45203d26ce439b271846 |
| SHA256 | b01b749e84ac462dfde4aa2dcff2659c19e9e09fbe9785df557cf8aba36f2983 |
| SHA512 | 213d1b385c70d94197159dd05658c8a33af9ddb6e479cbe7b789eaacfb2d7d7a94c2ed1686ed20fcacec89b0919411789f8f45f937668c0111b85ea4796dc42e |
C:\Windows\SysWOW64\Lbfdaigg.exe
| MD5 | d342768282d35f360b09ff1ba244db7a |
| SHA1 | fd91fe9fe7175f610d1edddf9a5f9a53293c4bf6 |
| SHA256 | d5906ddd7a55f31860030eea5955a04fff632514951c696b685041ccf91ef126 |
| SHA512 | e3cb051fd9dfdbf5f35b583ad528fcfc0f2b088223a494469535456f9b4e1ac7e7bbb1c88963f242b65c2c7576fa3a62cb588bcecc119f2ff4da5cb070c83860 |
memory/1992-148-0x0000000000260000-0x00000000002A1000-memory.dmp
C:\Windows\SysWOW64\Liplnc32.exe
| MD5 | ba535b028f84c87723f58276d21975bc |
| SHA1 | 19d5638d748bb1158110c2986670a136ffb50693 |
| SHA256 | e6745d68adbd62d96167e575521d2820f5dbe14f66eed0793bc8b67cfe20eaeb |
| SHA512 | a103147d99f32b06c5f6e656e2f2939022a9f6aabcf118800783620f7dcb7bde1ef76601b08ee939f8b567632f07f250d16cd543551280648629291df09441bb |
C:\Windows\SysWOW64\Lcfqkl32.exe
| MD5 | 96d19897c86bdd2248bec8c0cf1260bd |
| SHA1 | 03787751f2eb076ffbf40f3914218036de9e2f82 |
| SHA256 | bff5002bbe4dea64a283900dbb4e01243ab30a593273f14b5ac2bf2c50aae90b |
| SHA512 | cef5bd27d78dc418b6972144ed04d44399d6514e1c0f305147fa6043f2bd0ba429071aac05211132e8a21dfa8582b695ddc2202894d78d531b661e7309f670a3 |
memory/2428-182-0x0000000000260000-0x00000000002A1000-memory.dmp
C:\Windows\SysWOW64\Mooaljkh.exe
| MD5 | 30e3ed23d83de7a35f493eb97b52cddb |
| SHA1 | d554f323fc727a977d0832aa647cb3a28e63fa97 |
| SHA256 | 46c820c1f5558639792f50a7bd1994d61e4629d53f71889d664ae5bf60702ba6 |
| SHA512 | 60600d9518946f722bf43191937944e4a58891528be2b1c2dee73f429234420ba053c3ad2b8acdadf6e564bf553e94f1b0384dc1c0bd752da99028b603cfe565 |
memory/2776-214-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2776-224-0x0000000000220000-0x0000000000261000-memory.dmp
memory/1960-226-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Mlfojn32.exe
| MD5 | 66ea4a7731e2c5ff1fe502d633543b4b |
| SHA1 | 3e32e248b8abd41463a29419aba701bb1d7d82b1 |
| SHA256 | 2bda8d49b17987a2171bac32d98f951cdd29d441367f04b10e52c4db85a3e40b |
| SHA512 | e74550cec23dc5c1f635800b51a2d4410c3ff7204dc524d8a5b68af4d80fcfa8e5e9550a763a905199374e76764c706b4ff5d345516f68d718c320ab5febdd56 |
memory/2348-245-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1892-256-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Mgalqkbk.exe
| MD5 | 0dc58625e98bb2158b81fa45ad6e3957 |
| SHA1 | 59810f6bab14d34072538373492ac9fe571b9cbe |
| SHA256 | 63d92ff7747b9bf0ded049985122ed3f1b19989a960359dad298159bf548fe3e |
| SHA512 | d6dd466e4133125f3df999b331ec3ce96ae0f57eab1a6759b85c4541922bfe69c4ca67d4bd7ea0ca043982d98968ddd4ff41bcece9db331666de70c6b47b8269 |
C:\Windows\SysWOW64\Magqncba.exe
| MD5 | 817da6f088487613fd320064321f1f0b |
| SHA1 | 62e486fdc70a532d208227eaf0f0fb1865b85ef9 |
| SHA256 | 2eaa2aeee0b8be93616af82263d589f8b6dd2d4221919eb25a6418d3f60d3083 |
| SHA512 | c89e61255fd52c1d9ba970385e61ede6e4cfb654e34e36c6e17025ac6bac809d395937bc9d628ad59335f8edd3f28c1741125255b6f6b57341478016965f41cb |
memory/1352-286-0x00000000003A0000-0x00000000003E1000-memory.dmp
C:\Windows\SysWOW64\Nmnace32.exe
| MD5 | e848029288f75722811cf3eeb659e391 |
| SHA1 | 8b143fac97377640b3ae912f9e2451006a0fd783 |
| SHA256 | fcafcaf6bfd3fa81f5d09ed44ef8bc36f561ac81e0b4f2ffb3edc53339b6cb5e |
| SHA512 | 28a122663c6ac75f102f79924ccb4d5710987f6a94d3e3c8a7e4cf80796c17a7dd344cefcd6c233eb2954f532755673a8333e480cd1cffee2375a4cf9fbe5edd |
memory/2020-321-0x0000000000450000-0x0000000000491000-memory.dmp
memory/2320-320-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2020-319-0x0000000000450000-0x0000000000491000-memory.dmp
memory/2020-318-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1464-317-0x00000000001B0000-0x00000000001F1000-memory.dmp
C:\Windows\SysWOW64\Nkbalifo.exe
| MD5 | 61a2e9e966751640c6d5e6edafad9af8 |
| SHA1 | f694e80936d5ebb77d5c293fd4b7c74c3cc00b1c |
| SHA256 | f7d9eead31c5ca679eae8e9367856a3f188fd7e0ba8a97551428ea5b37b29e17 |
| SHA512 | b0b43cfc7a918ee6548f7c66372fc1663de123037e5a67b9f96a7e1b3f6622fcc43b4fc4cae9be25bb7e4dea0c1d4a85ae4ca83554bbbe806656b39a59c68729 |
memory/1464-313-0x00000000001B0000-0x00000000001F1000-memory.dmp
C:\Windows\SysWOW64\Nmpnhdfc.exe
| MD5 | 5e576fef794bcebd583201cc5b80d169 |
| SHA1 | 18000c0c92adcb7bc5dd75be79c2c8e012a577e8 |
| SHA256 | ff69ce20bf6c4f9680bb5741940faa2edaeced76f571ad69bcd0fbc439e41288 |
| SHA512 | 235a523a8f327389048c9db4aa474dc51d0aabf2a60d3a3608eae3736cd4ec8272dcf06a9fe9d15711575af471d1a17c8d7e65f8790e468aac8063be337ea242 |
memory/2076-347-0x0000000000220000-0x0000000000261000-memory.dmp
C:\Windows\SysWOW64\Nadpgggp.exe
| MD5 | 6c4fe022c587150bc66d9421f5a57ed9 |
| SHA1 | df723528f4acdac485d2a1d1e74c717ab2927c90 |
| SHA256 | 5ff16ff20b57b20305965d67b03f1e831d3994288b7f70f164eea3b8c1c254eb |
| SHA512 | 82f067242f436321c1e27c75c49e2e3805a0874092cf1cc50ab66ae49e038c8bd1f7aff9a72065cca2cd1980265885e1e01c999f104e24e839aabf64f6f12bf3 |
C:\Windows\SysWOW64\Nkmdpm32.exe
| MD5 | 05d629334868ebcdbe4b661d498cfdca |
| SHA1 | 3c485a93928cf79b16c234e9b20b3a87a59cf24a |
| SHA256 | f632ac5219a070df0af7e9b2c33377d871b2d1be4758212b7c5f463a33b5bd26 |
| SHA512 | 9b330542892834edd431813cca544fe3b76ae3483b3a8a67dbb01fe7fb6317815ac6b1cb83d2b495260ad969bc9c3f77a3644c9fb46b98e17b3ce1c580d77b0c |
memory/2652-365-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3056-364-0x0000000000450000-0x0000000000491000-memory.dmp
memory/2568-387-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2568-397-0x0000000000230000-0x0000000000271000-memory.dmp
C:\Windows\SysWOW64\Ohendqhd.exe
| MD5 | 25cc19a67adc2944f4e8369501bb7157 |
| SHA1 | 95a30f30eb9b6405c1f38ab08fcad26b794b0701 |
| SHA256 | f9b6dc6f7f0d4082de69f6e737565ed513e1019de078d87b155c09224b1cadc3 |
| SHA512 | bfac45f1721f07ec6ef3a9769ddff3af77816a81bd6bf15e4f9cde8b17b73e4a4c6b3e5709cf57bad234b8bcb60091adf86163896b81a060c546fb84d8c0d176 |
memory/3060-424-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ogkkfmml.exe
| MD5 | 10c940ef477adc3a215712966749578b |
| SHA1 | 2c836bff90c4bc49375ba4bd57e0622dc91ab8eb |
| SHA256 | b92a15508dbbe3a5d4bc4b91d418b650a9ac047304117475c698a5ffeb7cce47 |
| SHA512 | cdbcba62bd68b1f77366d36a50171811bfd2cab4654e6d562f6ecd250ea7bb6e331f7a3bdba01a79502d7fd871b1434a4391fb17a84183bafe8a67911c7285d2 |
memory/2240-431-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3060-430-0x00000000002C0000-0x0000000000301000-memory.dmp
memory/272-445-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Pdaheq32.exe
| MD5 | 7049cfa2b0e39b313724b1f8ce3a0de2 |
| SHA1 | d71ed17b99e38c6e929af292ab274f124a2ff220 |
| SHA256 | 735ee925c93f384577df38a01c8c542c2e826bc416c1e06e48a6ab12562f7e95 |
| SHA512 | 4b3cea2c865e2bfb59b99bb90b4a35523166da8781e489bb3e8b79ef107a2bb37d8a38969ca0a9d0c39e97691eb874e40b795e5fce35a53558dff54260218fa8 |
memory/1040-457-0x0000000000400000-0x0000000000441000-memory.dmp
memory/272-454-0x0000000000220000-0x0000000000261000-memory.dmp
C:\Windows\SysWOW64\Pnimnfpc.exe
| MD5 | 5d27512044d9edaa564a52fb7100eb83 |
| SHA1 | 99d3fe72895b1325a1909978c77c8851cd90aaba |
| SHA256 | 6bd02fa9a04693a738766363d0df4ccf2cf483f5d62b22850cd07cea4e636d4d |
| SHA512 | 34b9765d18411273572890097fdc72115e88bf58b0f682b3f7f7a45fe2c082226746694d3422446b17b26802e99f72041359e42b791ab1ed8b791ea842fcd1cc |
memory/2772-478-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Pbkbgjcc.exe
| MD5 | 5a79cec8046ff8335883f58d7a65e809 |
| SHA1 | 6f4bd2fdb13fe1adfdbafa2dff527d6b6ccadd09 |
| SHA256 | 6ff9fcb91d375a02bb99f29f7e234a2f51c9bbca39f7520ac5caa3afac67a9c9 |
| SHA512 | e95fc825a220f0497a9650fb20bbdb330bb67c2744f94f0d3e9a3e7e3db367ef9dee458270bfeaa75441e18bd848342d3da82eaa82f3875332d400c2ba9b25bf |
C:\Windows\SysWOW64\Pmagdbci.exe
| MD5 | a901709b81de11f394eae1946387bc8e |
| SHA1 | f205ad7726c808b8ee0ce5f1262793290ccb173c |
| SHA256 | e9cf9e14e1cb9c3c6e27042c9155b0324094ce676fe923d5a08c8f88f761ac59 |
| SHA512 | 23ad49c0c775f2b8e075a77c496416eb19e27e194712299333a42c5fba541b41f387bc580f911a0a30cfc67cf2adfc8c14a9fe1e2c6263500d6570f7cf74beb3 |
memory/2772-492-0x00000000002D0000-0x0000000000311000-memory.dmp
C:\Windows\SysWOW64\Pckoam32.exe
| MD5 | cc96aefb4cfd688a26af2d088e7d0078 |
| SHA1 | 162a1983bc00f55b637ef840e00d760ffcc28be0 |
| SHA256 | 55153c80be78572e8b073ef9baf65dc3b963d4eb3b9f87439f135f3d88e5e5bf |
| SHA512 | 369cad6231926c5fa60c972792337b1ff56949ad58f06f255befdeec4a62f2c00a09f8d64a2839a4451188a86312a376fef626c8ab0e6d14d286f2fc9df381c2 |
C:\Windows\SysWOW64\Pmccjbaf.exe
| MD5 | fa185255763ba4f04762083b162abd4a |
| SHA1 | 4c4f834ea2911936849954e1206fc48bce1ea974 |
| SHA256 | 31413bd1edae8b1e990673b6b4c415a0c19b3a57346edb983cafadda494e7318 |
| SHA512 | 6066ad5b074cb140d035bbd7a564d608614ab268aac1ea490fe5b2ad936648031138efe3091dee86972a84b64be9d9a126e35735b3d1a72d8a43f8bf72489e7b |
C:\Windows\SysWOW64\Pndpajgd.exe
| MD5 | 5f5ac9b24d43d5f46d34f03ef23d9938 |
| SHA1 | 1c9477b388eafab13f2ec3f68910a9993e87ff28 |
| SHA256 | b3ffbe333100804e725a333da4f2db882125cfe2bbd164c80a655d3319dfa61a |
| SHA512 | d59283bf42da4c0272a0208bfb15b9b6bba0ad71bdf7a9d1bf7c810755c4d1b47221a6a56795bf9c15a21463e399e7804bf49b9894a9357b7ae7f55268d5a29f |
C:\Windows\SysWOW64\Qijdocfj.exe
| MD5 | faa16f8fc9b4af979e9ce2f896c37869 |
| SHA1 | fb649d5d604b391256be4a259a17eef5c63faaf4 |
| SHA256 | 487d22ea758aff622249eee986d93db9fbbbe717648e931c2c9cd41c1ccdeea0 |
| SHA512 | a0d3384f311216b70c8119574e2c9e97367cffa3b12c76e9b326fbe7a308494608a5a67a62b1a70f8f78c30688ba92e85be7cd04257d08620d9e0cfa2ec51043 |
C:\Windows\SysWOW64\Qodlkm32.exe
| MD5 | 5d210e3e30ee069bbdc1a6f49a0b31df |
| SHA1 | 8a038cc21a115798e89f28b1a9874245b93860d0 |
| SHA256 | c19977e4219809f1e86ecd15526c0233efc45c4a8b47e0f99553a20c4ba8f58d |
| SHA512 | cfe71e05111def038e26631e5d585e9a96c56adff5bd9c280f817307dfd1a9bbe9d0c33b8e4de4eec24542f256a18f2e6964ac161aa42c77985c4fa0867de5ea |
C:\Windows\SysWOW64\Qqeicede.exe
| MD5 | 5059bc10eefdb872d067d09d3a6f0216 |
| SHA1 | cb371c84ba4b1b55c718e4dbb33557dd258934cf |
| SHA256 | a62e9fcc4a7f139ac8f2435c058969e8f2a51972db79e32f2a993aee799ac1ea |
| SHA512 | 074088365f7111600407f75b7fd7896aada7cfcf555c9808a5bb0c4590e992ab122a4547de47224dd6641bfdd18db1bc8eac5a060c773fa52c0ea5bb4c6a5e86 |
C:\Windows\SysWOW64\Qgoapp32.exe
| MD5 | 1e38f980dd6f43a86a461f458f3aea83 |
| SHA1 | 2027aae403a774985b0562530c9bc2306f85d201 |
| SHA256 | b730ab013503d4cdaa470406a43e96f0c6da3092d6b0a0df8e774157247a8225 |
| SHA512 | fe9cfa5e73ef4c31bc998483eec816dace29b609ab2323a25a7689696361e952c61307667c345b1dd16cdf081ebe80ad20177f6e568a54e88b827a50169e87f8 |
C:\Windows\SysWOW64\Acfaeq32.exe
| MD5 | 716192759fc9bca494c0ec9567cac1f3 |
| SHA1 | 8938d2a968fe2fbf26128de4be369ddb8a4af23c |
| SHA256 | 365585ae1dd9c8cab518f88adfbde50140226f3fbd11ae99c1e8e5944ff61e81 |
| SHA512 | 7f236ab8ba7ac346bc2c56d0f316f1f1fedd4deab3d04029633b28f06fb577dfcfa9f533ac38ec37c9f713ba23f56f596e39e2c1dc7f2fe0f93d47ccb9873909 |
C:\Windows\SysWOW64\Aajbne32.exe
| MD5 | 09c2518e13b783a2c1a63684af13f127 |
| SHA1 | 02a4d0cfc3ab533d458ce2fd038e96ce84e67540 |
| SHA256 | cb41347568dac8a868ba7810e50f1fb1f6445f5b3851e4d9d3202f0bed94894d |
| SHA512 | 85447c1e4143a090840d632f8650498e5db8b60186227ed2fd64a28171932961007b9cc48b87afee93205ff4d7c8aaa7f24c435f80e871eaae25bb2e87f438b3 |
C:\Windows\SysWOW64\Agdjkogm.exe
| MD5 | ccb51f127aa137e54e8b289e52997eb7 |
| SHA1 | 22bd2561ed896389f00d03e6ef8ef30ba335e797 |
| SHA256 | 2868a7d8feefcf326a15ef2554d18da230b4ed09a09e38af53ac5c84a0ba39ad |
| SHA512 | 3316bfec1bd5700e15a5453a3c28770d83a9ee264c7baa20eca7f80985eaef48a1cda04089742ae39f1b26a2569f32aefb2fef7b015103efcf56ba15a7f361c1 |
C:\Windows\SysWOW64\Ajbggjfq.exe
| MD5 | 04714a903bb6bf9e84e52f5746551868 |
| SHA1 | eeff4401cfc10431622715575c6c6fe8c0185559 |
| SHA256 | adc51a1c8a217c5b642117d7beb2c94466f0e21aa49bc1abf019517d3151c3a6 |
| SHA512 | f6c064552fb9c85dac28b9b8adc65e4167109bc3f7e695b60e3c5c4676afc22e2b92ba07cfc72355b7b4c0b306686965efb36baaa27bfe0661f6ad674ea26f8e |
C:\Windows\SysWOW64\Agfgqo32.exe
| MD5 | 78cc48726c3ca27d80630e811f415859 |
| SHA1 | e2ae374e4cd090f09ea38ca7c0a60eaa4fc24af9 |
| SHA256 | c5eb74d23d5ea9f8f2b7add21cbfb89cf1ac926d669a2274ee94aa4bc1935469 |
| SHA512 | 773280ec53f0506169ca5f62b02d76c22cd5bb8bed0a5c23936f0fa362b2822aa4cfcd8c66c1f18e99476b791216c6a45c8f4aaac719405b5add2e750c62b81d |
C:\Windows\SysWOW64\Aigchgkh.exe
| MD5 | 2a70f61603fd4eafd003754e004ad4ef |
| SHA1 | d98efc72751bccddd5bdd2a295ebf97d590fb1f4 |
| SHA256 | 222f833f0b5adf827077fe8e7dace67c7e564d6a76c71cb4c068a3b6013e8b73 |
| SHA512 | 02b19708c59cbd4dfd8f67d70450104f6b0145096b813aaef203c66bdc149b4aa3153ce1236d469921a80af9cc8ac628a33bd4a471aa7771471a363f1bf5ecea |
C:\Windows\SysWOW64\Aaloddnn.exe
| MD5 | ea26c253d846250ff320fbd3d833ad86 |
| SHA1 | a707de60be73add20e25f501652c71afac832a7b |
| SHA256 | 7409223b214a19e957da652b6f1d1659108692f4559267b35f7776bfd9951ec9 |
| SHA512 | 6115e80fc4ae37bda3cbe260d10ac8b8830f21d47b988066ab28b571810dcbb2ab8f79a624fd5b6eaa1dfa784f7a71dc27cd70c18145f0c0fb0c99c8af9c8b98 |
C:\Windows\SysWOW64\Ajpjakhc.exe
| MD5 | d5d721ad4a0d6fef71ad3ff046c49e99 |
| SHA1 | 4e7667cab416a06992a1896a65733425ffc88b9d |
| SHA256 | 2c626574b162a582043e958784663c7194b4a8a8de2b73e5549deefceb678050 |
| SHA512 | 2e8e52f867f48239403abc3896c59047ed08ced9f6791eb1fdffe53476d1da7fd93d11d8e1712932083e23febc50fa56650a764e4ba714a4a96576ac758cb278 |
C:\Windows\SysWOW64\Aniimjbo.exe
| MD5 | 6653f5f5ad1380a1037ad73372cbf018 |
| SHA1 | 0b8807f47b1dbb829aaa574fc8214cf101e33160 |
| SHA256 | 8deec44f1f6269083cb637c173eaaa238efe862aa373a3398a561dd67d95cb1d |
| SHA512 | dd7f77eb296cb4f87913224a05015fd121da79fe8a56d26100e0858be00415964036a6b1b5095aeb5ee1cd3a4de04a07ba6921b3f54c99c80b0f62c74117e5af |
memory/2704-495-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2300-494-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1732-493-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2772-491-0x00000000002D0000-0x0000000000311000-memory.dmp
memory/2808-473-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Pqjfoa32.exe
| MD5 | a35575cd1074e8d7dba45524a04b34e7 |
| SHA1 | 36246786bdb43fe6a4b4d0db72109429e96523d4 |
| SHA256 | b98378213062f445a60c4bab18281623f917eeae663d428565f7bff05f7a8150 |
| SHA512 | d678f1875e82c4aa8e2a6755050a5a7b9c02e10ce4d95eb269521da7e5760dd1b809c7e9eada9d48c2c709443e73bfa9bda9841d94987f9e0e4f1fe9da3cd250 |
memory/2392-469-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1040-467-0x0000000000450000-0x0000000000491000-memory.dmp
memory/2624-462-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2148-451-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2980-441-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2240-440-0x0000000000220000-0x0000000000261000-memory.dmp
C:\Windows\SysWOW64\Odoloalf.exe
| MD5 | cdab56830e429aaab72cd65ca034fc54 |
| SHA1 | 59219c1e75d3f9ae0229ec202f1772b2791c094f |
| SHA256 | a9e6ed938f65dd783021198169b3844f4e7d6c2625495e05b9001c1225a622d0 |
| SHA512 | 0ccfffb0b5769710f0f11d05d4e6fc945e71b2bbe9cbfcf5289f549bd0966410e73a807e66c270a9c7c48466e94655f9aaba1a9a4634605a178b6a1a8d0563a8 |
memory/3060-429-0x00000000002C0000-0x0000000000301000-memory.dmp
memory/772-418-0x0000000000220000-0x0000000000261000-memory.dmp
memory/772-419-0x0000000000220000-0x0000000000261000-memory.dmp
C:\Windows\SysWOW64\Oancnfoe.exe
| MD5 | 038cc7b96fe5abdd794dfc82b2d1748c |
| SHA1 | 984ebfbeb6807a3724e9b2efac91142c7a04af12 |
| SHA256 | adf5e8a82420923dcdb6d84e92dfa5c8247c24a497355e2fd73a4ce12ed96640 |
| SHA512 | 19ab8ba871bbf0933b0a9fc344a5dc9e6c2818298d66e29718137f160087e5a05d69a77e9522817b6f1781f795eee6ae0ef143e466d0183baf879090064c6363 |
memory/772-409-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2472-408-0x0000000000450000-0x0000000000491000-memory.dmp
memory/2472-407-0x0000000000450000-0x0000000000491000-memory.dmp
memory/2472-402-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2568-396-0x0000000000230000-0x0000000000271000-memory.dmp
C:\Windows\SysWOW64\Olonpp32.exe
| MD5 | 89e67d36ad30d431a0da3f97823f0cb1 |
| SHA1 | 4be31ede65f5c68801eecd3983f2ba6d03ca4c66 |
| SHA256 | e69dac56cf7dbaa456f4d75889e49b2ba8d495c6ae83f62b56f2735515effb53 |
| SHA512 | 8452c2445e14496b18cc22390e558cfd7f904ec46e1d4dbc567bddf94d21e9ee991a9516a344c45b728b1797b29ebb51da4afdc2219254a2912c26493e3cfdf2 |
memory/2656-386-0x00000000002A0000-0x00000000002E1000-memory.dmp
memory/2656-385-0x00000000002A0000-0x00000000002E1000-memory.dmp
C:\Windows\SysWOW64\Ocfigjlp.exe
| MD5 | b2334ad5fd23d46e4be6fbde4d13b66f |
| SHA1 | 480711ce0f4c9f343b3fd135bca5c85f4b189148 |
| SHA256 | 876dcf60bb44483c762ef5a21e6d5d752cd17d5ef6c6160dc3d8f2c8a283ac38 |
| SHA512 | ea87cfeba47f2f077e604ee1536e42c4843619367f3a2d29ea04021e165cdb25a8434474851fb038518fa4a87233ecbc4d5069da25aaec7e0b643139d5e2db50 |
memory/2656-380-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2652-375-0x00000000002E0000-0x0000000000321000-memory.dmp
memory/2652-374-0x00000000002E0000-0x0000000000321000-memory.dmp
C:\Windows\SysWOW64\Ohaeia32.exe
| MD5 | f51666ba151134692e63988ad806f5a0 |
| SHA1 | 2b9de39a4ef48f91cae7a1804b6fadd3e2b53720 |
| SHA256 | 547b87b03953d43b37c2d7fd6bb06331370228e7875c492590c35335662e30e4 |
| SHA512 | d61c0c9ad57d7cfb1714dd3041288c9697b36ae0a4cd91390bebc498e2d1ec9a023f7820045092caceb13ed111d9b6e30ddadc974b0209edaf9b906595681779 |
memory/3056-363-0x0000000000450000-0x0000000000491000-memory.dmp
memory/3056-359-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1692-353-0x0000000000220000-0x0000000000261000-memory.dmp
memory/1692-350-0x0000000000220000-0x0000000000261000-memory.dmp
memory/1692-346-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2076-341-0x0000000000220000-0x0000000000261000-memory.dmp
memory/2076-340-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2320-339-0x00000000001B0000-0x00000000001F1000-memory.dmp
C:\Windows\SysWOW64\Ncbplk32.exe
| MD5 | c8e8cc7acadf6fd2107456ec599a8cb0 |
| SHA1 | c84fdca63dd395173a04bc4182ace7b570f5fff0 |
| SHA256 | 5b302c15d78e0e798a2d5c582dc298a82a7a75e6e53212f461edd016e9169126 |
| SHA512 | b86fe8f032434bb680515ea631c8b4ab3bfce27e1ad7f48889a1dd9936d6f838100fa509dcb7f4340e1d9e7bd835355469324656fd1aef613badf0133ea9f6d6 |
memory/2320-335-0x00000000001B0000-0x00000000001F1000-memory.dmp
C:\Windows\SysWOW64\Nckjkl32.exe
| MD5 | 75d91982e92bea12959bb1e3b0486077 |
| SHA1 | 4021ed93508548145497e39f824d4432f0abce74 |
| SHA256 | ce16e6e16e20c5cd7240af85aeb499555cf408466f33b2ee14a7b20b5e9a950e |
| SHA512 | 5f16f3d7605c5afbef11c3e4f254c513c14b6c9fe81a19ae0061daa784f6bed60190793f6914bd5a9df4cb2095199b0d9100183d2cf4d4b8ce3bc96a92d23563 |
memory/608-296-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1464-299-0x0000000000400000-0x0000000000441000-memory.dmp
memory/608-298-0x0000000000220000-0x0000000000261000-memory.dmp
memory/608-297-0x0000000000220000-0x0000000000261000-memory.dmp
memory/1352-291-0x00000000003A0000-0x00000000003E1000-memory.dmp
C:\Windows\SysWOW64\Ndemjoae.exe
| MD5 | a446c3497f059c4a082bffb494f954d7 |
| SHA1 | a22a9673d02f5c4cf81b8f6a722583d15170aaaf |
| SHA256 | 4b6ae64d572884a9a0844e1bbb26b8bde51f261a37ca5b01c693a7f42a21d846 |
| SHA512 | 48ff98d03aa925abce26aa32b3d9ac0714a2cba7939d83d9fa265cb00f01490614e378e837bb1c559eda79f9ed274c9573b64537c45f53abfc2520079e2fe5e5 |
memory/1488-277-0x0000000000220000-0x0000000000261000-memory.dmp
memory/1488-276-0x0000000000220000-0x0000000000261000-memory.dmp
memory/1488-271-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1892-270-0x0000000000290000-0x00000000002D1000-memory.dmp
memory/1892-267-0x0000000000290000-0x00000000002D1000-memory.dmp
memory/2348-255-0x0000000000790000-0x00000000007D1000-memory.dmp
memory/2348-254-0x0000000000790000-0x00000000007D1000-memory.dmp
C:\Windows\SysWOW64\Mofglh32.exe
| MD5 | 9182982f087f1d831e52903e3e394e83 |
| SHA1 | 25013c74ca42f7b5dae7a84f666bbd8e7c41e1ea |
| SHA256 | 7f0eee09bbbf74514cf48d20e5b9ed3cf09afa3c26b60fc891c62d19c01f7655 |
| SHA512 | e9f171fac317a4d06aeac4521f3d03edd265a26036fc394978e04e1fdfbcafeb6b3da7d0f4af6cfeb7382f648f130b2a7a52fbfda622e7981d1d989f31dda56f |
C:\Windows\SysWOW64\Mdacop32.exe
| MD5 | b5e6d8512a9d53d3b5929b30ade232a6 |
| SHA1 | 4502e36571260a29f7a260699764d95ec45a0210 |
| SHA256 | b4cea3ee1c530174d76f32c79034f5016aa7846720f3ded0975c5dc999e4fae4 |
| SHA512 | 7d74c1910746d9dee96dea65fcf698fad7b2364f6ad512807bafb2143d91129d2a5d054d7ec1562e642016f82cad8f98d2923a0c265d59e25ffb17b0dc927967 |
memory/2132-236-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1960-235-0x0000000000220000-0x0000000000261000-memory.dmp
memory/2776-225-0x0000000000220000-0x0000000000261000-memory.dmp
C:\Windows\SysWOW64\Mapjmehi.exe
| MD5 | ca9a2916c4499d0587faf03cdf1ecc75 |
| SHA1 | 9f59ef988452ac1192f3283821517fafbaca561e |
| SHA256 | 634545e8c0a15359b419ae82df3d9ffdd4f5b85761004921c764a0f05169d0a2 |
| SHA512 | 015654220c68df52582a96269f7c407e316721764ea78dc5abe605ea017cce9c229dc539cc0e19afee307965d029c3ca551d1f2113c19c2ff2106e047dc6804b |
C:\Windows\SysWOW64\Mhhfdo32.exe
| MD5 | ba8036ad81b25e22d75a1a69a417cdb4 |
| SHA1 | fe633f87abc102988b89676d7d44c4e865726aa4 |
| SHA256 | c045cba1abf247533f056b786878f422552b3ff128ddaf869f1d3c27df24dd88 |
| SHA512 | 9baffae26afdca864feb245f1cd817ebd277615af8626446450f60c1801cbcbef2fcad5637ad02950b27b896289d058b064cc565edca183b75545115d919035a |
memory/2280-201-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Mmneda32.exe
| MD5 | a770df9c6f01fd71df368d5b57bcfab9 |
| SHA1 | 19ee2ba3c5aa5b4b729293e205ff85999ac47bf7 |
| SHA256 | 98704479dbc2588360711ed39ac39b16a6c52a931da246f6159c49687abb644a |
| SHA512 | bc89f052e92b2e1beab8a0eead61ee7a846e88998a781a2cb3eea5a16ae9361aa4e523e8ff0b472df5f0005b75398577155884763464de4d8d9766fc3723164f |
memory/800-188-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2428-174-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1408-161-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1992-135-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1372-121-0x0000000000220000-0x0000000000261000-memory.dmp
memory/548-107-0x0000000000450000-0x0000000000491000-memory.dmp
memory/1200-88-0x0000000000450000-0x0000000000491000-memory.dmp
memory/1200-81-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kicmdo32.exe
| MD5 | a60beaf1245ddd5e4efb33191699000d |
| SHA1 | 2b34c766018d2fe60cc90009e98b15e22595f6ea |
| SHA256 | 9523d4e3283e15ea4476370b5f3ba5cc260e7151bae6574caee4ef2ba543956f |
| SHA512 | 46ea26c2fd9f5c2cc2dd545c1a349ea38e279455ff0b175fcfd2ca70258fde9bb58ba1b372063e0f2f50b9ce703862b539e8a689d315084518eee8e17def5988 |
C:\Windows\SysWOW64\Aaolidlk.exe
| MD5 | bdfc1f95a56f34922ef649decbb7b99c |
| SHA1 | 2574bb109a2975d29006f232e885ee2820f9bea6 |
| SHA256 | 14ced57d8e745eac94825c73c406ca13a11936069410916840498056665f3f1c |
| SHA512 | d0b41ab168a195d134b81fa84479bc7f8bc8be9cc94ef6ce220ff05acd3cb5e45d4ce0e60cc95fa511fe25f0ad654a8c828afa883df7ad737004006084a45234 |
C:\Windows\SysWOW64\Blobjaba.exe
| MD5 | 74e1e848e934505d706e6a070528bf1c |
| SHA1 | da54cc9c4e17c88c1adcaf926202266dd3cc7f83 |
| SHA256 | 717671e0f5afdfdf8db4a3149ac0d15d13c33c12ce778e9693a03a543f316eee |
| SHA512 | b99eca28d207d213fed727d05040ed27870fcce26c885d05598a4940ec2a1b189ac1bf6a3d7d9507088f44e00954006614af2578fde09157e36f86aaa6047fc2 |
C:\Windows\SysWOW64\Bbikgk32.exe
| MD5 | 79c3381a2cc22f2475b9d32fe17db5c3 |
| SHA1 | 0ebe8ea73d7039ef78f71e52b6293c4867cd91b3 |
| SHA256 | 362fb8806dd264b44fec4e4dc29beaedb447264abdf7cd39dab71fc4e14a597b |
| SHA512 | 725c999c6574a57eacaf49696085f2659cca8cea6b443e9bffbad2e69cfbf2865d798e105fba5023bae3a057f779adb9aadd92cb78068f6731984e8623948d7b |
C:\Windows\SysWOW64\Bdkgocpm.exe
| MD5 | 0f1a75e47aa4df7e4637b13e479eac3c |
| SHA1 | 5c516b8030786999f49147f0c31a07fe4a698754 |
| SHA256 | b930e387c97bfa9c517309755359584998cfc65b13140bee51a3deed7db1b7be |
| SHA512 | 8c87958176edc4db18b0ab38b6b8b092cb9d88743def1c189d8ad517156b10532822aed4e59d26986a6b7dcefd931d6cef30cc3230ef625bce7e5a7fcf35afc9 |
C:\Windows\SysWOW64\Baohhgnf.exe
| MD5 | 5b650681825ef9485271b0492ab1d05d |
| SHA1 | bf64a0380f4aa29bd030360c725d250238f64df4 |
| SHA256 | 6b0c2fd872f332dfa34267b3732a0a2068156d77a3648b6569ce78deaf50451c |
| SHA512 | 4efd7a63a57fdd6c1d41d4a123a2d9c870df25de52ee73bc2bd3d831c1dbe29e0f34a46523ecef422f815159152839d44d8a6cb583aacb1f83b2f7c9eb11164a |
C:\Windows\SysWOW64\Chkmkacq.exe
| MD5 | aab90ee8f5870f19427bdcf60d719342 |
| SHA1 | 4e451375f45eeeeab65fc6d90f9e923456559b21 |
| SHA256 | faa65503575f7c478f3db1e9119ec12a74e945eff9aadd6c6fa1eeb774e8dc26 |
| SHA512 | d6f26d2c3ca31f574564610be9706f9a2444eee0763ffb2ad8e9aa3827e709a03e1d8031c9ffbfb60aa1e7dbf88a4c169190cdb749bc5dab9cdcde6bc325fbf1 |
C:\Windows\SysWOW64\Cmgechbh.exe
| MD5 | 266e507a1d4b8ccc9dd3a77e3eefaa88 |
| SHA1 | 3b99abbc58cc269a97f110b2226e23ef5c5e149a |
| SHA256 | 98861b353d0c19037e1ceb1771258443ffceef256e08116b6948e2d9d1b4904c |
| SHA512 | 68b908ba8800a5e114c6193bfe9e8b6b91030ee730e276b38de179a2608ffbadcf1290bd88955f0188150b9d90cce7c6db1fcfddf4742583700417cc62d21c4c |
C:\Windows\SysWOW64\Cpfaocal.exe
| MD5 | 7716420204e49db13b50ad550fd1520a |
| SHA1 | fab3151cd76c62dd93386b86cdb898e6b6ab8e98 |
| SHA256 | c67440a0881d065fe6bcbfa8d0159aced6b287c8230f29acd7bbcbbb23a8a2ec |
| SHA512 | 6e5e86aec787d61255c12e01c621dd47a68233cc89a73d9d641848da43dc43d3d74beed479ec72e950ad6f57e9ae8fedc94316eb6674a4f5fe930dd0b59df268 |
C:\Windows\SysWOW64\Cgpjlnhh.exe
| MD5 | 28cc8a23e403423384fce98f2528c56c |
| SHA1 | 2668438878c6049316db2747a85dc613578697ea |
| SHA256 | a25fcc0a483835e18ec9759f50f23ac673aee3eed1c95fdaadc72fa6f5a9ceb8 |
| SHA512 | 70bef3c406cdacd6ce92c35e994ef57a51a13730ae8d24e3da798a092deca14b2791adf3dd5486103e664bd4cf4543b3689dd44c88e2e4b8a4cc26984c0d435b |
C:\Windows\SysWOW64\Cmjbhh32.exe
| MD5 | abd9107b3b8c8d62d04cf1645d1c5bb0 |
| SHA1 | f00feb804331a27f0b7b8a01b95199ac94c179b8 |
| SHA256 | c8fbf4f4f9ebb35242a9cc538eb56d4f78f13bad54be138b95efc2a29e714938 |
| SHA512 | c65c91007ea4f68ca12116d08f6e5f9a3430d4660d4086d9f5b40866f57f3393217b34528cc07ae7a8026b655c6799de2fe3ff0219115975f0dfde74cda8064f |
C:\Windows\SysWOW64\Cbgjqo32.exe
| MD5 | 65fa60193688b8e779f2dc7ac52758c1 |
| SHA1 | acec9c0b3911d174018849f28a41e06c54cded18 |
| SHA256 | 69b4570958044327161ddc0aee968bb472482198cdaf4a6f2fc78cc040ece52c |
| SHA512 | 1f003d18ee9d66d722ba01b25b55dec2538193d3c4dbd1099d0daa72403b446093315b25003a4bcb21cf4bcbb7a435ac056bb7d8bd1f435699f1690a0ce05bff |
C:\Windows\SysWOW64\Ceegmj32.exe
| MD5 | b40db9e0a2f4e589994f32f8a9e1496e |
| SHA1 | 7bcf2a1f3ede7d69e9367f1f3dfc7bb3d20d884b |
| SHA256 | e634780f14e3a07424879779a8bccf47012d9608a6d498de71fc30f8f46e042e |
| SHA512 | 1075c14ed5b381df1899beeab3558a6542b17eaa9e4fb550f9192e4cfbf4a4e9b7d1e40db551fcfd57a297698355e84b2c73418e0ce41dec27463313edf27128 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 03:21
Reported
2024-06-14 03:23
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
124s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Imdnklfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ejjqeg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Eqciba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fodeolof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gbcakg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gjjjle32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gqkhjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jbocea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkgdml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Lpcmec32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebeejijj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hikfip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgmlkp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mcklgm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gjjjle32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjpeepnb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldohebqh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gmhfhp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gfedle32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Liekmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ldmlpbbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpenfjad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Haidklda.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgfoan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ecmlcmhe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkbchk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpcmec32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ejegjh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fqohnp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fodeolof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Imgkql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Liekmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldkojb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eqciba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hmklen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hpihai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jiikak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fbqefhpm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gjapmdid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjfihc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jdcpcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Kpepcedo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpolqa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gfqjafdq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gjclbc32.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Fijmbb32.exe | C:\Windows\SysWOW64\Fbqefhpm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbocea32.exe | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgfoan32.exe | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| File created | C:\Windows\SysWOW64\Peeafpaf.dll | C:\Windows\SysWOW64\Gmhfhp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpgkkioa.exe | C:\Windows\SysWOW64\Himcoo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ldohebqh.exe | C:\Windows\SysWOW64\Lpcmec32.exe | N/A |
| File created | C:\Windows\SysWOW64\Giacca32.exe | C:\Windows\SysWOW64\Gfcgge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mpolqa32.exe | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Imgkql32.exe | C:\Windows\SysWOW64\Ifmcdblq.exe | N/A |
| File created | C:\Windows\SysWOW64\Kaemnhla.exe | C:\Windows\SysWOW64\Kbdmpqcb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lkgdml32.exe | C:\Windows\SysWOW64\Lgkhlnbn.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipmack32.dll | C:\Windows\SysWOW64\Ibccic32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kdhbec32.exe | C:\Windows\SysWOW64\Kajfig32.exe | N/A |
| File created | C:\Windows\SysWOW64\Djmdfpmb.dll | C:\Windows\SysWOW64\Gfedle32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdcpcf32.exe | C:\Windows\SysWOW64\Iinlemia.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfjbmnlq.dll | C:\Windows\SysWOW64\Fjepaecb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gmhfhp32.exe | C:\Windows\SysWOW64\Gjjjle32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Giacca32.exe | C:\Windows\SysWOW64\Gfcgge32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbfpobpb.exe | C:\Windows\SysWOW64\Jdcpcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghmfdf32.dll | C:\Windows\SysWOW64\Jjpeepnb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncihikcg.exe | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hboagf32.exe | C:\Windows\SysWOW64\Gameonno.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibooqjdb.dll | C:\Windows\SysWOW64\Hbckbepg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibccic32.exe | C:\Windows\SysWOW64\Ipegmg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eqbmje32.dll | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpcmec32.exe | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| File created | C:\Windows\SysWOW64\Epmjjbbj.dll | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcnhmm32.exe | C:\Windows\SysWOW64\Mpolqa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qchnlc32.dll | C:\Windows\SysWOW64\Hpgkkioa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Haidklda.exe | C:\Windows\SysWOW64\Hfcpncdk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jpjqhgol.exe | C:\Windows\SysWOW64\Jbfpobpb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njcpee32.exe | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ehekqe32.exe | C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfqjafdq.exe | C:\Windows\SysWOW64\Gmhfhp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgcifj32.dll | C:\Windows\SysWOW64\Mpolqa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jplifcqp.dll | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ldkojb32.exe | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lcgblncm.exe | C:\Windows\SysWOW64\Laefdf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgblmpji.dll | C:\Windows\SysWOW64\Icgqggce.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iakaql32.exe | C:\Windows\SysWOW64\Iidipnal.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikjmhmfd.dll | C:\Windows\SysWOW64\Imdnklfp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lcdegnep.exe | C:\Windows\SysWOW64\Laciofpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Gqffnmfa.dll | C:\Windows\SysWOW64\Mcklgm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kflflhfg.dll | C:\Windows\SysWOW64\Imgkql32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkjjij32.exe | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File created | C:\Windows\SysWOW64\Opbnic32.dll | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmggiogn.dll | C:\Windows\SysWOW64\Ejjqeg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpckhigh.dll | C:\Windows\SysWOW64\Gjjjle32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcggpj32.exe | C:\Windows\SysWOW64\Gqikdn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kaemnhla.exe | C:\Windows\SysWOW64\Kbdmpqcb.exe | N/A |
| File created | C:\Windows\SysWOW64\Liekmj32.exe | C:\Windows\SysWOW64\Kgfoan32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldkojb32.exe | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibmmhdhm.exe | C:\Windows\SysWOW64\Iakaql32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkcmohbg.exe | C:\Windows\SysWOW64\Nggqoj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fphbondi.dll | C:\Windows\SysWOW64\Ejegjh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ppgjkamf.dll | C:\Windows\SysWOW64\Ejlmkgkl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fifdgblo.exe | C:\Windows\SysWOW64\Fbllkh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Imppcc32.dll | C:\Windows\SysWOW64\Kgfoan32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkpgck32.exe | C:\Windows\SysWOW64\Mjqjih32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmalco32.dll | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eagncfoj.dll | C:\Windows\SysWOW64\Gameonno.exe | N/A |
| File created | C:\Windows\SysWOW64\Kpepcedo.exe | C:\Windows\SysWOW64\Kilhgk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcglnp32.dll | C:\Windows\SysWOW64\Fijmbb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kpepcedo.exe | C:\Windows\SysWOW64\Kilhgk32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gmhfhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gjclbc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Kipabjil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll" | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll" | C:\Windows\SysWOW64\Goiojk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Lpcmec32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Laefdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll" | C:\Windows\SysWOW64\Jpjqhgol.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll" | C:\Windows\SysWOW64\Fbllkh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Giofnacd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ehekqe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Imgkql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jpjqhgol.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll" | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Kmlnbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fifdgblo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gqikdn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Kgmlkp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kgmlkp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll" | C:\Windows\SysWOW64\Kgdbkohf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" | C:\Windows\SysWOW64\Ldohebqh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mcnhmm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll" | C:\Windows\SysWOW64\Nqfbaq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gjapmdid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jbfpobpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ecmlcmhe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll" | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gameonno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll" | C:\Windows\SysWOW64\Mcnhmm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fjqgff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Lilanioo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll" | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll" | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll" | C:\Windows\SysWOW64\Ibccic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll" | C:\Windows\SysWOW64\Jiikak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Kdopod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" | C:\Windows\SysWOW64\Lkdggmlj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll" | C:\Windows\SysWOW64\Lkgdml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebeejijj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll" | C:\Windows\SysWOW64\Gbcakg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll" | C:\Windows\SysWOW64\Hpenfjad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ifmcdblq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Majopeii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll" | C:\Windows\SysWOW64\Gqkhjn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ifopiajn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Ehekqe32.exe
C:\Windows\system32\Ehekqe32.exe
C:\Windows\SysWOW64\Eckonn32.exe
C:\Windows\system32\Eckonn32.exe
C:\Windows\SysWOW64\Ejegjh32.exe
C:\Windows\system32\Ejegjh32.exe
C:\Windows\SysWOW64\Elccfc32.exe
C:\Windows\system32\Elccfc32.exe
C:\Windows\SysWOW64\Ecmlcmhe.exe
C:\Windows\system32\Ecmlcmhe.exe
C:\Windows\SysWOW64\Eflhoigi.exe
C:\Windows\system32\Eflhoigi.exe
C:\Windows\SysWOW64\Eqalmafo.exe
C:\Windows\system32\Eqalmafo.exe
C:\Windows\SysWOW64\Ecphimfb.exe
C:\Windows\system32\Ecphimfb.exe
C:\Windows\SysWOW64\Ejjqeg32.exe
C:\Windows\system32\Ejjqeg32.exe
C:\Windows\SysWOW64\Eqciba32.exe
C:\Windows\system32\Eqciba32.exe
C:\Windows\SysWOW64\Ebeejijj.exe
C:\Windows\system32\Ebeejijj.exe
C:\Windows\SysWOW64\Ejlmkgkl.exe
C:\Windows\system32\Ejlmkgkl.exe
C:\Windows\SysWOW64\Eoifcnid.exe
C:\Windows\system32\Eoifcnid.exe
C:\Windows\SysWOW64\Fjnjqfij.exe
C:\Windows\system32\Fjnjqfij.exe
C:\Windows\SysWOW64\Fmmfmbhn.exe
C:\Windows\system32\Fmmfmbhn.exe
C:\Windows\SysWOW64\Fjqgff32.exe
C:\Windows\system32\Fjqgff32.exe
C:\Windows\SysWOW64\Fomonm32.exe
C:\Windows\system32\Fomonm32.exe
C:\Windows\SysWOW64\Fbllkh32.exe
C:\Windows\system32\Fbllkh32.exe
C:\Windows\SysWOW64\Fifdgblo.exe
C:\Windows\system32\Fifdgblo.exe
C:\Windows\SysWOW64\Fqmlhpla.exe
C:\Windows\system32\Fqmlhpla.exe
C:\Windows\SysWOW64\Fckhdk32.exe
C:\Windows\system32\Fckhdk32.exe
C:\Windows\SysWOW64\Fjepaecb.exe
C:\Windows\system32\Fjepaecb.exe
C:\Windows\SysWOW64\Fqohnp32.exe
C:\Windows\system32\Fqohnp32.exe
C:\Windows\SysWOW64\Fbqefhpm.exe
C:\Windows\system32\Fbqefhpm.exe
C:\Windows\SysWOW64\Fijmbb32.exe
C:\Windows\system32\Fijmbb32.exe
C:\Windows\SysWOW64\Fodeolof.exe
C:\Windows\system32\Fodeolof.exe
C:\Windows\SysWOW64\Gbcakg32.exe
C:\Windows\system32\Gbcakg32.exe
C:\Windows\SysWOW64\Gjjjle32.exe
C:\Windows\system32\Gjjjle32.exe
C:\Windows\SysWOW64\Gmhfhp32.exe
C:\Windows\system32\Gmhfhp32.exe
C:\Windows\SysWOW64\Gfqjafdq.exe
C:\Windows\system32\Gfqjafdq.exe
C:\Windows\SysWOW64\Giofnacd.exe
C:\Windows\system32\Giofnacd.exe
C:\Windows\SysWOW64\Goiojk32.exe
C:\Windows\system32\Goiojk32.exe
C:\Windows\SysWOW64\Gfcgge32.exe
C:\Windows\system32\Gfcgge32.exe
C:\Windows\SysWOW64\Giacca32.exe
C:\Windows\system32\Giacca32.exe
C:\Windows\SysWOW64\Gqikdn32.exe
C:\Windows\system32\Gqikdn32.exe
C:\Windows\SysWOW64\Gcggpj32.exe
C:\Windows\system32\Gcggpj32.exe
C:\Windows\SysWOW64\Gfedle32.exe
C:\Windows\system32\Gfedle32.exe
C:\Windows\SysWOW64\Gjapmdid.exe
C:\Windows\system32\Gjapmdid.exe
C:\Windows\SysWOW64\Gqkhjn32.exe
C:\Windows\system32\Gqkhjn32.exe
C:\Windows\SysWOW64\Gbldaffp.exe
C:\Windows\system32\Gbldaffp.exe
C:\Windows\SysWOW64\Gjclbc32.exe
C:\Windows\system32\Gjclbc32.exe
C:\Windows\SysWOW64\Gameonno.exe
C:\Windows\system32\Gameonno.exe
C:\Windows\SysWOW64\Hboagf32.exe
C:\Windows\system32\Hboagf32.exe
C:\Windows\SysWOW64\Hjfihc32.exe
C:\Windows\system32\Hjfihc32.exe
C:\Windows\SysWOW64\Hmdedo32.exe
C:\Windows\system32\Hmdedo32.exe
C:\Windows\SysWOW64\Hpbaqj32.exe
C:\Windows\system32\Hpbaqj32.exe
C:\Windows\SysWOW64\Hfljmdjc.exe
C:\Windows\system32\Hfljmdjc.exe
C:\Windows\SysWOW64\Hikfip32.exe
C:\Windows\system32\Hikfip32.exe
C:\Windows\SysWOW64\Hpenfjad.exe
C:\Windows\system32\Hpenfjad.exe
C:\Windows\SysWOW64\Hbckbepg.exe
C:\Windows\system32\Hbckbepg.exe
C:\Windows\SysWOW64\Himcoo32.exe
C:\Windows\system32\Himcoo32.exe
C:\Windows\SysWOW64\Hpgkkioa.exe
C:\Windows\system32\Hpgkkioa.exe
C:\Windows\SysWOW64\Hfachc32.exe
C:\Windows\system32\Hfachc32.exe
C:\Windows\SysWOW64\Hmklen32.exe
C:\Windows\system32\Hmklen32.exe
C:\Windows\SysWOW64\Hpihai32.exe
C:\Windows\system32\Hpihai32.exe
C:\Windows\SysWOW64\Hfcpncdk.exe
C:\Windows\system32\Hfcpncdk.exe
C:\Windows\SysWOW64\Haidklda.exe
C:\Windows\system32\Haidklda.exe
C:\Windows\SysWOW64\Icgqggce.exe
C:\Windows\system32\Icgqggce.exe
C:\Windows\SysWOW64\Iidipnal.exe
C:\Windows\system32\Iidipnal.exe
C:\Windows\SysWOW64\Iakaql32.exe
C:\Windows\system32\Iakaql32.exe
C:\Windows\SysWOW64\Ibmmhdhm.exe
C:\Windows\system32\Ibmmhdhm.exe
C:\Windows\SysWOW64\Iiffen32.exe
C:\Windows\system32\Iiffen32.exe
C:\Windows\SysWOW64\Ipqnahgf.exe
C:\Windows\system32\Ipqnahgf.exe
C:\Windows\SysWOW64\Ibojncfj.exe
C:\Windows\system32\Ibojncfj.exe
C:\Windows\SysWOW64\Imdnklfp.exe
C:\Windows\system32\Imdnklfp.exe
C:\Windows\SysWOW64\Ipckgh32.exe
C:\Windows\system32\Ipckgh32.exe
C:\Windows\SysWOW64\Ifmcdblq.exe
C:\Windows\system32\Ifmcdblq.exe
C:\Windows\SysWOW64\Imgkql32.exe
C:\Windows\system32\Imgkql32.exe
C:\Windows\SysWOW64\Ipegmg32.exe
C:\Windows\system32\Ipegmg32.exe
C:\Windows\SysWOW64\Ibccic32.exe
C:\Windows\system32\Ibccic32.exe
C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6300 -ip 6300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 412
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
Files
memory/2536-0-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ehekqe32.exe
| MD5 | b7bf5d7550d7d09bb3bc221015a69df2 |
| SHA1 | bbb751a69b25c01ed2133605e29add5d8ea73f5f |
| SHA256 | e3510d37ceec05098eca4d7f323c94002efdae84113f43001366496ee2c9cf45 |
| SHA512 | 6034ac7ab9b2d51f7c1b86e5f7fa8ebf2375c2d9394c8c7250feff0135d2c169af76c10b203bb0a4d3f563f63659987e51f491a1cba4d96c8d1ed28894a109e7 |
memory/2188-7-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Eckonn32.exe
| MD5 | ab8ebb54c40d2fb11b9f761001c92098 |
| SHA1 | f44cff0ea921891c4048a50b85cdfef8b8280f4e |
| SHA256 | eab198b4be3ecf4f202a33950bbb08cb69e118321cdc191f67d45ece13a26ad3 |
| SHA512 | 9f9a2674bef3b49278af08d7ff3a246735183c327cc32fccdb4c7fb6e737ccfa8998cb09455bc601bd75abf5837cf1cbacb243428d558c0470d6d1da626a5b93 |
memory/3704-16-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ejegjh32.exe
| MD5 | 9626ee7e669e6770a4219a5cacd11484 |
| SHA1 | 1bc758b82d31efff1028a6923377d9f34c085a1a |
| SHA256 | 5f15938f797817942933d0998c8eb686c56dc122fb5d3a3179e5e362c49ff44d |
| SHA512 | 101ea6fa89a3ef87d702ca339c0e0b402618a46d288b61ecd85c0adfe12b9aed86bf91e69ea349b54ec90fb948e932e7b312ca8295a9f919f946cb37aeeaf409 |
memory/5140-23-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Elccfc32.exe
| MD5 | cf0a43d227823fe1e74251c8fb365308 |
| SHA1 | e762c0779f5fd304e2944f7532646a0c147faf3b |
| SHA256 | 5bd5378fd9d6b2eb3d666e32a60a03b3b12312ba0b1bbe891bca436e94ee3aba |
| SHA512 | 0da0bf0cf3a223da5dceab9f7e96b7c2a96f864d24b5f1f135a0116f9386765f6e009a8c24abf44f43c17b82ea1d6cf243c9c421209e4f60d0da3d0a901ffbeb |
memory/3096-31-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Eoodnhmi.dll
| MD5 | be94038599898f29adc1f8bd2f6b01ef |
| SHA1 | b529e48cac4568a73f68fb9a1c81e555b8007ab2 |
| SHA256 | 1cade1c6898ac2b2be85690d09271e1b010c3d59406575688b706965de03c364 |
| SHA512 | 171ebdf4b1f0e8debe4d2ec42f1ad83a3bf6c0c344ac1d1be8f4cb6aa41d5fb78851516e5c33a66302a9032bdc50b74741cceeaca2ac7cf5cb0e6780b9aebaa0 |
C:\Windows\SysWOW64\Ecmlcmhe.exe
| MD5 | 3722f4e0820153b9fdcd8c07b7a6c265 |
| SHA1 | 836aa69fb8f11444eacad66ae94e9fd905309d88 |
| SHA256 | e7b44fb7f2d10c2c75dc1b1a770742011ffa550c10d86d500647a7a6fe044bc4 |
| SHA512 | aa439b09f86f31083fbe198180e8d68d81220aee996842953c25d7328275b24ee10a22ffb92c009a94c0f0a4253b2d9e44ba9165399fd1ffbadf7fb7f1479f63 |
memory/5168-40-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Eflhoigi.exe
| MD5 | ca2ebf166f042548effb04c279f2dfbf |
| SHA1 | 92bb08869f158c8da2c350d288b2a3933eb412b6 |
| SHA256 | 3adebdd15691c43f27bb6618308d58f52ffd204908f9163f489bc22472e670e8 |
| SHA512 | fd8bfeb1813f410260525c2eb6e917e59d1c4f280ed35d4f069ed06efffa35c0a0d0d1935fab897e611b794a3e98fc69aa46ba8dd27575ac137d756d79264616 |
memory/5152-48-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Eqalmafo.exe
| MD5 | 55ab994242e3f91b80d8c099392e46fe |
| SHA1 | c4765e4644948ad7b4d41182380377a1d53e9513 |
| SHA256 | 73450ec28f3b0262b691943b1392e524426ff2888dcbff98a96e95f8ec168d3f |
| SHA512 | d7748ccae234024ead5633de63cc639bd88a6da6e8c25d4bc8bd9cee2f931d60d2cc24b231b285c35cc1db1e41ad73d80ca7b8f133d403624cac1c25b1b69173 |
memory/436-56-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ecphimfb.exe
| MD5 | b8022b423cd1f3f95a98da96ea8778fa |
| SHA1 | aaa34ac15671773f9e040314d5525a06297afc96 |
| SHA256 | 8ee049aa0bb7f1f1c217b5ffd261bf946b9d8a50ae5f5c5ac9acc80f3bd829a4 |
| SHA512 | b11a16d5568a29eb9ca5300bc58360066f08e2668cde9a4361deeb3fe4a35a2772568d0266b4926dd234f1cbb0ba6538b094fa044ee39ba5c436e582955656b3 |
memory/5380-67-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ejjqeg32.exe
| MD5 | b685d6ed1684e72b9a0e13bd92f12747 |
| SHA1 | 0dae6b756f781366317db84e6c8d4ae34a460a9d |
| SHA256 | e7ca994969f1bedbce3dc87f6a1dd6b4e0fc8ea5fe2ea37933e5f1f87383a036 |
| SHA512 | 53a3445c3009c11b9bb18be2d6fa4c3a10939c47a2e4903723b49acc73f87c9881e5bfbfb4cee154db3f7334fdf8b7c47e4c4cdb9b63abe34eeab7581d10e67f |
memory/1188-72-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Eqciba32.exe
| MD5 | f631f35c2c7154fabe2ab8e0b8fd84f9 |
| SHA1 | b4283d2f8436904c4c2a86d4c098371be60f0f39 |
| SHA256 | 9f0c0e958d2eee2c18a77b4e3c3cb4a7b180b917d4adbad0355274b9cde46c1e |
| SHA512 | 6139054744331af4b713a6b64f2e076d468e843498c5c302012fc88071c50940be18b59799163df6060dce587872daf22e4215e518aa596710114ef6ed82b182 |
memory/920-80-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ebeejijj.exe
| MD5 | 2c0e867c56316cb956fb41aba562a10e |
| SHA1 | fffe5fa6591524dc4aeec9dbf857ce96c799e2c1 |
| SHA256 | 2e3081a95ab5fccd75c0ef948c1172d925f65cd938f65e878e6b0cdb3d5592c4 |
| SHA512 | fd7e4ac5c4f19976154aa692f14db613570bc9c1951a2bf18d4c33b8f3b6951e0c8225054241568da205f3969ab1b1824d511fa7bc1253c3b8bb48e112b69ef5 |
memory/5264-88-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ejlmkgkl.exe
| MD5 | db5005b317d7086c5e08080dea7bc2dc |
| SHA1 | 0335320b03387778bb8827a33560d3f5048f6f9b |
| SHA256 | a3a09a6f1007702490705bcf10ae12d43874bbd081671bf5c909047b59268056 |
| SHA512 | 6d079b9ccac1b7e5374531fa5952b944a722422a019cd0b3379d55093dfd6cde03c01d2c2be6de52e75347f733bffa414940b07b67705bc30471237e6143ac66 |
memory/3188-96-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Eoifcnid.exe
| MD5 | 3a69273c5f609d2792ae1574785682dd |
| SHA1 | 88a921fc9787948bd79481b96bee1d7470586660 |
| SHA256 | ba9d7fe7c627af07645bf593cf3535cebc74123962e7299bef7fe529517a1f6c |
| SHA512 | 7816a43a5c171ba5cd48274260464be1667445b58c1136fc8d2f8f73de22f4da95ecc2373ed0e9edb83c48834769ebf2c28f89053f96b59ce6c05c51782d55f0 |
memory/4228-104-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fjnjqfij.exe
| MD5 | 1fdb5de0cf840c71b9d02509947d8ccb |
| SHA1 | bfa24846fde95d6d4524acb08cf4d014700bcc60 |
| SHA256 | 7ec0593e98cfad5b433aef7e1349b12ba36e7b541db8b789fb5223039ea2f295 |
| SHA512 | 74faf0584516b9596f36b3feddb2a54dd2fd646aa545f175163671938e09a44dc7df29eafc203bf1eb8e8228ef9db3db38ffdc822f00f37ec81cfe4028f87d28 |
memory/5776-112-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fmmfmbhn.exe
| MD5 | 055f8a509c6cd2ec4e181b0890b053b9 |
| SHA1 | 47036a0da1b035c07d2715820880807cd1331f00 |
| SHA256 | 31ce583bd7255575dc22971256265f74df7df702fa36c98d6cb848f04379931c |
| SHA512 | f872472a1e5e2dbf5b344d343e3c0aa7c30e8b57d98c541be968d0e96841df24f51d241b9735ba59ff46d5bb03d407b31f6b23df934b24b4659a4e2f5d2212d5 |
memory/1492-120-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fjqgff32.exe
| MD5 | 1d3246538f9624dd1781f2b7e5767a50 |
| SHA1 | 4cdaf6e7e3f117c58a5079d22b1230050d547fa6 |
| SHA256 | 7dd131f19362275f446382c5f6e3e8ad85b9617b95a24ff0858e161e810371f1 |
| SHA512 | f954b2304ae8bd0461965a6ad504a9cdd3d3d18658f9b543bdb153f2a1df3c23938764f57c04e20b5b4100f90ef85d785c89d5d89835e8e13046f724a1750ee6 |
memory/3876-127-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fomonm32.exe
| MD5 | c198d218db5c6b636b1808909fbc88ca |
| SHA1 | b1a2759fff9e1228db00e24eee6612f0173b371c |
| SHA256 | bf50557317e71e4b4ac0a57dda031e5b1ab70f392be60d862af754d1d473685e |
| SHA512 | 7086256ac30ae2d43564b2e8f6cc0cb2adec19c3831b611358c52a82af357142c236a6e8c8bebc7875767fbe636459e7ef1fd27d5a8cd8c37b73da2453b9db34 |
memory/680-136-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fbllkh32.exe
| MD5 | 6b7a4aa544c9cd449aeb729d3226e484 |
| SHA1 | e825ac91eccb5a1cd699a469fe49943134b30ca0 |
| SHA256 | 8d8ff0d8dca2f1057deb0ba4833b75d17802c2613d9870a19fb55dd465ae7257 |
| SHA512 | c66952c5888ed075781feee52c90e5573b602e516bc1545f43953c3398d7978a36baeba3fa7d252fc97c82409238af82a727019dbd6e103328c5a05a9ede8533 |
memory/3120-144-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fifdgblo.exe
| MD5 | e2c057aab19a74659d2a2721a9f5a85c |
| SHA1 | c8e5d8437686d7e11ce675c99ad8edfdc3a639c7 |
| SHA256 | 8cd97afd1ddf2402105a302944f57c642f6632ca9c09e765d8346bef688cc08b |
| SHA512 | c51e1772bd3dc5332b433094d9641680e5f0bab8c0472116bface7ccf5dab04d798e55c6fa6e782dd39617841d68e901dd013b051a324bd988d753c20d3092bf |
memory/5960-153-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fqmlhpla.exe
| MD5 | facbd3ace867187348d509b3f57b52b5 |
| SHA1 | f3f3bdacee989a160c75e6175dd53fef3d5b40e8 |
| SHA256 | cd5136fb87219c33666e72f381d9efa8255effb65ff2e4af7c3653ac98c62a94 |
| SHA512 | ad6cc0fe79f3c4ba35c02e39f32ddbc69fd5982723b97966c7f125aebb0a694e55e5cba9230125a714f10b0091ad2ebb4426c0446875c59c5ac02955c0e8bb66 |
memory/3916-160-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fckhdk32.exe
| MD5 | aeff2e401d12dc0a62472aecbe97aaf8 |
| SHA1 | 654204982d256190f5d28d0f5a1965245e326b38 |
| SHA256 | 02629a29353dcf8f4d0766666740312fecbaa53edd6bdbebd535ff560a0418f9 |
| SHA512 | e1aafda1da234e0b8978b75a6386e0a797a95668ebe8fad9fbd93dc014d752b8c1abae3723a8193f07dc7311783e563b187471c8da4d6c9d495dd0096202c1ba |
memory/2548-168-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fjepaecb.exe
| MD5 | 40bc26ff994d98feb8e83742ae6ea2af |
| SHA1 | 21277c3a71b02d0a3d62581c2cf5a460592086d6 |
| SHA256 | 6574eb8957c790d743e6b6e45d27a7f7354644b302821ae0016d8b4cdb951ce2 |
| SHA512 | 80605119707c74470d6c1b1d9b41fc0a6d96aaf80ee49d905dce0569c4592372bc495f3b74e907d2619e607c6e5ce7c323f79273d4a4ff8f965a612cad5ea1e5 |
memory/1944-176-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fqohnp32.exe
| MD5 | e500dfb5003c791a0ece2df2f1f8b343 |
| SHA1 | e4b381546c0f1bee384066ad1842774bd1b51e85 |
| SHA256 | 2c2d395b60eccf84ae1ee9411cb6fb68349fb75755d73aee221081389164b2f7 |
| SHA512 | 0fa231a2027463bd7714d904fa3dfc044130cc6ed758fd3cb007ca2c2aa1da0ecc9c97dda84d50685d51d394ddb3282f7caeb30d647844642503570ac0f7d6a1 |
memory/5936-184-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fbqefhpm.exe
| MD5 | 50ea26909967733d2cb3e7ba9b4b66af |
| SHA1 | 14af96b3241549420320964705c172f5058387ae |
| SHA256 | 2ec1cab72290d64a5733daa7b99e928dc7a73f4994ca58faa99a77f10ba201f7 |
| SHA512 | e31e964ab9f41f38906d4e46f3372fd1ee212cde83cf8664aeb7b976c61ada496191d30a82c6dd87f136617965cae61a87596968fb0973cf0c432a83ca73b6f9 |
memory/5432-192-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fijmbb32.exe
| MD5 | 7d2c14eee43c2da0530585da3d0592f2 |
| SHA1 | 4d94a7ee6581936203c3fb58bedba15edccdfd6d |
| SHA256 | e5b1754dd7f93e2ea912b5da38992a9e09574e26312c408c2737af4e94da31cc |
| SHA512 | 87befea8045506b240910f8ee08703d5c6a8eee41a27a2a8d1ed723e170455e534a082ab783d9fc670868a92ae7b883d810c051ec062729eabf286c2db367da5 |
memory/5416-200-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fodeolof.exe
| MD5 | 62a74691446b58939825c624ccf7ab3e |
| SHA1 | b90a41bf63166de8b906b07d18174715d39d9fbd |
| SHA256 | cae2ef6563d7e24061b0670359f9e1819e8240eea9640f9c405eabeae3ecf5f9 |
| SHA512 | 9b37d3b9135284f75973f64b24a4e7efb6f6c9d9a14516b46c4aa714bd0c0512876e2191eafd1343e93e532d3d1c9e6b8be6860e797d7a6b3e1a2d5f8f83f3fd |
memory/2452-208-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Gbcakg32.exe
| MD5 | 21154b865052bcb2e9b7cf8414835b19 |
| SHA1 | 280106058c2348cf36d07cc1b33051fa0a0ab0c9 |
| SHA256 | 1ea6372c6f970f3b0a4bd2d15319be18e707e35c52578b80148e29951c647d63 |
| SHA512 | ee2aff92d665617f6a3be39ffe3d473e8f202a5bbff085137c44d549e8500aaec04b35d16502bc2c2ed644bbd85828993372f4e3981ecb3e4b3b965963f04d93 |
memory/1632-220-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Gjjjle32.exe
| MD5 | 2396dfe30b228d60b66a23c0ed810348 |
| SHA1 | a2b1f292bd43ccd578b1956c44b8c4a038ab07aa |
| SHA256 | 05bcc8c3326cab07524541af75a5fac39303344b697dcd898f01dd63704032ff |
| SHA512 | 6930fd288689adedc9fe7ba4f83162a554a3c51ef3db2cf760364cfdfdcebe6af189a8e52f829605df9df7dc7dc420dde9fcd3e4f54ce2d9f7897d98dbad0326 |
memory/2368-224-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Gmhfhp32.exe
| MD5 | dec4140fab3ff5e077a148d1e85fc3ca |
| SHA1 | 564a5e9a86865fd404b357bad52e473f147732ac |
| SHA256 | e40f07999122571cc1ab772c9b3e0cdf7da89e9645b69b8cd85657e18aaefeb9 |
| SHA512 | 22f3dbfc1b7215e76e8bbefa550c390453b9366cccc4f6040e99fd84b0ea7c70a9f7ab49b94499829bc8d6be0c7355b7d57b8d95c046489407e2b512705f3bb5 |
memory/2872-232-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Gfqjafdq.exe
| MD5 | 6cf3523c2a05161e3708709b81adf08c |
| SHA1 | 83e064670d1c9a98e27f9f3900c9722b001f50d8 |
| SHA256 | ca288e6756cc782ea46c216ad44a4055c24f90795e1b16f7495295e05e893a13 |
| SHA512 | 843722cee0198e49796d0f064fc6f0a411ebca5fa492273dce5eb4543188710af063fb0edebc9003b978247300b8b60332e9cf5a933c9203f163ab97ea2c6ae4 |
memory/2556-244-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Giofnacd.exe
| MD5 | d1dc171eafb977bc21c6a96b743f55e8 |
| SHA1 | a3ab8dab4687327a29221270bd1687690f72b74f |
| SHA256 | 868091a39ec77e0ecc9ff58d320c0e26e94af7889cd2c8f12a2c7d4f5d19e0de |
| SHA512 | 57bdec20e950ca817df5859f979689198cc8f108d380aabdb5a0ed87d551b17871f3c7e27b399b63ba063c9680243646b9f648d909b4ee17569e584d6648a3f7 |
memory/4764-248-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Goiojk32.exe
| MD5 | 8c08bd786adb8d93248c889dd06c5649 |
| SHA1 | bd76fa94f4591fdeefe59eea92960c042afd2785 |
| SHA256 | f68470a66ae64b02a26fb97fde55f2d4d28a1ca83cd70a83a4c326498ca53f47 |
| SHA512 | cb7bb27338757513fe89375e373cab2389524c5a4d76fd174aac52c731d0f7c450ae783227b63fe47e47e6404219a3583adb7c41a4e250feb385e272c0a57530 |
memory/5320-258-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3708-266-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5708-268-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1232-274-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Gcggpj32.exe
| MD5 | 228aa3e939b921f4d32a39024c44285d |
| SHA1 | 6f4a5a53a85fd3033813a548d34663191b08c82f |
| SHA256 | f63dd792a273e6c40053261d2ab60914290114ef17da4d18db8a64282eeb264a |
| SHA512 | 54c555d2383d3a67b17da07db6d5a59c5af20c55674edc02195a2373327f9afda371b46b981ea391369ea014913af7fd5adaafff343f55237fb7f88df005e070 |
memory/2540-281-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4168-286-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4844-292-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1544-298-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4284-308-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4276-315-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2136-316-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Hboagf32.exe
| MD5 | cb0edff9d8378628bfe6930ae3ed96ec |
| SHA1 | 7a72802e7faeca4070eb0b8d93a06e22cc5e89ef |
| SHA256 | e433f633f3ddac0d8a339cfabf4b7788bd4f4c9d9b231713e9a75e6a35b6ddc3 |
| SHA512 | 69b0bd6dc85053548ab8a5e3d32b9eb6476f505b6c86507ea8e38e42f87b80064f8acdf113a51063c5dc0f2ed767ad5b3e832f72dc19a5a0abed6487c834d84a |
memory/1780-326-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1868-328-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Hpbaqj32.exe
| MD5 | 6cb7541b54e87f14267ca2d1e2659055 |
| SHA1 | 96b7c24b99fffba56b228654588da9c9d0230e4b |
| SHA256 | be72b8aacee518e4e6f18df676c480a68147e58150244a77a047278404e2ee17 |
| SHA512 | 211077733afd3f1c49fe76fb7bacf010bce3c780e5374c942d15cd9451623aa11e03dcc058d10068b81b9d2a278279ee8a3a3c42d95ad5a32f1a20351434e916 |
memory/2788-338-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4596-344-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4584-350-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5284-352-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3796-358-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1800-364-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4708-372-0x0000000000400000-0x0000000000441000-memory.dmp
memory/716-376-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4836-382-0x0000000000400000-0x0000000000441000-memory.dmp
memory/6048-388-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3572-394-0x0000000000400000-0x0000000000441000-memory.dmp
memory/464-400-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2592-406-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1640-412-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2280-418-0x0000000000400000-0x0000000000441000-memory.dmp
memory/6056-424-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5384-430-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5712-438-0x0000000000400000-0x0000000000441000-memory.dmp
memory/804-447-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3988-448-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5308-454-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4064-460-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1468-470-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4112-476-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1700-482-0x0000000000400000-0x0000000000441000-memory.dmp
memory/6036-489-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4188-490-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5688-496-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5752-503-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3952-508-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1620-514-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jjpeepnb.exe
| MD5 | 2b008c1d3346e5aa4edf1dd3cff02d7a |
| SHA1 | 42f817eaccc4931163ebf1500777c38a5c4e11ac |
| SHA256 | b09b0876f50b104ea9d3970dceed1a8be679b795592798776de6e8f5ea5eae03 |
| SHA512 | 424d05c7ccbd88aca1362db27ef1302b62e1f353cb7eb1f340a7ad35c227c705d382d952776521993c9b9b3713ab1d259a8067ffcf48606e23b0df9c62bcfa73 |
memory/2876-520-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1252-526-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4668-532-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jaljgidl.exe (captured as a zero-byte file: the four digests below are those of empty input, so they identify nothing and must not be used as indicators)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4932-542-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2536-544-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2416-545-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2188-551-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3800-556-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3704-558-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4824-563-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5140-565-0x0000000000400000-0x0000000000441000-memory.dmp
memory/312-566-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3096-572-0x0000000000400000-0x0000000000441000-memory.dmp
memory/404-577-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5168-579-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5884-584-0x0000000000400000-0x0000000000441000-memory.dmp
memory/932-592-0x0000000000400000-0x0000000000441000-memory.dmp
memory/5152-590-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3508-594-0x0000000000400000-0x0000000000441000-memory.dmp
memory/436-593-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kpjjod32.exe
| MD5 | bbbd8fa85bd0d2bf70a261149eb1cb84 |
| SHA1 | e67a11c3bcdc1a5dbd25e5d257c34ad4be5bd73d |
| SHA256 | 190131766f6b22eb6513ace6e30961678f2d0a1afaa123f2cec9bd8ceb47d6d3 |
| SHA512 | 64fd5f3c048abef840f92dec0642583e811f5db31caf6797e89b0771b7dd89e80b150171c6758d40b9f0d04d45e5f780f78629a8d3a8e33d796724f94b100f76 |
C:\Windows\SysWOW64\Kajfig32.exe
| MD5 | 52cc77170f09110cb66a3b72d3cd3abd |
| SHA1 | 6e8fe9dd5d8e8ea6591dcd8ea44fb69433e1ce38 |
| SHA256 | 1471dc9e761d7c9299eb45bbecafa51c81f8a37f2b66720507898ada831c64ef |
| SHA512 | bfdddbd10eca61e31e1db0dbd12f908d6fe5ab26f0524fe9f818b36142b893b8df4febb7ebb2e8e820424f43edebfcc18c2cadcfea57a70506dedfbc4bbfd3ec |
C:\Windows\SysWOW64\Laciofpa.exe
| MD5 | 280b5ece6f2f44a377a02a6a77c997e9 |
| SHA1 | af7cdb7d3d6594db7946186c97542fbffadd2ad7 |
| SHA256 | 7959ee9c98e859b217290d1d43a4e3b463fea254b3b60041fae1c4d2b17d1c6b |
| SHA512 | 528660261f54df03053aaed2514e902c0ca26d276a55085385f87d8e0c6bbb6844f0184a73e068b94de875691a01c5f1cf181343a8e83c6e1921350a96e1ac47 |
C:\Windows\SysWOW64\Lklnhlfb.exe
| MD5 | c559d6be9c37d2e46db57cddbdf4f5f0 |
| SHA1 | fbce2ecb9f4f68a4d41a4a72b17723423d432094 |
| SHA256 | ac245197de0dc8e7f9c52218a93e864628c6abf0a32e568e9a692a655bffecf0 |
| SHA512 | 9576a383b3d46b7c95e2e8a28e2e3f93f37cfec184d9fac5c4767c1bfe92ac9d2606a5f0475ac0c08f7684b93a5ca0671ef993b5600931b0e7c4c5fcf6bee2b8 |
C:\Windows\SysWOW64\Mjcgohig.exe
| MD5 | 28a5a591ddfe471a5fc857e6d97d9c61 |
| SHA1 | 23150e36aaa56de940766b363dc75273e1d70742 |
| SHA256 | ea252c1e4b2bb4f976003970e18f74d6b16350eb933f92d5dd9cc597f3d62e5c |
| SHA512 | 4930e8509874ecc7fd3e68fb27fcb357d66c1693b1431ab19750e896b8aa830b1ad85e5ec0facf4b9f1e994050ceef40e68937dfbbd865cb617479f9f60d475c |
C:\Windows\SysWOW64\Nddkgonp.exe
| MD5 | 7f643717b90671254c78903674cf39ff |
| SHA1 | 645b64005cca277801aa6a3594f0cbc29c6546a0 |
| SHA256 | 16c41d86b91a714f2f5a51cc2e66b9087391912236c6b422531a70a4fc1e1a6a |
| SHA512 | 95e5a28e1bbf9333ddd54fad61ff7080de02b307abe76baaa047d13fefddb6ed3e45c9d3136c65cfede6664df2550dd289dab4a71de5a818a5b76cdaf7508a01 |
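Turning a report like this into usable indicators means parsing two list formats: the sandbox's `memory/<pid>-<seq>-<start>-<end>-memory.dmp` dump names and the per-file hash tables under each dropped path. The script below is an added example (not code from the sandbox vendor or from this page) that does both, checks whether every dump covers the same image range (here all of them span 0x400000-0x441000, i.e. one 0x41000-byte image dropped under many names), and recomputes the digests of empty input to reject any entry that was captured as a zero-byte file rather than hard-coding those values. The `SAMPLE` text is an excerpt of the entries above; the class and function names are this example's own.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Dump names follow memory/<pid>-<seq>-<start>-<end>-memory.dmp in this report format.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Digests of b"" computed locally; a dropped file whose digests all match these was empty.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def is_empty(self) -> bool:
        return bool(self.hashes) and all(v == EMPTY_DIGESTS[k] for k, v in self.hashes.items())

    def malformed(self) -> list:
        # Digest names whose hex length does not match the algorithm (truncated/garbled rows).
        return [k for k, v in self.hashes.items() if len(v) != HASH_LEN[k]]


def parse_report(text: str):
    """Return (memory dumps, dropped files) found in a report excerpt."""
    dumps, files, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DUMP_RE.match(line)
        if m:
            dumps.append(MemoryDump(int(m["pid"]), int(m["seq"]),
                                    int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line.split(" (", 1)[0])  # drop any trailing note
            files.append(current)
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
    return dumps, files


def summarize(dumps, files) -> dict:
    """Consistency checks plus a SHA256 blocklist that excludes empty or malformed entries."""
    ranges = {(d.start, d.end) for d in dumps}
    single = len(ranges) == 1
    usable = [f for f in files if "SHA256" in f.hashes and not f.is_empty and not f.malformed()]
    return {
        "dump_count": len(dumps),
        "distinct_pids": len({d.pid for d in dumps}),
        "single_image_range": single,
        "image_size": (max(ranges)[1] - max(ranges)[0]) if single else None,
        "empty_files": [f.path for f in files if f.is_empty],
        "sha256_blocklist": sorted(f.hashes["SHA256"] for f in usable),
    }


# Excerpt of the entries listed on this page, used as sample input.
SAMPLE = r"""
memory/2788-338-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4596-344-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jjpeepnb.exe
| MD5 | 2b008c1d3346e5aa4edf1dd3cff02d7a |
| SHA256 | b09b0876f50b104ea9d3970dceed1a8be679b795592798776de6e8f5ea5eae03 |
memory/4584-350-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jaljgidl.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Windows\SysWOW64\Kpjjod32.exe
| MD5 | bbbd8fa85bd0d2bf70a261149eb1cb84 |
| SHA256 | 190131766f6b22eb6513ace6e30961678f2d0a1afaa123f2cec9bd8ceb47d6d3 |
"""

if __name__ == "__main__":
    d, f = parse_report(SAMPLE)
    for k, v in summarize(d, f).items():
        print(f"{k}: {v}")
```

Feed the whole report to `parse_report` and the resulting `sha256_blocklist` is safe to load into an EDR or proxy blocklist; the `empty_files` list tells you which dropped paths the sandbox recorded but could not capture, and `single_image_range` being true is a quick sanity check that the many process IDs are all running copies of the same image.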