Malware Analysis Report

2024-10-24 17:54

Sample ID 240509-1salwage7w
Target 08411dc581db97808136e5ca7690cfd0_NeikiAnalytics
SHA256 86f9bebcff206f4ec578e5884151bc028a79cc1f8d0505ffd8d52c1766d63e66
Tags
persistence gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86f9bebcff206f4ec578e5884151bc028a79cc1f8d0505ffd8d52c1766d63e66

Threat Level: Known bad

The file 08411dc581db97808136e5ca7690cfd0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

persistence gozi banker isfb trojan

Adds autorun key to be loaded by Explorer.exe on startup

Gozi

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 21:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 21:54

Reported

2024-05-09 21:56

Platform

win7-20240221-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clcflkic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inljnfkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Comimg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gonnhhln.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilknfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnefdp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Flmefm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dodonf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdakgibq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjilieka.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhjgal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Comimg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjlhneio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gieojq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cphlljge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efppoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eloemi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdopkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Claifkkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eloemi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iknnbklc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpeofk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcqpmep.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekholjqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffnphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpeofk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpeofk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcqpmep.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcqpmep.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Djefobmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Eloemi32.exe C:\Windows\SysWOW64\Eeempocb.exe N/A
File created C:\Windows\SysWOW64\Ffkcbgek.exe C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
File created C:\Windows\SysWOW64\Cmbmkg32.dll C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File created C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Eflgccbp.exe N/A
File created C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Epieghdk.exe N/A
File created C:\Windows\SysWOW64\Blnhfb32.dll C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Chhpdp32.dll C:\Windows\SysWOW64\Gldkfl32.exe N/A
File created C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A
File created C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Ilknfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Bcaomf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Clcflkic.exe N/A
File created C:\Windows\SysWOW64\Dnneja32.exe C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File created C:\Windows\SysWOW64\Lpbjlbfp.dll C:\Windows\SysWOW64\Eeempocb.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Flabbihl.exe N/A
File created C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Flabbihl.exe N/A
File created C:\Windows\SysWOW64\Fjilieka.exe C:\Windows\SysWOW64\Ffnphf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gieojq32.exe C:\Windows\SysWOW64\Gejcjbah.exe N/A
File created C:\Windows\SysWOW64\Fenhecef.dll C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Jdnaob32.dll C:\Windows\SysWOW64\Iknnbklc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Inljnfkg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Cfbhnaho.exe N/A
File created C:\Windows\SysWOW64\Ppmcfdad.dll C:\Windows\SysWOW64\Dmafennb.exe N/A
File created C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Eajaoq32.exe N/A
File created C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Hejoiedd.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Ilknfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dmoipopd.exe N/A
File created C:\Windows\SysWOW64\Eloemi32.exe C:\Windows\SysWOW64\Eeempocb.exe N/A
File opened for modification C:\Windows\SysWOW64\Fcmgfkeg.exe C:\Windows\SysWOW64\Faokjpfd.exe N/A
File created C:\Windows\SysWOW64\Mhfkbo32.dll C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Gmibbifn.dll C:\Windows\SysWOW64\Icbimi32.exe N/A
File created C:\Windows\SysWOW64\Lkoabpeg.dll C:\Windows\SysWOW64\Gejcjbah.exe N/A
File opened for modification C:\Windows\SysWOW64\Gphmeo32.exe C:\Windows\SysWOW64\Gogangdc.exe N/A
File created C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Gphmeo32.exe N/A
File created C:\Windows\SysWOW64\Oockje32.dll C:\Windows\SysWOW64\Comimg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Dcfdgiid.exe N/A
File created C:\Windows\SysWOW64\Lefmambf.dll C:\Windows\SysWOW64\Dmoipopd.exe N/A
File created C:\Windows\SysWOW64\Njqaac32.dll C:\Windows\SysWOW64\Eflgccbp.exe N/A
File created C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Fiaeoang.exe N/A
File created C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Djefobmk.exe N/A
File created C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Eqonkmdh.exe N/A
File created C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Eloemi32.exe N/A
File created C:\Windows\SysWOW64\Kcaipkch.dll C:\Windows\SysWOW64\Ggpimica.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Gbolehjh.dll C:\Windows\SysWOW64\Ebedndfa.exe N/A
File created C:\Windows\SysWOW64\Fiaeoang.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File created C:\Windows\SysWOW64\Alogkm32.dll C:\Windows\SysWOW64\Hcplhi32.exe N/A
File created C:\Windows\SysWOW64\Bhpdae32.dll C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Beehencq.exe N/A
File created C:\Windows\SysWOW64\Comimg32.exe C:\Windows\SysWOW64\Chcqpmep.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfinoq32.exe C:\Windows\SysWOW64\Claifkkf.exe N/A
File created C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dgodbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffnphf32.exe C:\Windows\SysWOW64\Fdoclk32.exe N/A
File created C:\Windows\SysWOW64\Hfmpcjge.dll C:\Windows\SysWOW64\Bgknheej.exe N/A
File created C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cdakgibq.exe N/A
File created C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Ffpmnf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Ffpmnf32.exe N/A
File created C:\Windows\SysWOW64\Gpmjak32.exe C:\Windows\SysWOW64\Ghfbqn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcfdgiid.exe C:\Windows\SysWOW64\Dqhhknjp.exe N/A
File created C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhjgal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djnpnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdakgibq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmoipopd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" C:\Windows\SysWOW64\Fjlhneio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Globlmmj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gdamqndn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmoipopd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" C:\Windows\SysWOW64\Dnneja32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Flmefm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epieghdk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bgknheej.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ccfhhffh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gonnhhln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ggpimica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ccfhhffh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" C:\Windows\SysWOW64\Eilpeooq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnpmipql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpicol32.dll" C:\Windows\SysWOW64\Cngcjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefmambf.dll" C:\Windows\SysWOW64\Dmoipopd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll" C:\Windows\SysWOW64\Cfbhnaho.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe C:\Windows\SysWOW64\Beehencq.exe
PID 2972 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe C:\Windows\SysWOW64\Beehencq.exe
PID 2972 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe C:\Windows\SysWOW64\Beehencq.exe
PID 2972 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe C:\Windows\SysWOW64\Beehencq.exe
PID 2356 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Beehencq.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2356 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Beehencq.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2356 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Beehencq.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2356 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Beehencq.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2620 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2620 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2620 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2620 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2624 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bopicc32.exe
PID 2624 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bopicc32.exe
PID 2624 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bopicc32.exe
PID 2624 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bopicc32.exe
PID 2580 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Bopicc32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2580 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Bopicc32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2580 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Bopicc32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2580 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Bopicc32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2468 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2468 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2468 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2468 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2496 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bnefdp32.exe
PID 2496 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bnefdp32.exe
PID 2496 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bnefdp32.exe
PID 2496 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bnefdp32.exe
PID 2556 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2556 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2556 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2556 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 1892 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 1892 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 1892 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 1892 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 2824 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Cpeofk32.exe
PID 2824 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Cpeofk32.exe
PID 2824 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Cpeofk32.exe
PID 2824 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Cpeofk32.exe
PID 1288 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Cpeofk32.exe C:\Windows\SysWOW64\Cdakgibq.exe
PID 1288 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Cpeofk32.exe C:\Windows\SysWOW64\Cdakgibq.exe
PID 1288 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Cpeofk32.exe C:\Windows\SysWOW64\Cdakgibq.exe
PID 1288 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Cpeofk32.exe C:\Windows\SysWOW64\Cdakgibq.exe
PID 1680 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 1680 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 1680 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 1680 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 1524 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cphlljge.exe
PID 1524 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cphlljge.exe
PID 1524 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cphlljge.exe
PID 1524 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cphlljge.exe
PID 2752 wrote to memory of 1208 N/A C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 2752 wrote to memory of 1208 N/A C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 2752 wrote to memory of 1208 N/A C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 2752 wrote to memory of 1208 N/A C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 1208 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Chcqpmep.exe
PID 1208 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Chcqpmep.exe
PID 1208 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Chcqpmep.exe
PID 1208 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Chcqpmep.exe
PID 2064 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Chcqpmep.exe C:\Windows\SysWOW64\Comimg32.exe
PID 2064 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Chcqpmep.exe C:\Windows\SysWOW64\Comimg32.exe
PID 2064 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Chcqpmep.exe C:\Windows\SysWOW64\Comimg32.exe
PID 2064 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Chcqpmep.exe C:\Windows\SysWOW64\Comimg32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Beehencq.exe

C:\Windows\system32\Beehencq.exe

C:\Windows\SysWOW64\Bnpmipql.exe

C:\Windows\system32\Bnpmipql.exe

C:\Windows\SysWOW64\Bghabf32.exe

C:\Windows\system32\Bghabf32.exe

C:\Windows\SysWOW64\Bopicc32.exe

C:\Windows\system32\Bopicc32.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bgknheej.exe

C:\Windows\system32\Bgknheej.exe

C:\Windows\SysWOW64\Bnefdp32.exe

C:\Windows\system32\Bnefdp32.exe

C:\Windows\SysWOW64\Bcaomf32.exe

C:\Windows\system32\Bcaomf32.exe

C:\Windows\SysWOW64\Cngcjo32.exe

C:\Windows\system32\Cngcjo32.exe

C:\Windows\SysWOW64\Cpeofk32.exe

C:\Windows\system32\Cpeofk32.exe

C:\Windows\SysWOW64\Cdakgibq.exe

C:\Windows\system32\Cdakgibq.exe

C:\Windows\SysWOW64\Cfbhnaho.exe

C:\Windows\system32\Cfbhnaho.exe

C:\Windows\SysWOW64\Cphlljge.exe

C:\Windows\system32\Cphlljge.exe

C:\Windows\SysWOW64\Ccfhhffh.exe

C:\Windows\system32\Ccfhhffh.exe

C:\Windows\SysWOW64\Chcqpmep.exe

C:\Windows\system32\Chcqpmep.exe

C:\Windows\SysWOW64\Comimg32.exe

C:\Windows\system32\Comimg32.exe

C:\Windows\SysWOW64\Claifkkf.exe

C:\Windows\system32\Claifkkf.exe

C:\Windows\SysWOW64\Cfinoq32.exe

C:\Windows\system32\Cfinoq32.exe

C:\Windows\SysWOW64\Cdlnkmha.exe

C:\Windows\system32\Cdlnkmha.exe

C:\Windows\SysWOW64\Clcflkic.exe

C:\Windows\system32\Clcflkic.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dodonf32.exe

C:\Windows\system32\Dodonf32.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dcfdgiid.exe

C:\Windows\system32\Dcfdgiid.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dnneja32.exe

C:\Windows\system32\Dnneja32.exe

C:\Windows\SysWOW64\Dnneja32.exe

C:\Windows\system32\Dnneja32.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Djefobmk.exe

C:\Windows\system32\Djefobmk.exe

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Ekholjqg.exe

C:\Windows\system32\Ekholjqg.exe

C:\Windows\SysWOW64\Ecpgmhai.exe

C:\Windows\system32\Ecpgmhai.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Eilpeooq.exe

C:\Windows\system32\Eilpeooq.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Efppoc32.exe

C:\Windows\system32\Efppoc32.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Fcmgfkeg.exe

C:\Windows\system32\Fcmgfkeg.exe

C:\Windows\SysWOW64\Ffkcbgek.exe

C:\Windows\system32\Ffkcbgek.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Fpdhklkl.exe

C:\Windows\system32\Fpdhklkl.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Ffnphf32.exe

C:\Windows\system32\Ffnphf32.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gejcjbah.exe

C:\Windows\system32\Gejcjbah.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gdopkn32.exe

C:\Windows\system32\Gdopkn32.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Inljnfkg.exe

C:\Windows\system32\Inljnfkg.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 140

Network

N/A

Files

memory/2972-0-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Beehencq.exe

MD5 d5f251d7fb14a6a4577ef0b0aecfc677
SHA1 4f25686dc855a82b8ec974433d679354edec1a79
SHA256 4eb5db6c47a9f21b891d2a63db96ae2fdcf912d625b2ac986e5ff9028a792d48
SHA512 d2362743d4e844a55af9f0d041c57cf1a792762834b2c8b628d2a342eb02fc3a0f5f242e9421454428ae74219fc9f8b2e88e726771bf58a3b19888e61759a660

memory/2972-6-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2356-13-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Bnpmipql.exe

MD5 907032586563f4d448dce30fe759e0cd
SHA1 d31bc0d977569e88855c86cd201c3c8ccf3a8b3c
SHA256 828396254ac6a92d442f72a75e9cc5fea9ec53423abb2cbd5f2d25c51bba09e8
SHA512 b8d8258b2c4f9aa9d4c32c9fee4d306f5f0b5ff8634f3ce1db2126b8b3b4a5701482095a12094ada9ead0174143188f68dfffbb7ba66d8bfd2912527aa072269

memory/2620-28-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2356-27-0x0000000001FB0000-0x0000000002003000-memory.dmp

memory/2356-26-0x0000000001FB0000-0x0000000002003000-memory.dmp

\Windows\SysWOW64\Bghabf32.exe

MD5 c8d1a764d3c85241d0bbebe454ee78b4
SHA1 6546e7e69e96b9978fd23a7d4498bdda92e459ad
SHA256 ebe8dc19da8bf85134dbeade537f655e26aee43f347446d7fcb0cbaae24f0d38
SHA512 255114abbcaf4ef701409ed3a02035de7d9037f1468118b49c96e9413dfbf4869ba9ae468a228082c8b9a7b102f39a7c24f2352424cb750749233d66efba3256

\Windows\SysWOW64\Bopicc32.exe

MD5 1a6043cdd8df85d3f8e63296790c1582
SHA1 c30ae21dcbb023fa57637e6d40eba4f2b290d4b5
SHA256 59df648d6816f7d6325befa8cd6a24c54db14ccb7b1b093c49103aa47c0c11e4
SHA512 c1f5ce3b308317d56b17e65277d9ac0df6afcd0d6dfdd9789b6df9c6bf0788a050f7df409321684d3f8e7e62838c1ac6bf53f3776c16f377b447d04bac95f9fb

memory/2624-49-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/2624-47-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Bpafkknm.exe

MD5 82d0a1b83c3d793ccb0eea478c466cf9
SHA1 a9b4a2f2915b36f86dea47151ebfcbce3bb5d169
SHA256 563e8430c98e7110f3ce8230aab339cadf142eebf51cc5d15efa88fe8a21a811
SHA512 cf647b671ed2b134bff13b3068dda98ab9b5c0e8d46642ae4cf268777c6c497ab58e583d7b9e87b11f896f15a377da6be25484765c14110d0c0d609ad2c9b3e8

memory/2580-66-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Bgknheej.exe

MD5 294640171035a6a617166e7dd6b92a93
SHA1 df52807ab9700be66d055107d24b59cc805480b7
SHA256 13815d83373200bcfac6ec368ac9dfe333e8ecbc53c2977a0f1021bb0a65d537
SHA512 3d2fc0b702379267e4c7ee7d4f67c6537ecfa456c2099503cdf0bbf8034724382db37f2311aba905e28adc7493c0e2050ce023ec672bebf460677011838e25cc

memory/2496-84-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Bnefdp32.exe

MD5 221e63907008431e6eee421ccba9da40
SHA1 9fc08b80e77a26cd865a6114da375db7363d0176
SHA256 33e3d3324bbbf7835e514093be6285b63441bd312586891139d3653d8a6cb5c0
SHA512 b84171d76432d5c6d0e41d84745d4030762043f34459f4164c5132d4efadfc76895141126e6e02add4092f3b80b393817bc65bb30e89b0d03a5453283a62118e

memory/2496-88-0x0000000000320000-0x0000000000373000-memory.dmp

\Windows\SysWOW64\Bcaomf32.exe

MD5 26dea7db17332804cfbfbc357c60b34a
SHA1 f328cd7c7adc85ca5932175d4e9668f6c464d371
SHA256 573309027df0614d8b7fba750847b58031c786f76f7d3ebf0a0452463f23a5a6
SHA512 ff117d775ab600ddfd517a22c4667a99034782a566ae1b44f6282d9ec528a0e881d6abb5372dab717eed4ad0499bf5d6b3ff9c1379b9f1bcf16422078183b792

memory/2496-94-0x0000000000320000-0x0000000000373000-memory.dmp

memory/1892-107-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Cngcjo32.exe

MD5 9e7fc768094ac5efcb224ca0a1de6d93
SHA1 4f31352001c6605f9f22f89cb4e5633efa906e11
SHA256 11d3ec4584b37c4bd8cc7a72218cf09613379f38eebd54d14b1107ccfcb85a85
SHA512 296d335ba2a27406ab81411b834d829a41f362ae31d2bc30d449d4e04d240c0cbbab34d25b37c0691b4c57e1673baecb4e9ff68de76a45115f7ea098aa8f5ebc

\Windows\SysWOW64\Cpeofk32.exe

MD5 ba35073fa259fc43b7a3bcb2fda76bf7
SHA1 736d172a3d09bb1fa90662dd1b720825f95f338f
SHA256 e961707b8ef53dbe49367026ca844563fb92e5944b5dbd34033792e323607da5
SHA512 d2029b5984ea1341504ee28aa83e0900990531bf01e2890c3b365881f36e812df69b02a18717ca570e340f4c20480179a14f56a129a879ddf93765ff5f8cf7de

memory/1288-132-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Cdakgibq.exe

MD5 a5d0b872edc2966faa473c140af65658
SHA1 984341ed7190b4c96792be0337ec75428cb80082
SHA256 b58bf47368eca207e63537d1ed98cdde2bf59cf8d92e70b0bb7ffa27d9ecc56f
SHA512 13086fea4cbef5265a127341efef8f8add619889d52d953b33b290d2b706af383a3fbad595e209e868da7e93c36abd21be01588f2e796ebd64371265f581d91a

\Windows\SysWOW64\Cfbhnaho.exe

MD5 7894ed60936430f93741c272a0d99e10
SHA1 427585ef54fe3d68656886bafe76207b6e9ade05
SHA256 f45ddc30ea7176aa8fc70f8f4787c95fca53f892bb65c3e90c9cfe584b2718b8
SHA512 79a0de0c60c80ffd55027893c5765089978ae9bf18f2d67e1909c85f401388ed6ad798ec0fd737bd9312d6b00de2703493c062a980f6a9f102c9a83934cbac16

memory/1680-152-0x0000000000460000-0x00000000004B3000-memory.dmp

\Windows\SysWOW64\Cphlljge.exe

MD5 e9d69f470529eea965d8f1886666dc34
SHA1 c069cf7d60fc8af8c24606bba25b5874e85aa42c
SHA256 bc7303ffac22bd26526b1ef85c66d44bd89d5c204c33b44e9bbfc62c3ff70650
SHA512 1f417fb33e3e851e36291f37e3f8ef208fa5d5dd9148b521fdc2caeb7bfb40e28189b369dc583d62443e7786b9017e96c9ad7823501d1c6e84c6618a1109dff5

\Windows\SysWOW64\Ccfhhffh.exe

MD5 ad168bf51c8c7c80ab2695222d8f930b
SHA1 427d01877f9217a8231da2cff977cf7b63e0d7f9
SHA256 f6689dfa4b43f04adca0561a38b994fc1a5e134566fac0dafb5ec47fb304c2cd
SHA512 c869ff66d8a2fef748e4aef0f0bd19098fb548067d12fbbc8ed997bfa0bdae96ab8269f54e1e22a56d3b614882cec870a6cdbb90a26eeb5db9d0336506f9a717

memory/1208-183-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1524-176-0x00000000002E0000-0x0000000000333000-memory.dmp

\Windows\SysWOW64\Chcqpmep.exe

MD5 dd4701e268a7a30167298d21c8a44370
SHA1 6f45d19e69a84b7b32aa844a31811537bad2794c
SHA256 23a72bb47a2a071cccedee8e967656f7eb92b2d9e73f36bb04f42788e674dab2
SHA512 7587a6bd6a92bce8b3bf19a223d150454d3b0673822f13872977be4464742e469723af2fb5bb152e638636c6156d67ea78b5751a1e0db9aca01919ebf7fdd720

memory/1208-202-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1208-201-0x0000000000250000-0x00000000002A3000-memory.dmp

\Windows\SysWOW64\Comimg32.exe

MD5 0d507ee36f7822ed1ed731e3d09b628c
SHA1 35f0d377eda737d660bade1cc45ad654cb7a067c
SHA256 785a94e6924031ef79f9eee23bb4d22f6b08456c2309291a7e63b8ce979d8912
SHA512 e26fa743089fb493d8a31467a283dbc8fee038552127645a7efa4e6434502f765b28f58247360a54128c4eb57912cedd3bd106690731c769444b31b76ef780f4

memory/1740-212-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2064-211-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2064-210-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Claifkkf.exe

MD5 64c258a9c7206e556d963ce4371c8f5f
SHA1 c8480b82a0aa26176605660f6a99f5648a164890
SHA256 ee21735a4ff2b5af688e25b2df946317460a7737e5fc63af953ac8911bab934a
SHA512 3474574b2d82a6ce48a8ff01aaf43164fe5c3cb15ced5865a4c154e7aa588f639c4e7d0b84bcd64a4a0babad012ea20bda6cf0d4eb1f9eab58f2c2cb40d9ad72

memory/2328-223-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1740-222-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Cfinoq32.exe

MD5 d0f49cfc2b0be75b10f5d780c2122c58
SHA1 67a6bc3d032760e51634bc82b8cdcdca333f7d40
SHA256 7cc46adc65cdcb0e654708b8cb50d68562a4664cc2ef1f5cc840d8849a6c4872
SHA512 289d9eeecaf2621ce46b3ded1bef11b4a3e321038ff3eb31eca4665a9863714e39d4a8338723a31d6a87606ffba249c0a5c0c5729a84f4857beef4002619773d

memory/1308-234-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2328-233-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2328-232-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Cdlnkmha.exe

MD5 a9b4f529a3d9b3017b53f9aafb9b0ee6
SHA1 f2015f05e932c009c3b8d5588986323cb67f1729
SHA256 4ee68cf4fb9d762c3859bb096bd4342e47f8296a86dfcc204ed2811e069e7539
SHA512 d949a3e926a4d290c1e63734a39f0aed95fd4aa78325c1f1989ef450110f16d0cc31a13402e88e4d58aa33f2305d33a2a41e8ba6a324323efc0c2b66e6151063

memory/1308-244-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/1308-243-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/1760-253-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1620-255-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1760-254-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Clcflkic.exe

MD5 078943cdb2555cff814c05d1f58a7231
SHA1 056f1761bdf45bcb4cf7a48c13becbe4241b5bf5
SHA256 9a8efc919ed62a96e19329839e952c04009462e2954d89c7ac050c88c6ad7f06
SHA512 7fd80fc43b5749c62082300db9a2fc679a1561d45a0f8713f00abc8a7bb7650bec129bd7b62d7ece8580a3d1738368e10301a692c1e201268493784a1dfdb4bc

memory/1620-261-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1620-265-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Dhjgal32.exe

MD5 a800b09c1166121918b72f2ad2899025
SHA1 c8c30938678af6ff6bb3e2840e52826bc4684d8e
SHA256 e1c1a567a8e81c6d2c312f6b037dd7266596fa86ee25b0a73883cd9ba1b66f5e
SHA512 c31e76c4ea6f1ecceb6d43a96871dc0e4a73f84afe67a05743cc1dac313595afe4425cbd6769ca8f022a7213755a0a818a989f63165ad8b7609ec24c70e91d99

memory/1192-270-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1192-273-0x0000000000300000-0x0000000000353000-memory.dmp

memory/1192-274-0x0000000000300000-0x0000000000353000-memory.dmp

C:\Windows\SysWOW64\Dodonf32.exe

MD5 e0feeac25afc3e441e84d3c772bece3f
SHA1 809c29785ebef84cc3b0e3b24ba28403cc540ae1
SHA256 6bb25fd36728fe438151f597ffdb87d0613f355257b43a4fb03149ff6f8fdc07
SHA512 2f02d5852996ba2254d9f35fe377df141487d89fd95c214860200bf502fba22397273575865075f83bfc39430a267d8f66037cc0a217f52a79a507df20146f76

memory/1404-277-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dgodbh32.exe

MD5 e9534f650b1b7d24690bc116b5854c20
SHA1 3eefe6a42e063978b793b64ba5cca9018e06102e
SHA256 8fdb5d72b7ef9ee789f8812b5e52289ef061a62c68e13d593ad89b813a1671a1
SHA512 e46c688edfb2f6441e8dbd45be6c12b62978f74a7767c7683a2feeb3e7ac17dfd10e7175585ec1c545b3ae77c663548d55235bf891abc891eed0cbf9ea998f10

memory/1404-290-0x0000000000460000-0x00000000004B3000-memory.dmp

C:\Windows\SysWOW64\Djnpnc32.exe

MD5 9898ad572a7262dc4be9fad79cabc117
SHA1 6d7126762dcebad265ee4217c34505c39918ae51
SHA256 d6667c8ade2a29c63edf50dc82aa5af5b9154428b7bce9802ab5ae016005d32a
SHA512 71b2b52aa62c15e8ae02de59ef1eb01b228cff23c53d62582d6304d63ec42ad4875da046b6998e6ecd6987665e30aac0164da59a3204e93949889b2f389d6361

memory/1392-295-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1968-296-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dqhhknjp.exe

MD5 bbd023759e77ab8b9c75a82445202a73
SHA1 b5e18542a4d1428272774c027ce05b722776a2a7
SHA256 1738891ce230cf3bbd28b61cb47cd9a8f5d8bab684fbf0eed7b2256c547c23a5
SHA512 ec7226865a11a266db56e3ba3e3153bc05a626f55b400b5a3cb338900c6171f639cec93005b4db144c21be45c1068bb377fa18c2a0495fba6ac8d7295f310079

memory/2896-311-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1968-310-0x0000000000300000-0x0000000000353000-memory.dmp

memory/1968-309-0x0000000000300000-0x0000000000353000-memory.dmp

memory/2340-318-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2896-317-0x0000000000320000-0x0000000000373000-memory.dmp

memory/2896-316-0x0000000000320000-0x0000000000373000-memory.dmp

C:\Windows\SysWOW64\Dcfdgiid.exe

MD5 7c2274c46e03a235cb5eee4d94749315
SHA1 3d811f70f4746cc65829667a2f842744dff0a3aa
SHA256 66d94a365e2c586f1121ac0fd9d67db7c44879562735d7011ae0e73acae65363
SHA512 3f0c05b7b5b29fa782de7a759d9da2f8d17c977f3a03d586f371f130187441eb43560604b6ac7c5979dbdd9de7b0e6d314d4c45d1317d5f4ec91c14072479fba

C:\Windows\SysWOW64\Dmoipopd.exe

MD5 1a8a4ea3394cda4eac9c3d37e5d394c1
SHA1 c4e597d0348e3997409e943c9f19b2c791a770b9
SHA256 a6dba2d7b54b74abfc5506f0f3d852f6e088f03108c72a7ae9b5900686be96dd
SHA512 80b8cadb6e318ec76319c35976b9f94da6e281dadfdc9936ac21f3e34a567d08420ba78d6887c644299ebb454e9e7dd2b2d298f5cb981ebf9f57d61a6bcbeb27

memory/2340-331-0x0000000000320000-0x0000000000373000-memory.dmp

memory/1580-332-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 517447a8c3f425e3f3f80d8bc357e347
SHA1 f75e8a2ce52703d4ab6b574307ca3ce8623bcf37
SHA256 c136982d224a2a1d3f43e4dba1c9e456f132036715ea55345309c1cc5edcbde1
SHA512 b1be9d688a777514a57bf4908de1565efbeabe38d604504b7e79ad0ce0365d9431f9470c2e47d4ab314891da38d6517e139f145203b24fd0030c2afe9f240b4b

memory/1580-337-0x00000000006C0000-0x0000000000713000-memory.dmp

memory/2532-338-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dnneja32.exe

MD5 9718f184c41038243434ed038a9586cd
SHA1 e19ca633f6a6d8cc999f79899cdda9d8841e674b
SHA256 97e1ca5d03495a1d492dd55d56e439046d7cde5c18c0ed98f8d8dd272bb4aded
SHA512 0cd7cb134af282762508e5da1f9fbc94a62fd371e838f5d408ee4adcfc14648984ef5b86b1b0624d4f3246e53ddcd5fcd976ca8b3de321e2796e3be487fad758

memory/2532-348-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2592-350-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2704-357-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2592-355-0x0000000001FD0000-0x0000000002023000-memory.dmp

memory/2592-351-0x0000000001FD0000-0x0000000002023000-memory.dmp

memory/2532-349-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Dmafennb.exe

MD5 467b074efcbcd82714d2000bca4e0ff1
SHA1 94b33dc2ffbde8406f3bd59df6a30128538632ba
SHA256 4e14de25998a364db770c66a334ee6f224157cca53657e41127fc478e04bc259
SHA512 f98889406de0057b31ccd7fe710a7a7e8220a3ce0d91b48c9c43d1f4b4ef569134f6271d3a41b69a1271416dfb12c394257c7da01ed074700633451b7e02fdf6

memory/2704-362-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2704-367-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2724-369-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2724-373-0x0000000000310000-0x0000000000363000-memory.dmp

memory/2724-374-0x0000000000310000-0x0000000000363000-memory.dmp

memory/2464-375-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Djefobmk.exe

MD5 5d8c9c808d2e2023a3273453150d0148
SHA1 1dbdf40f61746e2ec1d504f3919056d64d5230c1
SHA256 8716070ea9658f0bf04f0f59d481dd71fd9fdfb6244cc38a0cc273d5d13f172f
SHA512 3212a15b40af25691cac9d76f9d7790c47d4d0d6ece773d611c13bf881663bff6aee37ecaa36292d7d2dfd92a788fcc22fe0a8b72d6d10937a3c4801d0dababb

memory/2464-384-0x0000000000290000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Eqonkmdh.exe

MD5 cc03337a359c5f417b1e1be710b3a576
SHA1 dfb35a74d326848f5660e936eb8a387ec4773d48
SHA256 0627ec65203ea0071578a5c263cbdde6dad672bd6819bb9784c3ddac49610ef8
SHA512 0917c4f5072b11724c877a014669773422520f474fba89931b5a7600e54a6703c29f427489663f2549065df5c3c50bca2967a7484ea782750b5d9326d3672285

memory/2464-385-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/2924-395-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/1884-401-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2924-396-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 985c6e76118bc4075fcaba0013cdfbca
SHA1 77c092dedec5db75eab715eeee8d30c92126d230
SHA256 d379a303262c175ac77613cb2e0fddea2e7391a49e4723adc8746f6fc4228350
SHA512 bfab6f84f3638344de09b3ad67acbafa01b74ee9c20aafee5062ebf3139cdba1bb679c96116cd1fbef0a6f05b39dbe395eb64eef5d84ee761bfe9d496ba3a622

C:\Windows\SysWOW64\Eflgccbp.exe

MD5 77e65d5bc4afdd35394c99060197fc19
SHA1 6b59eac7868e4626860e40443dcde46c98f26986
SHA256 932ced7d71b6dce51c86e61dfb526239382c7e2b15e1d1ebb8aae5b996cc9c09
SHA512 29f33acc50bacc0826e6b4a21c59f7a48fa4ef7870423e413e61785d17ffd6dc3573bd3c76746c9ac0bb51f68f7196da59b60949d9e96cd577426aad4c1ff637

memory/2924-390-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2804-408-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1884-407-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1884-406-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ecpgmhai.exe

MD5 5a85495c94a323dd67f2b4bd93d83742
SHA1 94a622b6977d49d8d038c43194b4ca16b6e74aa3
SHA256 8750508785bd4f5a1a241e75cf13430bf52f56b4a513b8967d372fe442c159ab
SHA512 343e8ec407a397210d1ac26366f21ba4ed8fbc505984cbef97c890da2e58f78ec31a9bfd9f307b43130461730b75e6910078544c9f3f06b705ddc280414a5519

memory/2536-423-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2536-428-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2804-418-0x00000000004D0000-0x0000000000523000-memory.dmp

memory/2804-417-0x00000000004D0000-0x0000000000523000-memory.dmp

C:\Windows\SysWOW64\Ekholjqg.exe

MD5 cccdd50470fd3046358031298713320c
SHA1 e8271053e30edc7600d139894144c29ce8c22591
SHA256 56207a1a80345be38b27ceead56d7c615f23adcadf439f5ce87f62832b2640cc
SHA512 1cadf773b5a815cecf40969884ff8d8d4913158770e3e15ee3c3f0550e9c80f918101b9c9105e63ac9125e3121ee69321498536dff90cdf0aa6033635fd67a28

memory/2320-445-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2320-440-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2500-439-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2320-438-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2536-437-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Efncicpm.exe

MD5 c2d7a998b42b93984b71fd58fb42ffe4
SHA1 1ff81af2bf1db26e523e33de80c888e7c52750df
SHA256 8f9b8ef7f2a588ca4b02dba2b4547b22d2dc9e7a68c9e56a3c74a1e00200bf05
SHA512 05c85ca98845b6093f9fca62b10a042a815669cb2ea0245158c4f503c436ee773a0ee60c06b49699f4ca067cc9e7b8a847d92734f011cda6abae8ca3a9b4ce2c

C:\Windows\SysWOW64\Eilpeooq.exe

MD5 8908c90f1418b8528dc490230287b206
SHA1 05387bd9ae7993695b641fb920575caaadbba88b
SHA256 ff92cb866a23f62a7fc74ddec5db6809738da5e1d47f57a34678685628a557d8
SHA512 7acd505454e331d2efa2881e953dcf1d59a89a951c6d4dd0de6d3f056c479db0f921d8da71c52c86b8bf96a074d4220a09532f94c421a57041ad11b1c0d07c8a

memory/2784-460-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/2784-459-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2784-461-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/2500-458-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Efppoc32.exe

MD5 a20dc776005dc5b4af35ee148b7d9023
SHA1 6a0ebf57ae62e95b9379b2061a601097df68c0dd
SHA256 925e0be7938a80166f03bf5bc88d2d90fc030c2efbf3660d0b2097fb87d52686
SHA512 2a2af463a2024841e17c19925afbfb482146e40ece79690a2ced74f28fbad2e5c8526a0eda1ce34ea48361cc9243462c0b2ae66f24fb763c935cd065d21e89c4

C:\Windows\SysWOW64\Ebedndfa.exe

MD5 1f11feae0d6ddfd602887180691e3817
SHA1 2fff01d662288a6b365804bc1657bd27ce456e86
SHA256 10ef0a84833d48d299155ff5bf5a4e8db52a011c1656042b452d247d3b94e82f
SHA512 ab68b0ebfb84c1871d2e29ff6f956901e2e667c32c24b7891400668a8199a454512025c165c7bfae73b7448fb5cb5375bdc72a075d65cdcedf7025275f4fb097

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 fc82f1d6501a382a93be33d5c7c4cf77
SHA1 919c1be4846d93bf8436b04f740a48d035e9bab2
SHA256 a0a4a3602fd6440fb04db31e5e7903419a2044f0ba747524361c140c181f215e
SHA512 56034c140f87779f176f2a8ef120d8057abea43a727dc15373daeeeb4a19b7af9c03172d4631c02a1f11dc7909c4d8ab10e91cff54df00d8e783d04847f8791c

memory/2688-475-0x0000000000330000-0x0000000000383000-memory.dmp

memory/1292-479-0x00000000002F0000-0x0000000000343000-memory.dmp

memory/568-483-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1292-480-0x00000000002F0000-0x0000000000343000-memory.dmp

C:\Windows\SysWOW64\Epieghdk.exe

MD5 375f920bafa4db63cfff19698b16a12a
SHA1 40ef08d5d000dc62b0ed7c4939a889fd007f7d6d
SHA256 82429f5e56b2507621bb9fa75af06191cdc8975eddc93941b88f777ce26ffcb4
SHA512 a65e9bfadc903196bf89c7ddec2418d90657e7f087ebcd1ec6152e48f593ccc05909394facbb437b202f4ee2378f75f0698793457121eb5dc06078b8e2d53c2f

memory/568-490-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/568-491-0x0000000000460000-0x00000000004B3000-memory.dmp

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 eb1f96eb1df22f61acf40aef6e7fb0a7
SHA1 c5957311043578e999375d61256113eef984f6c4
SHA256 4fc3e82613814d22a3698bc9a222a885969e50a1a28ee13294129704ceb31b1f
SHA512 0f57bbc17cf9e35a68543eb7a2b50b05a65037bd426186f492fc45c12ca029ee89858f87d81199e37403e78a8fb0ca2aea744441f9ddc30e99fcb3cacad83f52

memory/2884-497-0x0000000000400000-0x0000000000453000-memory.dmp

memory/488-507-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2884-506-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/2884-504-0x0000000000460000-0x00000000004B3000-memory.dmp

C:\Windows\SysWOW64\Eeempocb.exe

MD5 327859a1479bf234c5937c05ace085c2
SHA1 66f6e3a6697e88bfe8351c1e1a2076e1da9b774f
SHA256 6bf72e08e670c05310b155efc4135f12738171123df82710e556cb318fd872ad
SHA512 c869b5599d551b879ef8e4a96a76bff2bb348bbf3c11652040ca4ecb7a7df79c933a4738687d71eb4ec655caeb85c5ae7d33a3b7fe3edeb086c0112fd5adbc90

memory/488-512-0x0000000000260000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Eloemi32.exe

MD5 9c3a2931e875b5cefc458d8c3daa6977
SHA1 c698831fb5a8f4a2719849720a73ef94d2fa05fd
SHA256 2a17ac2b1f868e72290c9842431ed3e7532e331eb92fb2364de38a76534a52c8
SHA512 ece8050fafdc513025bdbb27575b8ce604d45d94e22a13913a723cbb6a10bd4c8dbcae7d97a56979928a384d8ef48874bbf802b1c5186977785773737e69cf47

C:\Windows\SysWOW64\Ejbfhfaj.exe

MD5 cd3f2807502cc2bcd0c3642670ad8784
SHA1 8005d4e046b8f28c0c0e71ee2ad716ba66e7725a
SHA256 97c18ad402bfdd6a67405e18684d0090db7798d5b1ed9af676a77250491770bf
SHA512 a9bbe73db0fdbcf3d6ba3f671034fe614754500ea212f38628fb9894fb6e43571ff320c848ba4343fc16e9543d1ec80f4709aa77843cf6f77779ada2c1666486

C:\Windows\SysWOW64\Ebinic32.exe

MD5 5b3334638b21848f7cbc6bc4e3685ff1
SHA1 351d20f108f662a011ba897779341ffcf901b156
SHA256 00767bfa5c5feff546da449ec17bbeb107ba4db5ac73fe6a88f26f17e7a8091e
SHA512 191b08c09b1af6df87b539b7590c5602c0734b42a1c7fe2d512e296afe95e96cbb049a15fa57af5db24858c593ad0bdc73f186e97c6c0110359c29cc0e16c8bd

C:\Windows\SysWOW64\Fehjeo32.exe

MD5 105fa135a2589da9eb6ec6b23e334838
SHA1 fedb29f37b6056fe8bfddaab8d50ba3cac9627f7
SHA256 3af26040add7d52480c2955226390091ab6a157a2c76a6d801c7d4e8490237c6
SHA512 c43bccddcbc90e8c2913d75794126ff0d64c8d862d64299fea7962442942f8734301ccdd382eb779ef68f400a6fe37b0faa0c705b7c6db6b5b435fce11d2572b

C:\Windows\SysWOW64\Flabbihl.exe

MD5 82f087a07345b26993d971c839f069b6
SHA1 5b1695c6923ad47d7d378dde2d8a5fa0b52ef4a3
SHA256 b32f96a18a43dab615bdddf26d9c7aefe7af31bef11981e79180c0e6ba6ed983
SHA512 05a3e38ac1b727fe065d78d821fd13e0ed7f4b4969f7ff316ad5de3a13fab288b78388a9f2d01df00d7f4090bbc4a88a16b52b6ba38f775445bfad6d07378337

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 7420da1cbd10186159565cfa3af4588f
SHA1 f6e5419bf93ebfb52e062bd9b9b9e74da1ee80ea
SHA256 cc8553b866e2bf710a5c09b0413d6523c770d0298849622e6a7f859f548021e6
SHA512 33c8452c106e6626f87994bc696392c761f0ba442aa0d621ac7f6b1d7d64a29a6427c19f0fb3950943d3509b6bbd3ec161c6cbc15c65aae219ce635e59d05130

C:\Windows\SysWOW64\Faokjpfd.exe

MD5 e9016b69285b95840ef039f761819ccd
SHA1 9fc56857c9a017f93d88d594e72f7632ebd86f6f
SHA256 bba25ddbdef4a87207f610248f27920b40e2515a6695ea2959a5af2ac2fae7ff
SHA512 91cc5d36a9c9b90417738d8d90f8b43f93f4e68b6428a192ff28379970ae37bb7d065ff9b9cfda98cc2f566000d82c70ee34cd3feda34e34204cf2df6cf7a1be

C:\Windows\SysWOW64\Fcmgfkeg.exe

MD5 f09e508470e9e51d737d087e60b1f678
SHA1 16489065c63717cb5a9e3a4cc67e8dae7b5f9d75
SHA256 d5809e9cf98cc1218043f7ea1a6c187034d79399c57c37ae073651f256e125dc
SHA512 cb46592ce46e8db61d0580c527958e67ffe5af8d450c4ff07e538540a70f3da89f8b05b9f3c93aafabc526f86abcbd9614c48e72898a45f6875c265ecb550663

C:\Windows\SysWOW64\Ffkcbgek.exe

MD5 6eaa87b85fca9a1e000c026494dbe0e0
SHA1 d8d53458118f951759e41e566f9a8ae914d276db
SHA256 78e950e99f5d69cdb8e25d89bac83429205e0d8223e69b90521ce11c41b2c5c1
SHA512 49ede01ee6b18b76897b66086805216fa25b0a95c8ca676da45f9c34de9d5824a9b2feff8151062be2e8129c5a2ad0dc9d6ca17bc047f4fe77f9e58110d5c3d8

C:\Windows\SysWOW64\Fnbkddem.exe

MD5 f055eff58ef715d4edc3f981ca35399e
SHA1 3ffe285a8d132ea2908fdc52c3e562b4ccd57037
SHA256 464041162612247396d758daa9e9595aed3d2d88050f8ad4a0b6aac98859d02b
SHA512 9ffac9837d5e6c8e4ed5f65ee52db7296923655061c4ece7a381767fef259e82072f4ec4a2746c3034d34c8fd2ca0c482768e254ba8a4f7b5394d94c2e0d8941

C:\Windows\SysWOW64\Fpdhklkl.exe

MD5 d20ed337fcdcf8b014f3ddcb81abe680
SHA1 9d64640f03f03de5ba45f0660997d6f22c494015
SHA256 4aac177b3442663fe0bdc99fbcbe640c7572558627ec759441168f37166a671d
SHA512 ec201cafb199c96d4620a57d552939be1199fc12bd5bb23a2325ccf04179ef8f16b9c74c5e7e4b21f205ee688c014024753bd4f57bc02d2b93fad80f2b4e820c

C:\Windows\SysWOW64\Fdoclk32.exe

MD5 33e4f708d2cf504ddfca28bac8d0e052
SHA1 42d9972413c8198a467f2b9e89fc85a58fc1eae2
SHA256 d3066cddb548cb3d9f88f0f69c39c2f6ad89d71907978e58625cdba0a55bdb6d
SHA512 5810449bf7a054c0898129ec8b561c8f4143372631dc319f70d9b7aab22ae02a59df226f7bee69c9760c1f3302cc70cc4610e79b8b68b1a100e884230896effe

C:\Windows\SysWOW64\Ffnphf32.exe

MD5 f79f540362b3a1174b1b6a6bcf9f3b3e
SHA1 2bdc074175132d6cfd94cacc81b444ee5ec3c87c
SHA256 f346cb8ee6baaa187ee2c25dfff46fb2a1fdf9fe41e0c810b4efd482e9730bf1
SHA512 a048faf7ea11ae1902ca8ffb36c15a72cb16af82b2a5ef37e19e7f373be677d19d3eae019de787a5876249bebfe7ae44e27a74750dcf4cba756ec67d520a3745

C:\Windows\SysWOW64\Fjilieka.exe

MD5 c2fd41f1394af15ba7501b84416d21cf
SHA1 bfc298bdf1bdff143d8ffc40a067c4671e2a0890
SHA256 aecbb4ce032c29fe82c6e7353a0f52bd0c14baeca7e89be278a30e306978d6ff
SHA512 bb9004b9e700324529896277417126ab17399f5d540e983009c989a001e2292dab6b83aac04d7999a75240b9e6a16d584252d4fbbe27387e1e5076a3228f9d94

C:\Windows\SysWOW64\Fmhheqje.exe

MD5 8b841797e383812cf36cba1090293a8e
SHA1 13303fcb66c3bfe043a3d998193e948793e3775b
SHA256 347586ab936e8918e02519d9486bca4d09caccd221c1621190466034e5ad1914
SHA512 b193b72c6e44d55764727d99bd79f2e80cca20699dfbaf3ace9d9ebca2089a8f901ebd8cbea2eeea73938b419b1d47a1507717ec5447699242f50a8f60568acd

C:\Windows\SysWOW64\Fpfdalii.exe

MD5 84956df64273d941dc3393e7bb895981
SHA1 cab681840401a1de6c43b8f1060345f98b7ae1c9
SHA256 3818d8663ee871be58c3081a19d714de318bd735cebb475d6200bfbc1c27a019
SHA512 cb51e40cfdcf4dd9f044fda0ddfc28fab9fc30e086d1113d749a82497d87dda5435404d2a35a856494ffe1e3c9fa389b61df6e4958ba003882deff8183654280

C:\Windows\SysWOW64\Ffpmnf32.exe

MD5 429eda13d72374b087690928161fe75d
SHA1 3861057affc2052010af58b08dd647d3aa98e2aa
SHA256 3aa6195d6b0880036e612e4e26737de9849a8885b0e234bdfa23c035103cd2c1
SHA512 91867004c31045b8b0da4823d01b3a1e21c24658163cd7e1a4953b8f7ff40f8a61ad9f03d12f4766d66fb50b6f758146c18e92594c34e29321911a3f4484b3fa

C:\Windows\SysWOW64\Fjlhneio.exe

MD5 a377372d79a8b1b0343c18ffab599fbc
SHA1 a1db8891042347f3544f3d07800b70c5fb65d248
SHA256 19bbe3a1bd3216fb1a3118b6f38230be94ec960494d60cbf868e2e3f3d7db411
SHA512 3bb6e5a7253656d7ba1df93e5705af06a210132a3f45c4542dac745e653d50700d925caba0f944428eb30f92061f20020c3de5219ae61e5671039c731a71a37e

C:\Windows\SysWOW64\Flmefm32.exe

MD5 2a6f571344d2a62fcb47d5d5caff4dcc
SHA1 f154079fbd3541d5c2fc82ebaee24dff13f5fce2
SHA256 6df9d8c4455896d15d7900c85e86ac8e70cc1d84642f2e28026583ba06805add
SHA512 f0239cb432fb361ba8f7337f8157456d8f833d979174129ce0f031ed8984d904bb5bb3c363ac7537235b3af5af5cdbc21c88999a4fc91c1b2ed1e7f0d12f6012

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 1b8a57513d3e6a2f6e9a1b99cd7f48e5
SHA1 fc571e8dd715e613a538147ba30833f7618dc9bf
SHA256 5ed3f632a43243fa7b5a1dbdaa45f8c7d9258da3f951d3005a4ecea29a6a88b9
SHA512 87aa12be82476157a141c69f682a78e2e452f4b2e32723296dc3e9c774c17a6a74167ccd923aea27e64a386748a69abab437a2415539482b4e8abb7769420e9d

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 54268f69095838d4a6af15f9ca63b9eb
SHA1 c18fc6158d82925478afe699df11f66c4b5070e1
SHA256 dd553ce98146b36f1ab03aa00808a41b814f5e88d9f4998c0aee60f57fa9e54a
SHA512 172cacc7ec6b3927c35599c3281819247be2b16cbadce4d69b896ca2987d26b46e7cb81eeab81d4c11d4002d9d9f31fc392d42cd776ad655f2d142defff0b1d8

C:\Windows\SysWOW64\Globlmmj.exe

MD5 cdf148b9a1de14a86b3ce7b1bccd4550
SHA1 3990a23b8a7287deaadbc8805a90c3b583229e5e
SHA256 01bc9e0f93986f7644cbab992b338dba68958085d062e3b46fa71f6fe1ab4783
SHA512 3754f23f3949979ca80219f54d14f602293cbd63a25c3754f4e015b91ee14749cd89c95682bd195d1caec2a642c68f3f3ecdadd195342070077cc8d2fc13afb1

C:\Windows\SysWOW64\Gonnhhln.exe

MD5 13419e25763fb6db54ccb2d5e1e1c14a
SHA1 ba523e6812d3a9563418eb490615bb5b946f7285
SHA256 3ab78a8dbc4d7ce5b56663f95fd637122abc94defc933dd4b2af6476a6443471
SHA512 69a0dd20295186da2f05bf461d26ce991111658d838014bf3809807b2482bf442ad2b9a88d9ea6800a1034318880c35176b1197aea10f6576fa14f1002d11c07

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 ccdf6fa0000d2e57a66385c3e7bacfd0
SHA1 0254a11cd09796827befc0c2b15543993b76ce26
SHA256 b2b65a9a92a8545c3088c09b2ace7add67a7720461b68d746b498f839bbbc223
SHA512 1ed5f39dbc8bc2ee7fd2101c8fd5073239fc058e2920e301183004ef54abf46314d56dc4c8e0f9810956d6efd15471f81311188ea6321b3a6c25006f7ce9873b

C:\Windows\SysWOW64\Ghfbqn32.exe

MD5 f61b4a95387fd01914a2d6ec74b4efa6
SHA1 3eea28e9c563c07260f50e1a5992cfa0f6d1dc6b
SHA256 c3f70db45d8e8a3774910c203b2d0a3234ce368a6dbe46d68c546488be371b72
SHA512 47cab5906226cd6b7240eac7ee4f441b784f7e4bfe4aa38c095238154026ecfdca0fe33cfc579586fb78663a48c5fad76b3a179b9b1a6eb9ac47b32bae0fa94d

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 be201221f06a29d2296cc0bb3986b295
SHA1 7c611370a75f8bb279428b3cbea9a09fcbb59bcf
SHA256 038de835a363493abe17c3f50b43d32f43aa5d02257007e1e302eb1ddb1a8d77
SHA512 82c21996216939cfc4b0203714a3896fa2ae5f689d362c5f4711f09c6ff2918d011b9fb6e008364a6d19ce9e81947a8ad12ca3ca042a2be7e572b64155ed89e7

C:\Windows\SysWOW64\Gejcjbah.exe

MD5 fa802c317efffab61698cfcd81a396e0
SHA1 549e3266238254c14c10d81428cd91e82f71aa88
SHA256 29cbc9fda36957e00a929493deaf27ecc3733509eef73da01dab250e4b76462b
SHA512 8a8b5118df7506e8aa31f4a3d368b091670dd1dfe7e730c08da4a850c871e3336087f01c7c493d8bd96d2240c0d5de8f351fe736eff52112efd7888c2d4c8a1e

C:\Windows\SysWOW64\Gieojq32.exe

MD5 5c8a0e866643fab9b9117a7af6a02225
SHA1 e41c87622e9a43135473a41d01cc5adfe730e598
SHA256 2a4cc9dc536e410ab9dd8008519102bd8fad4b279de4f79e33c7b244fbb9d267
SHA512 83794e1cf5db21d51218b0b276aa5ce675a1e11fc5581239e6468ff485f44f4357bec7708c648465df7a27118c3fbb77e931742ce1213d91a549b6c93082b4ad

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 4d743677aa568a7b379e212f3df2aacc
SHA1 068e4b93a1a41e06afdf99b4f7e372146dc5a52d
SHA256 d9a6f8b4829a54f71104df1e5232a9b9a39581bfd1378837658c8afd3bc582ca
SHA512 ce94d44fde1da307c85ef0a2824fe00c2dde7ace75053aa957f6444cbf5307342d87e32bb331659cd90612452c87a47cab4279ddba068af08971cae03eeabc10

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 60fe655da6c256d98305ac6bf8231252
SHA1 2721a5cdd08739a6cc47c88bab833e611d8d2fd5
SHA256 26a6ccdd24eb13fd0d57acbb73b1d185dd01ae04163307c29d76635c9bf68847
SHA512 3016b9d6afeaa3e8e930e4ddf5fa7f8ff80a8f18e6231b96fff17e67e4118d6b84febbef9ecb76ed9ad188127f9f6731d26666ce06ecfb0ab9428d66a3bbf824

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 86a3122d9a28c314c0f2edb303231d51
SHA1 ae5d00d9f0396a3f13df27633a0fb97f05d51ca9
SHA256 47d92d58db681e4cf1ab300661a15ba827b5aadc4d6a07791798d8506c643d0e
SHA512 4f84a9679045155abe3342b27a516e189c4a5e628156f423f709894f4429f05acdf55e0bd7d03785d2621b7173680a0b5a4665cf59d1f2372ec0ac7e8421b056

C:\Windows\SysWOW64\Gdopkn32.exe

MD5 973f89cf9784ea00b2c2a62f89b1fe34
SHA1 a0a42c4cc1ff666011bd3d25a0738a25945fbb11
SHA256 94caaf21c79dec09c972eb71b6caa9f2d5aa5c4cd113abe1282acbb234d272f0
SHA512 9fcfed37ce8e4109954ed5e5e02c16e7a0d6aa3ff1edc08f22a87905a26fea5798c105e3135727b0e5c9d9e1fdcf91ccf0fa0c47791b11b2058279b564669afc

C:\Windows\SysWOW64\Glfhll32.exe

MD5 17cca9e540f0bec33358f5c2f65844e8
SHA1 5378d30f71b06181e80eaeec54f8c66f7be07020
SHA256 2987bba3a0a211e9fe1cba85875986d0cebf1fe8f8689eadf9ff2dbe508d7c94
SHA512 410b6b718ea84af3cab8012cdc6f12a59837ea8afe10b8ca322f018bf96395d825557357f3fac0213650529c627aa4b9045672a8e151598bcbb41499f2ea9d9e

C:\Windows\SysWOW64\Goddhg32.exe

MD5 a9d51d3231887f86a89bb56ab822e934
SHA1 3ffdfeeb1de7da622420ca8e7ce9d4b2fd32114c
SHA256 dd098b0f1bd20e14c5faff6127cc74a4590f5c87cf8bbb1d0da89ce96da4135d
SHA512 87c6dbe2ebfad90c1aea7c8db8b8b76aebc3bed89f8b92d1d3bfaf79a8d8f4a9a655ce9ba58fde7bab23b8648aafeb6e473497bbc4791611ea64bf7776043986

C:\Windows\SysWOW64\Gacpdbej.exe

MD5 86806a5289e2be9a384d5a701e2e5936
SHA1 063b5c9774a46242be47c9e1b6400154424d9bee
SHA256 33f8c8758b4f7e762e0ca0bd18151a432f3a6de8e5913f8c542504b3993340bd
SHA512 71f0c87d83b8caebfa690f3159a3834a25941754203d61e39810bc3a75636b30a0506e82d90db4406ac00f9e815474c911018dcc1974a13bf96d76d65b156dc2

C:\Windows\SysWOW64\Gdamqndn.exe

MD5 45b78a8b9b24b038aeb9e92e4f8ff347
SHA1 ad8e0399ca7cd0864d34856ca42bee509e3164ae
SHA256 a69b8c63826b89f1d1dc206e1e91bf5e5de4452d0fe12d596d035726b7fb9040
SHA512 d08a79c400a3cbba92cb367425f96dda17023a4be748ad1f589181dd77c6f832a7d22a724292b8af4de650cecc17f69d2b39d65e81b747d8c878af5a4bd0a842

C:\Windows\SysWOW64\Ggpimica.exe

MD5 bacc69393a72a6c30d98b8f69a74b8d7
SHA1 270745f71f1b28d7ae79fcbd9b5fbcf483862f50
SHA256 141e2948e004c40e12aad6b94410b618c1832dae0f882a0e0dcfe9681f057c36
SHA512 4fe4a988adad47d607f0297a62950dc64c716ff1410822ea8843351061c3b01526f3fe5386fae8c0d22882d6413090eea6adf27a5b5706f0651d75414e7fb8b9

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 7d50dac7cf1d3be84994a547ddeef940
SHA1 70934a798c50cd77a77f14068cb79986e66f0c3d
SHA256 391ca995d3f7120fa39217eb211aea9f1daff6d035f31b9bda701e3d9756ce2d
SHA512 5bbc8f2aece3bac06b86074202f44c92f1441f7dafb162d384cc91c9ce4b7b4d28cdd9a7190456e754e67892cdc1d8803615a8e91d0f8737cc7fc666f647115a

C:\Windows\SysWOW64\Gogangdc.exe

MD5 a157eb8c6bbacecf3499cb19ba0a5a2f
SHA1 f611353039d3257511a19909918b9e294645c168
SHA256 e305e5e41b9314e65b45397e4176b34d7e07321eaa5397ca88e8cf1b74088820
SHA512 a672e7bdc3cec0226873f221fb4cb1a099a9c02a60cbe4c3a231b87fcc9c4f8a8f191017b8664cacf43ae50ebe135fa8724aee75a9651d6399c4dcf998b7ed6a

C:\Windows\SysWOW64\Gphmeo32.exe

MD5 746a06b68347d2c6712ce7b2db2d1857
SHA1 ea1121a6b8a848a0e8e1e155ca8657cfe4358b05
SHA256 794d0af3bf478cd22440ec4ae2b3c02286b26156ad9e422acda77fe2e173b982
SHA512 888c8ab8c6386beeb5a6b3dfc5c8b1dea6f7e7586d77f792c419e75f5724622dbe688a679b2ab3b8185bb5f7f824535a4807bd2e02ba7bfc666b8c403b362f41

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 79a3424e047c58b62668be27e8ad143f
SHA1 c104f8876df09bc394733307aa1180ba4dbf3f34
SHA256 92076c297eef31c7096b2cfd58672cc08b982b38fd1b0da343566d060a040225
SHA512 679a7de52b6b33fa36df5e1ad7e33331a360d877246281ffe1b028f0d0e8ef8d400ed68331baa1960dabd8ae5fd864ede9bf0da07e8dcb32ffb68066a7e28f27

C:\Windows\SysWOW64\Hknach32.exe

MD5 f2f35dfc8f38e2cb30fe68a6ef2c316d
SHA1 836ea9b70398444fca4bb29760a2de09afce94b9
SHA256 1129680583d3d8e933ad2902bb338b0f47888844c0cbc97ca246804675d8cfca
SHA512 2948181d6130141c150a0d3f65a71542293ba7713852efb99593ff039a0d02ab59b789af0497de508d99cab49c85580dc6dc32855f7469149a90cc9dcbe721dd

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 c59685bd5e53a4d5779e4023f8cb6fdd
SHA1 d654951e671036b40cd06c9d8a23652ed7bc8df8
SHA256 d6b61622cd4d9805054922794b37f9f88e0b34aff136bf5333546cb7658e3bca
SHA512 1a6b85db1fa948934e574cb51e0b256899b94f8315888b86d184ee1b91976147a74f3e1ed248ef4362f56a39690fbf64426e018a9d2eb6ab389179c1cfcad2c2

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 1dc879dadd6448e4b5e9a9cbf1a4752e
SHA1 110d7a7881100b6aadcc42f7b3df88b1b3495256
SHA256 ce44b6f2a0bf8e3600c27c5d27f145f63034fcf8601b5e371ec349b3e0347496
SHA512 5864d32a518aee2edc4143f4be33897ef4a6f8accd8d3a14c135627cfdd2b7be5071ea5d2d0832077f4c6c3e04e5ee0fdb05b4db763e9a15b8df04465b2cd81e

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 6cbca3a3dcbbc41cf2748fff05001591
SHA1 54679d3221658d916131c977e3849d1aa78a5658
SHA256 0cb8a316e15a31f3b6e80da30e42d8c00a38e15f61c84ad2f3ffc1985e4f4639
SHA512 6fca4a582334ef32b6c2599f1468d4d74525661e8072bd20249e49067e83501dd43b012c4778525baf9599c5659d1aa661831d31053ebba14f1f3d7b0a451975

C:\Windows\SysWOW64\Hnojdcfi.exe

MD5 be16a14845e7b3390e988643bb95a3c0
SHA1 f1d0896a12b1c799e5f400a6e32d01b1824dd220
SHA256 4dda6259a1ab006ec46ad88b248d1520bc9eac639959f3441bc4a84d9647ff5c
SHA512 5f27e25d6ff10e4f3f2c14a1964f83a59c2cb511462a554add5c4123d9be591edb6e01e61fd3852574c35444e973d75e8abe3716a4b6f9613b4824a363c3c5d4

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 0981f24454ff071441ab97ccf67a6629
SHA1 a5a3c97e605339241107f996018e95d5c2039114
SHA256 cf5799b8e71859f16cba11cf80d3b41e7901fec3baba464a4c8d093ef9cd8afd
SHA512 55e58b87a8dd19f2371480b15355dcddbad7a897728324ac4ef571c37b75446606a8a4f88881ec6a32d1f841352bf53ad24cdeed2c8367a9b5a3ea2285eb00e8

C:\Windows\SysWOW64\Hggomh32.exe

MD5 11f32107381417d1ebdd77c45ceb880e
SHA1 7c25f6830185473d5882c1945aea05d44cff0789
SHA256 ce564fed22f530d5c129e7e722eaa3a9ddcdc1447297daa3106ba3ae80b2a613
SHA512 7b8e3898f7cdb6a84da7dec756ab7f43b02defd94f5149b25ecb6a06a5005a379a598ce8b00b021fd0f92c6d04de9b81a17713e861e0d09c90889096d313a3ca

C:\Windows\SysWOW64\Hejoiedd.exe

MD5 8474107795db2411a3bd306d5dd73fb0
SHA1 8053df277e7aedd873f2253ae0367b99fe0e0aca
SHA256 4bb91eaecec30d674a6c2903e667a1362d907f3444ab22349daf172de590d389
SHA512 9ef0becd8b22fc37b089b77ce71179f1dccbf6721fa7e3b56bf6ff24b749dfcd074fd5d7870919dc56eba89e633b8a73c72d8b38d31fb2247b25fbad74738042

C:\Windows\SysWOW64\Hiekid32.exe

MD5 dca4384f51e11252006f400f81377be9
SHA1 306445d84cf1e7d93485b32c80d156caecd50857
SHA256 7313ce2442bbdcc0b6480edc84192efe32db2d9f19b1f0c7617cc16808b392ac
SHA512 1cd90bd91dd6a6a96d3d2e4b70ac1e72c0c2b8f3799e04e445874795298f2eb6341888ee39fa5b1882c37e1775c595191414458da06a9c5f62169c7de94d1392

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 ca212190bd7661ad2103b1d42798c2c5
SHA1 ec88e5c5dcb413ecc175bccdae39b941f81b5579
SHA256 00bdd9b110120df7a609234bf943746b06581bd27b65095c919c8ed3a5fe53a6
SHA512 ce3a748da4acceed0cab7a659c9fbcfa2b471919d0051f5231c0fbe9ededd2bf07a60d77d6cb58180cf8ed0f02c3b07111c8908a5b8f2e98900d15884c5f448f

C:\Windows\SysWOW64\Hcnpbi32.exe

MD5 db90d1d2a90affd0925bb647e5c442a8
SHA1 c0948184448a24f45f78d49d2a9a12dbd49c0af3
SHA256 b99b46ad3ed12c8714cec8e37d905f369b37cbee29f43b153634f9c8c4ba0f9d
SHA512 deb614f1e62a063195456b15fd80a655e1b028cf7bc9625f98747ecb587a7b22416ee2e29eff0abb1c202bae56b4de4cb9686d3dd3b8fdccc9d0afa9cdb316da

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 9cef9f33dbe4c99a859ddd7a145c43f9
SHA1 ea576af52ee8c1ccc96b593f3b379041f267030d
SHA256 5080ebc6e0f6c8daac71f90b355def0eb107f8bf30d1580e810d06ed7d14004a
SHA512 54e7c1ea0bd3a0dbde7864ee1e886263c05d1734260fda7020aeca28621bce53d1cef828c5c1fc6e1dc00783d531c8b2f9ab9fea8923782023e598379ed75805

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 7887ec4bc8e03ab7660c3eb363212fc6
SHA1 46d9a548ecd458b1afd12252601b2685c71dd200
SHA256 56a70ff50878b1e87121634f10417522f811bf96f7965da1aa4d9a104b67f8b1
SHA512 b914a9c8949fb221e43fbcd209a0246b002ac2878f3c46a0e7be78bd1b24e05592a24dc2711d2fdb9ba90c12e3694f49e91155c94577f39d412ce94a54bb2e15

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 d936250b72381faa924863866be00b1b
SHA1 114e1adf1c75d9583d819632b67b49af50f8ece2
SHA256 fa03ed11b056bc35ba40e55b8a429b7e624dc5c7a0ab5ffa5976305e02b2224f
SHA512 67ea57205c1bff980ded30b51edf68625ea470cda27abd0cb47ae1330b329fbeb494ea103e758a469a8528c48040f433737928f5a7aa49ef8fa32387c30e1c2e

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 519d2f868a4c8d7c867d5c50e54371b0
SHA1 add350c4a422de2f278098549695959e033d83fa
SHA256 033a555379039a41aea7baeb59be196a4926223c6cf09993525043b94153c515
SHA512 ed13abf2cb38d74669d25ad886d242fded77aa431d303457bdc74fa25316ec95e19bb6834671c19aa2b8d602f742306e1f5988f6f626218d397a676246806149

C:\Windows\SysWOW64\Hacmcfge.exe

MD5 18b76470a206b9208c407db18334e71f
SHA1 811ce59841782edf49261d1f7a98d83e01c51faf
SHA256 51feb15c43cfdf5d6bf5d6c39fa80387e4d8476178261a538faf0d161009f1ec
SHA512 d7481e2688411400c456adf37875ae1c14d374075520af32ed418867fd3234f8a7b908100d58cc6fd7ab9635328530759327125f1ee1ba6b52ced22cca4bc003

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 4f335a42a44e09e8ab8dada3bb6b7481
SHA1 4da349389653b07265f3def19e60673f8a7f31a9
SHA256 de363bb3fbe3fd3d70e570aac3d358d84a4010bf1b50da35090d9d8655c8d00d
SHA512 f746eddae5f7d624b8a940c6051f0b44baf6fe7d1a9399516f380c182021f7bbb216b006467be95c4a20058fa7a818c635ae3301bc0ee270f5ec9840340b2f68

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 f3e54124154bbd88ff5457e540f22548
SHA1 988f7b9b84425e31b7de5ff7a3184155d63eb930
SHA256 d35e16395db166feb4b713f61ae58e3750c3e96c420b9f5b5a61c7e95c55764c
SHA512 0a3a4eccf8f05460f9a39c51dd74312107f696f690ce7c649c53661787b128c9b1f0a863819f0e5990a001ddbfa6a4cb2bae1a03a593fbfbb71f3661c04dc443

C:\Windows\SysWOW64\Icbimi32.exe

MD5 73d8b81fb6d61d68b2bd4b572291c029
SHA1 f7ef4e8600a034f29977d93fd59eb4d538e435bb
SHA256 7c752b78c6f138173726cd2558387d016bab439a4b08a56351f7504d21e55ab3
SHA512 66f83a53f279b7a046d19196ced2ef34a5879f956b3da64ed37c935b447bf4b84ae68971059a6c40e345cc87d5f1972a50554723aa275ee2d126d09e58112088

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 1eb893d7cfccb3dedaf0d00d092f918f
SHA1 8b47279a77773e0c80afb32ee1ec723524f8cf61
SHA256 9247a732adda3db8957eaf62672f57e8eff205311cf5485d94028c3031d5c761
SHA512 8ddecdba211a9e6f926c4500790e1e37f48f12cdfda739172ae24c53ed00c66c6663156f5abc7edcbfcd4e61ad4b18e602f016ca8eab738ca8ada39d1291089b

C:\Windows\SysWOW64\Ilknfn32.exe

MD5 26c3c936e72dcb449ea7c07ae78a5bfb
SHA1 0741b5cafe7ae5b84e8f7bb4e650be87d1710f89
SHA256 f69c79afb0afbd0fda1bf28aa66fefde79844b0027362483bcf7eafdf3188cd9
SHA512 b8aa62d1db01acf2dcd7c0ea8f20604e59824b8ef7b7b172c44b8687aa61d4b4eeb2b658a6517bee12beb9b1aaa70b76de4097c60222bb97b9b5d161ae305939

C:\Windows\SysWOW64\Iknnbklc.exe

MD5 616b55a7e57544566b84e9a67bfe597f
SHA1 622a549c8bc136ac5fa22cfe8e38aef20ce68caf
SHA256 83df9ff1dca3134260c1afc3b97edc13bd6980d0b8c11afa11c6c5f574ca2f2f
SHA512 fb7fb4a78bda8863d6367ba41fd4585e5e46779fb430d969c7a03d3240a8cd744275158588cafa91e4e8b1c53a4c871ef3b715a00eab188320cb0ea24835ecee

C:\Windows\SysWOW64\Inljnfkg.exe

MD5 7e79d0680f2f953539de6f7d97586262
SHA1 5c629d2ef8bb72349accf67e264c79bd99391596
SHA256 de16e95d10e6fb9b38f130f82c9a8cf4d7cfd736e1587d1b9d5bf55e050682a9
SHA512 189eff1289cb2ee999e4caa02fc25d9ca694eb83ebbb1c0477c77132548f3033f57333a59689e9dcbf2b500a154e908db1ef004696b0f5b33f853f46763c044a

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 f0e35030b202dc1f500835ec29b59595
SHA1 6e746fbe70991d9295e3873fdda476476c24a638
SHA256 57241984049b32f306c18763b411e47ae8c460a2994280e05517f28af15ca2fe
SHA512 017c80e25a34adb642b2789c0742ee4d2f2faa75cd3adc9bb9387e9316e45f80ca6f3b6a65194267db1948503d6589e04c53920d093be515c34fed31764f2018

memory/2924-1435-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1884-1458-0x0000000000400000-0x0000000000453000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 21:54

Reported

2024-05-09 21:56

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ehedfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmdqgd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Llcpoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iifokh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieolehop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfjcgn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acnlgp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doilmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pagdol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfoafi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kedoge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jioaqfcc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmknaell.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdcbom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npfkgjdn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cehkhecb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jblpek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbhoqj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojjolnaq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hioiji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdcbom32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lljfpnjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Deagdn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahhblemi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfkaag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Baicac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baaplhef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldanqkki.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcppfaka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ambgef32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cajcbgml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iblfnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Opakbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekcpbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hihbijhn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdeoemeg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdhdajea.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Belebq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdqgmmjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfeopj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dobfld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eefhjc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imdgqfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chpada32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chghdqbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmjlcj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Megdccmb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfaigm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cecbmf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nfjjppmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jcllonma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdmpje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pqdqof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Edkdkplj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jblpek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Behbag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnfdcjkg.exe N/A

Gozi

banker trojan gozi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Pbmncp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcojkhap.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbpjhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcagphom.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjkombfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Paegjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pagdol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qecppkdm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcepkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnnanphk.exe N/A
N/A N/A C:\Windows\SysWOW64\Acjjfggb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdbcano.exe N/A
N/A N/A C:\Windows\SysWOW64\Aanjpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahhblemi.exe N/A
N/A N/A C:\Windows\SysWOW64\Aelcfilb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajiknpjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpcon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahmlgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Angddopp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahoimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajneip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blmacb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnlnon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beeflhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbndobo.exe N/A
N/A N/A C:\Windows\SysWOW64\Behbag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blbknaib.exe N/A
N/A N/A C:\Windows\SysWOW64\Bblckl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baocghgi.exe N/A
N/A N/A C:\Windows\SysWOW64\Baaplhef.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhkhibmc.exe N/A
N/A N/A C:\Windows\SysWOW64\Chmeobkq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cliaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cafigg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chpada32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cknnpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cecbmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdfbibnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Clnjjpod.exe N/A
N/A N/A C:\Windows\SysWOW64\Colffknh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cajcbgml.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckcgkldl.exe N/A
N/A N/A C:\Windows\SysWOW64\Camphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cehkhecb.exe N/A
N/A N/A C:\Windows\SysWOW64\Chghdqbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckedalaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dekhneap.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhidjpqc.exe N/A
N/A N/A C:\Windows\SysWOW64\Docmgjhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Demecd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhkapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkjmlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dadeieea.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddbbeade.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlijfneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dafbne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dddojq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dojcgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddgkpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhbgqohi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekacmjgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Eefhjc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehedfo32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Paegjl32.exe C:\Windows\SysWOW64\Pjkombfj.exe N/A
File created C:\Windows\SysWOW64\Gidjfdep.dll C:\Windows\SysWOW64\Chghdqbf.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddgkpp32.exe C:\Windows\SysWOW64\Dojcgi32.exe N/A
File created C:\Windows\SysWOW64\Hgaoidec.dll C:\Windows\SysWOW64\Pfaigm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Agoabn32.exe N/A
File created C:\Windows\SysWOW64\Bhhdil32.exe C:\Windows\SysWOW64\Bclhhnca.exe N/A
File created C:\Windows\SysWOW64\Ecoangbg.exe C:\Windows\SysWOW64\Eleiam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oflgep32.exe C:\Windows\SysWOW64\Oponmilc.exe N/A
File created C:\Windows\SysWOW64\Chmhoe32.dll C:\Windows\SysWOW64\Oneklm32.exe N/A
File created C:\Windows\SysWOW64\Pjcbbmif.exe C:\Windows\SysWOW64\Pgefeajb.exe N/A
File created C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Ogbipa32.exe N/A
File created C:\Windows\SysWOW64\Nnenbk32.dll C:\Windows\SysWOW64\Cehkhecb.exe N/A
File created C:\Windows\SysWOW64\Kbejge32.dll C:\Windows\SysWOW64\Beeoaapl.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe C:\Windows\SysWOW64\Bhhdil32.exe N/A
File created C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Dhkjej32.exe N/A
File created C:\Windows\SysWOW64\Eadopc32.exe C:\Windows\SysWOW64\Ekjfcipa.exe N/A
File created C:\Windows\SysWOW64\Mpnaemnl.dll C:\Windows\SysWOW64\Hoiafcic.exe N/A
File created C:\Windows\SysWOW64\Kdqejn32.exe C:\Windows\SysWOW64\Klimip32.exe N/A
File created C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Beeoaapl.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkalchij.exe C:\Windows\SysWOW64\Fhcpgmjf.exe N/A
File created C:\Windows\SysWOW64\Ippggbck.exe C:\Windows\SysWOW64\Imakkfdg.exe N/A
File created C:\Windows\SysWOW64\Pfolbmje.exe C:\Windows\SysWOW64\Pcppfaka.exe N/A
File created C:\Windows\SysWOW64\Mmnbeadp.dll C:\Windows\SysWOW64\Belebq32.exe N/A
File created C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajiknpjj.exe C:\Windows\SysWOW64\Aelcfilb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajneip32.exe C:\Windows\SysWOW64\Ahoimd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cafigg32.exe C:\Windows\SysWOW64\Cliaoq32.exe N/A
File created C:\Windows\SysWOW64\Keoakjca.dll C:\Windows\SysWOW64\Chpada32.exe N/A
File created C:\Windows\SysWOW64\Ibcmom32.exe C:\Windows\SysWOW64\Ipdqba32.exe N/A
File created C:\Windows\SysWOW64\Hflcbngh.exe C:\Windows\SysWOW64\Hobkfd32.exe N/A
File created C:\Windows\SysWOW64\Pgioqq32.exe C:\Windows\SysWOW64\Pcncpbmd.exe N/A
File created C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Cegdnopg.exe N/A
File created C:\Windows\SysWOW64\Abpcon32.exe C:\Windows\SysWOW64\Ajiknpjj.exe N/A
File created C:\Windows\SysWOW64\Oolpjdob.dll C:\Windows\SysWOW64\Lenamdem.exe N/A
File created C:\Windows\SysWOW64\Pkfcej32.dll C:\Windows\SysWOW64\Lebkhc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Lphoelqn.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Ogbipa32.exe N/A
File created C:\Windows\SysWOW64\Echdno32.dll C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hofdacke.exe C:\Windows\SysWOW64\Hmhhehlb.exe N/A
File created C:\Windows\SysWOW64\Jmhale32.exe C:\Windows\SysWOW64\Jimekgff.exe N/A
File opened for modification C:\Windows\SysWOW64\Oponmilc.exe C:\Windows\SysWOW64\Njefqo32.exe N/A
File created C:\Windows\SysWOW64\Elocna32.dll C:\Windows\SysWOW64\Pnlaml32.exe N/A
File created C:\Windows\SysWOW64\Qgcbgo32.exe C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Andqdh32.exe C:\Windows\SysWOW64\Acnlgp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Edkdkplj.exe C:\Windows\SysWOW64\Eamhodmf.exe N/A
File created C:\Windows\SysWOW64\Nhgaocmg.dll C:\Windows\SysWOW64\Kfckahdj.exe N/A
File created C:\Windows\SysWOW64\Hiclgb32.dll C:\Windows\SysWOW64\Onhhamgg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File created C:\Windows\SysWOW64\Mgcail32.dll C:\Windows\SysWOW64\Cmqmma32.exe N/A
File created C:\Windows\SysWOW64\Nbgngp32.dll C:\Windows\SysWOW64\Ddmaok32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ippggbck.exe C:\Windows\SysWOW64\Imakkfdg.exe N/A
File created C:\Windows\SysWOW64\Lnlden32.dll C:\Windows\SysWOW64\Pjjhbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Ageolo32.exe N/A
File created C:\Windows\SysWOW64\Nqbjqh32.dll C:\Windows\SysWOW64\Cafigg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Ldanqkki.exe N/A
File created C:\Windows\SysWOW64\Jlingkpe.dll C:\Windows\SysWOW64\Nnjlpo32.exe N/A
File created C:\Windows\SysWOW64\Ldjicq32.dll C:\Windows\SysWOW64\Gdeqhl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kimnbd32.exe C:\Windows\SysWOW64\Kebbafoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpnlpnih.exe C:\Windows\SysWOW64\Llcpoo32.exe N/A
File created C:\Windows\SysWOW64\Hddeok32.dll C:\Windows\SysWOW64\Nnlhfn32.exe N/A
File created C:\Windows\SysWOW64\Dhkjej32.exe C:\Windows\SysWOW64\Delnin32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cknnpm32.exe C:\Windows\SysWOW64\Chpada32.exe N/A
File created C:\Windows\SysWOW64\Fohoigfh.exe C:\Windows\SysWOW64\Ehnglm32.exe N/A
File created C:\Windows\SysWOW64\Hfifmnij.exe C:\Windows\SysWOW64\Hckjacjg.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbbkaako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll" C:\Windows\SysWOW64\Mplhql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnebeogl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Olfobjbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ogbipa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhkhibmc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjicq32.dll" C:\Windows\SysWOW64\Gdeqhl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll" C:\Windows\SysWOW64\Jefbfgig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mlefklpj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll" C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkkojgao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hbeqmoji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Icifbang.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooajidfn.dll" C:\Windows\SysWOW64\Jfoiokfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmdqgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpbmco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hijooifk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll" C:\Windows\SysWOW64\Kebbafoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll" C:\Windows\SysWOW64\Acnlgp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll" C:\Windows\SysWOW64\Kfoafi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdfbibnb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcpclbfa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlekh32.dll" C:\Windows\SysWOW64\Eadopc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jcioiood.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kebbafoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll" C:\Windows\SysWOW64\Mcmabg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcpnhfhf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnneknob.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ekjfcipa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll" C:\Windows\SysWOW64\Klimip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oneklm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmlkkap.dll" C:\Windows\SysWOW64\Pagdol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipeomnnj.dll" C:\Windows\SysWOW64\Fbnafb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ffkjlp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eamhodmf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fdgdgnbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikhen32.dll" C:\Windows\SysWOW64\Gdqgmmjb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ifefimom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecoangbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipenkiei.dll" C:\Windows\SysWOW64\Ddbbeade.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ippggbck.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbjcolha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmpijp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll" C:\Windows\SysWOW64\Mcpnhfhf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cagobalc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aklmno32.dll" C:\Windows\SysWOW64\Abpcon32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hckjacjg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdqejn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll" C:\Windows\SysWOW64\Kmncnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Olkhmi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll" C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dddojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abckpb32.dll" C:\Windows\SysWOW64\Jmhale32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kedoge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll" C:\Windows\SysWOW64\Ifllil32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahhblemi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bblckl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klimip32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4880 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe C:\Windows\SysWOW64\Pbmncp32.exe
PID 4880 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe C:\Windows\SysWOW64\Pbmncp32.exe
PID 4880 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe C:\Windows\SysWOW64\Pbmncp32.exe
PID 4460 wrote to memory of 452 N/A C:\Windows\SysWOW64\Pbmncp32.exe C:\Windows\SysWOW64\Pcojkhap.exe
PID 4460 wrote to memory of 452 N/A C:\Windows\SysWOW64\Pbmncp32.exe C:\Windows\SysWOW64\Pcojkhap.exe
PID 4460 wrote to memory of 452 N/A C:\Windows\SysWOW64\Pbmncp32.exe C:\Windows\SysWOW64\Pcojkhap.exe
PID 452 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Pcojkhap.exe C:\Windows\SysWOW64\Pbpjhp32.exe
PID 452 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Pcojkhap.exe C:\Windows\SysWOW64\Pbpjhp32.exe
PID 452 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Pcojkhap.exe C:\Windows\SysWOW64\Pbpjhp32.exe
PID 2200 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Pbpjhp32.exe C:\Windows\SysWOW64\Pcagphom.exe
PID 2200 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Pbpjhp32.exe C:\Windows\SysWOW64\Pcagphom.exe
PID 2200 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Pbpjhp32.exe C:\Windows\SysWOW64\Pcagphom.exe
PID 1692 wrote to memory of 3680 N/A C:\Windows\SysWOW64\Pcagphom.exe C:\Windows\SysWOW64\Pjkombfj.exe
PID 1692 wrote to memory of 3680 N/A C:\Windows\SysWOW64\Pcagphom.exe C:\Windows\SysWOW64\Pjkombfj.exe
PID 1692 wrote to memory of 3680 N/A C:\Windows\SysWOW64\Pcagphom.exe C:\Windows\SysWOW64\Pjkombfj.exe
PID 3680 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Pjkombfj.exe C:\Windows\SysWOW64\Paegjl32.exe
PID 3680 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Pjkombfj.exe C:\Windows\SysWOW64\Paegjl32.exe
PID 3680 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Pjkombfj.exe C:\Windows\SysWOW64\Paegjl32.exe
PID 1520 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Paegjl32.exe C:\Windows\SysWOW64\Pjmlbbdg.exe
PID 1520 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Paegjl32.exe C:\Windows\SysWOW64\Pjmlbbdg.exe
PID 1520 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Paegjl32.exe C:\Windows\SysWOW64\Pjmlbbdg.exe
PID 2592 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Pagdol32.exe
PID 2592 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Pagdol32.exe
PID 2592 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Pagdol32.exe
PID 1540 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Pagdol32.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 1540 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Pagdol32.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 1540 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Pagdol32.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 2000 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qcepkg32.exe
PID 2000 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qcepkg32.exe
PID 2000 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qcepkg32.exe
PID 5044 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Qcepkg32.exe C:\Windows\SysWOW64\Qnnanphk.exe
PID 5044 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Qcepkg32.exe C:\Windows\SysWOW64\Qnnanphk.exe
PID 5044 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Qcepkg32.exe C:\Windows\SysWOW64\Qnnanphk.exe
PID 1596 wrote to memory of 4620 N/A C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Acjjfggb.exe
PID 1596 wrote to memory of 4620 N/A C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Acjjfggb.exe
PID 1596 wrote to memory of 4620 N/A C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Acjjfggb.exe
PID 4620 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Ajdbcano.exe
PID 4620 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Ajdbcano.exe
PID 4620 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Ajdbcano.exe
PID 1924 wrote to memory of 3188 N/A C:\Windows\SysWOW64\Ajdbcano.exe C:\Windows\SysWOW64\Aanjpk32.exe
PID 1924 wrote to memory of 3188 N/A C:\Windows\SysWOW64\Ajdbcano.exe C:\Windows\SysWOW64\Aanjpk32.exe
PID 1924 wrote to memory of 3188 N/A C:\Windows\SysWOW64\Ajdbcano.exe C:\Windows\SysWOW64\Aanjpk32.exe
PID 3188 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Aanjpk32.exe C:\Windows\SysWOW64\Ahhblemi.exe
PID 3188 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Aanjpk32.exe C:\Windows\SysWOW64\Ahhblemi.exe
PID 3188 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Aanjpk32.exe C:\Windows\SysWOW64\Ahhblemi.exe
PID 4664 wrote to memory of 4776 N/A C:\Windows\SysWOW64\Ahhblemi.exe C:\Windows\SysWOW64\Aelcfilb.exe
PID 4664 wrote to memory of 4776 N/A C:\Windows\SysWOW64\Ahhblemi.exe C:\Windows\SysWOW64\Aelcfilb.exe
PID 4664 wrote to memory of 4776 N/A C:\Windows\SysWOW64\Ahhblemi.exe C:\Windows\SysWOW64\Aelcfilb.exe
PID 4776 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Aelcfilb.exe C:\Windows\SysWOW64\Ajiknpjj.exe
PID 4776 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Aelcfilb.exe C:\Windows\SysWOW64\Ajiknpjj.exe
PID 4776 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Aelcfilb.exe C:\Windows\SysWOW64\Ajiknpjj.exe
PID 1340 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Ajiknpjj.exe C:\Windows\SysWOW64\Abpcon32.exe
PID 1340 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Ajiknpjj.exe C:\Windows\SysWOW64\Abpcon32.exe
PID 1340 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Ajiknpjj.exe C:\Windows\SysWOW64\Abpcon32.exe
PID 1600 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Abpcon32.exe C:\Windows\SysWOW64\Ahmlgd32.exe
PID 1600 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Abpcon32.exe C:\Windows\SysWOW64\Ahmlgd32.exe
PID 1600 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Abpcon32.exe C:\Windows\SysWOW64\Ahmlgd32.exe
PID 5024 wrote to memory of 3684 N/A C:\Windows\SysWOW64\Ahmlgd32.exe C:\Windows\SysWOW64\Angddopp.exe
PID 5024 wrote to memory of 3684 N/A C:\Windows\SysWOW64\Ahmlgd32.exe C:\Windows\SysWOW64\Angddopp.exe
PID 5024 wrote to memory of 3684 N/A C:\Windows\SysWOW64\Ahmlgd32.exe C:\Windows\SysWOW64\Angddopp.exe
PID 3684 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Angddopp.exe C:\Windows\SysWOW64\Ahoimd32.exe
PID 3684 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Angddopp.exe C:\Windows\SysWOW64\Ahoimd32.exe
PID 3684 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Angddopp.exe C:\Windows\SysWOW64\Ahoimd32.exe
PID 4636 wrote to memory of 4484 N/A C:\Windows\SysWOW64\Ahoimd32.exe C:\Windows\SysWOW64\Ajneip32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Pbmncp32.exe

C:\Windows\system32\Pbmncp32.exe

C:\Windows\SysWOW64\Pcojkhap.exe

C:\Windows\system32\Pcojkhap.exe

C:\Windows\SysWOW64\Pbpjhp32.exe

C:\Windows\system32\Pbpjhp32.exe

C:\Windows\SysWOW64\Pcagphom.exe

C:\Windows\system32\Pcagphom.exe

C:\Windows\SysWOW64\Pjkombfj.exe

C:\Windows\system32\Pjkombfj.exe

C:\Windows\SysWOW64\Paegjl32.exe

C:\Windows\system32\Paegjl32.exe

C:\Windows\SysWOW64\Pjmlbbdg.exe

C:\Windows\system32\Pjmlbbdg.exe

C:\Windows\SysWOW64\Pagdol32.exe

C:\Windows\system32\Pagdol32.exe

C:\Windows\SysWOW64\Qecppkdm.exe

C:\Windows\system32\Qecppkdm.exe

C:\Windows\SysWOW64\Qcepkg32.exe

C:\Windows\system32\Qcepkg32.exe

C:\Windows\SysWOW64\Qnnanphk.exe

C:\Windows\system32\Qnnanphk.exe

C:\Windows\SysWOW64\Acjjfggb.exe

C:\Windows\system32\Acjjfggb.exe

C:\Windows\SysWOW64\Ajdbcano.exe

C:\Windows\system32\Ajdbcano.exe

C:\Windows\SysWOW64\Aanjpk32.exe

C:\Windows\system32\Aanjpk32.exe

C:\Windows\SysWOW64\Ahhblemi.exe

C:\Windows\system32\Ahhblemi.exe

C:\Windows\SysWOW64\Aelcfilb.exe

C:\Windows\system32\Aelcfilb.exe

C:\Windows\SysWOW64\Ajiknpjj.exe

C:\Windows\system32\Ajiknpjj.exe

C:\Windows\SysWOW64\Abpcon32.exe

C:\Windows\system32\Abpcon32.exe

C:\Windows\SysWOW64\Ahmlgd32.exe

C:\Windows\system32\Ahmlgd32.exe

C:\Windows\SysWOW64\Angddopp.exe

C:\Windows\system32\Angddopp.exe

C:\Windows\SysWOW64\Ahoimd32.exe

C:\Windows\system32\Ahoimd32.exe

C:\Windows\SysWOW64\Ajneip32.exe

C:\Windows\system32\Ajneip32.exe

C:\Windows\SysWOW64\Blmacb32.exe

C:\Windows\system32\Blmacb32.exe

C:\Windows\SysWOW64\Bnlnon32.exe

C:\Windows\system32\Bnlnon32.exe

C:\Windows\SysWOW64\Beeflhdh.exe

C:\Windows\system32\Beeflhdh.exe

C:\Windows\SysWOW64\Bjbndobo.exe

C:\Windows\system32\Bjbndobo.exe

C:\Windows\SysWOW64\Behbag32.exe

C:\Windows\system32\Behbag32.exe

C:\Windows\SysWOW64\Blbknaib.exe

C:\Windows\system32\Blbknaib.exe

C:\Windows\SysWOW64\Bblckl32.exe

C:\Windows\system32\Bblckl32.exe

C:\Windows\SysWOW64\Baocghgi.exe

C:\Windows\system32\Baocghgi.exe

C:\Windows\SysWOW64\Baaplhef.exe

C:\Windows\system32\Baaplhef.exe

C:\Windows\SysWOW64\Bhkhibmc.exe

C:\Windows\system32\Bhkhibmc.exe

C:\Windows\SysWOW64\Chmeobkq.exe

C:\Windows\system32\Chmeobkq.exe

C:\Windows\SysWOW64\Cliaoq32.exe

C:\Windows\system32\Cliaoq32.exe

C:\Windows\SysWOW64\Cafigg32.exe

C:\Windows\system32\Cafigg32.exe

C:\Windows\SysWOW64\Chpada32.exe

C:\Windows\system32\Chpada32.exe

C:\Windows\SysWOW64\Cknnpm32.exe

C:\Windows\system32\Cknnpm32.exe

C:\Windows\SysWOW64\Cecbmf32.exe

C:\Windows\system32\Cecbmf32.exe

C:\Windows\SysWOW64\Cdfbibnb.exe

C:\Windows\system32\Cdfbibnb.exe

C:\Windows\SysWOW64\Clnjjpod.exe

C:\Windows\system32\Clnjjpod.exe

C:\Windows\SysWOW64\Colffknh.exe

C:\Windows\system32\Colffknh.exe

C:\Windows\SysWOW64\Cajcbgml.exe

C:\Windows\system32\Cajcbgml.exe

C:\Windows\SysWOW64\Ckcgkldl.exe

C:\Windows\system32\Ckcgkldl.exe

C:\Windows\SysWOW64\Camphf32.exe

C:\Windows\system32\Camphf32.exe

C:\Windows\SysWOW64\Cehkhecb.exe

C:\Windows\system32\Cehkhecb.exe

C:\Windows\SysWOW64\Chghdqbf.exe

C:\Windows\system32\Chghdqbf.exe

C:\Windows\SysWOW64\Ckedalaj.exe

C:\Windows\system32\Ckedalaj.exe

C:\Windows\SysWOW64\Dekhneap.exe

C:\Windows\system32\Dekhneap.exe

C:\Windows\SysWOW64\Dhidjpqc.exe

C:\Windows\system32\Dhidjpqc.exe

C:\Windows\SysWOW64\Docmgjhp.exe

C:\Windows\system32\Docmgjhp.exe

C:\Windows\SysWOW64\Demecd32.exe

C:\Windows\system32\Demecd32.exe

C:\Windows\SysWOW64\Dhkapp32.exe

C:\Windows\system32\Dhkapp32.exe

C:\Windows\SysWOW64\Dkjmlk32.exe

C:\Windows\system32\Dkjmlk32.exe

C:\Windows\SysWOW64\Dadeieea.exe

C:\Windows\system32\Dadeieea.exe

C:\Windows\SysWOW64\Ddbbeade.exe

C:\Windows\system32\Ddbbeade.exe

C:\Windows\SysWOW64\Dlijfneg.exe

C:\Windows\system32\Dlijfneg.exe

C:\Windows\SysWOW64\Dafbne32.exe

C:\Windows\system32\Dafbne32.exe

C:\Windows\SysWOW64\Dddojq32.exe

C:\Windows\system32\Dddojq32.exe

C:\Windows\SysWOW64\Dojcgi32.exe

C:\Windows\system32\Dojcgi32.exe

C:\Windows\SysWOW64\Ddgkpp32.exe

C:\Windows\system32\Ddgkpp32.exe

C:\Windows\SysWOW64\Dhbgqohi.exe

C:\Windows\system32\Dhbgqohi.exe

C:\Windows\SysWOW64\Ekacmjgl.exe

C:\Windows\system32\Ekacmjgl.exe

C:\Windows\SysWOW64\Eefhjc32.exe

C:\Windows\system32\Eefhjc32.exe

C:\Windows\SysWOW64\Ehedfo32.exe

C:\Windows\system32\Ehedfo32.exe

C:\Windows\SysWOW64\Ekcpbj32.exe

C:\Windows\system32\Ekcpbj32.exe

C:\Windows\SysWOW64\Eamhodmf.exe

C:\Windows\system32\Eamhodmf.exe

C:\Windows\SysWOW64\Edkdkplj.exe

C:\Windows\system32\Edkdkplj.exe

C:\Windows\SysWOW64\Eapedd32.exe

C:\Windows\system32\Eapedd32.exe

C:\Windows\SysWOW64\Eekaebcm.exe

C:\Windows\system32\Eekaebcm.exe

C:\Windows\SysWOW64\Ehimanbq.exe

C:\Windows\system32\Ehimanbq.exe

C:\Windows\SysWOW64\Eleiam32.exe

C:\Windows\system32\Eleiam32.exe

C:\Windows\SysWOW64\Ecoangbg.exe

C:\Windows\system32\Ecoangbg.exe

C:\Windows\SysWOW64\Edpnfo32.exe

C:\Windows\system32\Edpnfo32.exe

C:\Windows\SysWOW64\Ekjfcipa.exe

C:\Windows\system32\Ekjfcipa.exe

C:\Windows\SysWOW64\Eadopc32.exe

C:\Windows\system32\Eadopc32.exe

C:\Windows\SysWOW64\Edbklofb.exe

C:\Windows\system32\Edbklofb.exe

C:\Windows\SysWOW64\Ehnglm32.exe

C:\Windows\system32\Ehnglm32.exe

C:\Windows\SysWOW64\Fohoigfh.exe

C:\Windows\system32\Fohoigfh.exe

C:\Windows\SysWOW64\Fcckif32.exe

C:\Windows\system32\Fcckif32.exe

C:\Windows\SysWOW64\Fhqcam32.exe

C:\Windows\system32\Fhqcam32.exe

C:\Windows\SysWOW64\Fkopnh32.exe

C:\Windows\system32\Fkopnh32.exe

C:\Windows\SysWOW64\Fdgdgnbm.exe

C:\Windows\system32\Fdgdgnbm.exe

C:\Windows\SysWOW64\Fhcpgmjf.exe

C:\Windows\system32\Fhcpgmjf.exe

C:\Windows\SysWOW64\Fkalchij.exe

C:\Windows\system32\Fkalchij.exe

C:\Windows\SysWOW64\Fakdpb32.exe

C:\Windows\system32\Fakdpb32.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Fbnafb32.exe

C:\Windows\system32\Fbnafb32.exe

C:\Windows\SysWOW64\Fdlnbm32.exe

C:\Windows\system32\Fdlnbm32.exe

C:\Windows\SysWOW64\Fkffog32.exe

C:\Windows\system32\Fkffog32.exe

C:\Windows\SysWOW64\Ffkjlp32.exe

C:\Windows\system32\Ffkjlp32.exe

C:\Windows\SysWOW64\Fhjfhl32.exe

C:\Windows\system32\Fhjfhl32.exe

C:\Windows\SysWOW64\Gkhbdg32.exe

C:\Windows\system32\Gkhbdg32.exe

C:\Windows\SysWOW64\Gododflk.exe

C:\Windows\system32\Gododflk.exe

C:\Windows\SysWOW64\Gbbkaako.exe

C:\Windows\system32\Gbbkaako.exe

C:\Windows\SysWOW64\Gdqgmmjb.exe

C:\Windows\system32\Gdqgmmjb.exe

C:\Windows\SysWOW64\Gkkojgao.exe

C:\Windows\system32\Gkkojgao.exe

C:\Windows\SysWOW64\Gbdgfa32.exe

C:\Windows\system32\Gbdgfa32.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gmjlcj32.exe

C:\Windows\system32\Gmjlcj32.exe

C:\Windows\SysWOW64\Gohhpe32.exe

C:\Windows\system32\Gohhpe32.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Gdeqhl32.exe

C:\Windows\system32\Gdeqhl32.exe

C:\Windows\SysWOW64\Ghaliknf.exe

C:\Windows\system32\Ghaliknf.exe

C:\Windows\SysWOW64\Gmlhii32.exe

C:\Windows\system32\Gmlhii32.exe

C:\Windows\SysWOW64\Gokdeeec.exe

C:\Windows\system32\Gokdeeec.exe

C:\Windows\SysWOW64\Gfembo32.exe

C:\Windows\system32\Gfembo32.exe

C:\Windows\SysWOW64\Gdhmnlcj.exe

C:\Windows\system32\Gdhmnlcj.exe

C:\Windows\SysWOW64\Gmoeoidl.exe

C:\Windows\system32\Gmoeoidl.exe

C:\Windows\SysWOW64\Gdjjckag.exe

C:\Windows\system32\Gdjjckag.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hkdbpe32.exe

C:\Windows\system32\Hkdbpe32.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hfifmnij.exe

C:\Windows\system32\Hfifmnij.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hmcojh32.exe

C:\Windows\system32\Hmcojh32.exe

C:\Windows\SysWOW64\Hobkfd32.exe

C:\Windows\system32\Hobkfd32.exe

C:\Windows\SysWOW64\Hflcbngh.exe

C:\Windows\system32\Hflcbngh.exe

C:\Windows\SysWOW64\Hijooifk.exe

C:\Windows\system32\Hijooifk.exe

C:\Windows\SysWOW64\Hcpclbfa.exe

C:\Windows\system32\Hcpclbfa.exe

C:\Windows\SysWOW64\Hfnphn32.exe

C:\Windows\system32\Hfnphn32.exe

C:\Windows\SysWOW64\Hmhhehlb.exe

C:\Windows\system32\Hmhhehlb.exe

C:\Windows\SysWOW64\Hofdacke.exe

C:\Windows\system32\Hofdacke.exe

C:\Windows\SysWOW64\Hbeqmoji.exe

C:\Windows\system32\Hbeqmoji.exe

C:\Windows\SysWOW64\Hioiji32.exe

C:\Windows\system32\Hioiji32.exe

C:\Windows\SysWOW64\Hoiafcic.exe

C:\Windows\system32\Hoiafcic.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Ipknlb32.exe

C:\Windows\system32\Ipknlb32.exe

C:\Windows\SysWOW64\Ifefimom.exe

C:\Windows\system32\Ifefimom.exe

C:\Windows\SysWOW64\Ikbnacmd.exe

C:\Windows\system32\Ikbnacmd.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Iblfnn32.exe

C:\Windows\system32\Iblfnn32.exe

C:\Windows\SysWOW64\Ifgbnlmj.exe

C:\Windows\system32\Ifgbnlmj.exe

C:\Windows\SysWOW64\Iifokh32.exe

C:\Windows\system32\Iifokh32.exe

C:\Windows\SysWOW64\Imakkfdg.exe

C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Ippggbck.exe

C:\Windows\system32\Ippggbck.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Iemppiab.exe

C:\Windows\system32\Iemppiab.exe

C:\Windows\SysWOW64\Imdgqfbd.exe

C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Ipbdmaah.exe

C:\Windows\system32\Ipbdmaah.exe

C:\Windows\SysWOW64\Ibqpimpl.exe

C:\Windows\system32\Ibqpimpl.exe

C:\Windows\SysWOW64\Ifllil32.exe

C:\Windows\system32\Ifllil32.exe

C:\Windows\SysWOW64\Ieolehop.exe

C:\Windows\system32\Ieolehop.exe

C:\Windows\SysWOW64\Iikhfg32.exe

C:\Windows\system32\Iikhfg32.exe

C:\Windows\SysWOW64\Imfdff32.exe

C:\Windows\system32\Imfdff32.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jimekgff.exe

C:\Windows\system32\Jimekgff.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jbeidl32.exe

C:\Windows\system32\Jbeidl32.exe

C:\Windows\SysWOW64\Jfaedkdp.exe

C:\Windows\system32\Jfaedkdp.exe

C:\Windows\SysWOW64\Jioaqfcc.exe

C:\Windows\system32\Jioaqfcc.exe

C:\Windows\SysWOW64\Jmknaell.exe

C:\Windows\system32\Jmknaell.exe

C:\Windows\SysWOW64\Jpijnqkp.exe

C:\Windows\system32\Jpijnqkp.exe

C:\Windows\SysWOW64\Jcefno32.exe

C:\Windows\system32\Jcefno32.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jefbfgig.exe

C:\Windows\system32\Jefbfgig.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jbjcolha.exe

C:\Windows\system32\Jbjcolha.exe

C:\Windows\SysWOW64\Jfeopj32.exe

C:\Windows\system32\Jfeopj32.exe

C:\Windows\SysWOW64\Jidklf32.exe

C:\Windows\system32\Jidklf32.exe

C:\Windows\SysWOW64\Jlbgha32.exe

C:\Windows\system32\Jlbgha32.exe

C:\Windows\SysWOW64\Jcioiood.exe

C:\Windows\system32\Jcioiood.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Jeklag32.exe

C:\Windows\system32\Jeklag32.exe

C:\Windows\SysWOW64\Jmbdbd32.exe

C:\Windows\system32\Jmbdbd32.exe

C:\Windows\SysWOW64\Jlednamo.exe

C:\Windows\system32\Jlednamo.exe

C:\Windows\SysWOW64\Jcllonma.exe

C:\Windows\system32\Jcllonma.exe

C:\Windows\SysWOW64\Kboljk32.exe

C:\Windows\system32\Kboljk32.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Kmdqgd32.exe

C:\Windows\system32\Kmdqgd32.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kikame32.exe

C:\Windows\system32\Kikame32.exe

C:\Windows\SysWOW64\Kmfmmcbo.exe

C:\Windows\system32\Kmfmmcbo.exe

C:\Windows\SysWOW64\Klimip32.exe

C:\Windows\system32\Klimip32.exe

C:\Windows\SysWOW64\Kdqejn32.exe

C:\Windows\system32\Kdqejn32.exe

C:\Windows\SysWOW64\Kfoafi32.exe

C:\Windows\system32\Kfoafi32.exe

C:\Windows\SysWOW64\Kebbafoj.exe

C:\Windows\system32\Kebbafoj.exe

C:\Windows\SysWOW64\Kimnbd32.exe

C:\Windows\system32\Kimnbd32.exe

C:\Windows\SysWOW64\Klljnp32.exe

C:\Windows\system32\Klljnp32.exe

C:\Windows\SysWOW64\Kdcbom32.exe

C:\Windows\system32\Kdcbom32.exe

C:\Windows\SysWOW64\Kbfbkj32.exe

C:\Windows\system32\Kbfbkj32.exe

C:\Windows\SysWOW64\Kedoge32.exe

C:\Windows\system32\Kedoge32.exe

C:\Windows\SysWOW64\Kipkhdeq.exe

C:\Windows\system32\Kipkhdeq.exe

C:\Windows\SysWOW64\Kmkfhc32.exe

C:\Windows\system32\Kmkfhc32.exe

C:\Windows\SysWOW64\Kpjcdn32.exe

C:\Windows\system32\Kpjcdn32.exe

C:\Windows\SysWOW64\Kdeoemeg.exe

C:\Windows\system32\Kdeoemeg.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Kfckahdj.exe

C:\Windows\system32\Kfckahdj.exe

C:\Windows\SysWOW64\Kibgmdcn.exe

C:\Windows\system32\Kibgmdcn.exe

C:\Windows\SysWOW64\Kmncnb32.exe

C:\Windows\system32\Kmncnb32.exe

C:\Windows\SysWOW64\Klqcioba.exe

C:\Windows\system32\Klqcioba.exe

C:\Windows\SysWOW64\Kdgljmcd.exe

C:\Windows\system32\Kdgljmcd.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Lffhfh32.exe

C:\Windows\system32\Lffhfh32.exe

C:\Windows\SysWOW64\Liddbc32.exe

C:\Windows\system32\Liddbc32.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Lpnlpnih.exe

C:\Windows\system32\Lpnlpnih.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Ligqhc32.exe

C:\Windows\system32\Ligqhc32.exe

C:\Windows\SysWOW64\Llemdo32.exe

C:\Windows\system32\Llemdo32.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Lenamdem.exe

C:\Windows\system32\Lenamdem.exe

C:\Windows\SysWOW64\Liimncmf.exe

C:\Windows\system32\Liimncmf.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Lpcfkm32.exe

C:\Windows\system32\Lpcfkm32.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Lepncd32.exe

C:\Windows\system32\Lepncd32.exe

C:\Windows\SysWOW64\Lmgfda32.exe

C:\Windows\system32\Lmgfda32.exe

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Ldanqkki.exe

C:\Windows\system32\Ldanqkki.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lebkhc32.exe

C:\Windows\system32\Lebkhc32.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lmiciaaj.exe

C:\Windows\system32\Lmiciaaj.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Mgagbf32.exe

C:\Windows\system32\Mgagbf32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mipcob32.exe

C:\Windows\system32\Mipcob32.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mchhggno.exe

C:\Windows\system32\Mchhggno.exe

C:\Windows\SysWOW64\Megdccmb.exe

C:\Windows\system32\Megdccmb.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mmpijp32.exe

C:\Windows\system32\Mmpijp32.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Mgimcebb.exe

C:\Windows\system32\Mgimcebb.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mlefklpj.exe

C:\Windows\system32\Mlefklpj.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Mcpnhfhf.exe

C:\Windows\system32\Mcpnhfhf.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Ndokbi32.exe

C:\Windows\system32\Ndokbi32.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nepgjaeg.exe

C:\Windows\system32\Nepgjaeg.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Ngpccdlj.exe

C:\Windows\system32\Ngpccdlj.exe

C:\Windows\SysWOW64\Nebdoa32.exe

C:\Windows\system32\Nebdoa32.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Ncfdie32.exe

C:\Windows\system32\Ncfdie32.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Ncianepl.exe

C:\Windows\system32\Ncianepl.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Nlaegk32.exe

C:\Windows\system32\Nlaegk32.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Olfobjbg.exe

C:\Windows\system32\Olfobjbg.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Onhhamgg.exe

C:\Windows\system32\Onhhamgg.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Olmeci32.exe

C:\Windows\system32\Olmeci32.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pqknig32.exe

C:\Windows\system32\Pqknig32.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pgefeajb.exe

C:\Windows\system32\Pgefeajb.exe

C:\Windows\SysWOW64\Pjcbbmif.exe

C:\Windows\system32\Pjcbbmif.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pmannhhj.exe

C:\Windows\system32\Pmannhhj.exe

C:\Windows\SysWOW64\Pdifoehl.exe

C:\Windows\system32\Pdifoehl.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pfjcgn32.exe

C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pcncpbmd.exe

C:\Windows\system32\Pcncpbmd.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pcppfaka.exe

C:\Windows\system32\Pcppfaka.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pnfdcjkg.exe

C:\Windows\system32\Pnfdcjkg.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Pfaigm32.exe

C:\Windows\system32\Pfaigm32.exe

C:\Windows\SysWOW64\Pjmehkqk.exe

C:\Windows\system32\Pjmehkqk.exe

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qmmnjfnl.exe

C:\Windows\system32\Qmmnjfnl.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Adgbpc32.exe

C:\Windows\system32\Adgbpc32.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Ajckij32.exe

C:\Windows\system32\Ajckij32.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Acnlgp32.exe

C:\Windows\system32\Acnlgp32.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bmkjkd32.exe

C:\Windows\system32\Bmkjkd32.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bfdodjhm.exe

C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bmbplc32.exe

C:\Windows\system32\Bmbplc32.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Doilmc32.exe

C:\Windows\system32\Doilmc32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 10812 -ip 10812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10812 -s 396

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4880-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4880-5-0x0000000000432000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pbmncp32.exe

MD5 7f9d347640fad0dcd3d15c0a56d224f1
SHA1 a3c5017fd603f99dc08c064def92a733153d4363
SHA256 5f2cf7038e6641b5e2502ea5b7785a12dd68fb1529ca26e243de71a92960c95e
SHA512 e8f858e0d3e9a9d7cfcc76da5b41f7f128179e29fb6a77b54ce15da15379aaa2f8b92141d1e57210827006407e8261d6eda120c31338671efefa85a288b2c567

memory/4460-9-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Pcojkhap.exe

MD5 0b88e3c356e798f5ac0a4dbe4721cc17
SHA1 f9f4889f01f6baa9be03a40623fbc1cb924d6569
SHA256 194d9f2d1e55618d05621b0a81d3b4122fe58f7f4c0341e54eb8cbf856a35d5b
SHA512 b80364e1a84062f2e4e8b05267e13d4ba0dd33e45b8583e72c712d01c01231aad6f32623fe22e035bf3c9bd5adca53f7dfca56dc5efc3b2bfd4fccd3d14904da

memory/452-17-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Pbpjhp32.exe

MD5 ee77353a1149763ff54839c326339df4
SHA1 68420fa6d590c81c925f1996c4e013021466e59c
SHA256 e8acdf4657e4f2c353bf58fcb3ebf11612f640345813f74284e160973b233039
SHA512 8f8387950f1b579b9c1e67ef65895f943233b4bc940884add399fdd5f7eef46c905a460b0c6f0d2710e95dcdd7feba8b469ac8806db25a69baa5ef81d4c6e9b9

memory/2200-25-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Pcagphom.exe

MD5 0044b13e619d7bf84b144b45d8764e46
SHA1 df0d225ce0abfc552c10d52dfc1a20bbebb24994
SHA256 5de76afc0889d135d46802e9c72372e3f52208c7c5abf6c2909e15e45298106c
SHA512 234e47604c776b48e34c27b3bc451435adf0b8c1bdabc1450a7534f6feff02320ed2fe92d79bb065305839ae92a0b1d1e5cd9c7ec05f71f8d7f8ea05c60943c0

memory/3680-40-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1692-39-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Paegjl32.exe

MD5 f460258c5ab8fe774db7d209b2c7f775
SHA1 334589688dfdd8aca8e80f2497de5615517ddd42
SHA256 dc7e6c39779076dfa00b26a34328f98bc5116a4963bb4723191fc15596b0e036
SHA512 270f28fef480b521ede61d86bbbe38330020f34bb55e6aaf9505b8e23b0d448e52b8b49c6ae286be194caf5e6e92dfb618d68b646c1c3e5589721a1bd5dedb90

C:\Windows\SysWOW64\Pjkombfj.exe

MD5 620604313e4ff5ce138cfbe7529977f2
SHA1 54bf042d077b85479d913a917662f4cb123c89bb
SHA256 0debc2582e99ca13036cf8278587900b24edb98ccb32576b67694ee8b5f57fca
SHA512 52b5b6111f8bd7ad11ced4410471efaeb375d01d782e2ce45c3eb22d92e0688de7263c891ddd80d041973a280a15305cab14a5a9960b21ac66ba1586cc67bc6c

memory/1520-53-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Pjmlbbdg.exe

MD5 2a9ee8e2495b0ef1dbb363c0cf1cb310
SHA1 dbaf73ff0699c273b83d0c79cf1267bbaab075f1
SHA256 37e99397434fdb516b0e99347876fbfff7c61608f68b2b3c1cadca4283d885de
SHA512 6695b926371a062b4444c95d9e7b547ebf07ff82b8241bcc59050f8aee8c4b71000c184129fe86df6ec6ce45d96c8b48ec312171847196dffe27918532a70189

memory/2592-56-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1540-69-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Qecppkdm.exe

MD5 bdb1c144de793cee72bd439b05964efd
SHA1 7c072f56cccf5904153f7d00b0785b97953f8418
SHA256 e50e7bf3239626fa2f81ae1e91106e3841e44a5c21ab9d080831978ca78cbd55
SHA512 92ebb844adb11a3414b10d556c9d065e5a5e3c0719e4952ecfe51c99709c83bd3d068f79116f6dc4ddff350d83f7edb0c287be3c2eaffbb7273f14cf5e39aebb

C:\Windows\SysWOW64\Pagdol32.exe

MD5 e4064745d2c458af50f7b57a632838c4
SHA1 da9aeabf6649bef6397a3d619446781bf1181433
SHA256 88ce0a0189d2c60b5b02957ff3fdfe2cfd3e8ada4037d4edbd9dbd8b32150635
SHA512 7fe9b44326a6727da75134d6c7d2cdd85db5d4db9d51fb3e96bb9b6d191c5fecec55f6118dc2c2c8e5deed2870265cb0b79dfb60024ee666fdd29e07350e1f08

memory/2000-77-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Qcepkg32.exe

MD5 994eb7b682a5e4ba1d0d500d91d0892b
SHA1 c155adc7fd748ff8676ef63c6baa0e52a233fd7e
SHA256 adcadac3bd0956412b7d2f90265282dcea8e55449e08b4dd0c38bca216c32db9
SHA512 bc0b022cade1566738a71d18da5df359b1df85679557d14e786b4d2a261913b28de1642a069bc0738142a06cc46e98143b4b51579da15c9f56c08c096e22778a

memory/5044-80-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Qnnanphk.exe

MD5 781e26e6ce2b8cd470cf8338c2cbff31
SHA1 f6ca9c27b129f75f036deae55cc920380be14382
SHA256 5de650d3093116171b0684f3dbf94de7df996326713cb17611d44036f1a5b0c4
SHA512 c3b260e203bff7a9b3ae487526a3f0980f4c84267caa628360bc2f5204346a9971d8ce3b95bc9ad58059fda4d85eab233ee87e726da3232824fde1c53bd679fa

memory/1596-89-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Acjjfggb.exe

MD5 224c589562baa07ab131d615eddc6014
SHA1 d7f6a7b49217f601c36e51d7945f4cc07f0ab798
SHA256 392d8c32ddbd46deb981d6b505284009125cfa3d8b0ff332f5349b62e4453366
SHA512 4d72cafa5ee02e793bbcb62b3021ce652e526d2993da037b6ec58101bab6d6c108b83759c32fc112f05dc2e89206cc677be5faa030d0a2e51bfc23b14d3baf51

memory/4620-97-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ajdbcano.exe

MD5 30898e1a73968b4a00aac7de810e5fc7
SHA1 19d8a40116e8290d57d3f1ab5b2527d1830c3f9d
SHA256 bcdf676d755284faa059e79451d6a504659f5245ec28e9122fecb93e2532a04b
SHA512 7462072ee4130091f6d20e68fc834f93c03b76137fb3764aa8670b02a83a75d8a064a26b8bfc02bc1ebdb84acb087f925f1a73b1a1ee7c9350dd139bda3dd82d

memory/1924-111-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3188-112-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Aanjpk32.exe

MD5 a8e6eae130634bd6876518c53066c1b6
SHA1 c6148838f1589cc8a14ebffff41ee4b63e79a224
SHA256 c65b6414a4ccef3bebf339bfb5d55c9fc3d51f071fd214c29c6dbbcd8469a9d5
SHA512 595ddefd054cdd44664c952de856556ad12032d7212d45f4821b6f2126853563a0beeafeebd407c4ab7f0b1a1b0a2cbd3184deab9355e35b052269f55abeed78

C:\Windows\SysWOW64\Ahhblemi.exe

MD5 6d89ff150c21fad3648f2c929675d943
SHA1 097d1b53ce41ab6dcad095f313399a59ce63cd53
SHA256 47063e12cf36f1db710ba22c8763f7eea0f1418339e1e6e0bc90d4d571cf0b15
SHA512 26692ca9fc439faa798791930a4bc3d6590c54841c2390da55cc35c4471a16af7bf64ed2b79ea68e6f9c3a259ff6200cacf37b93f983067a6557c904c2c5fe2b

memory/4664-121-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Aelcfilb.exe

MD5 1c6dfd8f13a537f0df5f647a46b8ae81
SHA1 42057cdd96b2237c66eb54320bbdbec1f6cf283a
SHA256 ff01ed6895c0129f6179629105e06c00a16d5481f3b52b2ef69e5058dae179b0
SHA512 145a88e9c6ba747c54aba29485735bb7be8e6f719910390a0b00f4f3dcb74ef97a3dcf94a8327e81240cfdf905099b75cc168cb250e8f3c325ba831d9b7c5ecf

memory/4776-128-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ajiknpjj.exe

MD5 1355cf75bbe35ab5a0cdaf455d8c1758
SHA1 63c9de810a97d22253d9d59bed7e51854a403302
SHA256 4fbdc5da87120600af63b129930bedfb67d0bab3b7639f02efd707da0e025261
SHA512 8a0faec29acfff1eb00d5fefdf4319ef49170d9e4c3c875cff3d18e26cf1d28755c08a1c63908180010518d4a0a64442c89d7858cb4bedc406a05b1e8884cb69

memory/1340-137-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Abpcon32.exe

MD5 5ac03c64757aab4b72012fa1fd158a3e
SHA1 4067c0baaa2503981a2166c84ad660c6d9c317b7
SHA256 3466635d135d63634fa3c5cdaa6f1dd3f90531514f45502bdf10e5c04a5efc06
SHA512 ccab4c8814b50ce036a8d910225c5818192ed6bb53c7860564d9dc41105d85c0221ad534e51dd5b145b7e0a803de423859d7e78af8df7bc7f6aa8376e0c42146

C:\Windows\SysWOW64\Ahmlgd32.exe

MD5 7e8a25aaf26047582c627889744b6984
SHA1 515d42b397ebe089a93ef45a3ebd8a8c46b31790
SHA256 837130a895536fd728fb26718a0c04257f4539c5e9c76378ce7f67aad7a89f8f
SHA512 0d402a7c64a6c2474b737aadeae3d8442a5f30106afa26664ededd59a916d2b61fce807ca9a8f039934152e6572504512f3d48ea723dcf8874a032aeb495d98d

memory/5024-151-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Angddopp.exe

MD5 fce492e1dc2604be60ce33a02b532335
SHA1 aea959b50f70557efff5b701aa50cf6933cc5aef
SHA256 e5c69eee347826650ba0f34dec077f4f6fea039e10024d38de1d48bcab0e2f80
SHA512 d87f5495e0ed0f3f9947028d9a066bab17492e72a2911bc2493a690218a92d6a0618a8323232d6fdacb547baec3f4f7f2d2ed2ea29bceb4240abf7dc5c88183d

memory/3684-164-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ahoimd32.exe

MD5 d89fb5b0d691051b10bd6cba957debc3
SHA1 bb4fe46712f37f641216a3dff2dce0f71161c136
SHA256 8196c3cfea8bcc784f8a2276ec7d1675a056926907231a25d4aa63a18f55fff3
SHA512 6ff15756b72c2ce625ed131f5b097e7ba1ce04eefd1a23249a2ee7d3d4ca9fa9ce6f1ce00d425fd07008855e76ab22549c279ca8bf6c0e33551ecddde2234f33

C:\Windows\SysWOW64\Ajneip32.exe

MD5 c884bdf62d4846da2e7196ff6d5fe24b
SHA1 22b8af8a8040d4187aa284c56bcb2bdac532606e
SHA256 515c81106b0253b1a9cec392e6cccf3adf0f2afadb0e5f5c917b3fedc4e3b8ca
SHA512 0a235faa5f69bd50696c6cd74b24f8022a913c7c073ae6bfdce6320525c78329c99e7af060454c2d0f3be3ba967c6a795fe68dea938be1553b104ad169f2f2dc

memory/4636-172-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4484-175-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Blmacb32.exe

MD5 d5a14c1dbc7dad58498caeed3b9b0b17
SHA1 428fbdb83787f47addfaaf2e79a31270b9cec934
SHA256 48fbd6f6a3f78b7331e74183dc6c1cb570bc331106290cdcc488bbfaf8cbc2bc
SHA512 ccf449880e73029729e8e6a74577e532193440e7ed8623b94650b887e97aea474a95a0194f222b25ca65a2c96c0c2f1eb873277a09793c21e5b03a9b3e4064b1

memory/776-188-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bnlnon32.exe

MD5 2d7073f732e56303b118c5f797503ce9
SHA1 561a2d6dd29b89bd56d1ec9dc35f59d6e6b4d372
SHA256 5d3979472db1b882543338714a1379425697a0f195a2a7b4b91064666a7ca31a
SHA512 fc967437597d3f17bd855de2945c4ced6d1189b20c026f37d63a6d799efed7f3e0e455fea2ab867837685ea68e922bb24e7c5699dfe4eea2e9d116697e122c52

memory/1076-196-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Beeflhdh.exe

MD5 c683f7f4d1e0968a955614c1b92a98bc
SHA1 028f484314fb374bd5a3ac1d1ca5756617392c7a
SHA256 bd2571689e356171e59a91a5a73dc7e351dfcdf4f6c69359e61b2eed22876283
SHA512 994638f8893705acea8b590fd1ef3c91114b8248330b6fcfd76ebcedbf31e5bf23f92d3dd5428d5563473885e26687f08b55ecc2c0554fd8985d4c7406c43026

memory/3960-200-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bjbndobo.exe

MD5 ccea1fae3fc5da8e5122868b3d7c2d22
SHA1 2f98da9d03e9007e5dfa88894b8a76c1f51403f5
SHA256 6e9248a61e2584c38e11410202be5a56ffe40af6a385a1985d1571a869ba9b62
SHA512 47c4a804425a90907bcdbc92d4835c51eae215901ce9979813738199381117e876a54721c5167e9040aaacac95dcf70ec50103b37403ae7390a5521a85a65017

memory/4952-212-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Behbag32.exe

MD5 4e8da503aae830816ca6d4231198fa1e
SHA1 8bea627958208308cb388422279695f9b603fb23
SHA256 b133c7dd9e661ecdddc1fce1d02d843e029067671398f38e8e35e8fb5c465163
SHA512 25f81f706ec1589af30656d49d117b8a30357327803f92f70b09fccce5ae364b0316fcbec0e83095bdedf473364651f6da0580314b014a569f77e55ba661224b

C:\Windows\SysWOW64\Blbknaib.exe

MD5 ffef1336e5a2f4e6049fd60dfc2f2565
SHA1 75129928bd2ba6a6f9caae5f7c2107687c06dccd
SHA256 c948c1d05b41616db6b3692214476e8b1ccf32e19da505a2a2f9078fdd45a614
SHA512 3afa69bf6e2caf0346e9b40bc25f10a3711f5abca2a9bc13de128ad1d25a7436793aad4566c1037f505e3ea95c61e031c2e561de5d88226dfddd3128540ed407

C:\Windows\SysWOW64\Bblckl32.exe

MD5 fa975a9addb67a7613b415f0456658a5
SHA1 964cda361214ce830e1c7a3faea598745b023676
SHA256 be936a412e7b5155403eb38c10d5bf42fa6ecffd87495841be3e213240091974
SHA512 c10be1d735b2c2d3c0e254525e9e21be60f7b640f9dd811f1c8a35cca3f068edc0d34b32b218ff7821de2ed772c2aafc655c37b43ec64de00575b4b347558d05

memory/1996-227-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4372-236-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2600-238-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Baocghgi.exe

MD5 482b3ce94f786f540287e99777e051e8
SHA1 cd2ba4fd12d0e359d23abf696cda4752cdf2de13
SHA256 2242425df4fd5e5b8df9ade4c7531588ee9ffb65616417a5c21016b744e028c0
SHA512 e5485325c19c3613f59809acfcdc2e166461b70352d097c8718568511975c540a3ada2c05814ad2be10d803fde0b71af85b04e101e4cfb21efdfd6fc6e6f819e

C:\Windows\SysWOW64\Baaplhef.exe

MD5 e8879c35b7fb693a478ff1e8bc31d22b
SHA1 35700f93dfd31aa1cfefab99b048f5d8c0390b74
SHA256 cd9f6208dda8f967d36767555715a77fa010156f5316f4bf550b3931d0a7756e
SHA512 e4171203632b55a4d3de5fa6276e06f9ee3e93a856c5b8be6a9143beea6f7ac6979a835f2c2f64327a934d732365d36ece2337ef22cbe8db4bd96dca10805817

memory/1728-246-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bhkhibmc.exe

MD5 018b55588b154e701b07a740efaba2f0
SHA1 5a417bc77e79313b4af77de9fd4204d255b69a80
SHA256 6552eee4912731c5adf8a081f23a09830c04812c7fc53ca6457bb7f96e81549b
SHA512 7890d8ebc42745c523abc73766f87bf842708601a281a25b1ae6db84741b1e45f4929d32aa6c885c37289fbaacc578fab9709e7635e6de1850938a3be21d086c

memory/5016-254-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cliaoq32.exe

MD5 42bd8ebcd19f6456e271efdadb5963ca
SHA1 41652dfbaaa642e0a3ac833e5c6278759068c8e5
SHA256 bd7ac1e42cf9c4cde1ae71eb76f7a579d75c726022435d0c8cb675ea0f6cdb32
SHA512 cc127c26d4cfe23745162421e5c4141d39df6f5326bca1173b43c93ccbac62d1a63d327c97b0ba8251648139d09c6dc98e274138c8f9e8089cb868b1c53e2f5b

memory/1188-261-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4492-267-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3360-273-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5028-281-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4316-285-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4896-291-0x0000000000400000-0x0000000000453000-memory.dmp

memory/380-297-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4304-308-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2080-313-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4088-315-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1952-325-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4940-327-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3916-339-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4644-338-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4568-345-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4884-355-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2568-362-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2932-363-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3536-371-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4416-380-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1276-395-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5012-402-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4060-408-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5116-414-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dhbgqohi.exe

MD5 65f02df046c8dd27522f43e9bbcf7d30
SHA1 a6529de78b212ea87cccaae141ea6ed0d3bebe15
SHA256 bf4e45a1f49d66be0eaf09445f78a4b3b19b9d31a5ea47be50552947271cecda
SHA512 3ceeb1e18401ca98c247cb869a705a9b093d74063ee5215213e9129aa73539445879602f8b1d9eac33be81c825120bbad52a9675a44d11a395e8f62360b8d050

memory/3504-425-0x0000000000400000-0x0000000000453000-memory.dmp

memory/404-430-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1972-432-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3200-448-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4808-458-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2468-460-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4688-474-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3596-481-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4064-483-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ecoangbg.exe

MD5 208500cdfaa2218559346b90816b011b
SHA1 2d7735d5e3b36e6034c771d3da56b4be4efc2de7
SHA256 09fbff0b1cd0dc271307052b081ed5d34f7a5476f3317f456f7c26b2633a8142
SHA512 9a52ed5344af4598bfcb9704a3c92fdec4e37381f02aa34c8eed4377204e8347e179835300284ae8001b44996c6846cc8b85d1a2c5289aa0cbbb52fe952db2c2

memory/2612-489-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1332-501-0x0000000000400000-0x0000000000453000-memory.dmp

memory/808-495-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3280-516-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Fohoigfh.exe

MD5 149c84b310754df4274361822b222cb0
SHA1 d3181a6ccfc99cb9648a1bfabbb7e62ba277595a
SHA256 cc565eb78cbc96e9c6f0afffffd57c578a21dc7acc71e28a3094d52f32d6e1b5
SHA512 b6a6a641c101e5e049f3d0f170a10a272eae60268fbdbef39d21f1ba757d4005229ffb63a2cfdd3870db74426ce58cac0c8845bb1c780e445f2a770fdec36a08

memory/3656-518-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3528-524-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4912-530-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4880-536-0x0000000000400000-0x0000000000453000-memory.dmp

memory/844-537-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1736-543-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4460-553-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5132-556-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Fkalchij.exe

MD5 f3d22c89725857a51433be7e3345cb40
SHA1 1f925ad9619034d371089c105def7894d0fea8c7
SHA256 f6780c066040aff231cfe1bd5554ba1a2adfb153e9f8b680a080e2fc10a2f56f
SHA512 fa5410fdf665079b106e76c4bec9639bbad3ba4840b9dea3e5d5178b8918f0ca15f622f2c6e333fb8b62c8ab9ca48a33cca7af9fa4d7815e4cce2f116ca4d768

memory/452-555-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5180-563-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2200-562-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3680-570-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1520-576-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5308-583-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2592-582-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Fbnafb32.exe

MD5 d48664c329db49650bb06ecbc4f3e114
SHA1 cea17aa34719fb400953cd3f1ac5aab14ed1cf89
SHA256 d6afd4ee3542dd2f7db97647966627e28d3bb829fecfa5fba33d897b0dd231f1
SHA512 bdba7def8f1ead3bdbab687510bc1455968f1c75de8d7260c544cd97f0cf4435a64ed444239fb4709e778f67fd1589cb9e71e89a84386d4d8cf3de7403965fb4

memory/1692-569-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1540-593-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Fkffog32.exe

MD5 aa5a40b2bfd693de467376818422ed0a
SHA1 b55e0aed767772ab07050b5b0b519c08f46b6c37
SHA256 87b348486b1f8a0adbb6490609552da4f8e8f494465751808027c2aef81060f9
SHA512 7c56a26215afd46ebd047b41ff734ed9ba42e8423f0fe1721999b18d2133654774c0c7a872d61b0508e8466727c93475c4f98363aa7f1cdbdeca88221feae8be

memory/5044-601-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5392-595-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1596-607-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1924-614-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5560-620-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5600-627-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3188-626-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4620-613-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4664-637-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4776-639-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Gdcdbl32.exe

MD5 9edb0e93209c23cef8c999d2c4d64373
SHA1 9581fd108f294c869713e5f2b1c33b716f652cd1
SHA256 c2ad41ffc3f87c2e4305d975e607343d047836227b23041336686dbfccfdc2ce
SHA512 8269e7838ea9e983867dd004aa96d6f238144f570194c4be8613dfd8d7af39c4496c7993b317eef04814b4f81808eead258b7fdc30a973c2608f5f59ad2e80c6

C:\Windows\SysWOW64\Gfembo32.exe

MD5 48d4b09acaf7a39225218520761662eb
SHA1 2e0b8bfc27c9e1bf6c0b759867aa4ca59e6a07e6
SHA256 e4e8b6b9557d66778222bbb9085d8a225c4b7b8de17b806b7053aa52021e237b
SHA512 98bcfd744d5917a450222dadafcb5bf7003a6fd2c313529c2c987aef1256a02090cd356bfaff2659accac8e2bfaecddd8b0d0560dd1e0e96066cbde4d9d7cf2a

C:\Windows\SysWOW64\Hkdbpe32.exe

MD5 fc7e0c9d049f2f201378a72407d6bb8a
SHA1 40d62c0b5aa0a2c0a1f83312c812d4819bb86c00
SHA256 62603c527870923d5daf6d464a8df25adc25f733d93276eabeddd3dae597ffa5
SHA512 7dae6aa9ba30901b244ac60dee70aa744cfeaa18df9030218128ed194e2b39f7109f9ad97ab682f34129de2ce7bfe865cc6ed2d7aad95dfccd73f75f39e48425

C:\Windows\SysWOW64\Hmcojh32.exe

MD5 bccc81a069b0233804027191f9640a1d
SHA1 855bacc4a5ce7777976c74b5a39c6c41ea377f4e
SHA256 87716910bf0ec9ffa62728fbd0d51f9e12b1b055b63201f421a924f2bd182be8
SHA512 d9540ce7da1679fce660bab2b3b4ca9a60e0d09351b1d7632de34cd873e00c8ff41723ef97d6e9e4aa1e8c127e7d57d6339b1b80c0f99fd1beb6ee10452cfc83

C:\Windows\SysWOW64\Hcpclbfa.exe

MD5 f1dc33fd8e60cd31021147e277555d5d
SHA1 c2da1f64506bb9229794112a9e2db5340376f91d
SHA256 69926662017f357121cf8f1a4098b5c089e84d665dcd0d5238c4c798f67170d7
SHA512 16b08f95a7b8b309ab7d7f94b0ad78d07eea5418ec7b6fa86719f6781fbab030f6ac174e2a308a8b1f635b307d691345dfa10da6815484f4197bc3e2feda26e0

C:\Windows\SysWOW64\Hoiafcic.exe

MD5 3ab5dcc67ad3708359a3f393eb7dfc67
SHA1 33e6d5d1413b1ba85ebffcc117e28e287e2baee0
SHA256 f617567ce18cfe0deefd9440381d8a0cefe058ea371edc07084a90f833b265d7
SHA512 e2949121272d0a80d53ec7e0f1d00f1faf87b4f6824e046c1b1ec2ac6a915e10b7f63d07a47af6107a6b206aca0e9dd40296874f4b99f0d1649ca057c423a33a

C:\Windows\SysWOW64\Hbgmcnhf.exe

MD5 90581f3702c6a88f44d4f819336b3673
SHA1 f5ef7676ca36c1fc20f86b63d7190093bd4f440a
SHA256 ef8bf8d3262bf9750228999e7fcb3656b3d8c7a2288faeb40cd6c0e662575045
SHA512 4cbebc81f8a975c03996615e73c66aca1a1968a1c4d86633cdee086f1a0302216f78856e8db7f0931df766f69bee1c12de9ed00d702d90ee6170ae5cbca2bf14

C:\Windows\SysWOW64\Imakkfdg.exe

MD5 86fb7ccd883efabffbb5f45dbc782a3e
SHA1 c88c1594790cf8e71481c83c97d2a8fb601d5dec
SHA256 526f35176ff1c78832c2fb396db682b39706957ff55ca8d6450b454bbfd9077a
SHA512 25a408cea050f7c3c245b1e9367503fa5822dea7e269bafe2332348a412a61298c92383c28400dabc69e5821e85f7f86689fcdf67c9a02c6cdd25ad745474da0

C:\Windows\SysWOW64\Ippggbck.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Ibqpimpl.exe

MD5 882a4921a815b17416dd1d4b5c1578f6
SHA1 79d7ede0b812f8a57bc606e047ddd6270f885b6b
SHA256 6d9bb3ec2e2afe0fdd060ad9dde083c939a343ce11e54d8211b3fcffff0b4595
SHA512 cf0e1ebbc0cf67e8da64c217afccba45c36ff88ff11b6e2ee2d26ac9fdb8b8be82d56e3996c490f280aeef6f3b008a669b8e12e6a1475c58431e4e31aefb0cff

C:\Windows\SysWOW64\Jmhale32.exe

MD5 410dbd20e3827babca796fae11e28c6b
SHA1 ad34a7b452a2cdb5c20bf450bb642005120b939b
SHA256 8f6c25b88afd0ffb11fafc2e87c918ba50469b813a49372cb94544c7146c687e
SHA512 92636bc77369335671a98fa5579f9c9d9b69ce8945d6cd8afaefbb20b5d8c817dfc2979104a0cc5062ea51c3c5b3c89af64905bef61385f5d2948e6930dc925a

C:\Windows\SysWOW64\Jfaedkdp.exe

MD5 fa2e727a4c1163a5f7e63782ce2b735e
SHA1 96afdc422fe70b802b6ee654c72f2dad64f2e6db
SHA256 f0d926f52d1451bb03399d2682f385d9ef5af6e634cc75893750ba22664db68e
SHA512 6a38fd5c89f4a3e108801a3394efb8661fdc47cd809fc8b59708de101c8d722b2a2d3e4e04b929b57e86673da0345d51f75c35b75058f257b0beaeb5a048d32f

C:\Windows\SysWOW64\Jblpek32.exe

MD5 5c1e0d24aa6988bcdda2a0ad0cc92940
SHA1 83ce95b866c3065f88ae6ceaa5d467e35019f8f5
SHA256 e3e17f63075163b5cc424f17b98d0611ee26993ff77a7776f18d55592d74162b
SHA512 75e4ee9923bf09c505b3ab22c592a2f000b8dbfab00447cccbee41c9870fde74805acedb230f96cc3dc989070617155b8d82c22107e10591f55aa39188edf6cc

C:\Windows\SysWOW64\Kiidgeki.exe

MD5 4be1f13712ca51d887f532080b8f3b15
SHA1 f61055be39bb8db8d97ef55e19155b6223d26d73
SHA256 510e3a67d3dae999c35be8bf6c5ad3a05e8820b046b0661b11eb5491da7fc373
SHA512 aaf984df67dfd4ccf3178442725a004474d7ca753ef08534f9cb7133cc14344da5630901686ea85c960eb17162e417e069456a44e1fe7d719abdd79635481d6b

C:\Windows\SysWOW64\Kbaipkbi.exe

MD5 ad952296b8b8f1dbf4e67f8a31f59320
SHA1 28a1762cdc832840bcda07c0e57539db40dab130
SHA256 6b7522c6946555453df765755a4ea7d9da223a6ffe40f1811319bbfe7eb67e7c
SHA512 d332543e45b45f0dc9de263644a8179903fdf251987285545ded92fa908971be7aca06309a56400126108a4800ed2be2ced9c8e0be216cdc320cdeaae3ef569a

C:\Windows\SysWOW64\Kdqejn32.exe

MD5 8b15dbe3b91c6d66b1f67d7c329eac2d
SHA1 0dcb0442b854fb4dbb05f0fd55e9703794f567ef
SHA256 c0770db9d6e524c337bc4c1c4ef1f76bb90717816326a9ddae743a8b6a8906ab
SHA512 8b679431bc9bfec85e8914fda848c6f196cbdfe249fe161bb47a91ef640fa763a9441d61975f123156b6cf97df4cd54d227bb9595ebd5a0a6e7793b2dee7818c

C:\Windows\SysWOW64\Kebbafoj.exe

MD5 e318819a26e67f43a786be3a879e8941
SHA1 fd6115990316e0912c11e4dada656bf58e7fb96f
SHA256 5a941a08f7d7095d883ba139a9a9c51c9613773ebc78390d75f82bb5ea923efc
SHA512 dff64a2854c0b48a89a8957265520746ebf0d70454c7e2250db82376122b49325098ae1e0ad423f77b8145eb66aedfc95052865beaca9ac80f0eb9f9bc8d762b

C:\Windows\SysWOW64\Klljnp32.exe

MD5 3a1d453cda794caeec77376ff47bc538
SHA1 ed12104f5740c126fead464d878a505fc62d5f0d
SHA256 72242940eb729f2d32308019f17fc81f1ab9a571901b14aa451cf0d57db0b61a
SHA512 2733b8f1a793e980cf6b89071a7f712deb8c8c18b321316fd62db990d5c7f4ece529b88412916c70720d6cd9fd8f3f9728c2dcb5b23261935711bfdad4d977e0

C:\Windows\SysWOW64\Kdeoemeg.exe

MD5 c6c237344a521a61b5b79e7f60bb56ea
SHA1 5fe2425e581c8707419907afa0d19bf8a7b8887c
SHA256 024ae97250891ecf40eb7e91a5a7bc68b13f81eb357f1deb4406768640e37399
SHA512 e5c9c66352a670a6e0a119b95732d2365799298773394c4bb6b76ae4edfb05bacd14c47a5a7249ef43f1029b6807578a3caa2b0e15439376e65b3a6bd2f8b9f5

C:\Windows\SysWOW64\Kmncnb32.exe

MD5 7f22ed0d4afa2b2402a41610706539e9
SHA1 e1e9380cd4fb18fea58c912b656eafd5d82499a6
SHA256 f5232f786560b336b069974e1b75873de5b93c917468b353ad840a70a212956d
SHA512 a17dbb16cfba8b32f2ddcca2c5273ce5782af8d79d7adc983fb83fa539effb3b250aa7f0643c32d51dba4eea9c0c9866a148946afd777ef7e6a20b6370b53dfa

C:\Windows\SysWOW64\Lbjlfi32.exe

MD5 5e449f724da9e05ef758870746a3cca3
SHA1 7cd5fd2aaa14ab2749068e900b2e128e487f0a71
SHA256 25ee60765a3696e803d75ad443640bfefbed8d232fd78556488e66324852d3fc
SHA512 f93b13ae0f29efe4e86ad9e5d4e25a9ff9b851f1e5db8bee202584bdb51c6bf60ca32d02ecacfdf70fdc2078cded209a3c8d74e62605b7485f1ab37efd9e1dfe

C:\Windows\SysWOW64\Llcpoo32.exe

MD5 5d1040db546d2b4d7892666b9447d55f
SHA1 9c36d001db2c8bf956726a722617fb2b9689a67f
SHA256 39ffc8471301d5864de8c0c3f032b19f511ff352f5f5dee5fc3790752fa1f202
SHA512 5b1e1c544209d376aded5a755ab8ee25f45269deb319e742a7f62f99cbde60b1bf49d43a4761b60992b339e7d918e16ca5912406dcd1cff07366c5b3316c3033

C:\Windows\SysWOW64\Lenamdem.exe

MD5 27570ebb015ca13a4b987e70f0e5a70f
SHA1 4918dc8b78dced7e885765e1c7227b001506afe4
SHA256 ee8f973d0e2b554572634749179d37b92321e8c04af03224282c93600f3ce1b6
SHA512 aedf44df4bf5174457186347ec48731488eb9d66b17e873de478fc1d79849500d5192eb6c5bd4a9ba97203d01cc83b5c532e54fa2561f40e20085866af29726b

C:\Windows\SysWOW64\Llemdo32.exe

MD5 7c766912cbce9f1170ca5dd9aed90e31
SHA1 c64ee987cf3b1d7c392c6c8413bee56a2fd471f8
SHA256 a4d795d52b2ebfa44c62f2279ac4d9e3e4c65dffb0630c5c8c39981407cbf798
SHA512 95989c385986513afeadb8c52dd6d5a8b86828f9befb6342de1cd494478bc4bedab785a6a27ee5b598695776af06adf5975bd3a3d03469c170f7a29e40223450

C:\Windows\SysWOW64\Lpcfkm32.exe

MD5 32a1a6d948164b8a8350a3d840251a47
SHA1 0a9e83b9f168c3fa999b4b947010bee96d31ebd4
SHA256 df72d43272379ea14bc80107c31d4822942840e4d97e0ebf746c43fcc34dbcf4
SHA512 20456c380217010fad461b0cb996f4192d95a3d0b9e9b9af3f14c49dd4108321215ba59c3a83597d9f25ac990e1a58f86b88530bcf097b899434d5cdfa3d00e2

C:\Windows\SysWOW64\Lepncd32.exe

MD5 a8a1122f48af74efe353b7cf802cfb92
SHA1 b553242dda0574c8ddf61bbde2f1649dfa6554ca
SHA256 080191088d90cf9ba7a5c17793c46af07e1d5b9de49cd815ca3bd05344bd3254
SHA512 8d1e71c79d62e74ef1d5bf818da1b81e774493f12a0326d230f88d3fe2901f3738a783a5fcd2967908bd8bd9801d2d0f001fb16b37cbf454d928c3a31f2fef08

C:\Windows\SysWOW64\Ldanqkki.exe

MD5 af67a51559ba4099c89aa22ccc60e326
SHA1 18795469a19150ebee92b0b111b8da1532a15d85
SHA256 2c44983ec3b8b8bb0f382bd1041756658a1935c5eec285a816ef1bc6be611cd6
SHA512 9e08cb799c46e3dcb1ba952b0c8d7d0651cb843f454e5b5300bc59adc3380a8fce4a83690c42b4803812e568c31e6e7b5b66049f06a8642ecae2209fe2bd0a9d

C:\Windows\SysWOW64\Mpjlklok.exe

MD5 3c97a2e2c8a2f732297232af213c10ab
SHA1 857b88932724e6fbc77265bcef2cc88c3a87febb
SHA256 e17c453fa8b2010ec3a89118f79919c20fff3474cb1b8bb669eac5533a29f46b
SHA512 c7a2e89db8ee50e2a55068c335ea1eb2b16042df3a85b83f5b73b2b58b33943ae6d2d74cd2a44f546c0179aeac34524137f429ea849c9cc8fd34cef1ede7a1a3

C:\Windows\SysWOW64\Lphoelqn.exe

MD5 9d06b39bd9768efe985d740cd5c8f3e8
SHA1 326dbf22a6aa2040574717416c1a65b88c1e03ed
SHA256 20a5b239061a17ddceaac0c411e2478dd32c5dc3d4fb17d12f65687014db1d45
SHA512 57d1d3cd4b80c9d4e9920ab984a420edbf22a1892a42a28b08db581a2fb16d052799b00f90bb49512ffb7fdbc5a34d42fad9e214065d2c74830a13d845d235d9

C:\Windows\SysWOW64\Mmpijp32.exe

MD5 cbacf3d6ecdc3a0f9b1bf9a2cea2c136
SHA1 47f46130959aee197c51d444674d6fa334180ae8
SHA256 1a0b482ee6139485ab2178de02a61042d812349635dfd09571773126f782c004
SHA512 d592920c93c6cfeedd8f0d4237d3a73389a2b18e1d4a4b37e7a9b02dfacad45545ddabbb2f5f56368c5d30cc36b6842add6186cb39acde5ebecd96375d27ca27

C:\Windows\SysWOW64\Mmbfpp32.exe

MD5 2d2122aef70022cbcb45d17bed7a67d1
SHA1 0f5c84cd5874b26087305fd2138a21ed782cad0c
SHA256 02e37cf28cf53931ec46b68c3c0f4ae6ad1fca10cce05ec2ad431d05c2f70f13
SHA512 6ec4e78df54ad9dd0ca7b80c8db7a053aa5469a21584d3b8fa6ee723783540d3fd26ab7a90ff91cb4413eeab089c63a02e7c061cb11457f0225543e4c645056f

C:\Windows\SysWOW64\Mcpnhfhf.exe

MD5 c877de56d45adc67d44044896bf47be1
SHA1 e44f194c04088d5670f620cdfce494a5c9f09c55
SHA256 cc7217ca0a3ea91d4bdc5cc44b0a2098176b13431d4a78727a71979c3737774f
SHA512 6a84e9e92e323f0a2f545fd1c262c1f5744bd4de8b6e6611bc276485f28723175e25c6f2106116dbfedffb08f238ea14da036b7e02cd5f30a3774f620bfec732

C:\Windows\SysWOW64\Mlhbal32.exe

MD5 2b56e1e216a6fc41f94c7b065ede52e7
SHA1 2e87784e149b3637273874c2d6fde7ea8d304418
SHA256 6da3f8d593b62e585efa88f8f0023d998c4b6d6e85642eb1d3fd9fd893781f99
SHA512 2cc7f66b9a8017143e1ee0cc8a359d878f5318b60e9bd68a75592010291e9bd045fbcbf7b1493d5302379e19d5221d4be443b4988880c4cf8ad4ecc91f03e6db

C:\Windows\SysWOW64\Ncdgcf32.exe

MD5 50f2e1967157ff83fe1a3b9731dc43d5
SHA1 38929be75f1cdfd92ad005da2ed04d57a814342c
SHA256 713bb08c6377c7fab1c0b45070474b8d10fe254892d4133d024dcc6734966eae
SHA512 55c21bfc22c65d03097c3eadf2dd50a2eba471daeb7e234ee59c6ab340c70639531ab33637986ec25cf40a498df0caa7ff245726499028cba0c769c30a14231a

C:\Windows\SysWOW64\Ngbpidjh.exe

MD5 deb5439416fb9b28f26dcdbad705363f
SHA1 343d68f3dc4b63acda6d2be62d72903a92d2088e
SHA256 eb3e37081ae7b189a8dc1f62fb9c21e2b3c5312bd287228260b61435af640769
SHA512 d6ef800b405bf255347341a007f434b7eb53cb2ef025a81aa9da6136493a71f7586aea5ddcf07d8dc397e559b494bff813a079c4e446a0a7ea5a11b1727e6adf

C:\Windows\SysWOW64\Npmagine.exe

MD5 b4b2a3483964cad5919c1d39cd960d37
SHA1 6383b63a547f8439b828fd57c09107a2c577de19
SHA256 031f79a7e4df651794f226298346143d7482a31c5fef942a7d4580eda52a2312
SHA512 2d3c42efcceee6f6662d5226a188156841c727d281cb2875f829954de9191fef51a6dcd26406a8a2c1466b7eb26e70f272ad1328b0698728d27341da76085e38

C:\Windows\SysWOW64\Oponmilc.exe

MD5 7ba9892e3878b192f9963220231f34e6
SHA1 cd39fb6c9bcfe96226b1611a26fe08eca5fe9388
SHA256 ec762d587c4ab616c5c743d4453cb28e7c93ecc3d6daa690855278cf592de7ba
SHA512 9d427f695cc0c70f433f5c4683209606576eee55148d37851f4f2ed6d67e7b5f7c0683b1ea61ff08e025372bff9fb4a9321a804c1e2939fa9872969505c06d10

C:\Windows\SysWOW64\Ojgbfocc.exe

MD5 faa022d959fbdaf731065ad70ef1591c
SHA1 c3d289693c43bf108d7e46becd694d5948a7988d
SHA256 3b172e24f63ef91ac8bd4e58ce5db95938121855fd7fda6e73a0ab6adc31a258
SHA512 a15891da17f7bf35e92d4379d5abfb0d7c80dd3d5a8c1046bb4cee6e744736a20d6e41e53ed28b1760547bb9b1251891d78b7d0e909d99c2c4372bea9929df9d

C:\Windows\SysWOW64\Opakbi32.exe

MD5 62253cebad8bea4b02da881fea7dab74
SHA1 7ee58b22ca365f9b88956a1c948d3285427c4e8d
SHA256 9b6a0a7c8c1ae55593cfb007f714fdee7747c4ddc06601367fc00873ae465d35
SHA512 97723cf49d275fd3558ba694cc028ae6a26a4eb8dd1db7943e3e6f532527296c177e6b2909a33b121473693544508f075210fe53a3072008815f71b4f2ca9e61

C:\Windows\SysWOW64\Oneklm32.exe

MD5 233e66bef98ba48c02ce9779da360788
SHA1 f021bbdcffe03648c798e757a277a54931194747
SHA256 29bdf4048593b716578bedfcdb871e8363606d8c2ac6096e7c7b5bcbe380f131
SHA512 45b20e1b0ce71010b265de61e23efdd451da750bf79a28f6adec81d99082b9eab5d60b399cec7e3229ff068459d1f421ed0d7896f9491f7133e735f90a7601b1

C:\Windows\SysWOW64\Olkhmi32.exe

MD5 957280cc386edf113116cb8b8ed2c265
SHA1 d96e294551c92a76a1bbb5e02f0ef3d46d3113f9
SHA256 a31d05312e4051010b62451e56f4bf679edcfcd1a2f32de240ac4364c1e1459d
SHA512 bec8786e71dea446c5ff4545289b9e4565b0db49b0207f2da25ecdeeff153d5834cc5760ea0688b08eb0ff7d8b47c75b30c2510652aa597917505d7f0d10679d

C:\Windows\SysWOW64\Oqhacgdh.exe

MD5 4a4fe365efc98b1217da7981cfdc90b4
SHA1 1b5227817b011b62aea45d66e1be5cf7f1903a16
SHA256 edec0089eb7966389d6dbbd44a414c44980f84826c92a338e76090825bfcd2aa
SHA512 224e4f31b97dbbbc8d78c4bc6965db8c381493e9f5380fe59ef7781797150b672a920110902440fb9ffce447cc4ccbae26cb882319e9dbad34eebfd14ad8dcbe

C:\Windows\SysWOW64\Ogbipa32.exe

MD5 226ed1c9da97653617843029322c1183
SHA1 196867bf487660ae3ac632b691e53ac9d1c0cd7f
SHA256 a57175bb9460e6a90cbd823a4fdafaa9112942e01b1589e86bec8b081b6476c1
SHA512 93ca9cddd181b6915ad00b1ff3097657ffdce74f09f1b89b2bb49ad920ecb17908753aead243cace612e8a09ab7103449b80bbaa7be1931054603d74bd1dcb94

C:\Windows\SysWOW64\Pqknig32.exe

MD5 777ac64c93c7bd611af9a7292cd28ffb
SHA1 50d1b26e8714779870e1fca9a60e504d4d392fc8
SHA256 deb1167793625290f2aa871955443ffdf850f986a9c01480ac1449fd3a7921d2
SHA512 118d80588e52dde0f129416901b525f25e0b9c3dfb88faa9c2fc5237433c31d6f6e32266e9a885b99c7799a7cc1b4bc9378f3efdc0edb3546b6f3b49501ecaf5

C:\Windows\SysWOW64\Pmannhhj.exe

MD5 0109aa9e16b298637932fe719a3dfba1
SHA1 8d9e3401571a3365d75366201b66b439c58dd423
SHA256 4805f0b1426a9bda1782906754e5bdb43465ab67e603f3b34922062b26cf55be
SHA512 7d32fc322ff359458f1ce257f5efb862ce928d49d1d0cc99bf21eb0aa6ccadf7bf33dacf87acc9d2e3d57452ec6fc843048ab1b57e83bdc7f8091d3df081125c

C:\Windows\SysWOW64\Pclgkb32.exe

MD5 dfa92fca556c0c4c854dd0b51568fa80
SHA1 981c9418546e57f4766fc15e67eeecb591c9e0b2
SHA256 73c64dd51b28414beed631565e2220333cfb23cf94313bbe08202b3168ab51d4
SHA512 f563757fc04ae03a0751f33b1a70aeb91d2c6fcdf623f185c2191140c63a03cf78200df3bb1975a81b0ff24094e2df6ecb0ea5bbbd75ab7608a602c98cf90398

C:\Windows\SysWOW64\Pjeoglgc.exe

MD5 18c82a02e0ebe7f9dceaffb7c477a3b7
SHA1 f88cfb9cd472a293c191819a6d36f27c1051f788
SHA256 b70efdde525ad1ba7f72b3353aa44467b6ed2a2a6f12ca59dfd7012b01795f3e
SHA512 da2a20cec360fd9a7fa62c61181ba738febe1fe8b5bb28a09cf5d6904b8946425e1eb7953d88487dc8c87f0301fbf27bdb6310c4c520c1579e4f370ec28b3e96

C:\Windows\SysWOW64\Pgioqq32.exe

MD5 bfb5924c41fd25f10fd97bc6b0779c95
SHA1 32530331d8c4bd039311431863331ab72f737e01
SHA256 c1f57eb5f8d97585dc0a404d49b97d518593fed5fda5d3f2cff364976e70a127
SHA512 3a4df88e465b3b73386977540d7caa759260fe29f652e86e36d166352830ca7c29632a31a5dbd9895ccbfcd5cde53d2388b8e46139b72bbf062ca97e329bb646

C:\Windows\SysWOW64\Pcppfaka.exe

MD5 d3493674a52de61015abfadafe0b50f3
SHA1 f739d1ea6575d417429a0f077d68b51962863468
SHA256 70e92bb2f1f16fa7e6fcbf35226903a2c1b2767bfbb624aa3479c4f7a3829e1c
SHA512 0b67df36233758010c83b8d4a81b5bb79926a1300ec1001070e184a206a7ad802bf2a75a038b67368aa52e8e6e96475ed9fd18bfb63617b410baa79288b20401

C:\Windows\SysWOW64\Pjjhbl32.exe

MD5 7850fc44b923ca4e2c1c9d324aaff5c3
SHA1 db09b3411965d55597aef05bd5f00d78b899e071
SHA256 3f9d237b3c640b0af039376b16a70ccd32a4caed070178ea7e196cf0a2d0f140
SHA512 91a47d353fa2ef48d5be9c2b5619924695a2951cd6b81edd251d6036374c8069f9064a034fdede9b904b1a2d6cbec17885946b54a643ea5bc2508469fbd4a1b5

C:\Windows\SysWOW64\Pqdqof32.exe

MD5 58a59d2e8af709ca36ba21931e95fa3d
SHA1 9585c16ad3e786fd3bd66f3f1d4a7be5d584dc31
SHA256 9049ba36b5c7f646493891058d118575fb5b73d0370989f0edf9ccadc9def3f6
SHA512 1f815e718c32208498958dc23e47617aea4584d06d48e5b6f1bc46418782385e5261047ae4dea18c8fca22ae68cf2ac9d1944132c6c5b34ca53d5221733b1138

C:\Windows\SysWOW64\Qmmnjfnl.exe

MD5 49fb87afcacb6372cc559488123bdfac
SHA1 31b247a4af975b4781a2c16d57c96553a7fd7ba2
SHA256 b6df1eeab6f0870f26d565c33e56124d2fa1af67f62df0e3b8b750b9712620d4
SHA512 8323c8c156f08f314a469bcb23dcfdb697890037d052db1dcafa1dcaee1a7c10207f227037450960d932ceec1b3aa029f82434d6c0f18e2cb4805fe81a743537

C:\Windows\SysWOW64\Acnlgp32.exe

MD5 d80387ca9f3b69edb6badd07ec1ac90e
SHA1 fdc2e2722c2786c7e3b610f3d1de0c8a25676973
SHA256 d6f9ceb56c0c50f424feb82a75c8ae2ba67d223638e7f21df66d2f179e12b777
SHA512 83327d90261c48789556d272783754d011608aa68b8943afbbbbfd21924725eb4a24011d02946fac1b84c47c90044590263d201eefeac1a3f1c689c542ef2dc4

C:\Windows\SysWOW64\Acqimo32.exe

MD5 c1d87a90ba51090c3666872019a8ecd6
SHA1 41fa45e8d0667aef2f937a26c7cef990c56c5917
SHA256 61a58b025d213c4f2bfd0e7ec898052677bd96d9d1b92955140546d0550a19fd
SHA512 39d76d2e6bb6deb36afc20d92cc2236e40e38e033a9c69ed8356aea1ed5a10ef12d9de55a83ae2ce921739554acf5ff6ba612125a18fb6ac8425f96aeb8cddfe

C:\Windows\SysWOW64\Bagflcje.exe

MD5 d2e662ee07976f5b412335b23e940770
SHA1 47c50e7f540d1cfd6644c3c3af2df760a0915c34
SHA256 b82c15d7394ec97c93e2c9ef806bb7ef1276e9ef7f04919d6ae0e5de39d97e13
SHA512 89ff15e0ee8a247ac7a22cfb37760e59819c112f2143bb21fb99e842cd204856789eb32824b37dbaf3b906d4e6145b5cadcb2bddf9f10eb9dcb28acd9b8cf927

C:\Windows\SysWOW64\Baicac32.exe

MD5 46fb2a60d8a604ffbc445f477672c14d
SHA1 846c0b09051beab132bf05ed1062d69affd3f682
SHA256 b89d330bda3744789bf421b4908123f252c2296444f6f7147f7cec41340912bd
SHA512 d22590e4e72f12f814b9692388a46dafead77dd0b8fef7d41c63b489b6be2fef8472ffeee5b0ec73ab4c983736afe77c1b0ada933e93c0d347e26bb3a7b7588b

C:\Windows\SysWOW64\Bfhhoi32.exe

MD5 38508d6daf090bdf6b29cc8f35bdcb24
SHA1 eab2c11dbb211e5aaf8f074c1963ea31fbd48188
SHA256 ac1741eccce9da233de7dd59681de9e5f91dd71ae2b14271c1d308a3c3f206d4
SHA512 cffddc1b67c85e274e384ebb7a26bf33e95cab0d3ea47477bba6fca5d33a76a6572fe3ad6b9e3e6d5e1a1ae32c4f2ffd4012aa94f674dc012fa486b4cb3f562e

C:\Windows\SysWOW64\Cndikf32.exe

MD5 e67c30652eec668e1bc4f817ddde73a4
SHA1 0d27f83ef3b78e1d4fa425eeedb715c70ccd9f6b
SHA256 df31bd9ad15965602542dc293f7285c055bb4dee2333942a2a7e763440360875
SHA512 688f216483ccbd75ed486a74a0bebf5995ca8d8e61ac8b0f30ace34ed3a70b1986c89acd97d333ee5b9fda357ceaa99e5739066099c99f1d6b0d3185367bd577

C:\Windows\SysWOW64\Cenahpha.exe

MD5 a3059b3c88fcc0d4da53ed0f432bd2ea
SHA1 cb7038f21b1e9de23163e6ce2875bc09a83ae83e
SHA256 002f0d70615076a7bc8f5750b83979d05290e563c1f9be710a3fdfe7f317565a
SHA512 b7f97c25d760751cf3d1c910308e34bc39d1ea198eb06c81ba7a9d3e0ef42f2c16cdc191c63765f04e4ff7ef19c0304a4ef996f02d8317fff5d64ec72d5e0d47

C:\Windows\SysWOW64\Cjmgfgdf.exe

MD5 a0322afa67f9d66d9caddf9d7fd98a25
SHA1 a72a9baaf8db99519da71ff939056aef2736a037
SHA256 8c56299df23d0847a989d9b4ac6a4df7ec58cad043cc61c7ef8d0a3be9c161d7
SHA512 eaf6d2621a1f1415e332519284bd68e8c12a9ee8c65277bed87c860b9ce1ae1765bd25a61da01e3a375e71fa667c2a017ea8362c7e3603d551521903bbae1ad7

C:\Windows\SysWOW64\Cffdpghg.exe

MD5 b3832fb6af7f6838992cf11bccf5963d
SHA1 215a2c49cb63eb1cad67c6228e6fd6fad1416d49
SHA256 de2c8570b029ae0189f6a758796da8145968c5aff64b363a4fddabb2e385f0ab
SHA512 5e20af0aee99b29ed892d8180f124b99ea3e5f89cebb24497d5d7c8f9f48e01afb9a83303aead09f436250a4dea123a73330dc2683d24dbb9f4db00e5da767c5

C:\Windows\SysWOW64\Cegdnopg.exe

MD5 d376e516b86b42101347e216e021a56b
SHA1 8381861c35521e1454abc078246669d4c0757704
SHA256 43e2c8710b8369ac57b53640ae0e557b54ae6c27cfbf5c913928889b9acfe1a6
SHA512 cf8306b50828f4718ae3627f0cb128b758df37c13bdef7bfc64e64f4ded7ba68a210274805abf96b76342ca1d7a4c411e0bde3b5a7b332d67ee39110cb205640

C:\Windows\SysWOW64\Dfiafg32.exe

MD5 bca0fd1f0cad8c5d4194ccf785bbc237
SHA1 b0fabd36f3039717854ebb4954d898534ec4f247
SHA256 0abe52a8fbc5a369e64e522287301fc9dc9ca1ac37a36398818aaac99e32b0e3
SHA512 4fea90487b970fb5b23d1badde023cc2a43fad2c61dd8004b061565404e8f01aaada3a61bb588814b4f3139c7d74ea985c8f0de7bfb9f34d953f330e940e8d4b

C:\Windows\SysWOW64\Delnin32.exe

MD5 b52fc6f938f7bd59853f96f2dd95435e
SHA1 5736fef90f832443c36eabc57aac635f6ef0ceae
SHA256 349d9a2fb01ac7956fd39dd8d984239cda40cf7803b44b9adea4862d0c604ef7
SHA512 014bdc5f83cbd1255c725b979722e2b416b308fb3144140150adffd8a3a14bbf1074eb35398f4689503a3d4aa457c3de7a6890bcb39d94e40ae55b6b3b67ed3e

C:\Windows\SysWOW64\Deagdn32.exe

MD5 a6e2ab349bd9db477f37d1e093ce8fa3
SHA1 9b215480fde3f8ae19a2ac418623a83884698af8
SHA256 e7d54504154931473e390782ea800271dc978c7e98af232a6f7db08c8f1e88d0
SHA512 e15820f0def9b95b09b4c708208b03068aef810485ffaee79b698e69af3f4e5d5b68da49afef068f5e7bc1bac003f5b7cb97d79d487ab4f0cf2118ea983f9370

memory/4264-2510-0x0000000000400000-0x0000000000453000-memory.dmp

memory/9100-2543-0x0000000000400000-0x0000000000453000-memory.dmp

memory/8020-2594-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7896-2647-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7828-2648-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7212-2717-0x0000000000400000-0x0000000000453000-memory.dmp

memory/6668-2746-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5332-2866-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4912-2946-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1332-2957-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4952-3053-0x0000000000400000-0x0000000000453000-memory.dmp

memory/776-3059-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4664-3075-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4316-3031-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4088-3020-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4884-3009-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3536-3001-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5116-2987-0x0000000000400000-0x0000000000453000-memory.dmp

memory/464-2940-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5132-2938-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5600-2917-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5664-2914-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5504-2886-0x0000000000400000-0x0000000000453000-memory.dmp

memory/6824-2804-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7028-2795-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7160-2788-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7120-2791-0x0000000000400000-0x0000000000453000-memory.dmp

memory/6560-2777-0x0000000000400000-0x0000000000453000-memory.dmp

memory/6952-2764-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7980-2679-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7448-2659-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7612-2655-0x0000000000400000-0x0000000000453000-memory.dmp

memory/7740-2626-0x0000000000400000-0x0000000000453000-memory.dmp

memory/9416-2410-0x0000000000400000-0x0000000000453000-memory.dmp

memory/10216-2407-0x0000000000400000-0x0000000000453000-memory.dmp

memory/10248-2406-0x0000000000400000-0x0000000000453000-memory.dmp

memory/10452-2402-0x0000000000400000-0x0000000000453000-memory.dmp

memory/10812-2392-0x0000000000400000-0x0000000000453000-memory.dmp