Malware Analysis Report

2025-08-11 01:59

Sample ID 240509-d6cxtsbc94
Target e12b29b27bfebd1b732b3aea09960350_NEIKI
SHA256 a586a7dfaaae3c882b02bff4ab252083f6db3585f308de241a6b4a48def8d55a
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a586a7dfaaae3c882b02bff4ab252083f6db3585f308de241a6b4a48def8d55a

Threat Level: Known bad

The file e12b29b27bfebd1b732b3aea09960350_NEIKI was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 03:36

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 03:36

Reported

2024-05-09 03:39

Platform

win7-20240220-en

Max time kernel

148s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ppamme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnilobkm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbfjdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjijdadm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebedndfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Banepo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmafennb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqonkmdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hknach32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncjgbcoi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baqbenep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdooajdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebpkce32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Doobajme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epaogi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekholjqg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bghabf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cngcjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkkpbgli.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckignd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmoipopd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faokjpfd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hobcak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obkdonic.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfgmhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfgmhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hknach32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfiidobe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pigeqkai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gelppaof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Comimg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiomkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mohbip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdjefj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gelppaof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Clcflkic.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqhhknjp.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mohbip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njbcim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncjgbcoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfmmin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nofabc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbfjdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obkdonic.exe N/A
N/A N/A C:\Windows\SysWOW64\Pminkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfiidobe.exe N/A
N/A N/A C:\Windows\SysWOW64\Pigeqkai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppamme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnfjna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmibdlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Apajlhka.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bommnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Banepo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Baqbenep.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgpgce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfeddafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbmjplb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkkpbgli.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnilobkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfgmhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Epaogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebpkce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekholjqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe N/A
N/A N/A C:\Windows\SysWOW64\Mohbip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mohbip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njbcim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njbcim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncjgbcoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncjgbcoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfmmin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfmmin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nofabc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nofabc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbfjdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbfjdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obkdonic.exe N/A
N/A N/A C:\Windows\SysWOW64\Obkdonic.exe N/A
N/A N/A C:\Windows\SysWOW64\Pminkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pminkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfiidobe.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfiidobe.exe N/A
N/A N/A C:\Windows\SysWOW64\Pigeqkai.exe N/A
N/A N/A C:\Windows\SysWOW64\Pigeqkai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppamme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppamme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnfjna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnfjna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmibdlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmibdlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Apajlhka.exe N/A
N/A N/A C:\Windows\SysWOW64\Apajlhka.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bommnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bommnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Banepo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Banepo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Baqbenep.exe N/A
N/A N/A C:\Windows\SysWOW64\Baqbenep.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgpgce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgpgce32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Epieghdk.exe N/A
File opened for modification C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Eloemi32.exe N/A
File created C:\Windows\SysWOW64\Fjilieka.exe C:\Windows\SysWOW64\Fpdhklkl.exe N/A
File created C:\Windows\SysWOW64\Hobcak32.exe C:\Windows\SysWOW64\Hpocfncj.exe N/A
File created C:\Windows\SysWOW64\Pigeqkai.exe C:\Windows\SysWOW64\Pfiidobe.exe N/A
File created C:\Windows\SysWOW64\Baqbenep.exe C:\Windows\SysWOW64\Bjijdadm.exe N/A
File opened for modification C:\Windows\SysWOW64\Clcflkic.exe C:\Windows\SysWOW64\Cckace32.exe N/A
File created C:\Windows\SysWOW64\Epgnljad.dll C:\Windows\SysWOW64\Dcfdgiid.exe N/A
File created C:\Windows\SysWOW64\Nokeef32.dll C:\Windows\SysWOW64\Hpocfncj.exe N/A
File created C:\Windows\SysWOW64\Bjijdadm.exe C:\Windows\SysWOW64\Bhhnli32.exe N/A
File created C:\Windows\SysWOW64\Hpenlb32.dll C:\Windows\SysWOW64\Clcflkic.exe N/A
File created C:\Windows\SysWOW64\Naeqjnho.dll C:\Windows\SysWOW64\Dkmmhf32.exe N/A
File created C:\Windows\SysWOW64\Ebpkce32.exe C:\Windows\SysWOW64\Epaogi32.exe N/A
File created C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Ebedndfa.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bommnc32.exe N/A
File created C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cngcjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File created C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dmoipopd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Djbiicon.exe N/A
File created C:\Windows\SysWOW64\Cgqjffca.dll C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfmmin32.exe C:\Windows\SysWOW64\Ncjgbcoi.exe N/A
File created C:\Windows\SysWOW64\Bnebmi32.dll C:\Windows\SysWOW64\Nfmmin32.exe N/A
File created C:\Windows\SysWOW64\Gkgaje32.dll C:\Windows\SysWOW64\Nofabc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Obkdonic.exe C:\Windows\SysWOW64\Nbfjdn32.exe N/A
File created C:\Windows\SysWOW64\Efjcibje.dll C:\Windows\SysWOW64\Epieghdk.exe N/A
File created C:\Windows\SysWOW64\Hkkmeglp.dll C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Nbniiffi.dll C:\Windows\SysWOW64\Hobcak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njbcim32.exe C:\Windows\SysWOW64\Mohbip32.exe N/A
File created C:\Windows\SysWOW64\Nbfjdn32.exe C:\Windows\SysWOW64\Nofabc32.exe N/A
File created C:\Windows\SysWOW64\Kjqipbka.dll C:\Windows\SysWOW64\Bingpmnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Doobajme.exe N/A
File created C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File created C:\Windows\SysWOW64\Aoipdkgg.dll C:\Windows\SysWOW64\Bpafkknm.exe N/A
File created C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File created C:\Windows\SysWOW64\Bnkajj32.dll C:\Windows\SysWOW64\Fpdhklkl.exe N/A
File created C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hdfflm32.exe N/A
File created C:\Windows\SysWOW64\Ongbcmlc.dll C:\Windows\SysWOW64\Faokjpfd.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe C:\Windows\SysWOW64\Gkgkbipp.exe N/A
File created C:\Windows\SysWOW64\Jpbpbqda.dll C:\Windows\SysWOW64\Djbiicon.exe N/A
File created C:\Windows\SysWOW64\Cfeoofge.dll C:\Windows\SysWOW64\Eihfjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Eiomkn32.exe N/A
File created C:\Windows\SysWOW64\Acpmei32.dll C:\Windows\SysWOW64\Eloemi32.exe N/A
File created C:\Windows\SysWOW64\Pfiidobe.exe C:\Windows\SysWOW64\Pminkk32.exe N/A
File created C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Abmibdlh.exe N/A
File created C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bingpmnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Comimg32.exe C:\Windows\SysWOW64\Cfeddafl.exe N/A
File created C:\Windows\SysWOW64\Fhffaj32.exe C:\Windows\SysWOW64\Fehjeo32.exe N/A
File created C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gelppaof.exe N/A
File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Apajlhka.exe N/A
File created C:\Windows\SysWOW64\Alihbgdo.dll C:\Windows\SysWOW64\Bhhnli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gldkfl32.exe C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File created C:\Windows\SysWOW64\Jpajnpao.dll C:\Windows\SysWOW64\Gmjaic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Ekholjqg.exe N/A
File created C:\Windows\SysWOW64\Eaepofcm.dll C:\Windows\SysWOW64\Mohbip32.exe N/A
File created C:\Windows\SysWOW64\Ccedfd32.dll C:\Windows\SysWOW64\Njbcim32.exe N/A
File created C:\Windows\SysWOW64\Gmdecfpj.dll C:\Windows\SysWOW64\Banepo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Dkmmhf32.exe N/A
File created C:\Windows\SysWOW64\Ggpimica.exe C:\Windows\SysWOW64\Glfhll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Nofabc32.exe C:\Windows\SysWOW64\Nfmmin32.exe N/A
File created C:\Windows\SysWOW64\Bdooajdc.exe C:\Windows\SysWOW64\Baqbenep.exe N/A
File created C:\Windows\SysWOW64\Fkahhbbj.dll C:\Windows\SysWOW64\Dqhhknjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Ebpkce32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocdp32.dll" C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklgpmjo.dll" C:\Windows\SysWOW64\Ckignd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndbcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbenjka.dll" C:\Windows\SysWOW64\Cndbcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll" C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njbcim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbfjdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pigeqkai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmekoalh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnfjna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdakgibq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll" C:\Windows\SysWOW64\Fmekoalh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epafjqck.dll" C:\Windows\SysWOW64\Eqonkmdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bommnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnilobkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfgmhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pminkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjilieka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfeddafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ekholjqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nfmmin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nfmmin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pfiidobe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pminkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhkqaj.dll" C:\Windows\SysWOW64\Bghabf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" C:\Windows\SysWOW64\Cfeddafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" C:\Windows\SysWOW64\Ebedndfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apajlhka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" C:\Windows\SysWOW64\Hdfflm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abmibdlh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fehjeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njbcim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epaogi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ppamme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahdmkl.dll" C:\Windows\SysWOW64\Bjijdadm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obkdonic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gelppaof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hdfflm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekpaqgc.dll" C:\Windows\SysWOW64\Ekholjqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" C:\Windows\SysWOW64\Hcifgjgc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe C:\Windows\SysWOW64\Mohbip32.exe
PID 1996 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Mohbip32.exe C:\Windows\SysWOW64\Njbcim32.exe
PID 2476 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Njbcim32.exe C:\Windows\SysWOW64\Ncjgbcoi.exe
PID 2604 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Ncjgbcoi.exe C:\Windows\SysWOW64\Nfmmin32.exe
PID 2548 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Nfmmin32.exe C:\Windows\SysWOW64\Nofabc32.exe
PID 2132 wrote to memory of 2404 N/A C:\Windows\SysWOW64\Nofabc32.exe C:\Windows\SysWOW64\Nbfjdn32.exe
PID 2404 wrote to memory of 344 N/A C:\Windows\SysWOW64\Nbfjdn32.exe C:\Windows\SysWOW64\Obkdonic.exe
PID 344 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Obkdonic.exe C:\Windows\SysWOW64\Pminkk32.exe
PID 2668 wrote to memory of 1236 N/A C:\Windows\SysWOW64\Pminkk32.exe C:\Windows\SysWOW64\Pfiidobe.exe
PID 1236 wrote to memory of 1916 N/A C:\Windows\SysWOW64\Pfiidobe.exe C:\Windows\SysWOW64\Pigeqkai.exe
PID 1916 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Pigeqkai.exe C:\Windows\SysWOW64\Ppamme32.exe
PID 2284 wrote to memory of 500 N/A C:\Windows\SysWOW64\Ppamme32.exe C:\Windows\SysWOW64\Qnfjna32.exe
PID 500 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Qnfjna32.exe C:\Windows\SysWOW64\Apomfh32.exe
PID 1612 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Abmibdlh.exe
PID 2240 wrote to memory of 2212 N/A C:\Windows\SysWOW64\Abmibdlh.exe C:\Windows\SysWOW64\Apajlhka.exe
PID 2212 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Bingpmnl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe"

C:\Windows\SysWOW64\Mohbip32.exe

C:\Windows\system32\Mohbip32.exe

C:\Windows\SysWOW64\Njbcim32.exe

C:\Windows\system32\Njbcim32.exe

C:\Windows\SysWOW64\Ncjgbcoi.exe

C:\Windows\system32\Ncjgbcoi.exe

C:\Windows\SysWOW64\Nfmmin32.exe

C:\Windows\system32\Nfmmin32.exe

C:\Windows\SysWOW64\Nofabc32.exe

C:\Windows\system32\Nofabc32.exe

C:\Windows\SysWOW64\Nbfjdn32.exe

C:\Windows\system32\Nbfjdn32.exe

C:\Windows\SysWOW64\Obkdonic.exe

C:\Windows\system32\Obkdonic.exe

C:\Windows\SysWOW64\Pminkk32.exe

C:\Windows\system32\Pminkk32.exe

C:\Windows\SysWOW64\Pfiidobe.exe

C:\Windows\system32\Pfiidobe.exe

C:\Windows\SysWOW64\Pigeqkai.exe

C:\Windows\system32\Pigeqkai.exe

C:\Windows\SysWOW64\Ppamme32.exe

C:\Windows\system32\Ppamme32.exe

C:\Windows\SysWOW64\Qnfjna32.exe

C:\Windows\system32\Qnfjna32.exe

C:\Windows\SysWOW64\Apomfh32.exe

C:\Windows\system32\Apomfh32.exe

C:\Windows\SysWOW64\Abmibdlh.exe

C:\Windows\system32\Abmibdlh.exe

C:\Windows\SysWOW64\Apajlhka.exe

C:\Windows\system32\Apajlhka.exe

C:\Windows\SysWOW64\Bingpmnl.exe

C:\Windows\system32\Bingpmnl.exe

C:\Windows\SysWOW64\Bkodhe32.exe

C:\Windows\system32\Bkodhe32.exe

C:\Windows\SysWOW64\Bommnc32.exe

C:\Windows\system32\Bommnc32.exe

C:\Windows\SysWOW64\Bdjefj32.exe

C:\Windows\system32\Bdjefj32.exe

C:\Windows\SysWOW64\Bghabf32.exe

C:\Windows\system32\Bghabf32.exe

C:\Windows\SysWOW64\Bopicc32.exe

C:\Windows\system32\Bopicc32.exe

C:\Windows\SysWOW64\Banepo32.exe

C:\Windows\system32\Banepo32.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bhhnli32.exe

C:\Windows\system32\Bhhnli32.exe

C:\Windows\SysWOW64\Bjijdadm.exe

C:\Windows\system32\Bjijdadm.exe

C:\Windows\SysWOW64\Baqbenep.exe

C:\Windows\system32\Baqbenep.exe

C:\Windows\SysWOW64\Bdooajdc.exe

C:\Windows\system32\Bdooajdc.exe

C:\Windows\SysWOW64\Ckignd32.exe

C:\Windows\system32\Ckignd32.exe

C:\Windows\SysWOW64\Cngcjo32.exe

C:\Windows\system32\Cngcjo32.exe

C:\Windows\SysWOW64\Cdakgibq.exe

C:\Windows\system32\Cdakgibq.exe

C:\Windows\SysWOW64\Cgpgce32.exe

C:\Windows\system32\Cgpgce32.exe

C:\Windows\SysWOW64\Cphlljge.exe

C:\Windows\system32\Cphlljge.exe

C:\Windows\SysWOW64\Cfeddafl.exe

C:\Windows\system32\Cfeddafl.exe

C:\Windows\SysWOW64\Comimg32.exe

C:\Windows\system32\Comimg32.exe

C:\Windows\SysWOW64\Cjbmjplb.exe

C:\Windows\system32\Cjbmjplb.exe

C:\Windows\SysWOW64\Cckace32.exe

C:\Windows\system32\Cckace32.exe

C:\Windows\SysWOW64\Clcflkic.exe

C:\Windows\system32\Clcflkic.exe

C:\Windows\SysWOW64\Cndbcc32.exe

C:\Windows\system32\Cndbcc32.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dbbkja32.exe

C:\Windows\system32\Dbbkja32.exe

C:\Windows\SysWOW64\Dkkpbgli.exe

C:\Windows\system32\Dkkpbgli.exe

C:\Windows\SysWOW64\Dnilobkm.exe

C:\Windows\system32\Dnilobkm.exe

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dcfdgiid.exe

C:\Windows\system32\Dcfdgiid.exe

C:\Windows\SysWOW64\Dkmmhf32.exe

C:\Windows\system32\Dkmmhf32.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dfgmhd32.exe

C:\Windows\system32\Dfgmhd32.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Dgfjbgmh.exe

C:\Windows\system32\Dgfjbgmh.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Epaogi32.exe

C:\Windows\system32\Epaogi32.exe

C:\Windows\SysWOW64\Ebpkce32.exe

C:\Windows\system32\Ebpkce32.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Ekholjqg.exe

C:\Windows\system32\Ekholjqg.exe

C:\Windows\SysWOW64\Ecpgmhai.exe

C:\Windows\system32\Ecpgmhai.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Fmekoalh.exe

C:\Windows\system32\Fmekoalh.exe

C:\Windows\SysWOW64\Fpdhklkl.exe

C:\Windows\system32\Fpdhklkl.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gkgkbipp.exe

C:\Windows\system32\Gkgkbipp.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 140

Network

N/A

Files

SHA256 d5f998e191f5c6ca98f939dd57f813f9dab3a8194a8f166f7be84f3edc770a47
SHA512 e5b005456c815cc472a12f97933d20e6413b1d4a8309d19d7e9f65320cc9d33b3e1e986d11120d24e5a3fc26d296f5fa13a9e10d034942b28d1b8407139f9f45

C:\Windows\SysWOW64\Ecpgmhai.exe

MD5 a895f320c401b2c5ff350c323f9ee88d
SHA1 525789022433fc686f08accd80b667164cb03b48
SHA256 5a92b21d90a7e723d2d2d66808c39a194a2112634d21e0e2500fde6ee0adf090
SHA512 c7ad154f9bf43c5aa86a84a96adba509a7f3fd66e9fdd5ed795d085814990d470d1e1596757b6ba7b12bfc138bd6a10ce0ee89d5a8505e20fbe4f35f040a3d20

C:\Windows\SysWOW64\Eiomkn32.exe

MD5 97efaaeff190df9ca4c2ec7c975eaa28
SHA1 715cfd9d9a1b9a010f0e5c8b72fee3e213758193
SHA256 66d7e480a195a9dc32507ca5f29877f525156369347907d362727ace43a9cc93
SHA512 d144e92cab036386371e832fe997854f0abd5934487a0030015d42a8ed53db60610e3c384d2df5f41cb73f3e72f6d3f0e57ae9ed78cb9fddde8210a4e616fc82

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 a91bc461435bfd9f66c7b4954b273336
SHA1 04af391cd6f4f0f7548f7c8eb6e3fb5fec0a8c81
SHA256 83041426a38c9e4dfcfda14cc7b859345f67488c548eaf9d8bc784130766d244
SHA512 74e9a9bd2c102893682cc0627a352aba14d483f2ffdfdeb883b57a53b1dc6d9cda771452740fdb22b3a140c97f2ba327d54ac84fc3384dec78ac77f143c35f02

C:\Windows\SysWOW64\Eloemi32.exe

MD5 4f836bc5cb5b753893a9b7e72936755c
SHA1 e78b5c6eb8091d49c1c1ac49a9d28023b0eb144a
SHA256 c3bbc3a0d1bb16f51fe515a171336364a775e7a8ac1d33333f50317af0f58185
SHA512 a4fe0b67a6112e6dabb787f055edb46e57d1149496fc0fba1807714e2cf46fad9ec4c55db768b5a0b21461b56080ff06d9a4db7f0794b87b012114bf95fae45c

C:\Windows\SysWOW64\Ealnephf.exe

MD5 0aea1a885014d366a72abb8b21121090
SHA1 bf7e25f49c4a12af3fb9e09e551ead65275ffb03
SHA256 24d03f807a0bbf87b129c195560e661e4561ef14d5c61068249d4c187dc05f30
SHA512 734e4fbc69a16d19b4f6ca55797cba9bc2722dae14d3c1b25b7a6b8aa9ab4baf4dce90ad162ac6f33491bf32a1417a462dd68d038baf0b7d04cd7bacfee0e6af

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 40974a48ca1c281b094f9a7d832435c4
SHA1 556b10d78d3ddf743eabaaedf9f3962a7490f95f
SHA256 53278e6fbd2451d11595d7fc72dab5658ad327eb6fa63e3ce8cbbd6ff7c7c85b
SHA512 4e30a96ceee9985e49285f4051c7ced092a603716aae15ac24657e76134f33f5f7a252045d8245d91dccbd2cdf659daa171401e310ead2dc2b0778d432483e53

memory/1544-708-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1832-759-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2296-758-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/2296-757-0x0000000000400000-0x0000000000433000-memory.dmp

memory/912-756-0x0000000000250000-0x0000000000283000-memory.dmp

memory/912-755-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1892-754-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/1892-753-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1948-752-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 96a0220d706d1c96c209793530fca7df
SHA1 4d769c746d88ce872670a366f6c005a6fe18a8e7
SHA256 1ef746d4662e8aa37efc21bdf9b2da6bf073ea5a564e588a1f909217f49eb7c0
SHA512 dc950f0cedc92f5f8537272b4387a3469e85c56143ee6a32508e2c540eba0817ba276291be6dabe6c1b68c11a6970a3748cb4a0bddc7c226da1b8f370faf2ff0

C:\Windows\SysWOW64\Gkgkbipp.exe

MD5 a484f5f9be9d822c87bad1d798840a10
SHA1 23945e35f5d434918e94e7ee6efcbde1853c9871
SHA256 a514bc016e76e1c8f90e57115ceecb8984e305f8b2122acc75cdb3b6f7ab6e03
SHA512 84dab76de783b085f3e251160eba9d29c0bcde5965b998ba9859471b914c39b986c6a264955e888a74ee6c659ec690ae546c76495b483c7f7a1fc15d2c2a8c6f

C:\Windows\SysWOW64\Gelppaof.exe

MD5 126c8351124c01f87acc89f93959a985
SHA1 7928a794f2f0db51fce46bb60f0113e30dde9923
SHA256 be8a2b9962e840b5a26c8a0a6126679e27f65169682477f329d97b11119e3569
SHA512 478c02ac71dabed7a5d888fedf4c03c148929dc4e1f56367356901367a8ed248ce9b89f4e7762d441a825f961bebfd6277ba38e35deac4aff3274a188b914d5d

C:\Windows\SysWOW64\Ghkllmoi.exe

MD5 524ee14f92ee085351f04708af7540c6
SHA1 c919f6ae0946d223f0f8f7acf44bc9e0a742a262
SHA256 6156f2063ad96bc4c8f561c1a8510b1140bf4352a93199260e11d01f11655e93
SHA512 43c677571246a2e18a69117102cc8637069c090a6460ad41b3eec4f26005fd7d403d19ddd7e3acebb935000242bd0b6dee8ad7997be168ebdf51ed9a0d37aeef

C:\Windows\SysWOW64\Glfhll32.exe

MD5 26f52e3ad879d25446619c07c94fa3fb
SHA1 ac384e51f3709104877185a7811602ebb2e9f827
SHA256 2a056e411699d89c2f1c1926629639e92e46bbc49cd54b9216c162651182b118
SHA512 82359823d33606e6584ebae116dbd3c91ae096b8741da102476fbe31c4995cd8bd8a3a81dcb97f24a8b39a3bf445c42d4a5730776ec0c4614abc74c07cdd730e

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 587c78620ec4ba7b9954f98d0e398d51
SHA1 146b4ced9d0f473a701c2697edaa8ed96c533761
SHA256 8cfacb3b9aaf67ea446a0ec7b14367ebb56a4f6da16c1d6fa76e63dcb43ff903
SHA512 37368d512d711733d23f2d0a16c05549dbba2f63cb8eccbf120330d3d0c4d90f182ac8c7549d99dc8fac1f73969d343b2ec78f2cafd1da3ca9e48565051c449d

C:\Windows\SysWOW64\Hknach32.exe

MD5 6ec338d9af98df15fe35e25429e055b9
SHA1 62d2f06a86989f426118ebc570bb2b394c3ea1c6
SHA256 40e35832424468db8010751be6582b22af11e13dc38eba9d02a93bcca715931c
SHA512 1d4d6d499d5de971d54ba7652e4d25a9838b2f072d24dbf0c837289ca801ec7fe7704b7f2b2b118832c0d3d6980dcb69643887b7f119825e335b428f13101463

C:\Windows\SysWOW64\Hdfflm32.exe

MD5 e32a3555c790f3c3b77117cba178df58
SHA1 a95da1836fe0c3e217f246b4fea3148692cb345b
SHA256 79b76c83a9e9503ba32326563d21fe8912f4c41f60ca0e61885f46c55ad02517
SHA512 90dc3bc6e2ef21f810c328b2d63a4f135b1e0aa6927ba1bba0d0e7578beef0049d7d8ab33945e2f8deff4938b619171871c38e7b678faf2081d9bd68b6d5e1a2

C:\Windows\SysWOW64\Hdhbam32.exe

MD5 6a75f33f3d2c2ad2f9fff2444364ae81
SHA1 a47d05e9629ef78d32b05784943d3bcf36520a57
SHA256 98244e17cc0aeccb29e8f6174efacf44bb4fbaead845e5e73b239654f5ccb6be
SHA512 7d27c0cee44ee49def06a03e88ad51f518e2fc92eeb1cb22b157bed1061eec4ba16ee914da44fd7cdde01f8aca8ec3ad7277d732620889f946a0d9a8c925092b

C:\Windows\SysWOW64\Hpapln32.exe

MD5 7db0415cf790d60efec383ecde054f4e
SHA1 a42b2c57e457923d20b69b3883eaacca44d2bac6
SHA256 47c97ab19794e94b992f23a25ac2531a734f3f1b0d455ef1d722ed5d97820f76
SHA512 23229d33d0c5d847da03db426a84c653f08a0a84a536647f73c83679c51bd439e7da6235f6784292a2adfa01bfb45ec4109baf48382a0c94b1d4de78f1eebae6

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 9b99f073b0d1c8e7c62018a285b53f74
SHA1 cae8126650f46d2794a2a9a3813f852e3abacf63
SHA256 a172aaa3df3c4c6d673907112c29caeacedf380c24d3d201cd1d82e52a9d292b
SHA512 e2a6207932c8832d866fa8b7f2ccf4f85701f480c6d4ace8eb58822139a48bed9a38528dda977341a77719c62eb013dc26f639c2f67a753892568cedb812c735

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 8f24c3a5baf6edf5292b819d762dbe5d
SHA1 2cfe7a95bc59bde72d816c57c21a6a947b45752d
SHA256 67a2542540a0b21b07cf194d1785a8ac6a6e6fda942a65cbf955dac3e61721dd
SHA512 925f72841723916de3be004322ed3ea5dacbfb228c1604c0f8266007f486e044cc2fe17ad1e204307deb18224ead927136d80176a4a6a82a58e8ccaf0fb2b2c8

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 f598b1fffa6a5ef8b5dec7c9e1f6dd4a
SHA1 d61205df2d7f69fdebb42a960c2706f54ae26b8e
SHA256 c68cbc3f78bb62b3cea72d222e45669f62c4a56566afe0aaa3c7c44ba72037d1
SHA512 f03b0565e94e2de2998c12abee3dc61861caca3f3f584e3c3a5d84750e8d7034e700d012b6ddb6dc360806508437aec4f8d3bddfe3f8af139aecbff302182419

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 db1feedd04bdc6d376ceba3899dc9be8
SHA1 a7c6565a5ee5fc2269284edad49cf5246ab7f469
SHA256 a931ee1c98858c3fd750b0355e9dbd9a4abf2fbbd5fd36582437187085ed302f
SHA512 4fbc41446342441ee0f0e44a8127e6891075a4a93d87f0a548b3847ac59686b650b5697887dbb48a05c30cf670e2d27aad4f857e767f2225f7743cb049f59ac7

C:\Windows\SysWOW64\Hogmmjfo.exe

MD5 cfc1b1c047963a1f1e81dd99f859edc0
SHA1 9bf53cb9ad4c88b78317c40d125478291495f24d
SHA256 c5a2ec77509992114d3ab37fd19de3bc6407becbc3a640f2cfd255e36e135588
SHA512 64c8158f5f9c66a8f66ca324d8e3a0e17bb287f1e7402e0c0760e5bbdc5c1c2261064b3bc1af5d04f1910a6b2036b6e9e099756e89de6ea2433428bb5d6b6d1d

C:\Windows\SysWOW64\Hlhaqogk.exe

MD5 171df0eb73ad6033ca82baa7c04f6e33
SHA1 4117fe791aeb192d45adc1a92eca4343c71c9adc
SHA256 865512032e25c91892d503b6e675f4ef95d8305b20949702099049bee7b5978c
SHA512 3f9450d0f15ade02cb26ee6e90d10d3b2aca3dd354afe788e12f7d9bb0d4308e09bc18eb5eb9a14c59581edf1c5e02d73ad134f016bd291a4bc1e320601305fb

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 7bd64673724a07b85275efd73beb431f
SHA1 82104fe807962b7ebbea0f5d054effaa6c16b974
SHA256 3d16b312e66b3d1b87c9b2674d8f584d19fe4c436a0075345a5c4dcbbf99a998
SHA512 b695742f8db9228eadc535a6c973e493b302e78af65b3c3ff665fc1256d6091546500ae1a7a4801f0cb46df63b88387cca238d326ab225ead0a57a9e2f922a2a

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 fcfc0276589918414c60b52459d0f11a
SHA1 f7403d19fda40df471fca5a252f3913b94752c75
SHA256 a1664b59e6a4e1116ab357c2fa17a6537dc9f7f3db8f5356c7c3d63e4bd8a79e
SHA512 420ed651ead2562347ce0e6f324ec978432057de6873ff4f1829ea550caa5632b4f52a926bf5057f8cdcac5a19f2e7d630b416d3684e09092ff7ed187b969df2

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 25e77db3cb3e27370434d514c1faf655
SHA1 73cd64fb9bcd7cadcaac8b3a5147074a55b19428
SHA256 68f2a2cb61553e58fab2701028bff99d2715511f6b30666e2b5e29f1562936b8
SHA512 cc1e74907eadb1625b6e4bf1dc5160b6013fd6def8e2d11721f613a3abc2c3c812c9f695e720e1b70385f6a3206e9c4c9993cf380bdfd0eb9c08346529a6e12f

C:\Windows\SysWOW64\Hobcak32.exe

MD5 4d17da2e38640c746efcc3f8d483f033
SHA1 84c95e97513cc2afd10f95bce72e5e14ef280655
SHA256 5a7937b6905e28c1c4025d072f73a4870bd11203104b26584c3d7151fdc7312f
SHA512 b374340ec06de61748c53775b030e48f3a3f763d77572716b4ab0dbe05229f066da1740f82eb76857a37e393e0b2da074a4c2bdad94fdea4bcb7183d14abc51b

C:\Windows\SysWOW64\Hpocfncj.exe

MD5 886f91bc49b8b656bdd7263bb2e28810
SHA1 d44cfcbba16cbaf1ce1591ecbef528fc6a72e92e
SHA256 52512df175aa5b0e1d877b0ae9b8e000c76a0a53cfb34ac15d5d1c4eef4b8c62
SHA512 7a59668052f37949273780998bd8e22afc3f20869aa971ee200fd5565e8af8ec907f24b5a04d281250bd3ed8c57543bf0ab3e6b2e0482a80bd39fe01a3f220b7

C:\Windows\SysWOW64\Hggomh32.exe

MD5 4e420b9cb086387fc0cedc19bfb62632
SHA1 d2b3dcc3f0987eba9698937bb1f3f421d267e46e
SHA256 9484b93571c3cfb7853b4ac5edf40a661599b65318685ebdcc287014b9794f62
SHA512 45fcf67b4472a1000021274377c4a085a1ad449e1609b371b0e441720784f58f3abedc4462bdb48873c3ae7073b30485c535a11c01192bea61550b05adf97258

C:\Windows\SysWOW64\Hicodd32.exe

MD5 bc66d9fdedbdcb098e4b11034472f71e
SHA1 a44565a77ca798e990dabde03715b07570a00f06
SHA256 cddce9a8737c57216cbb7e9d44601630c2160398ccd790ffa3f62ba7a8468ac0
SHA512 bac10739be5ad2d41bc430fb0410ff6ac52fb5e6b2f9411ab8dd38906b2a477c750d86a847271d5e838379d20c7897fe5de2de7a406e75cdbc6fb1e4556431e1

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 f2876a9dadb3a4a318577232dd30d5af
SHA1 b3fa481dd686e1736dc2aa2dd02a73aa7e3db4ba
SHA256 273bca57299b5c691baed8550d5d61045e98891e50ade46958a3ae8a6fd722ee
SHA512 b85a32f8b3ca6bd841435fd3e9c8aba776f452d3ce9f6f95161ae8f6562f911f31fbe7fc33af163efdc14a2e3881b37c0f96d650e883eec5456e71ba2be38a08

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 8f918651e838ce33f46630d2b18bdcb2
SHA1 dc6207d9b71cc49bc86ff52d3898dcca39be74a2
SHA256 33217050ceee4824d5a61a6c0e8dcde7221de4e21cb76f7b0d436b3cb35e0021
SHA512 f66d4c6705f8e5f49345cb0c9d9415b1e93d37674d19e11325b819b5ef330940086db4aee6863a63f615aff6ef7349e4867e8f375308ccfca66963e1e8c8f441

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 2482e5c5ba5551a789606d9752a11760
SHA1 a639101a3f677ac0488dd313de91d105c38b45c6
SHA256 c5068cb0b90428ec09567ef2007b015ca0e0a75e64f28fead0ef9f55c2349659
SHA512 7a1c7f699151d7ba7830c2a706826c0b9d4417d81af3a0a3cbe42d2762881af80d2b653ba198980a8ea4705af07c8358cffa61116b55e03a0b29053847960781

C:\Windows\SysWOW64\Ggpimica.exe

MD5 0bd2d8ab9cd5485de879f4058a6236fa
SHA1 507dab1e9a93ce04cdb96e1957212f8c9a0561c9
SHA256 c18bb87c54237a9b313d9eb5be23875cff5553aee76db75744e107f4ce7379c4
SHA512 3cacc295fef5037dd079ff2af1015f9c21f52ddab227aa886f48885f15fb00e71393aa1443f53a541dc58431cb16a8c31388c964b963abe19763a4eebaf57eff

C:\Windows\SysWOW64\Gbnccfpb.exe

MD5 9f05a42b93a56a322563daa7a4f2e682
SHA1 d1100c67a58f5fa10a61047549ac0202724832b3
SHA256 c110db49362e916eba2029e605041a3eb86944657b4cb506a14b545660393849
SHA512 c60bdb62d1c0820adbbb3e330412aeac93ad8eb232754bc829185d1faa072e12299393dc1e20c3689d67ea319604fbb3e12adaafd7e9c2b3729e6f55c7f521e6

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 be5021765849732ce75c66a356637c85
SHA1 7ab58e7522435c3bdd66591b502b872ca64fe5d9
SHA256 6ad5cdf3fcae59d2905fd69c402863d3decb111701989688a071c013bf517ba7
SHA512 b413dc306c9257dce984b5892943c32aa9de4e2ab4daf290ea02505a39a32981e2c4a7c96982b4c69747696f4814730fe25d5300aaf5801b896e2fc06f4c0b9d

C:\Windows\SysWOW64\Fjilieka.exe

MD5 c9f2a4f948ce590048c6f235de99e966
SHA1 bf6634bf36e6165280eb8a05759601d75c7265a5
SHA256 22b55cb801b517b78079eb058456cd5d2036e8bd938d92ad7b85afc7873e8132
SHA512 9faad30a47ed04eda58650ccf955faa38404b63f084b52eabb7a72d6ab45e7fe029810d47d167fcf9d76c6e9a1358a5ae42a6b5608cc61887923f9767329ab9f

memory/1948-751-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2520-750-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2520-749-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2452-748-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2452-747-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2868-746-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2868-745-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2460-744-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2460-743-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2524-742-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2524-741-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2392-740-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2392-739-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2632-738-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2632-737-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2028-736-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2028-735-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2028-734-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2016-733-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2016-732-0x0000000000400000-0x0000000000433000-memory.dmp

memory/836-731-0x0000000000250000-0x0000000000283000-memory.dmp

memory/836-730-0x0000000000400000-0x0000000000433000-memory.dmp

memory/404-729-0x0000000000250000-0x0000000000283000-memory.dmp

memory/404-728-0x0000000000400000-0x0000000000433000-memory.dmp

memory/348-727-0x0000000000250000-0x0000000000283000-memory.dmp

memory/348-726-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2984-725-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2984-724-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2872-723-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/2872-722-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1152-721-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1152-720-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1036-719-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1036-718-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fpdhklkl.exe

MD5 4d91517f875be5e23eaf26c8ee9e0c35
SHA1 11d6f530fcd3c59dfa4303085f718208ea84ee7f
SHA256 af03057ec8333f9c9e9b63079d77266e6e3fb0dd7667d56160791ad85acecce4
SHA512 8920c9089297d2a4f3d9ab349211c324427aa1cb2a63d4a006cb4d4a830fd71a70d06dbe70322889d28f3c011cbb9c57dd118ae88cf7fb9d4e24201d3187456a

memory/640-714-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/640-713-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/640-712-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1544-710-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1544-709-0x0000000000250000-0x0000000000283000-memory.dmp

memory/868-707-0x0000000000250000-0x0000000000283000-memory.dmp

memory/868-705-0x0000000000250000-0x0000000000283000-memory.dmp

memory/868-703-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2112-701-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2112-699-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2112-698-0x0000000000400000-0x0000000000433000-memory.dmp

memory/908-697-0x0000000000250000-0x0000000000283000-memory.dmp

memory/908-696-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Fmekoalh.exe

MD5 f3702c856c8d214057036880223d51e8
SHA1 2a10d1be09e3875a2beb9149a34b3c1315489042
SHA256 84216082f2c10d70fcec9e5ab49eec71aa369dc7e330acdc56bdc37d75fea4ba
SHA512 34092a98d2ca083fb28a7b12d8d266134a541f78850d48bab00bab117a55d66f845983985e708396f15af992c621cfc07094c5da5119e62e13f6e0c7a3cc0b15

C:\Windows\SysWOW64\Faokjpfd.exe

MD5 aa1c727f884ab8ba75b1e84a87f63a48
SHA1 fd880f21cea5a8e45c58246dae6cc4c0b687ef63
SHA256 d74ef88265ace8edfc721c7fe401761cf032097cf452b7b03a36932e9cbebe43
SHA512 43a4b5a7ce6c29e372892b0f716588f4b0c803362e87521d979b9ca5832aa9ad319e48ff03fae2bdbba1fe63d2eea5a0bb630c85e35bb7950ab4bcc05ed0975d

C:\Windows\SysWOW64\Fhffaj32.exe

MD5 f00c9c3bccdae859fde9b660387c9378
SHA1 411610cb439766347d64be08b1f7397ca0dd59d0
SHA256 66e52d0dcfe495462b6503761c2e9d8698026774724d11509e2e96ef0efacf79
SHA512 4224bb0f1925e1c4c27d904c67274c48cb337936c98eb92e66c8705c0d92b8d5e8f565f1d8f61cd4c98954c5c36aa080d53faf065c61a92f9934f52b3dfab8d5

C:\Windows\SysWOW64\Fehjeo32.exe

MD5 689ad580991b54e317e166a9e2abfb6a
SHA1 9cfa89fe6fed76a00ea599a750f092ba67870f1a
SHA256 00f594e88a0b9063688281f5ecf5991671476ccfa419c20fb849111ef8030d2e
SHA512 b31a7d9ddb38471bd9bc7135c4ffcd5897f61a1082923c7101fae263f9476e6f981c5f45d4b0ef052fc9c2688485db1900724ddc15568abac07a0e149c610a1a

C:\Windows\SysWOW64\Ennaieib.exe

MD5 bd49d2329a59916f375ba871237d0d8d
SHA1 09c7324990614188887ebbd09d2418e9fe86ae93
SHA256 c8aab0447e92ba171d9c42d2067761c007e5ebadaa4166ccfe057a563ae25abb
SHA512 c1c1d04c9505563e8658d0dcad44b731b8869b1d37f700bc277ff5238e97d5d63bf3c4c71a7b40752f81a06342857bd4e3674f986ed6c086982b4e858c3a7015

C:\Windows\SysWOW64\Eiaiqn32.exe

MD5 c962ce3851f1047a3b05c0c674013621
SHA1 3cc7915b7a3e9ff5af5df44ddbda767b91eac72d
SHA256 87f2779fb3b09d14abc0703702fea2a66738c42bec7ba043b4786f8c497d7e7f
SHA512 7d9d7573da10092b1cdb20e77802ad5638f61200b8b33300ecc7b2952a72b7c0641212c81d469c6a02362e047c4597f086e566a14a19f84436fa586e6e1ca90c

C:\Windows\SysWOW64\Epieghdk.exe

MD5 b52aada156e3d849a0b33f4b7141ecec
SHA1 f49247183df5fe898a7c4279f6405c8c5439d5f2
SHA256 539bab9d6f94c875e6c6ffe69a73043e91f79ac4ff2c36db0eb06171a92af778
SHA512 7d52feea53208a1ecff074f5785e387c64d78253aa3cd5636e73f65e2e36b732987840021161b485203258ccda96aabdabdece2c14e400f5deda52878ecff216

C:\Windows\SysWOW64\Ebedndfa.exe

MD5 eee76eb7adc8c8d0fd7b2dac33b6201b
SHA1 7ba7e225b4a0d70ac7af63df52c39654f4181cbe
SHA256 fa61d2339f962489e0210791dd34f985c07c62bbadfcdc2aa13f1c8f309f7129
SHA512 c2bb1aedffe37343c67af92c29471c6e01c59d3970f363342d9cbafb0aa08fad854993db9a51a5809e9571fde967c417d020550a844999d1daba905fe13580a2

C:\Windows\SysWOW64\Efncicpm.exe

MD5 deacde78424f04cb7dc61e9a3966ec56
SHA1 808eaae9ab06b87583d41c045e9de0891bade35c
SHA256 ce1d6508d346674a1558a345198ea223a581e4063152426c8b22540ae9ec2b82
SHA512 6c882da479c426db3f5f6ee71ebe14e3f2ea808aa072cda03115b52a06ad84c0f5ae0e5c13a2237112a156d418f2fb8d6a7718c331099a841701670ff01d8086

C:\Windows\SysWOW64\Ekholjqg.exe

MD5 db75c3502dffd2fe0f922f1f6044afdb
SHA1 1854bf319425791d1a8d619ea9813fd0049f9954
SHA256 5c2ed84f506d8aaecf342b1afc894e3e40ac115dd82e90d1c55ec5bc8db14d0b
SHA512 1d64ba1b368a0229df570f4de10ae47eb7d13c4e6fc88888509b0733f6ea4b294a7dccf7825b4ff51b199541a41d70a7144b1e2123c275c4324cae84fabc4dc3

C:\Windows\SysWOW64\Eijcpoac.exe

MD5 32fdec96fe6558921f4a11391a693763
SHA1 ccfdb5a32ebf1cbcd4ddc2a46cc5067b5b605fa1
SHA256 322bf145a2b20c9a6030eaced1fa3017420721bc404a4c54e6ee33a26a8d8ed5
SHA512 c01d378977aa4ff1626b76366405728d3041e52065b3a58d351d2cb6c91860c81297782711b2295031922e1711ae664faaf6d82af54dceb74190bfda7ef6292e

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 3e75b3fc57c71164b9c09778fe3f257a
SHA1 a048c6f31434a1052fe0886a05654f5fb777f9b6
SHA256 897f1f49b67b3ff46a4904cc5f1fb203ece20a0bcdfa7eaccfeccac4c6ec9a0a
SHA512 489a24852f1f0401ff1e75fd025cf0708ad63fc0feb4b198c02894b2494df08a8dd3aac0a47e28d22398e8b94a01792bf95b1f753988b11dcff4e8f1ef98ef1e

C:\Windows\SysWOW64\Ebpkce32.exe

MD5 bb3860b6833423ca7626b47473466a55
SHA1 24376510d3eaa24c243663887f9a2ef5d9ac4049
SHA256 2426211d629072395128bef925629212a97163def28612e1bd1c7841a0948b8f
SHA512 3eacf3cc79f1a0e9736ad8e9e6d0825914764353a3691b7e64df7555136aae5baa6d27bb3775ea59d73ef7019b6a77facc128b4e25551e56ef8aa83d0f3da45d

C:\Windows\SysWOW64\Eqonkmdh.exe

MD5 df8a616d5d535b3afd2a93fe35632dbe
SHA1 e1ed30154907a1b2a1acd3fe01a5706e0eef398c
SHA256 08eb2697d052eb607f78a261f36ca3fcdc6f3ab26425c8a1d0b0211c484c2556
SHA512 527f55d613ad1077b54c1f8f440687ed3f10db9c8713553cb8ec758d4ca158eddb77caec8b306e5cad6acaef4560f42b6bc401033a3296433bb2d82abc59f88b

C:\Windows\SysWOW64\Epaogi32.exe

MD5 fd7174322cedc0174dccab3c483a451e
SHA1 0715f67a935bab8bb716795bc7f6effddc572dd7
SHA256 82ae0acf0ed01cffd0fa05681dc983754e804bdabd77f7a8ceb32a3c53fc7c08
SHA512 505a97b0a49cb828193ed48921d71c126f74a32d9dc6629153b0eba1266b764d1866bafd6df5e1fcfee131fe16848e18da068c2bcb422b1bcc8cf5336aa3355c

memory/1236-1175-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1916-1176-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2668-1174-0x0000000000400000-0x0000000000433000-memory.dmp

memory/344-1173-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2404-1172-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2132-1171-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2548-1170-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2604-1169-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2476-1168-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1996-1167-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2192-1166-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dgfjbgmh.exe

MD5 28c939500a4396880563018318f13058
SHA1 3192f28154e2d5e5e0cd703694a8e76be80fa0ea
SHA256 e2bc7a0462e2312a517cc605d0afd3911570bb7dcde598f4b6146193cb6cef49
SHA512 69d5a83fd6110a2fefe826aeb4135497105f5adcd8c1813b37c52b04325c31f247da932163a331f1802e17558acead2fbd2c6a186ad08fc3222cbf6c4138fbb7

C:\Windows\SysWOW64\Doobajme.exe

MD5 f7a9d60cb43b3acf0db54a41ae2d8e50
SHA1 f7223e6b5d6484f20300e6c20cdcd1192b59dcd7
SHA256 c526492cd9a9c6700ad60f2c9b74dbf33cf41f94ad446745987e0b24ba38b2d0
SHA512 5df6b58405887bca20f73e0a7fd8e3d3d263c66dbd0af6199a5ef2525a2d34f84f1a11cff05d6c671afe15282d4287f148d232e042fd25aee3ee43bce1f3e367

C:\Windows\SysWOW64\Dmafennb.exe

MD5 29b7127041acda242235026946fd763d
SHA1 036c7e6bcfc8bc28185a0f9dab6af1ccb5cfa505
SHA256 7d66b932db273695103618c82921635182de74036081230a4afc4c6d8e7fa290
SHA512 e0fa893aefd6df9b1fa9c94fd87bc0788bf227c36f0a0bf0a0402c69a37f02b662c20492194fc452f41dbe0cba3d9cf0ed5590b0b0e01999679cd912b21f9753

C:\Windows\SysWOW64\Djbiicon.exe

MD5 19fad76be6490604c846c098be3e332a
SHA1 2c907089c0879cded72842d036505badd7aad260
SHA256 102016b0747bcc92f94577e7592876b7f20f232e384e695eba9eea45c7ffc7a6
SHA512 50d1cacf357fd0d721d37fa35ace606c79c98a7cffa672da9c7b0dd57a78336953497f89879f9f60226faa121c129f0407b4740dfe28849addd446b87d3969cc

C:\Windows\SysWOW64\Dfgmhd32.exe

MD5 01ec97d425114a74ab014ed8d057ebf4
SHA1 3a160b1311a9c88dfbc144737234e2120d91d07c
SHA256 62a823ea7d0ee9d3e7b6db1a197a28956ce6a5ab1ffc51f30109ea674b4a48b1
SHA512 01e2c3a28ebd50d9a73c4392ae9cab59c85c44e19f91fb3a7c44de91c82214762cab69f6bb32ed5f9b6227f825ddd56877fe76022bbf18ae243d849263f1a060

C:\Windows\SysWOW64\Dmoipopd.exe

MD5 2f05c235b319d9e193b04de346c25aa2
SHA1 dd06045e869ed73b008580c920ec3ddeec3e228f
SHA256 7b2107d46f73db82e59e896afbc3d8e95f695e9bee335372e513281d9f09eebd
SHA512 12277c2b1d21068ea0422d9491767ba8a9e208f50840727c8b74351a57814e3774ee3c7cfbea975ad1ad103f1520725557ad2dbd20cf09ba7f87ba1f7f8268b1

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 dd7b753dea6e4dc158adee10bd6be7c7
SHA1 e50ed90d2aa9f1ea062d47522a584ad300eb4982
SHA256 f6f8609d5871019cb408b6b7c0113675b44906236ccb6013bed1ddc616ee626a
SHA512 565940f2ed3eb3e7d945f0700caa3f3a69140eed3ad32a1c75f3f5ba6dfdf9fff1f8d1d4ab75ea2c48b073f8980bafbb1488a8eabf970d6eedf9a71c7a0f6d1b

C:\Windows\SysWOW64\Dcfdgiid.exe

MD5 f83f0829660cd3cda65bace7367d35e2
SHA1 a84e11502848b29ce60244f90eb4d002a3b5c1ff
SHA256 d57855b5e6ca714686f04270bec9303887bb24b6904482c43b40b9e0794d1fec
SHA512 42cea4e2b7d086aaa89e4bb86107cd7d4e33f9bbc9557f709235d57f46decc6ecd0fa849f4530d6308b1c487324dd8ae194441523b3cf172999ebc5803fc61c9

C:\Windows\SysWOW64\Dqhhknjp.exe

MD5 c38d5e34827effb6002331c45d0917d5
SHA1 6afc7d8772626a27b8382a3c1a1dc9ab80964eba
SHA256 e1ae4cf7eccd70a6d36906c313e22f83aa2da3aaae283dcb4969d7efdfdb3f94
SHA512 ffc8eda8fe1769f89029326a85dd53a552a1e648a3f6b420631b742535eb42fb3dbde287466d14643f8fd477ef17cbdfb620670ffc3f4fdc10f02457430971eb

C:\Windows\SysWOW64\Dnilobkm.exe

MD5 49a8cd9e2a9e82f092e8a8cf7b45ee58
SHA1 33c7d292e6ac06df3ac9499102e579b3ac34cbc0
SHA256 47f1359ef977cbcbcc25651abacf5b8607fd81bc21e6637ca27f15bd43d41353
SHA512 1ad74c9bdb30fb67e7a1c4cb0fa766317ce0547000701d8e4603d2f6c3771737da7c031aa2cbec01866eb1d644ab8e611ea3049e373a86ae49a089af3a32598b

C:\Windows\SysWOW64\Dkkpbgli.exe

MD5 714b99d6462b990003d8d05ff946a258
SHA1 0079ccee4848853952aaee0e2a3dc2359da535a1
SHA256 43b7fa7a9847f1d8c5189b14ddd635acc7a043bc8ffa67e96925732cd544d802
SHA512 31f65823cad369a1bf2d7e90b68abff72b7ae00913c6937960960dd6f7e9614a473d785887dc940da7f6e080ad3994263f8855fa11277ac350e28a643108360c

C:\Windows\SysWOW64\Cngcjo32.exe

MD5 0b6c0ac0c94b3e6f1c6f05244ada57c5
SHA1 2c6491fab45a79ad4bab785680b9620f54829c7f
SHA256 947c0705e493c58af60c27b7494474bb22a371a93adc31b8a3054af66cf8a881
SHA512 f5c388bf64d280ad5a181cef4afb9ba31aefb2a56703a6b60f930c124dfdadccf4ab29c239c03bc32a2e37dcdb4b069e7cc60c272b79491e714034365553ffaa

C:\Windows\SysWOW64\Ckignd32.exe

MD5 cf112277f87ebc832a0781fcea38b1d7
SHA1 93b8260db3bca56ad7672e8339a757f535c2595c
SHA256 6edd3217be7d8ccca1007532175bbc2b04e8e76cd2e4d90b2c4eededde0edf8e
SHA512 58f86a6cbb65b93f5f5a02ed67ac329cc9267a741667a969742f0bc4d8351da0ea6c65a96a7bc5d5e6e79a6484f2e281fadd27aa79aeee22f74eadcb1064a33e

C:\Windows\SysWOW64\Baqbenep.exe

MD5 aad69c8ef02c4f814a895ffb249bae65
SHA1 a415e2940f5b983c9b845547cfe0ed9ad20b8c04
SHA256 8f7c5abcac90863869caef0ac7108b21f84c4e74d1e3af32a45003adb6ce472d
SHA512 2229b74d9b5859d67a67f59bb34414c32755361e69cad1f9899708868a538aef8d2a2f84060423f8eeb3951dd66fc16cabaab46cddf78de759047be7f00ed818

C:\Windows\SysWOW64\Bhhnli32.exe

MD5 a3e0056dc4a9ebe36e63af5e5751dca8
SHA1 16d1f0989362ac046ecf35400ac57e64e3dd0bb8
SHA256 61a5766760db3c5e052b5ef0701b8d934610f9c0bcc0e584eeb35b9e6ce611bf
SHA512 613c4a1e65925d7064427916b662cefff9107f319de5a333d0693e3634dbeafb126efeab62179b0f6454092b4d9168d6f1062d7b98432e45a5a99260d73e138f

C:\Windows\SysWOW64\Bpafkknm.exe

MD5 972e78713d78ae44726db00da47ede6a
SHA1 6d0d68a5d2686eb822b4071c40940582d8ca53f6
SHA256 18d2e61484c37e41c596a4670e16eb4522c6e591acd9388abe869259d40ec1bd
SHA512 5a45bb2bef269c84ded42e020c313c710ffaf3da965a77280959589fe1c08569d768a7659550c3122b8956679ef698aa58112bcd16dd6463bb4efd0acdee4cf9

C:\Windows\SysWOW64\Bopicc32.exe

MD5 685df33ed3ccd82c72920023fc72b28a
SHA1 8d2c0d02ddc594d3735a29837f62702807869d06
SHA256 251e1d8ee2c6d145b7965986d6d1f5d3afbd69e8a9a26d7bbcd5d0cab145fcde
SHA512 3e047ec6286593fb43114128dd951104d590a61069f56144c271f5d78a1dc554c92078529ade8d61b512351cd5028e963ed3d376b3839ce13adf5645916be90d

C:\Windows\SysWOW64\Bdjefj32.exe

MD5 532d3f11d070feffe7d5727c474970cb
SHA1 05f6e2aa7616ec513a851ff4f9cfa06b7a6185ce
SHA256 51089ac7ea9c0dab27123748b4b7cc6ff0de28a989e86623dbe9316a5cf61acd
SHA512 63d626f1d531d1e73b547e3eb0e268bf8f1907a34f41566bc0d812f5369d2879f097c20bdcb9073945ca18bc1d573633c102edb76d9ac4ac469c9a48d4a5fbe9

memory/2716-242-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1376-239-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Bkodhe32.exe

MD5 3a4aff70788a81d568a0798c57b12e3d
SHA1 08a62a4e4a585f57deda80bb8c0ffb88a35a327a
SHA256 cde665e0b89d8ff09fa0c47f7318f5a6607ae7aed8058786abf522f4132f2cb6
SHA512 5d20eedc6672d395c2f1aeb149158d13bd9e9fa23101c85d9fbb23e3a71860ea07b3ffe6502eec6bfa4d587e2e7d8678b6a16e6195bf8d52b14d7ede04cc27c9

memory/2240-1180-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2716-1183-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1376-1182-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1612-1179-0x0000000000400000-0x0000000000433000-memory.dmp

memory/500-1178-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2284-1177-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2212-219-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1612-189-0x0000000000400000-0x0000000000433000-memory.dmp

memory/500-183-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2284-158-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1916-153-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/1236-141-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Pfiidobe.exe

MD5 436bc5b35aecafdd7d01861b0d96544f
SHA1 d2210ebf10d1de2b34950530c9799c0aa90c7a18
SHA256 c5b01b65e36da6e2a4ac22e2a9ab8bc182d1ca1878ca61e31e5918865baeb992
SHA512 263d6f984e0558b3ef4b85d6f6e7820ee1d6faa176e474ad1df7c3f73d38ff1b6c14d664e455d2dcd576c82b0e728b732592b5ae15ab71dbadb1ae1919338fe7

memory/2668-125-0x0000000000300000-0x0000000000333000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 03:36

Reported

2024-05-09 03:39

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dobfld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghopckpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hihbijhn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Olcbmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajanck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afmhck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceehho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klimip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lekehdgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajanck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddpeoafg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Menjdbgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nebdoa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncfdie32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oncofm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epmcab32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gcimkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Meiaib32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlcifmbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Medgncoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Edihepnm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieolehop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdgdgnbm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imakkfdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lpqiemge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hbckbepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fomhdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fcmnpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icnpmp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ognpebpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecmeig32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecandfpd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jifhaenk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afmhck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icgjmapi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnkplejl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iakaql32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdfibe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lingibiq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpqiemge.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmdina32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddpeoafg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Edihepnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klimip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fdgdgnbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Heapdjlp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfcbjk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkplejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ieolehop.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Commqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chebighd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcalgo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dljqpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epmcab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efpajh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ficgacna.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmhfhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcggpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfihc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbckbepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjolnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iakaql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imdnklfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaedgjjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdjfcecp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jiikak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kacphh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kphmie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldkojb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldohebqh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcgblncm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiklqhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjhqjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkgmcjld.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnolfdcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Okeieh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onmhgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkamqmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgopffec.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbddcoei.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkmhlekj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeemej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agffge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abkjdnoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahhblemi.exe N/A
N/A N/A C:\Windows\SysWOW64\Anbkio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aelcfilb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahmlgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbpem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahoimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abemjmgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdfibe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnlnon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beeflhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnnjen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bblckl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdmpcdfm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbnpqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdolhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbqlfkmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdainc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cogmkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cddecc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cojjqlpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Clnjjpod.exe N/A
N/A N/A C:\Windows\SysWOW64\Cajcbgml.exe N/A
N/A N/A C:\Windows\SysWOW64\Clpgpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Camphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbllbibl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhidjpqc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Jiikak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fafkecel.exe C:\Windows\SysWOW64\Fkmchi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Aeiofcji.exe N/A
File created C:\Windows\SysWOW64\Ahhblemi.exe C:\Windows\SysWOW64\Abkjdnoa.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlmllkja.exe C:\Windows\SysWOW64\Nebdoa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Ceehho32.exe N/A
File created C:\Windows\SysWOW64\Bfajji32.dll C:\Windows\SysWOW64\Lpqiemge.exe N/A
File created C:\Windows\SysWOW64\Gcggpj32.exe C:\Windows\SysWOW64\Gmhfhp32.exe N/A
File created C:\Windows\SysWOW64\Jaedgjjd.exe C:\Windows\SysWOW64\Imdnklfp.exe N/A
File created C:\Windows\SysWOW64\Gbledndp.dll C:\Windows\SysWOW64\Imdnklfp.exe N/A
File opened for modification C:\Windows\SysWOW64\Heapdjlp.exe C:\Windows\SysWOW64\Hcpclbfa.exe N/A
File created C:\Windows\SysWOW64\Lekehdgp.exe C:\Windows\SysWOW64\Ldjhpl32.exe N/A
File created C:\Windows\SysWOW64\Anbkio32.exe C:\Windows\SysWOW64\Ahhblemi.exe N/A
File created C:\Windows\SysWOW64\Ckijjqka.dll C:\Windows\SysWOW64\Lphoelqn.exe N/A
File created C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Accfbokl.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Ndqgbjkm.dll C:\Windows\SysWOW64\Jblpek32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmdina32.exe C:\Windows\SysWOW64\Lenamdem.exe N/A
File opened for modification C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
File created C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Aeiofcji.exe N/A
File opened for modification C:\Windows\SysWOW64\Aeiofcji.exe C:\Windows\SysWOW64\Adgbpc32.exe N/A
File created C:\Windows\SysWOW64\Ojdamdma.dll C:\Windows\SysWOW64\Cogmkl32.exe N/A
File created C:\Windows\SysWOW64\Fafkecel.exe C:\Windows\SysWOW64\Fkmchi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hoiafcic.exe C:\Windows\SysWOW64\Hecmijim.exe N/A
File created C:\Windows\SysWOW64\Eonefj32.dll C:\Windows\SysWOW64\Mgddhf32.exe N/A
File created C:\Windows\SysWOW64\Olcbmj32.exe C:\Windows\SysWOW64\Nfjjppmm.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcbpab32.exe C:\Windows\SysWOW64\Heapdjlp.exe N/A
File created C:\Windows\SysWOW64\Dmamoe32.dll C:\Windows\SysWOW64\Jfcbjk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Mmnldp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ficgacna.exe C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
File created C:\Windows\SysWOW64\Flgmek32.dll C:\Windows\SysWOW64\Bbnpqk32.exe N/A
File created C:\Windows\SysWOW64\Cddecc32.exe C:\Windows\SysWOW64\Cogmkl32.exe N/A
File created C:\Windows\SysWOW64\Efpmmmoo.dll C:\Windows\SysWOW64\Camphf32.exe N/A
File created C:\Windows\SysWOW64\Hihbijhn.exe C:\Windows\SysWOW64\Hckjacjg.exe N/A
File created C:\Windows\SysWOW64\Codqon32.dll C:\Windows\SysWOW64\Mlhbal32.exe N/A
File created C:\Windows\SysWOW64\Ocnjidkf.exe C:\Windows\SysWOW64\Olcbmj32.exe N/A
File created C:\Windows\SysWOW64\Hpoddikd.dll C:\Windows\SysWOW64\Aeklkchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdmpcdfm.exe C:\Windows\SysWOW64\Bblckl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hckjacjg.exe C:\Windows\SysWOW64\Hmabdibj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcpclbfa.exe C:\Windows\SysWOW64\Hmfkoh32.exe N/A
File created C:\Windows\SysWOW64\Ceacpg32.dll C:\Windows\SysWOW64\Hoiafcic.exe N/A
File opened for modification C:\Windows\SysWOW64\Imakkfdg.exe C:\Windows\SysWOW64\Ipnjab32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Amgapeea.exe N/A
File created C:\Windows\SysWOW64\Khkchobp.dll C:\Windows\SysWOW64\Commqb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jpgmha32.exe C:\Windows\SysWOW64\Jeaikh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfmepi32.exe C:\Windows\SysWOW64\Kpbmco32.exe N/A
File created C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mckemg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Npmagine.exe C:\Windows\SysWOW64\Npjebj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmabdibj.exe C:\Windows\SysWOW64\Gcimkc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hecmijim.exe C:\Windows\SysWOW64\Hcbpab32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lekehdgp.exe C:\Windows\SysWOW64\Ldjhpl32.exe N/A
File created C:\Windows\SysWOW64\Ckmllpik.dll C:\Windows\SysWOW64\Cdcoim32.exe N/A
File created C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Daekdooc.exe N/A
File created C:\Windows\SysWOW64\Gpnkgo32.dll C:\Windows\SysWOW64\Mdiklqhm.exe N/A
File created C:\Windows\SysWOW64\Feibedlp.dll C:\Windows\SysWOW64\Adgbpc32.exe N/A
File created C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Beeoaapl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Majknlkd.dll C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File opened for modification C:\Windows\SysWOW64\Abbpem32.exe C:\Windows\SysWOW64\Ahmlgd32.exe N/A
File created C:\Windows\SysWOW64\Npmagine.exe C:\Windows\SysWOW64\Npjebj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Olcbmj32.exe C:\Windows\SysWOW64\Nfjjppmm.exe N/A
File created C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dobfld32.exe N/A
File created C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Efpajh32.exe N/A
File created C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jaedgjjd.exe N/A
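The "Drops file in System32 directory" rows above show each dropped executable writing the next .exe (and a companion .dll) straight into C:\Windows\SysWOW64, and the static signature flags the sample as an unsigned PE. The following PowerShell sweep is an added example for triaging a live host, not part of the sandbox report: it lists recently written .exe/.dll files in System32 and SysWOW64 that are real PE images but carry no valid Authenticode signature, and ties each hit to a running process where one exists. The function name and the -Days window are this example's own choices; run it elevated.

```powershell
# Added example (not from the report): find recently written, unsigned PE
# files in the Windows system directories, which is where this sample drops
# its next-stage executables and DLLs.
function Find-UnsignedSystemBinaries {
    param(
        [int]$Days = 7,                                   # look-back window (assumption)
        [string[]]$Directories = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    )
    $since = (Get-Date).AddDays(-$Days)

    # Image paths of running processes, so a hit can be linked to a live PID.
    $running = @{}
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Path) { $running[$_.Path.ToLowerInvariant()] = $_.Id }
    }

    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Top level only: the report shows writes directly into SysWOW64.
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
          Where-Object { ($_.Extension -in @('.exe', '.dll')) -and ($_.LastWriteTime -ge $since) } |
          ForEach-Object {
            # Confirm it is a PE image: the DOS header begins with 'MZ'.
            $hdr = [byte[]]::new(2)
            $fs  = [System.IO.File]::OpenRead($_.FullName)
            try { [void]$fs.Read($hdr, 0, 2) } finally { $fs.Dispose() }
            if ($hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { return }

            # Keep only files without a valid embedded or catalog signature.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -eq 'Valid') { return }

            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SigStatus     = $sig.Status
                RunningPid    = $running[$_.FullName.ToLowerInvariant()]
            }
          }
    }
}

Find-UnsignedSystemBinaries -Days 7 | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Every hit should be compared against a known-good baseline of the same build before acting on it: on hosts where catalog-signed system files are reported as NotSigned the list will contain legitimate files, so the combination of a fresh LastWriteTime, a non-Valid status and a live PID is the signal, not the signature status alone. The dropped files in this report also have eight-letter lowercase names, which is worth eyeballing in the output but is not a reliable filter on its own.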

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Camphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elikfp32.dll" C:\Windows\SysWOW64\Gohhpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll" C:\Windows\SysWOW64\Mckemg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeiofcji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll" C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll" C:\Windows\SysWOW64\Jpgmha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dobfld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpphha.dll" C:\Windows\SysWOW64\Dljqpd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Efpajh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll" C:\Windows\SysWOW64\Jiikak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pgopffec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbllbibl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hoiafcic.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fomhdg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jblpek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncfdie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdkcde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amgapeea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Klimip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll" C:\Windows\SysWOW64\Lbdolh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kphmie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abbpem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdphnlp.dll" C:\Windows\SysWOW64\Heapdjlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jeaikh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jblpek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll" C:\Windows\SysWOW64\Jifhaenk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abemjmgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdamdma.dll" C:\Windows\SysWOW64\Cogmkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhclmi.dll" C:\Windows\SysWOW64\Gmoeoidl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kiidgeki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" C:\Windows\SysWOW64\Deokon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddbbeade.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opakbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qqfmde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gcggpj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpmmmoo.dll" C:\Windows\SysWOW64\Camphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icgjmapi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ldjhpl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mlopkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mlhbal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chebighd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Imdnklfp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dbllbibl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkchobp.dll" C:\Windows\SysWOW64\Commqb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdchadai.dll" C:\Windows\SysWOW64\Bnnjen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anphnl32.dll" C:\Windows\SysWOW64\Fcmnpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jcllonma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll" C:\Windows\SysWOW64\Lenamdem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll" C:\Windows\SysWOW64\Pdifoehl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmhfhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecmeig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ceehho32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Commqb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecandfpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibnccmbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkfcl32.dll" C:\Windows\SysWOW64\Ghopckpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofcmfodb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anbkio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fomhdg32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe C:\Windows\SysWOW64\Commqb32.exe
PID 5008 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe C:\Windows\SysWOW64\Commqb32.exe
PID 5008 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe C:\Windows\SysWOW64\Commqb32.exe
PID 3972 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Chebighd.exe
PID 3972 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Chebighd.exe
PID 3972 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Chebighd.exe
PID 2304 wrote to memory of 2416 N/A C:\Windows\SysWOW64\Chebighd.exe C:\Windows\SysWOW64\Dcalgo32.exe
PID 2304 wrote to memory of 2416 N/A C:\Windows\SysWOW64\Chebighd.exe C:\Windows\SysWOW64\Dcalgo32.exe
PID 2304 wrote to memory of 2416 N/A C:\Windows\SysWOW64\Chebighd.exe C:\Windows\SysWOW64\Dcalgo32.exe
PID 2416 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Dcalgo32.exe C:\Windows\SysWOW64\Dljqpd32.exe
PID 2416 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Dcalgo32.exe C:\Windows\SysWOW64\Dljqpd32.exe
PID 2416 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Dcalgo32.exe C:\Windows\SysWOW64\Dljqpd32.exe
PID 1260 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Epmcab32.exe
PID 1260 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Epmcab32.exe
PID 1260 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Epmcab32.exe
PID 1052 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Epmcab32.exe C:\Windows\SysWOW64\Efpajh32.exe
PID 1052 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Epmcab32.exe C:\Windows\SysWOW64\Efpajh32.exe
PID 1052 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Epmcab32.exe C:\Windows\SysWOW64\Efpajh32.exe
PID 4576 wrote to memory of 3112 N/A C:\Windows\SysWOW64\Efpajh32.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 4576 wrote to memory of 3112 N/A C:\Windows\SysWOW64\Efpajh32.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 4576 wrote to memory of 3112 N/A C:\Windows\SysWOW64\Efpajh32.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 3112 wrote to memory of 4572 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Ficgacna.exe
PID 3112 wrote to memory of 4572 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Ficgacna.exe
PID 3112 wrote to memory of 4572 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Ficgacna.exe
PID 4572 wrote to memory of 640 N/A C:\Windows\SysWOW64\Ficgacna.exe C:\Windows\SysWOW64\Gmhfhp32.exe
PID 4572 wrote to memory of 640 N/A C:\Windows\SysWOW64\Ficgacna.exe C:\Windows\SysWOW64\Gmhfhp32.exe
PID 4572 wrote to memory of 640 N/A C:\Windows\SysWOW64\Ficgacna.exe C:\Windows\SysWOW64\Gmhfhp32.exe
PID 640 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Gmhfhp32.exe C:\Windows\SysWOW64\Gcggpj32.exe
PID 640 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Gmhfhp32.exe C:\Windows\SysWOW64\Gcggpj32.exe
PID 640 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Gmhfhp32.exe C:\Windows\SysWOW64\Gcggpj32.exe
PID 5104 wrote to memory of 3500 N/A C:\Windows\SysWOW64\Gcggpj32.exe C:\Windows\SysWOW64\Hjfihc32.exe
PID 5104 wrote to memory of 3500 N/A C:\Windows\SysWOW64\Gcggpj32.exe C:\Windows\SysWOW64\Hjfihc32.exe
PID 5104 wrote to memory of 3500 N/A C:\Windows\SysWOW64\Gcggpj32.exe C:\Windows\SysWOW64\Hjfihc32.exe
PID 3500 wrote to memory of 624 N/A C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hbckbepg.exe
PID 3500 wrote to memory of 624 N/A C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hbckbepg.exe
PID 3500 wrote to memory of 624 N/A C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hbckbepg.exe
PID 624 wrote to memory of 884 N/A C:\Windows\SysWOW64\Hbckbepg.exe C:\Windows\SysWOW64\Hjolnb32.exe
PID 624 wrote to memory of 884 N/A C:\Windows\SysWOW64\Hbckbepg.exe C:\Windows\SysWOW64\Hjolnb32.exe
PID 624 wrote to memory of 884 N/A C:\Windows\SysWOW64\Hbckbepg.exe C:\Windows\SysWOW64\Hjolnb32.exe
PID 884 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Hjolnb32.exe C:\Windows\SysWOW64\Iakaql32.exe
PID 884 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Hjolnb32.exe C:\Windows\SysWOW64\Iakaql32.exe
PID 884 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Hjolnb32.exe C:\Windows\SysWOW64\Iakaql32.exe
PID 2288 wrote to memory of 4364 N/A C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 2288 wrote to memory of 4364 N/A C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 2288 wrote to memory of 4364 N/A C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 4364 wrote to memory of 4196 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Jaedgjjd.exe
PID 4364 wrote to memory of 4196 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Jaedgjjd.exe
PID 4364 wrote to memory of 4196 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Jaedgjjd.exe
PID 4196 wrote to memory of 2616 N/A C:\Windows\SysWOW64\Jaedgjjd.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 4196 wrote to memory of 2616 N/A C:\Windows\SysWOW64\Jaedgjjd.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 4196 wrote to memory of 2616 N/A C:\Windows\SysWOW64\Jaedgjjd.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 2616 wrote to memory of 3700 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jdjfcecp.exe
PID 2616 wrote to memory of 3700 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jdjfcecp.exe
PID 2616 wrote to memory of 3700 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jdjfcecp.exe
PID 3700 wrote to memory of 3620 N/A C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jiikak32.exe
PID 3700 wrote to memory of 3620 N/A C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jiikak32.exe
PID 3700 wrote to memory of 3620 N/A C:\Windows\SysWOW64\Jdjfcecp.exe C:\Windows\SysWOW64\Jiikak32.exe
PID 3620 wrote to memory of 1764 N/A C:\Windows\SysWOW64\Jiikak32.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 3620 wrote to memory of 1764 N/A C:\Windows\SysWOW64\Jiikak32.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 3620 wrote to memory of 1764 N/A C:\Windows\SysWOW64\Jiikak32.exe C:\Windows\SysWOW64\Kacphh32.exe
PID 1764 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 1764 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 1764 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 1472 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Ldkojb32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\e12b29b27bfebd1b732b3aea09960350_NEIKI.exe"

C:\Windows\SysWOW64\Commqb32.exe

C:\Windows\system32\Commqb32.exe

C:\Windows\SysWOW64\Chebighd.exe

C:\Windows\system32\Chebighd.exe

C:\Windows\SysWOW64\Dcalgo32.exe

C:\Windows\system32\Dcalgo32.exe

C:\Windows\SysWOW64\Dljqpd32.exe

C:\Windows\system32\Dljqpd32.exe

C:\Windows\SysWOW64\Epmcab32.exe

C:\Windows\system32\Epmcab32.exe

C:\Windows\SysWOW64\Efpajh32.exe

C:\Windows\system32\Efpajh32.exe

C:\Windows\SysWOW64\Fmmfmbhn.exe

C:\Windows\system32\Fmmfmbhn.exe

C:\Windows\SysWOW64\Ficgacna.exe

C:\Windows\system32\Ficgacna.exe

C:\Windows\SysWOW64\Gmhfhp32.exe

C:\Windows\system32\Gmhfhp32.exe

C:\Windows\SysWOW64\Gcggpj32.exe

C:\Windows\system32\Gcggpj32.exe

C:\Windows\SysWOW64\Hjfihc32.exe

C:\Windows\system32\Hjfihc32.exe

C:\Windows\SysWOW64\Hbckbepg.exe

C:\Windows\system32\Hbckbepg.exe

C:\Windows\SysWOW64\Hjolnb32.exe

C:\Windows\system32\Hjolnb32.exe

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Imdnklfp.exe

C:\Windows\system32\Imdnklfp.exe

C:\Windows\SysWOW64\Jaedgjjd.exe

C:\Windows\system32\Jaedgjjd.exe

C:\Windows\SysWOW64\Jbhmdbnp.exe

C:\Windows\system32\Jbhmdbnp.exe

C:\Windows\SysWOW64\Jdjfcecp.exe

C:\Windows\system32\Jdjfcecp.exe

C:\Windows\SysWOW64\Jiikak32.exe

C:\Windows\system32\Jiikak32.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kphmie32.exe

C:\Windows\system32\Kphmie32.exe

C:\Windows\SysWOW64\Ldkojb32.exe

C:\Windows\system32\Ldkojb32.exe

C:\Windows\SysWOW64\Ldohebqh.exe

C:\Windows\system32\Ldohebqh.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Okeieh32.exe

C:\Windows\system32\Okeieh32.exe

C:\Windows\SysWOW64\Onmhgb32.exe

C:\Windows\system32\Onmhgb32.exe

C:\Windows\SysWOW64\Pbkamqmd.exe

C:\Windows\system32\Pbkamqmd.exe

C:\Windows\SysWOW64\Pgopffec.exe

C:\Windows\system32\Pgopffec.exe

C:\Windows\SysWOW64\Pbddcoei.exe

C:\Windows\system32\Pbddcoei.exe

C:\Windows\SysWOW64\Qkmhlekj.exe

C:\Windows\system32\Qkmhlekj.exe

C:\Windows\SysWOW64\Qeemej32.exe

C:\Windows\system32\Qeemej32.exe

C:\Windows\SysWOW64\Agffge32.exe

C:\Windows\system32\Agffge32.exe

C:\Windows\SysWOW64\Abkjdnoa.exe

C:\Windows\system32\Abkjdnoa.exe

C:\Windows\SysWOW64\Ahhblemi.exe

C:\Windows\system32\Ahhblemi.exe

C:\Windows\SysWOW64\Anbkio32.exe

C:\Windows\system32\Anbkio32.exe

C:\Windows\SysWOW64\Aelcfilb.exe

C:\Windows\system32\Aelcfilb.exe

C:\Windows\SysWOW64\Ahmlgd32.exe

C:\Windows\system32\Ahmlgd32.exe

C:\Windows\SysWOW64\Abbpem32.exe

C:\Windows\system32\Abbpem32.exe

C:\Windows\SysWOW64\Ahoimd32.exe

C:\Windows\system32\Ahoimd32.exe

C:\Windows\SysWOW64\Abemjmgg.exe

C:\Windows\system32\Abemjmgg.exe

C:\Windows\SysWOW64\Bdfibe32.exe

C:\Windows\system32\Bdfibe32.exe

C:\Windows\SysWOW64\Bnlnon32.exe

C:\Windows\system32\Bnlnon32.exe

C:\Windows\SysWOW64\Beeflhdh.exe

C:\Windows\system32\Beeflhdh.exe

C:\Windows\SysWOW64\Bnnjen32.exe

C:\Windows\system32\Bnnjen32.exe

C:\Windows\SysWOW64\Bblckl32.exe

C:\Windows\system32\Bblckl32.exe

C:\Windows\SysWOW64\Bdmpcdfm.exe

C:\Windows\system32\Bdmpcdfm.exe

C:\Windows\SysWOW64\Bbnpqk32.exe

C:\Windows\system32\Bbnpqk32.exe

C:\Windows\SysWOW64\Bdolhc32.exe

C:\Windows\system32\Bdolhc32.exe

C:\Windows\SysWOW64\Cbqlfkmi.exe

C:\Windows\system32\Cbqlfkmi.exe

C:\Windows\SysWOW64\Cdainc32.exe

C:\Windows\system32\Cdainc32.exe

C:\Windows\SysWOW64\Cogmkl32.exe

C:\Windows\system32\Cogmkl32.exe

C:\Windows\SysWOW64\Cddecc32.exe

C:\Windows\system32\Cddecc32.exe

C:\Windows\SysWOW64\Cojjqlpk.exe

C:\Windows\system32\Cojjqlpk.exe

C:\Windows\SysWOW64\Clnjjpod.exe

C:\Windows\system32\Clnjjpod.exe

C:\Windows\SysWOW64\Cajcbgml.exe

C:\Windows\system32\Cajcbgml.exe

C:\Windows\SysWOW64\Clpgpp32.exe

C:\Windows\system32\Clpgpp32.exe

C:\Windows\SysWOW64\Camphf32.exe

C:\Windows\system32\Camphf32.exe

C:\Windows\SysWOW64\Dbllbibl.exe

C:\Windows\system32\Dbllbibl.exe

C:\Windows\SysWOW64\Dhidjpqc.exe

C:\Windows\system32\Dhidjpqc.exe

C:\Windows\SysWOW64\Docmgjhp.exe

C:\Windows\system32\Docmgjhp.exe

C:\Windows\SysWOW64\Ddpeoafg.exe

C:\Windows\system32\Ddpeoafg.exe

C:\Windows\SysWOW64\Dkjmlk32.exe

C:\Windows\system32\Dkjmlk32.exe

C:\Windows\SysWOW64\Ddbbeade.exe

C:\Windows\system32\Ddbbeade.exe

C:\Windows\SysWOW64\Deanodkh.exe

C:\Windows\system32\Deanodkh.exe

C:\Windows\SysWOW64\Dojcgi32.exe

C:\Windows\system32\Dojcgi32.exe

C:\Windows\SysWOW64\Eolpmi32.exe

C:\Windows\system32\Eolpmi32.exe

C:\Windows\SysWOW64\Edihepnm.exe

C:\Windows\system32\Edihepnm.exe

C:\Windows\SysWOW64\Ecjhcg32.exe

C:\Windows\system32\Ecjhcg32.exe

C:\Windows\SysWOW64\Ehgqln32.exe

C:\Windows\system32\Ehgqln32.exe

C:\Windows\SysWOW64\Ecmeig32.exe

C:\Windows\system32\Ecmeig32.exe

C:\Windows\SysWOW64\Ehimanbq.exe

C:\Windows\system32\Ehimanbq.exe

C:\Windows\SysWOW64\Eemnjbaj.exe

C:\Windows\system32\Eemnjbaj.exe

C:\Windows\SysWOW64\Ecandfpd.exe

C:\Windows\system32\Ecandfpd.exe

C:\Windows\SysWOW64\Fkmchi32.exe

C:\Windows\system32\Fkmchi32.exe

C:\Windows\SysWOW64\Fafkecel.exe

C:\Windows\system32\Fafkecel.exe

C:\Windows\SysWOW64\Fdgdgnbm.exe

C:\Windows\system32\Fdgdgnbm.exe

C:\Windows\SysWOW64\Fomhdg32.exe

C:\Windows\system32\Fomhdg32.exe

C:\Windows\SysWOW64\Fdialn32.exe

C:\Windows\system32\Fdialn32.exe

C:\Windows\SysWOW64\Ffimfqgm.exe

C:\Windows\system32\Ffimfqgm.exe

C:\Windows\SysWOW64\Fcmnpe32.exe

C:\Windows\system32\Fcmnpe32.exe

C:\Windows\SysWOW64\Gododflk.exe

C:\Windows\system32\Gododflk.exe

C:\Windows\SysWOW64\Gdqgmmjb.exe

C:\Windows\system32\Gdqgmmjb.exe

C:\Windows\SysWOW64\Ghopckpi.exe

C:\Windows\system32\Ghopckpi.exe

C:\Windows\SysWOW64\Gohhpe32.exe

C:\Windows\system32\Gohhpe32.exe

C:\Windows\SysWOW64\Gcfqfc32.exe

C:\Windows\system32\Gcfqfc32.exe

C:\Windows\SysWOW64\Gmoeoidl.exe

C:\Windows\system32\Gmoeoidl.exe

C:\Windows\SysWOW64\Gcimkc32.exe

C:\Windows\system32\Gcimkc32.exe

C:\Windows\SysWOW64\Hmabdibj.exe

C:\Windows\system32\Hmabdibj.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hmfkoh32.exe

C:\Windows\system32\Hmfkoh32.exe

C:\Windows\SysWOW64\Hcpclbfa.exe

C:\Windows\system32\Hcpclbfa.exe

C:\Windows\SysWOW64\Heapdjlp.exe

C:\Windows\system32\Heapdjlp.exe

C:\Windows\SysWOW64\Hcbpab32.exe

C:\Windows\system32\Hcbpab32.exe

C:\Windows\SysWOW64\Hecmijim.exe

C:\Windows\system32\Hecmijim.exe

C:\Windows\SysWOW64\Hoiafcic.exe

C:\Windows\system32\Hoiafcic.exe

C:\Windows\SysWOW64\Icgjmapi.exe

C:\Windows\system32\Icgjmapi.exe

C:\Windows\SysWOW64\Iehfdi32.exe

C:\Windows\system32\Iehfdi32.exe

C:\Windows\SysWOW64\Ipnjab32.exe

C:\Windows\system32\Ipnjab32.exe

C:\Windows\SysWOW64\Imakkfdg.exe

C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Imdgqfbd.exe

C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Icnpmp32.exe

C:\Windows\system32\Icnpmp32.exe

C:\Windows\SysWOW64\Ieolehop.exe

C:\Windows\system32\Ieolehop.exe

C:\Windows\SysWOW64\Jeaikh32.exe

C:\Windows\system32\Jeaikh32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jedeph32.exe

C:\Windows\system32\Jedeph32.exe

C:\Windows\SysWOW64\Jlnnmb32.exe

C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jcgbco32.exe

C:\Windows\system32\Jcgbco32.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Jifhaenk.exe

C:\Windows\system32\Jifhaenk.exe

C:\Windows\SysWOW64\Jcllonma.exe

C:\Windows\system32\Jcllonma.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kfmepi32.exe

C:\Windows\system32\Kfmepi32.exe

C:\Windows\SysWOW64\Klimip32.exe

C:\Windows\system32\Klimip32.exe

C:\Windows\SysWOW64\Kbceejpf.exe

C:\Windows\system32\Kbceejpf.exe

C:\Windows\SysWOW64\Kimnbd32.exe

C:\Windows\system32\Kimnbd32.exe

C:\Windows\SysWOW64\Klngdpdd.exe

C:\Windows\system32\Klngdpdd.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Lpqiemge.exe

C:\Windows\system32\Lpqiemge.exe

C:\Windows\SysWOW64\Lenamdem.exe

C:\Windows\system32\Lenamdem.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Lbabgh32.exe

C:\Windows\system32\Lbabgh32.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Meiaib32.exe

C:\Windows\system32\Meiaib32.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Nebdoa32.exe

C:\Windows\system32\Nebdoa32.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Ncfdie32.exe

C:\Windows\system32\Ncfdie32.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ofnckp32.exe

C:\Windows\system32\Ofnckp32.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Onhhamgg.exe

C:\Windows\system32\Onhhamgg.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pqknig32.exe

C:\Windows\system32\Pqknig32.exe

C:\Windows\SysWOW64\Pdifoehl.exe

C:\Windows\system32\Pdifoehl.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pflplnlg.exe

C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pgllfp32.exe

C:\Windows\system32\Pgllfp32.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qmmnjfnl.exe

C:\Windows\system32\Qmmnjfnl.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Adgbpc32.exe

C:\Windows\system32\Adgbpc32.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Chmndlge.exe

C:\Windows\system32\Chmndlge.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6304 -ip 6304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 228

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

SHA1 c7fd7d0b215847dda6e9dd02847c3a9ffdfe20a4
SHA256 2d4812a72afae0f173c7d2d440cada3b541573b54f4269b534389e42b740ff9c
SHA512 c079a50127678fb382688564a1510f4c4f9c9c9d560cc222dcf9eb00e1e554a029e174435439ba937c0edc4518cd3f6bc29f964a128d5d43365060058e135eda

memory/4072-224-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nnolfdcn.exe

MD5 b0d9e5bb6659598f667ec84096838a46
SHA1 55a1e125969e6f6ff36baeed0575db3ff7cb31cc
SHA256 68742fc7922d51b05d441a508fb90c69f3c7d776edf0ac2d181cc39cc27324d4
SHA512 16fc177acf4ac5ccf374fb51681513c14db2da87524c31867cd3003e9a499a8cba610020fa5b511207420baa596c97c3b08b504d2c1fdf8a042d2b7f618c4077

memory/2440-233-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Okeieh32.exe

MD5 0b1279979079ebf5853784c1ec567e65
SHA1 d894d14ab53ee2aca8e2467933031eb2cf33a5d7
SHA256 350e67675a9c0f56abf144b1a2554c17042534c17d9cf185255f8e8d62ba3cde
SHA512 f889be3a1f74e9ac866107da419d294be7c9d7e78a64727d41756695ff39bf4284677e4196de47dc1ee95c475814b5b821409b82fcf914d2947566648f080794

memory/4708-241-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Onmhgb32.exe

MD5 096730aed5e53ffcec6f8e3b0603085c
SHA1 c3da3fd1345faf1b169a16bfdb33029745b732f7
SHA256 4453b6bdb006b3b640012ea22c77decd85baaec45751a98adbd0077a5b9b31c3
SHA512 b19c135f02318ff07ee046cd4fd67f982fb7b172a558b4dd2a2171aaece70082b666c305aa9652fad3e592072b38446ac1411fa3458241268fc920215f8d096f

C:\Windows\SysWOW64\Pbkamqmd.exe

MD5 1d631ab9b8d8874daa2e5f16f23bdf68
SHA1 e571a2e16b7a8ad004934ea03fca70901ddfead2
SHA256 bc710ad4d1171bd999696f20532a146628048a8ed3b5de661705dcb6b39937c8
SHA512 d4ef7160c3100b6ff5310dac6172819e96e47b3f6c51d31278e9797be19dcacee161f08567bd4e569d2082d67167e696c31fa3742d1994eefd175a98e3f2c56c

memory/2380-249-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5056-257-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2392-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1952-269-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qkmhlekj.exe

MD5 e163042dbee2c2de7b644c302245e9ec
SHA1 dd80e7c4786fc332448269a07d6c2703157b6bd3
SHA256 f832e72552e2d8f02743e25f5d76fa95753e819af26fcef89450fe0cbfb252c0
SHA512 086bd8e4e77dd678939f9716c607cc53ac3c0dbf25a23c539dc398fa9debb7440273811820ff27114c0e996145cddf77624bfef67266cde971278764125961ea

memory/4984-275-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qeemej32.exe

MD5 fc328b47d66ab334f6794befa64fdb9d
SHA1 a0ffbcff288f08be5ce36d7f444359eb7be919e0
SHA256 6473c88cdc0bc751a15e66e2f16ada20fea6f3e184fb5d268cd23e8c0b8a5442
SHA512 cf0b869e62c4570f88ed8fe4d8d6ca8e798b61f4225fabbd34c416696419b871d835652f6e0cedda285fb9d5a6c78362ed1f3ea43e3c76c1b791a353db02649a

memory/1988-281-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1732-287-0x0000000000400000-0x0000000000433000-memory.dmp

memory/316-293-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4820-299-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3988-306-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aelcfilb.exe

MD5 75980f24edf99640d7802a9fb9926bc4
SHA1 2fae2b629eaa0e080dd8454b7368f6ed4f669d57
SHA256 d50564aa5d1fdb67f886dbf660a8a8216491d7586e71a63e9070a03317fd48dd
SHA512 fa495233a68e1a00af2e8b749c152436b43407614344edf20d57a35ce1d4c53284936418448edd57cbf716336336e58e2ed3f109a4c25a9a85b6920871bf9a02

memory/4928-311-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4868-317-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1820-323-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1432-329-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4012-335-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4108-341-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4832-351-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3788-353-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bnnjen32.exe

MD5 5e39675ed79e8f273fb746168f906ed5
SHA1 6402a28a759eab38e942ee9206893d13739e067a
SHA256 b483e73f56259a6440c00b24d825a687508e4a83f2fa799196ea85900c38bc87
SHA512 0d42776c1b99d63584ce3931fda11ad55584a6163c122ab43334f13b64b29067f99847d8db0db583309c7bd9d208945198d8366c5a6f087883d38042dff3d5b8

memory/4388-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3436-365-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2452-371-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4860-377-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3864-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3740-389-0x0000000000400000-0x0000000000433000-memory.dmp

memory/612-395-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1940-401-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1076-407-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5008-413-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4900-414-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4292-422-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2304-421-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3972-420-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3464-432-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3104-434-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Camphf32.exe

MD5 30ca635f9cd5c7bf846ad3bb7574c22e
SHA1 a00e4cb1740d0f75856fc9a6b47030568689d9cf
SHA256 57e6dc8a61886b4a4db6e9b64cb454b4b6c335e3125a5cf68284838b47d7edb2
SHA512 c9c5c7b02837c9ae9c95d34580658a33d4586d3fc109656d363d00cb60508353aee3e9c1749eb478aff4cb92a2bd4f998857340dfed7032162d80680ad27122f

memory/1492-440-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4344-446-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3412-452-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1516-458-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2416-464-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2700-465-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3860-471-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ddbbeade.exe

MD5 2fafd7100bd92bee709a58e4cc37e4e4
SHA1 52e4de98846a3b9bc72cfa19224efc31b8d8d6af
SHA256 ec298b30dbf611b44b651526dca85d500f6a7173c3282d539b1a1c4bc63cc86b
SHA512 4a1297e46db5de8b0a994cd6971c3f2fdb8abc8a6b5e48392f2c0cc916d7756a79cbd98ca699c9bd04a7c46ac196c4ddebd050107251a5c1d71f7884b92e0408

memory/2920-478-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2908-483-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dojcgi32.exe

MD5 1c101f41a0ecd67a8d8679eb492e3f81
SHA1 49d1faf75dc12311131a88ba01d37c8a883dee6a
SHA256 dc574ae1c87ff3d968e3a1a954a6cd37cc31e2a1612b3e837d17b7eef6e51608
SHA512 8db3eab826ccc2da697eb92b98c4030e1de4d84f325e7fa217d7a3abff94cdbbbb8eae1a0aee84afdbbcafa74eef77caee5f19273da133105e4ade67af694960

memory/1912-489-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1660-498-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1052-496-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4380-503-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1808-509-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4768-515-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1880-521-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ehimanbq.exe

MD5 8ec3b26fa9f6d1b216fcd6e718d4ea6f
SHA1 9b433fb3cab45b39c6a59147b913c37de3094a14
SHA256 9ca44126b4ffbd879150b8e45629272fc8f49f3801e2a5d96cc29353f3b5ee7d
SHA512 921f14e2d97cd37dc227b5bfbc9da821549c2d58e3ac150e8d8cf2a813d74a619c8db2ee522925c8db805756fd695d3244fe0f2f7c46bbf5d43c1b0ab05b2224

memory/2676-527-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4576-533-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4644-534-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ecandfpd.exe

MD5 f7446a09a6eb9c7c72b9b5bd7468da02
SHA1 38b08249e3ea62c33c845e58e371e77ae92c94c4
SHA256 97dffd28018ee75273f555f4280923ab07290cfedc89fcadd31346320e132cd9
SHA512 16a843a10cae6eba3a7a48cda355413defd3ecb8ffa874c225e25113b585b148aa475586c12736e3d97bd823af820106159f78671d4588b7322c3e7df730f508

memory/4060-540-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4360-547-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3112-546-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fafkecel.exe

MD5 205fe96b4c2892c4ec2473e68c18c45a
SHA1 9b743f15fbfd31b4764a4991281af08df9ac661f
SHA256 1729b11bf6f57cb2f656841d2987787f03d18bba673178bcb618e391b4b3443a
SHA512 b0f942496c72b4911f33d65923680f1393496e7811f68bf635cc83689815e3fb45bb02f84556b038bff1235901fd54cdcf008bd4d8392263efab8605ea07314d

memory/1600-556-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4572-553-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4164-564-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1160-566-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fdialn32.exe

MD5 97c7805c9b148e872fd35f05b7a352cf
SHA1 ff2680eafe9abd73bcf22fd7261fa4c31c977a7a
SHA256 208332670e942547af41d64b02b1b36988f10d9c4913cb45b6ac719c76a0139f
SHA512 bffdf7303529bb3cd60b1deb3b3197b291a0abdbed07a716578dd6f3cc7b42a73dac680e73b41f02998ae127febc48c0c089332345207ece302bc32cc165eb7a

memory/3240-575-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4312-578-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fcmnpe32.exe

MD5 bc4b636aad4ac93afc7429f4088e6710
SHA1 22075bddffc5a1df668f5061b03f2e81c940ded0
SHA256 64b06f86dede2e39c028ac96381cac3f5be3617235c0c0e5b82ca7a7ebc8f63f
SHA512 3592d68efbf197f07a7276b690b47b7d2597ec083b6c8ebc978f4dc4c4226002c33e1f0e4a3a72953890359df39aba4744a1b3216ec7d193e62d15fc09cafce5

memory/2248-584-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2096-590-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gdqgmmjb.exe

MD5 c152162781ce5fbc9b6e2f92233b8c4d
SHA1 fe04656bf8e648beeaff92f0eb81f56dd069cd65
SHA256 23e8942d72a979ae12a257bad7e703e98083dc8823fc44bbc549d761c18309c5
SHA512 b39f576b58a9e3454e2377f5bdc6ad51b9b2ee0cb370eef99c6337413080efd9c47d68808fb6c0f32ea2d20d1e9cfd394a4ad864a99ee6590e84a0a5b1a08e54

memory/640-596-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4700-597-0x0000000000400000-0x0000000000433000-memory.dmp

memory/412-603-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gohhpe32.exe

MD5 b5b84361a905e12b2f62e7ce36f189ae
SHA1 13fb428ce62f8f1537f13d357b5d07f76063f34a
SHA256 6dd5e10f077b68a784d86c20f7e4d6ff0d38360c1d4179c07540ba995e160f8b
SHA512 54f2664b5c0e9d1dd3315473781f899b1842f59f6d0dbe4628c55229b7ed38700f2032068a6e22243acb4d86215335b6f2e0ceaff9e83142f8ce5dc613120c6e

memory/2156-610-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5104-609-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1636-616-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2660-623-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3500-622-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4592-630-0x0000000000400000-0x0000000000433000-memory.dmp

memory/624-629-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hihbijhn.exe

MD5 de15619369a172149f5aa402b5aad233
SHA1 e41ae0abe4460b59fdc940696ba08e7726ee2077
SHA256 14aa540d1c8a9d852f0690603e0dbcd54c1cba2d688b4c1d4a755a217af9bc57
SHA512 5251d7c798947784e47baa59f456fca1264e2d04b239e5d2572c46746401c36ad6c8ff3ef4a14a6e58d1b7171ad8113490355b82d7da17e314ecb1407b5b906b

C:\Windows\SysWOW64\Hoiafcic.exe

MD5 7cdc0321744749d8cdc0ededccc6ec9e
SHA1 65d740f5cb17168ce8f77fe6f05e55b3a9e2df0f
SHA256 e756bd6b30a10b4a1fa3db585ec7328e96d1af4b99f8e6b0d39774808e52e951
SHA512 ec7264ac80006e43394715a07f2182fb0c8f8a1c150b7737f122d44a8692252236017aca96878c578f233289406fc19b4a615a102899a800c9caae6d5c7e7c33

C:\Windows\SysWOW64\Ieolehop.exe

MD5 0cafcdbc0dc6830044e50288d373b86f
SHA1 0cec516e23f290edf41b8e3687885db4dd8ebb12
SHA256 2839f9abe5e0acc942123ddaa0ad42f2ac8c57b8671e5d632d6a316c6ce6ce02
SHA512 5a67473478a28895e66b241bc661d768b3cc42699b27cfa4d81f3e5fa5b5b1c0b6eca0c8640a47362f9fa6f588357e45d64d2b99b5b9660d187323a83970d883

C:\Windows\SysWOW64\Jcgbco32.exe

MD5 343fb14b4e1fb38fc6ed7de56f7bc4d2
SHA1 d132b198e3eca9887bbd37ccc05ae71b0fecb6f4
SHA256 c8f46f0790603a428a339f45e05a21b0fdf3c5e9d81ace44bd4aae6d4af97afc
SHA512 f14f74194b934ee75838e3c0b65f90b947efe138467d08d76903d43354675d199c9b3e29a328064df9b0891998a5bb01c7047073bf96b387d437ab5c68b76fef

C:\Windows\SysWOW64\Kimnbd32.exe

MD5 a3ba58d1a4a32730efe4a47a6e2b8e45
SHA1 e6107f1cafb0405aa77ed3b47e17e0812c3c3c31
SHA256 4dbe5565233e771a9d3e6896b5b154a17346427b7b3e892769ada13da2e171f0
SHA512 bc5fe298943a6ae3e53d9f9e9561dec5f34852187043454b63daf0b8e166b7689414ae0f359094d21d3305029541a8cb76fb2e5087876ce1a32562c36e9d4caf

C:\Windows\SysWOW64\Kbhoqj32.exe

MD5 541d8f0feb76df384f47630f31978410
SHA1 53dec32beb9872ef669be5272e5b88210b037362
SHA256 c471d4e2d9e9ee30604b3c2bb3af515b5fe156d32206463d27c3f325b581735f
SHA512 587cfa9da414e01f6a6c1f5e4c18b2f560153e7695650b6b3e0139d1cfc4ef710e6f55220c6fdd49bc743aab45eec00c285cc6b8f7aba736b50b5ab44e2ff122

C:\Windows\SysWOW64\Lbjlfi32.exe

MD5 6edc79ec6efdd85951cc13a2f5166c74
SHA1 b540b0976f4b8195c29ad4f43b824e944f32418d
SHA256 dea9965578c1e98317c47e0a6724961dcb56e0099012ad94034f185eea119ec5
SHA512 a8b38b5c3926851dcca35aef07092e6550dc9c5167d9dec431cb697b8e3855f4bd09e1f6e16482775563e6fe016184f7b55a7e6945fe76080f4215b4a0000fc3

C:\Windows\SysWOW64\Lbabgh32.exe

MD5 4303e9f42f8a07493f58401a52dcd7a4
SHA1 f2ebd1089fd5ea44e1d5ce4fa40abb171f03789a
SHA256 4de53582a3249769f7cb15f5830ff5c5f30141edf136bc3e0fb72f4391533f63
SHA512 a561c9b771f2dcb39552c4f808b9b47b692fd3d16636af5ace5986a85e65cce39fd80546aed658db97c42bcb63ed137d9a94776812855c90f229c778208f62fd

C:\Windows\SysWOW64\Mlcifmbl.exe

MD5 786fd3e916aa9ad2ac034d5d01cb2c5f
SHA1 f0615136296f7d9445b9c6196d14a23cbb74d854
SHA256 5d9898b2cf17a62a11b5ad64d0d35c83d14b650e218c76cc0b6510d5db4aae0d
SHA512 fd0ee29912aa1fdc3a8020a359bcc45ba6696e6de4a6fab39a070851e00b5e145cc137e424677814444b3427fb62a43848b5368e5ae3f8134076bb0b104ae4a0

C:\Windows\SysWOW64\Mlhbal32.exe

MD5 cf8e3b95345409b736ad445b58547f61
SHA1 6e71b6719ad1bec62c1f53677d53e7aba2408613
SHA256 ceb9dd57ccfd3f87baee18949b9616ec64cbef052f240d1cfbe5bed1950cf140
SHA512 f063f3717547f1acff7ba9afde84805a0c75a5b153b1f3d4a80d614ad577e4644c2bece5165d07c126c8e810f01403abb7e4a0916dc45886007020fbd1b2c523

C:\Windows\SysWOW64\Npjebj32.exe

MD5 c6504a4015fb77858fac43c098b480db
SHA1 889b7d9c42d91027c8acb1ddce25fcedec0931b7
SHA256 338d7808e40ea882eb210c03c1335e5d34fc48a05107a5e232edb693564a0a4a
SHA512 62bef87107e4f2d430005929e4e433b064a65076cc92efb1369823f23a303d75c05f4d22c6fe77dea9906745bd22aa9c315cef97e2d770e8b162403fec3c55f0

C:\Windows\SysWOW64\Ofnckp32.exe

MD5 f7ffc87c234a83a42d9837f6a93b92d9
SHA1 332e76de6cbf44cd07f715985dc1ac0da4736a1e
SHA256 b37db456e881c156ff7528359e4dc23099a997141eb1eef8547ba36fcba1aea8
SHA512 21ad594f89e978faed576270f404d6ec4cf6009bf5be6d001947c6395140985f96b69d9d2f4fb921ea990be49725973248ea230f18e6c9e6840c8c1dc8ef5b83

C:\Windows\SysWOW64\Ofcmfodb.exe

MD5 3f45f654f38dd07f5a4193b5f7a2e7b9
SHA1 7eda5cd4f1a73a154f737f786b128f774e9033ce
SHA256 44525821368be0162fb5ed1657b8f26c7efa78264baff9fe0c8dee8f20678e53
SHA512 91a7fe9c27bed07bc145e83aa4097ea1957ace0eac7f7cbf7357bc8da69c338ca3ddce83feb373303239c92d8ed261d8e6ab9779292c730e9f10a515589b5598

C:\Windows\SysWOW64\Pqknig32.exe

MD5 1820212aca95a7c54bc809efc2b475f9
SHA1 91a94705b40e21731435727d0a83d186b24d407f
SHA256 b0d5669f8d3ad5ecccb3e9eff26ab951d4a10bcc69f49887ff39a7a6f906d9ec
SHA512 a8943509e1c389b04d7d7d3381ab7c1f0254e5233df2723d59d4efec01b2b27431f5189360fc974f3f99a5de1955addaf8d80ad5add68c0a1274ae1fc463afc0

C:\Windows\SysWOW64\Pqdqof32.exe

MD5 c7b6a74e4f5bafc7c4179a91714598d3
SHA1 6056575e25378fa84d9471602b22961191d58950
SHA256 0cb9ffef272474cf4493afb162397bdd39f8fc02be34a259833600f9206b6d66
SHA512 e8274fb7b95ce880bbb1d57428739e49bbce5c93510f668cd24d627431b9ffb418facbb765fa2d3cb1b2410c3120811cc8e49cbb060d697f08efb905598140d3

C:\Windows\SysWOW64\Adgbpc32.exe

MD5 3810b502ba6c5aa96e43faf1cbf7492a
SHA1 810b55f3739525ec194151e206d11163a0401755
SHA256 423575a007aae42345863ad61a55827132ccd04bc42623964a547626915ff1b6
SHA512 67822f1d5cc2f5c21a673f3f29f428c3ea42483e423e36d1a796f6f8ab0f5f0fba3337645f67481c90e7b356d3bbd0bdad99de9375863feccf9b3decfac1b038

C:\Windows\SysWOW64\Accfbokl.exe

MD5 af7d52356fe1b5ed3d37aaf2cc19b236
SHA1 5a8b54f010fe39fb6b5ca9c3b28b835818f36eaa
SHA256 3e6776c30fdf524ee73e45d8f37a61fa6aa687afc53879718d5133833d9c8109
SHA512 36ebf6944c130af0986865fc36c843048a2faf71b20a606c5caf8f536877f80b8c57fd4ad0dcf72d70839ca441eb0f3852ffcb7aa0701b2039627689fe59f819

C:\Windows\SysWOW64\Beeoaapl.exe

MD5 4d44620f1435abe3a13cf3ee91971d8c
SHA1 05462206df10115ddffdd84323001e9970c289d3
SHA256 8cca883a29d555b16002134be3c6f39ec13a96e52fea229253c812e08abbaf82
SHA512 e4064e7afd3cf0d69d18cbee8d7e7a8d5f2bb3ad44b7edb373e6654b013ba4fb978f841ae81876c855b3e8ec8224b299a4a8d93a71bcd2d4b9433cbf17a4cf37

C:\Windows\SysWOW64\Bmemac32.exe

MD5 d30f603d1111b91ac41441728de88590
SHA1 2144a37eb94b714e487a9a0daacfb99f9507364d
SHA256 ae5c16f4072798f44b95fec303f190064d08c3e728064a47998a94c66d77377c
SHA512 bade94ef9f6b3ed418d99a3b3f3f7e8875cb70eeb0368e36204384645135043015c0adf35083b9105951b89ef51bdc41ffc0197799bc4b28c9823b7f93457129

C:\Windows\SysWOW64\Chmndlge.exe

MD5 ac915764f49c8eeb9a0b7a82c49998f6
SHA1 1d4a9f6639be843906b96f0c8d47fcc5e92a5f57
SHA256 ad4fa8d5293fda8dfe862228ee9bdb08b6744ae7301f4ee7fcb3052d91514c67
SHA512 6273b1f2b8c9d629287c1055efe1e852ada6ba030654f0e49d8d32f4015fd6e2c77cd11d4e1855f997157dca34f320bd7edf460a73530dde76b48e0658c308e2

C:\Windows\SysWOW64\Cnicfe32.exe

MD5 9eeff4d3bb1b8316394ee445026e2bff
SHA1 3d94345bbd2c7d51de636b5c882b2f10f324be23
SHA256 204de672056c6f20e5c62e600f90c5b042971535a6c58d00ce4dc67b18f79814
SHA512 a2be2f50f818e647c9344026903c33f9dee3cc4cf591e2f4d616c7c5aea6d96db3762262f535742bad4668601e0664407af2d01712e34d9835f1e016aa125d1a

C:\Windows\SysWOW64\Dmcibama.exe

MD5 223c05871507767d6f3a628051cf339b
SHA1 1d8d845c0fac40bc94d0f1d234d2562abb81464e
SHA256 5a40bfef4c1ae16deac43fb9f20dbd71059b5b7122b2cd00c4397758f993e417
SHA512 66cbd25251182b4ac0793869b145623423fabbda0bfd5a7a99a22e92678c6f067b35cf26c84c15a96722ce025b8da62b12160b6c21f784177284415c4139e42d

memory/6912-1508-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6204-1526-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6292-1525-0x0000000000400000-0x0000000000433000-memory.dmp
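The listing above only becomes useful for a sweep once it is turned into a hash set. The Python below is an added example written for this page, not tooling from the sandbox that produced the report: it parses the page's own layout (a dropped-file path followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/<pid>-<seq>-<start>-<end>-memory.dmp lines), rejects a digest whose length does not fit its algorithm, and reports the mapped image size shared by the memory regions. SAMPLE is an excerpt copied from the Jiikak32.exe and Kacphh32.exe entries above; the record and function names are my own.

```python
"""Parse a sandbox dropped-file listing into IOC records (added example).

Input layout is the one used on this page: a Windows path line, then
MD5/SHA1/SHA256/SHA512 lines, with memory/<pid>-<seq>-<start>-<end>-memory.dmp
lines interleaved. Record and function names are assumptions for this example.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Excerpt copied from the listing on this page (two dropped files, two regions).
SAMPLE = """\
C:\\Windows\\SysWOW64\\Jiikak32.exe

MD5 900bc607224cb478b3bab8cdec8f2fe7
SHA1 b145ae0c299a3cf1ee9b98a50df2e06ac5a60d5b
SHA256 20c1ec02bdd3ad1ac6342cd6740ef28702c849c601fb064abbe66d9e33627576
SHA512 cdf07dab8e90185459c9de1cdd5f8aee091fe55a8ede76c06fbd7f87de5bf583db6032ed62ac90aa6d32686b179d424550804920abf1de1a7e95582dadad2cc9

memory/3620-152-0x0000000000400000-0x0000000000433000-memory.dmp

C:\\Windows\\SysWOW64\\Kacphh32.exe

MD5 934dff0af1ef6138992c49a870f0407c
SHA1 19e1b50c6d7ec424eb3b2d9f716b8f4430efefae
SHA256 e201a339170348e8e824eccf3af55044a6cfd8df849aadad3c0b5db8f9a59981
SHA512 c1f2d76378bb435e30875c9c3ed8adbb57d65ebe63eec8af86156d308ce14d39bdd0b38836e9ae334c52b09a348b0357c214f61ba26696680165bf73c41a5205

memory/1764-161-0x0000000000400000-0x0000000000433000-memory.dmp
"""

# Expected digest length in hex characters; anything else is a transcription error.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (files, regions, errors). Hash lines attach to the most recent path."""
    files, regions, errors = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"line {lineno}: {algo} digest without a preceding path")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"line {lineno}: {algo} for {current.path} has "
                              f"{len(digest)} hex chars, expected {HASH_LEN[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
            continue
        errors.append(f"line {lineno}: unrecognised line {line!r}")
    return files, regions, errors


def sha256_set(files) -> set:
    """Hunting set: every SHA256 from the listing."""
    return {f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}


def image_sizes(regions) -> set:
    """Distinct mapped sizes; one value means every PID mapped the same-sized image."""
    return {r.size for r in regions}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(digest_hex: str, files) -> list:
    """Paths from the listing whose SHA256 equals the digest of a file found on a host."""
    d = digest_hex.lower()
    return [f.path for f in files if f.hashes.get("SHA256") == d]
```

On a live host, hash each candidate under System32 or SysWOW64 with sha256_hex and look it up with matches; sha256_set is the form most EDR and SIEM lookups accept. The size check is worth keeping: every region in this report maps 0x400000 to 0x433000, and one 0x33000-byte image at the same base across dozens of PIDs is the consistency that marks repeated re-execution of one dropped binary under new names.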