Malware Analysis Report

2025-08-11 02:00

Sample ID 240509-dwskjafg6z
Target dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI
SHA256 2ae3a68d6910cf91f6da42ac0ac61c147a9394c4fd2bad59de4c90bb860fdfd7
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ae3a68d6910cf91f6da42ac0ac61c147a9394c4fd2bad59de4c90bb860fdfd7

Threat Level: Known bad

The file dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Adds autorun key to be loaded by Explorer.exe on startup

Malware Dropper & Backdoor - Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 03:21

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 03:21

Reported

2024-05-09 03:24

Platform

win7-20240220-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ekholjqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dcknbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Elmigj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Emeopn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fdoclk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekholjqg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fehjeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gejcjbah.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeqdep32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fehjeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hodpgjha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gfefiemq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmhheqje.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hknach32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fphafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ghoegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Epieghdk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epaogi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djbiicon.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Epaogi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghhofmql.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hknach32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghmiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eihfjo32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epaogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekholjqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckjalhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjgoce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffnphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdapak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fphafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Feeiob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiaeoang.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gonnhhln.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfefiemq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gopkmhjk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gieojq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epaogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epaogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekholjqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekholjqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fdapak32.exe N/A
File created C:\Windows\SysWOW64\Gfefiemq.exe C:\Windows\SysWOW64\Gonnhhln.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Iknnbklc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Hknach32.exe N/A
File opened for modification C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File created C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Mhfkbo32.dll C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
File created C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Eeqdep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Glfhll32.exe N/A
File created C:\Windows\SysWOW64\Njmekj32.dll C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File created C:\Windows\SysWOW64\Hdfflm32.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Olndbg32.dll C:\Windows\SysWOW64\Faagpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Gbkgnfbd.exe C:\Windows\SysWOW64\Gopkmhjk.exe N/A
File opened for modification C:\Windows\SysWOW64\Eihfjo32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fjgoce32.exe N/A
File opened for modification C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fnbkddem.exe N/A
File created C:\Windows\SysWOW64\Feeiob32.exe C:\Windows\SysWOW64\Fbgmbg32.exe N/A
File created C:\Windows\SysWOW64\Gejcjbah.exe C:\Windows\SysWOW64\Gangic32.exe N/A
File created C:\Windows\SysWOW64\Iebpge32.dll C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Gacpdbej.exe C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File created C:\Windows\SysWOW64\Ghoegl32.exe C:\Windows\SysWOW64\Gddifnbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
File created C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Epaogi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Eeqdep32.exe N/A
File created C:\Windows\SysWOW64\Lpdhmlbj.dll C:\Windows\SysWOW64\Elmigj32.exe N/A
File created C:\Windows\SysWOW64\Mncnkh32.dll C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File created C:\Windows\SysWOW64\Jamfqeie.dll C:\Windows\SysWOW64\Ekholjqg.exe N/A
File created C:\Windows\SysWOW64\Hkabadei.dll C:\Windows\SysWOW64\Enihne32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fdapak32.exe N/A
File created C:\Windows\SysWOW64\Bcqgok32.dll C:\Windows\SysWOW64\Fiaeoang.exe N/A
File opened for modification C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dchali32.exe N/A
File created C:\Windows\SysWOW64\Dcdooi32.dll C:\Windows\SysWOW64\Fdapak32.exe N/A
File created C:\Windows\SysWOW64\Fiaeoang.exe C:\Windows\SysWOW64\Feeiob32.exe N/A
File created C:\Windows\SysWOW64\Maphhihi.dll C:\Windows\SysWOW64\Emhlfmgj.exe N/A
File created C:\Windows\SysWOW64\Ffnphf32.exe C:\Windows\SysWOW64\Fdoclk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Globlmmj.exe N/A
File created C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Hknach32.exe N/A
File created C:\Windows\SysWOW64\Ebedndfa.exe C:\Windows\SysWOW64\Enihne32.exe N/A
File created C:\Windows\SysWOW64\Gphmeo32.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iaeiieeb.exe C:\Windows\SysWOW64\Hogmmjfo.exe N/A
File created C:\Windows\SysWOW64\Gmibbifn.dll C:\Windows\SysWOW64\Hogmmjfo.exe N/A
File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe C:\Windows\SysWOW64\Fehjeo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Faagpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpmjak32.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File opened for modification C:\Windows\SysWOW64\Gddifnbk.exe C:\Windows\SysWOW64\Gphmeo32.exe N/A
File created C:\Windows\SysWOW64\Hknach32.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File created C:\Windows\SysWOW64\Henidd32.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File created C:\Windows\SysWOW64\Egdnbg32.dll C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File created C:\Windows\SysWOW64\Fehjeo32.exe C:\Windows\SysWOW64\Ealnephf.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gbnccfpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File created C:\Windows\SysWOW64\Khejeajg.dll C:\Windows\SysWOW64\Hpocfncj.exe N/A
File created C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Epfhbign.exe N/A
File created C:\Windows\SysWOW64\Kegiig32.dll C:\Windows\SysWOW64\Fdoclk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Ggpimica.exe N/A
File created C:\Windows\SysWOW64\Hodpgjha.exe C:\Windows\SysWOW64\Hhjhkq32.exe N/A
File created C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fckjalhj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffnphf32.exe C:\Windows\SysWOW64\Fdoclk32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll" C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hknach32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Efppoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Efppoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffnphf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gkkemh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Epfhbign.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fckjalhj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fckjalhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gonnhhln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll" C:\Windows\SysWOW64\Emeopn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ekklaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmjejphb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" C:\Windows\SysWOW64\Ghoegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ekklaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll" C:\Windows\SysWOW64\Ekholjqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" C:\Windows\SysWOW64\Efppoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Henidd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gddifnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epaogi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ghkllmoi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 2064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 2064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 2064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 2928 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2928 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2928 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2928 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2360 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 2360 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 2360 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 2360 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 2560 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 2560 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 2560 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 2560 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 2588 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 2588 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 2588 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 2588 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 2708 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dqlafm32.exe
PID 2708 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dqlafm32.exe
PID 2708 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dqlafm32.exe
PID 2708 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dqlafm32.exe
PID 2484 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Dqlafm32.exe C:\Windows\SysWOW64\Dcknbh32.exe
PID 2484 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Dqlafm32.exe C:\Windows\SysWOW64\Dcknbh32.exe
PID 2484 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Dqlafm32.exe C:\Windows\SysWOW64\Dcknbh32.exe
PID 2484 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Dqlafm32.exe C:\Windows\SysWOW64\Dcknbh32.exe
PID 2500 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 2500 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 2500 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 2500 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 2900 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Eihfjo32.exe
PID 2900 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Eihfjo32.exe
PID 2900 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Eihfjo32.exe
PID 2900 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Eihfjo32.exe
PID 2740 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Eihfjo32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 2740 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Eihfjo32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 2740 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Eihfjo32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 2740 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Eihfjo32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 2768 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Epaogi32.exe
PID 2768 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Epaogi32.exe
PID 2768 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Epaogi32.exe
PID 2768 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Epaogi32.exe
PID 2220 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 2220 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 2220 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 2220 wrote to memory of 2256 N/A C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 2256 wrote to memory of 540 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 2256 wrote to memory of 540 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 2256 wrote to memory of 540 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 2256 wrote to memory of 540 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 540 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 540 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 540 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 540 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 2236 wrote to memory of 864 N/A C:\Windows\SysWOW64\Emeopn32.exe C:\Windows\SysWOW64\Ekholjqg.exe
PID 2236 wrote to memory of 864 N/A C:\Windows\SysWOW64\Emeopn32.exe C:\Windows\SysWOW64\Ekholjqg.exe
PID 2236 wrote to memory of 864 N/A C:\Windows\SysWOW64\Emeopn32.exe C:\Windows\SysWOW64\Ekholjqg.exe
PID 2236 wrote to memory of 864 N/A C:\Windows\SysWOW64\Emeopn32.exe C:\Windows\SysWOW64\Ekholjqg.exe
PID 864 wrote to memory of 1928 N/A C:\Windows\SysWOW64\Ekholjqg.exe C:\Windows\SysWOW64\Ebbgid32.exe
PID 864 wrote to memory of 1928 N/A C:\Windows\SysWOW64\Ekholjqg.exe C:\Windows\SysWOW64\Ebbgid32.exe
PID 864 wrote to memory of 1928 N/A C:\Windows\SysWOW64\Ekholjqg.exe C:\Windows\SysWOW64\Ebbgid32.exe
PID 864 wrote to memory of 1928 N/A C:\Windows\SysWOW64\Ekholjqg.exe C:\Windows\SysWOW64\Ebbgid32.exe
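
The registry rows and the WriteProcessMemory rows above are flattened "Description Indicator Process Target" tables, and the two facts a responder wants out of them are buried in the repetition: every generation of the dropped-executable chain re-points the same CLSID's InProcServer32 default value at a different freshly dropped DLL under SysWow64 (the DLL COM will load in-process into whatever host resolves that CLSID; for the Berbew family that host is Explorer, via its ShellServiceObjectDelayLoad list), and each parent-to-child hop is logged as four separate memory writes. The Python below is an added example, not part of the sandbox report, that parses a constructed subset of rows copied from this page into a CLSID registration summary and a collapsed spawn chain. It assumes the row layouts shown here (paths without spaces, a trailing backslash marking the default value) and, for the chain walk, that each parent spawns exactly one child, as in this detonation.

```python
import re
from collections import OrderedDict

# Constructed sample input: rows copied from the two tables above, in the report's
# flattened "Description Indicator Process Target" layout (paths contain no spaces).
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" C:\Windows\SysWOW64\Dnlidb32.exe N/A
"""
WPM_ROWS = r"""
PID 2064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 2064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 2928 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2928 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2360 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dnlidb32.exe
"""

REG_ROW = re.compile(
    r'^(?P<op>Key created|Set value \(\w+\))\s+(?P<path>\\REGISTRY\\\S+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?\s+(?P<process>\S+)\s+(?P<target>\S+)$')
WPM_ROW = re.compile(
    r'^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+)\s+\S+\s+'
    r'(?P<parent>\S+)\s+(?P<child>\S+)$')
CLSID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_registry_rows(text):
    """One dict per registry row; the value name is split off for 'Set value' rows."""
    events = []
    for line in text.strip().splitlines():
        m = REG_ROW.match(line.strip())
        if not m:
            continue
        key, value = m['path'], None
        if m['op'].startswith('Set value'):
            key, _, value = m['path'].rpartition('\\')
            value = value or '(Default)'      # trailing backslash = default value
        events.append({'key': key, 'value': value, 'data': m['data'],
                       'process': m['process']})
    return events


def com_server_registrations(events):
    """Group InProcServer32 writes by CLSID: which DLLs were registered, by whom."""
    regs = {}
    for e in events:
        clsid = CLSID.search(e['key'])
        if not clsid or not e['key'].endswith('\\InProcServer32'):
            continue
        r = regs.setdefault(clsid[0].upper(),
                            {'dlls': set(), 'threading': set(), 'writers': set()})
        r['writers'].add(e['process'])
        if e['value'] == '(Default)':        # the DLL COM will load in-process
            r['dlls'].add(e['data'].replace('\\\\', '\\'))
        elif e['value'] == 'ThreadingModel':
            r['threading'].add(e['data'])
    return regs


def rewritten_clsids(regs, min_writers=2):
    """An installer writes a CLSID once. One re-pointed by several freshly dropped
    executables, or at more than one DLL, is the worm-style re-registration above."""
    return sorted(c for c, r in regs.items()
                  if len(r['writers']) >= min_writers or len(r['dlls']) > 1)


def parse_wpm_rows(text):
    """Collapse the repeated WriteProcessMemory rows into one edge per parent->child."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = WPM_ROW.match(line.strip())
        if m:
            edge = edges.setdefault((int(m['ppid']), int(m['cpid'])),
                                    {'parent': m['parent'], 'child': m['child'], 'writes': 0})
            edge['writes'] += 1
    return edges


def process_chain(edges):
    """Walk from the root (a parent never seen as a child) down a linear spawn chain;
    assumes each parent spawns one child, as in this detonation."""
    by_parent = {p: (c, e) for (p, c), e in edges.items()}
    roots = set(by_parent) - {c for c, _ in by_parent.values()}
    if len(roots) != 1:
        raise ValueError(f'expected one root, found {sorted(roots)}')
    pid = roots.pop()
    chain = [(pid, by_parent[pid][1]['parent'])]
    while pid in by_parent:
        pid, e = by_parent[pid]
        chain.append((pid, e['child']))
    return chain


if __name__ == '__main__':
    regs = com_server_registrations(parse_registry_rows(REGISTRY_ROWS))
    for clsid in rewritten_clsids(regs):
        r = regs[clsid]
        print(f"{clsid}: written by {len(r['writers'])} processes, "
              f"DLLs {sorted(r['dlls'])}, ThreadingModel {sorted(r['threading'])}")
    for pid, image in process_chain(parse_wpm_rows(WPM_ROWS)):
        print(f'{pid:>5}  {image}')
```

Paste the full tables into the two constants to run it over the whole detonation. On the sample subset, `rewritten_clsids` flags the single CLSID because five different dropped executables wrote its InProcServer32 key and pointed it at three distinct DLLs, which no legitimate installer does; the DLL names that come out are the artefacts to hunt for on disk alongside the CLSID itself, and the collapsed chain gives the parent image for each generation without the fourfold repetition.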

Processes

C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe"

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Dchali32.exe

C:\Windows\system32\Dchali32.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Dqlafm32.exe

C:\Windows\system32\Dqlafm32.exe

C:\Windows\SysWOW64\Dcknbh32.exe

C:\Windows\system32\Dcknbh32.exe

C:\Windows\SysWOW64\Dgfjbgmh.exe

C:\Windows\system32\Dgfjbgmh.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Epaogi32.exe

C:\Windows\system32\Epaogi32.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Ekholjqg.exe

C:\Windows\system32\Ekholjqg.exe

C:\Windows\SysWOW64\Ebbgid32.exe

C:\Windows\system32\Ebbgid32.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Ekklaj32.exe

C:\Windows\system32\Ekklaj32.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Efppoc32.exe

C:\Windows\system32\Efppoc32.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Fckjalhj.exe

C:\Windows\system32\Fckjalhj.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Ffkcbgek.exe

C:\Windows\system32\Ffkcbgek.exe

C:\Windows\SysWOW64\Fjgoce32.exe

C:\Windows\system32\Fjgoce32.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Ffnphf32.exe

C:\Windows\system32\Ffnphf32.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Fphafl32.exe

C:\Windows\system32\Fphafl32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Feeiob32.exe

C:\Windows\system32\Feeiob32.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gopkmhjk.exe

C:\Windows\system32\Gopkmhjk.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gejcjbah.exe

C:\Windows\system32\Gejcjbah.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gkgkbipp.exe

C:\Windows\system32\Gkgkbipp.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 140

Network

N/A

Files

memory/2064-0-0x0000000000400000-0x0000000000447000-memory.dmp

\Windows\SysWOW64\Dqhhknjp.exe

MD5 e7bb1bcd7106157d923ed9bdd2c098bf
SHA1 e8a5710826f6b2cd10ab3674e3dbadb95b6b155d
SHA256 b23510a821e6ca5280c673d2fa2a1b9bbbe3ae7a302455ff71330f597c87c925
SHA512 26415b12fa6db12b932ca613ec5a5a2bb8db413d3bf59ae0392e26ca6cd7ae9db043b8c01159f813d36635833f8cf8d6878adee6eb0b6fea7cadc988789b2720

memory/2928-18-0x0000000000400000-0x0000000000447000-memory.dmp

\Windows\SysWOW64\Dgaqgh32.exe

MD5 683d3b451eeab5dc2f0fea91fc4d2ef6
SHA1 9354abaf5c42a98a18308cc7e7ae265e3056ffbd
SHA256 2f26864b36920ae8e4428e3070cc7cec8a77a1371e82e3de8249b61d52371969
SHA512 3fa7fa2fa477fac537404bd5760c605014a4d24dc65c97c6c270066f77b2f2df41f24eea637a1bb68f5c13b7ea318fce3760f2e4befa501e43da6c9b66b957e0

memory/2064-11-0x00000000002D0000-0x0000000000317000-memory.dmp

memory/2360-31-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2560-39-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Dnlidb32.exe

MD5 29f5714b4745d441f364a6e467bc2b27
SHA1 05c7c365a5d7a9cd50560672a9c08db50b098f5b
SHA256 737352c41be27e9a075f096d044eff922cad1ba9e7c0757af587a55f1d3aa382
SHA512 3b00e84f21e5d4b98cf22ef112ea315205218c7b10ad8dd2a3b5a28948b589179dae4c61289fd84874ae0d533a137ee9cc0d9d8b3eb6e4094b57fdaa20312c84

\Windows\SysWOW64\Dchali32.exe

MD5 941d569f8161ad5c520e17f9d951ee24
SHA1 c670bc8661691b0b3ea04df0746a2040f1d39607
SHA256 1519cafd13233c88393a50ce88364d4d55c12ae093256ac9e9f89eabe520268a
SHA512 823cf45a233da92d3988aff6e1d099b4c3335e3bd2d5baebdbb6a7728ea1d23bcc048f2000a7da2ebce54a6144916b6acc83477bfaa2c4ef1f03ec235aece034

\Windows\SysWOW64\Djbiicon.exe

MD5 dad08cfc7859b8a562b4444698aa2c08
SHA1 a2be1918dc2514e32ccd99df2742539df0b9ac3c
SHA256 8b4f14513c40a71b782cea87d4f1e13e3ad5dc4149d8518008bc7b8fb54e4437
SHA512 fffc85af570bf91607881acc2236fcf9bb2044e14188499684dc9488c6ef85c45aeeec7c15029b2aeb175721826c1b795dc7b1c80156b2b66ab38e41d8b278a9

memory/2588-64-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2708-66-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2560-57-0x0000000000290000-0x00000000002D7000-memory.dmp

C:\Windows\SysWOW64\Flcnijgi.dll

MD5 ef8d9848cf5bd1c5abfc2b649ea8fd6f
SHA1 fb2776ac69453f3d854ae23f25aae927d44906d0
SHA256 beeffbab5b7cb530b956139ba6d7237f7b939bcc037ef60955daf6b1de48ac6e
SHA512 8faddc14d906fced5713ca611c201cc43c3b4bc349b7f48dce554868c054344d59882a994c06a349cd6183c4ee877114e2d4f4f8496ef1803e87842101b24ecf

\Windows\SysWOW64\Dqlafm32.exe

MD5 95294a64854dd4c625d5720ec0042069
SHA1 7f347e9ad7809cd749416dfa159c7a159a19b214
SHA256 245a6b1c233c2f413f4bd61cc3f14719ee08d1deb0c7d03131946abcb19d2bde
SHA512 a3cf10789ea8033b1a7edb39637370527d25f2a2ee928106410edd3264cceb16f54bbea7585d61a7508575cd9fbb5d0c2006649e9bf71340e779f380bd6adb7f

memory/2484-84-0x0000000000400000-0x0000000000447000-memory.dmp

\Windows\SysWOW64\Dcknbh32.exe

MD5 8fa13f4ca26626d6169daea250a3b081
SHA1 e8ed774e456f4080579d73a1a93bdc7c5779cc65
SHA256 890176a48ba2bf40e53cb14d87b55b8c3cf2ea9a0a72286e06ec4eaa71d87000
SHA512 38e1cf9524247e4ecd6abfca5c808147c48295ca6ac60f1fb325a457c0be696208b4f66a4db77ca78998f49b9fc30e051207c5767b235dc8433a39bb531e56b9

memory/2484-92-0x00000000002A0000-0x00000000002E7000-memory.dmp

memory/2500-93-0x0000000000400000-0x0000000000447000-memory.dmp

\Windows\SysWOW64\Dgfjbgmh.exe

MD5 bf5493169159e066c845e8212da5e480
SHA1 bbc32f1a13a91763079756f2ee4769cb511f60dd
SHA256 d515c269803c2dcfbffaf4b322cdd7fdd6c8f31646b32fd67c699ea485ccf154
SHA512 eecd450534aec32e1a16890631a0852432410acafa607f4a9bca286db313d5e126b29c377949594abe19145bc73a87f6a6b85266f222cab22984681d8830d902

\Windows\SysWOW64\Eihfjo32.exe

MD5 58e8da433dc499f22cca89a8c9aff02a
SHA1 c386d508f145a1f7496b67ad694dc2205d7bd4d6
SHA256 580369fb3ae25619b9f73a7f66020a4e8763b747ba14ffc2063b6a9f155a6089
SHA512 26f50e0623de2e8230b2e52bf748b071958b3c1f10533eb73ebd9e267f4050ec58c89218c23440e6da839687fa707f8879255447985f025f0a07832b710b1614

memory/2900-111-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2740-124-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2768-132-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Epaogi32.exe

MD5 d3be8bb2c63e2c3b739e876e478d25f4
SHA1 dc76b49dfc38b115708bfb96a4448d22ee0ef76d
SHA256 636d27462b14287f1192b9ec77a6bf135efc18c5584c3786c8bbdbd91e5fd368
SHA512 2432d9a60c5ea75d82fe47c994ab1dc25fbe2e5e534272577f736d60c749161b3fc89c78957a1d18d485c7eb91e7c39f1e44bb2941c1118252a4d205bf61f415

memory/2220-153-0x0000000000300000-0x0000000000347000-memory.dmp

memory/2220-152-0x0000000000400000-0x0000000000447000-memory.dmp

\Windows\SysWOW64\Ecmkghcl.exe

MD5 22550452cc8a11eac844402cff4cc2e8
SHA1 44f850bd16ca64bc6b3b2b3e902cc367f9321f79
SHA256 b3cad5485e1d862fef3d254f176f22f3f8840dbc2f1ac042c2e3e18528d4ce86
SHA512 4409c01f29c191fb0d4043392f15a91d56d9f1675a699e498ddf858211c49d481c5fcec96c39cb0bf59c189993ef1dee26e7fe40f1325cfabdf25fb2f29ccb4e

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 ff82c206bb484fbda329b67024c5c043
SHA1 4d3f38ca4ea660a8c10c65d2a2189119a53a31b4
SHA256 257d482ed19375b79e30a47e6921f021b084630c3fcd51defd55fed271e42912
SHA512 6a8b1c008bf6c4c563055cf6b319630a3ea24f770c98c2a98dec4f85c6b7b1494e7a170fc9cba573605a1abace6de3ff75ae5e48838b1ec53ef3617bea6ca342

\Windows\SysWOW64\Emeopn32.exe

MD5 0f2e8d821f4a50786442d7fba8135fe0
SHA1 be3ce203514be7c77d0121e3955492de374f4287
SHA256 2f99863712b09dff2677b30a507033ce9d610ef6dc2eb906ce4e1b3d82d6cdda
SHA512 e557069624568ecd2eeefe4cb408517ceed0ed2952fb386dcfc92a031c86166af58f4ae13e7201c734512cdd273c98a624eb6a523f1d7ae1de6f311b3a87f3c6

C:\Windows\SysWOW64\Ekholjqg.exe

MD5 0709ead7de99f40d56d1a98b0f3fe024
SHA1 d9cab3f3096c4c446728c98aa0543ae156f26c67
SHA256 1b09293b865ee47cda5004def57d8ede3b472d7c126e6d3b88e2c97f22f11cb2
SHA512 d9072e31b35ddf220ce0efc578d154b105215f0e35f13e834d9b1b52c6e6e7cd4a0d6e7fcb375ef149f9d645a30df54ec8ef82dcdbbba8867c24e1b58a54634a

memory/864-197-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2236-196-0x0000000000400000-0x0000000000447000-memory.dmp

\Windows\SysWOW64\Ebbgid32.exe

MD5 fadb7a3848484c37c46f2a727171dd39
SHA1 0edb7a9604617a59e177bb9769a1fe8b60cc23b9
SHA256 3010c94319c74614516a31bfb4f90b5115fba299ac912046df6fe8fcc71392c2
SHA512 5e31d3997550311363d21c97d7c96d6a8e5eed39ea2d052aa99b1d26caf81cf5ad380805865f7bdf838c5264f286e47601f72f37f0485199177ee541ff3f4111

C:\Windows\SysWOW64\Enihne32.exe

MD5 1a8b56701753f2baf697c48e46198d95
SHA1 1f7d442ed48dfa685fc26f11d378f059282ca8c3
SHA256 8df0df28bc107d668f6eeebdc060bc0372db97409b3ca1db0f6755a6d3fcccd4
SHA512 b21824068c9ff232482bea34810d236f2bd30b1e3dcb7c791c87ec388280e4ad53fae1aa176626f2fec49080a3c77d48a17b1f6b023f575274a6ef0b370a586c

memory/2092-289-0x0000000000450000-0x0000000000497000-memory.dmp

memory/1640-318-0x0000000000400000-0x0000000000447000-memory.dmp

memory/708-317-0x0000000000250000-0x0000000000297000-memory.dmp

memory/2716-346-0x0000000000250000-0x0000000000297000-memory.dmp

memory/2472-384-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 98a8bee82f1f0e3a2547152acb1e6de0
SHA1 bf1d3d4f5104fa26d951690ca6fb1d5e19602df7
SHA256 227fe7fc14d9b89c0b5f756c582c4b79ee7e437f006946d424a95c4a6db83b48
SHA512 7f70b7a47c02b44d06bf011e4628a8c1e49606e63db39ef60757a0d66b772ba1fee6af9584c9fd90ef8f1426a3b68fcd97a2e1a2157292ae3bea81d2760f712b

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 207300508dbc6778b82f380dd3e3d544
SHA1 66d0ef12df47901024c2f77a313aa61108e9fb5f
SHA256 f87f840ac9bdd29218e1d8e5b8027e2ac1f92a1ec70383fa27ae87a3f6cd10d5
SHA512 62eb0d1065302faf72dd1ec6fd417a0afdafff2adf07505a1934c62e3eb4d5985b1fdc810d830b0bc55bd36ff8a47e1dd540c1cb43825d0e31c61811631014f6

memory/2468-401-0x0000000000250000-0x0000000000297000-memory.dmp

C:\Windows\SysWOW64\Fejgko32.exe

MD5 ea2194efc481a04ba2ed6714a3598274
SHA1 d34fd006eb7f8ee7e783fd7dd3b3c60faa498c38
SHA256 588363044715ed7e3c53756d246d48e83fd22ba003584dec0803394569c64965
SHA512 d9c7315e7521ac69cb9f992efc241c5d8fc64a627c9fc9be375315da911c61df0aa4b3193085651b8c15abd226825ce25340e2fc8b93be5b6b64ae4e15bb5afa

memory/1984-442-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Faagpp32.exe

MD5 740915b502ec68ed339418ee15c7d6e6
SHA1 d751af1e8a6593fb7fb82c6a13ecb3c0ef2226ff
SHA256 b59f9d32e4f215827ab390f937a0d8fc0554d3baa534a94c31b992f887b43d18
SHA512 d528fbbaa81a7ad613c1ddf26706f747df863b448f079131da4d193ce1939946dd71a91c1a314106d9f05ff774dd5159f43a8eb9abbf4335cb6d7b903a1acc34

memory/1536-488-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Fmhheqje.exe

MD5 c2da0e1291c1e64c981aadf976a32ae8
SHA1 fdbb53e12db5597865c71a0201dc5819f5557eb6
SHA256 f43710e73d0aa8faed4203f1cc49f421fa1bf994c9ec6257a547fc84a71d38f5
SHA512 13a9201bc31fef2359d88f96b3cfdce6858ff53703c9228607011a4d6b8300f33c6a18f1b41ba464fe3be6a720f3e9fc27a04b2b4fb6e9f4715c9d60cabf5c40

C:\Windows\SysWOW64\Fdapak32.exe

MD5 333c5a705e0cb1fab61d7f8bc457cfa4
SHA1 9e8bb7d128b1d1925aab3b1b6df12b26c707c748
SHA256 782c358818730aa5e8a13d704229db1e449e9e64b1e838348539576549cd83d0
SHA512 d3a496817be957e928447bea0334408888b074d8121872d40323791362ae0d84abb9dc4324ee1ff9342afe99e8935ecf02cb4ddd1a4483d434d20e01211d1902

C:\Windows\SysWOW64\Fmjejphb.exe

MD5 e1d85c7ed8449fc5671e179714935619
Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 03:21

Reported

2024-05-09 03:24

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlegeemh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbnhphbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Goiojk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hpgkkioa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hccglh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipldfi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cpedjf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dpjflb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcnejk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jfdida32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jaimbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jaljgidl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kinemkko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Denlnk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcgoilpj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ficgacna.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcbiao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cafpanem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ccmclp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ffbnph32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmkbnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gfcgge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Imdnklfp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djlddi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mkepnjng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dcfebonm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epmcab32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hccglh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hjolnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcklgm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncihikcg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chebighd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Denlnk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fodeolof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gppekj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hfachc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjolnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ifopiajn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpgqpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Commqb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cipehkcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fcnejk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpfijcfl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Caimgncj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffbnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fqaeco32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcqjfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hfofbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpgkkioa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijdeiaio.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lilanioo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dohmlp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fqmlhpla.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Biiohl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcgdfaa.exe N/A
N/A N/A C:\Windows\SysWOW64\Beppmmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Chnlihnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpedjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cafpanem.exe N/A
N/A N/A C:\Windows\SysWOW64\Cimhckeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpgqpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Caimgncj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cipehkcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Clnadfbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Commqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cefemliq.exe N/A
N/A N/A C:\Windows\SysWOW64\Chebighd.exe N/A
N/A N/A C:\Windows\SysWOW64\Coojfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Camfbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cidncj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpofpdgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccmclp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Digkijmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlegeemh.exe N/A
N/A N/A C:\Windows\SysWOW64\Doccaall.exe N/A
N/A N/A C:\Windows\SysWOW64\Denlnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpcpkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dadlclim.exe N/A
N/A N/A C:\Windows\SysWOW64\Djlddi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dohmlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dagiil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnaji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dokjbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfebonm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfdbojmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpjflb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchbhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbkehcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Epmcab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebnoikqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejegjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epopgbia.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmlcmhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgdpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eleplc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eodlho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbidj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejjqeg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elhmablc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecbenm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efpajh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehonfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqfeha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecdbdl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbnph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcgoilpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffekegon.exe N/A
N/A N/A C:\Windows\SysWOW64\Ficgacna.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqkocpod.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcikolnh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffggkgmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Fifdgblo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqmlhpla.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbnhphbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fihqmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqohnp32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ddhbep32.dll C:\Windows\SysWOW64\Ffekegon.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffekegon.exe C:\Windows\SysWOW64\Fcgoilpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kpccnefa.exe N/A
File created C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mjeddggd.exe N/A
File created C:\Windows\SysWOW64\Lppaheqp.dll C:\Windows\SysWOW64\Jmbklj32.exe N/A
File created C:\Windows\SysWOW64\Jkageheh.dll C:\Windows\SysWOW64\Hpgkkioa.exe N/A
File created C:\Windows\SysWOW64\Qnoaog32.dll C:\Windows\SysWOW64\Jjmhppqd.exe N/A
File created C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kdhbec32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdfofakp.exe C:\Windows\SysWOW64\Mnlfigcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbjhlfhb.exe C:\Windows\SysWOW64\Gqikdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fijmbb32.exe C:\Windows\SysWOW64\Fflaff32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhfnccl.exe C:\Windows\SysWOW64\Hbanme32.exe N/A
File created C:\Windows\SysWOW64\Bpcbnd32.dll C:\Windows\SysWOW64\Kgdbkohf.exe N/A
File created C:\Windows\SysWOW64\Kgkocp32.dll C:\Windows\SysWOW64\Lkiqbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fcnejk32.exe C:\Windows\SysWOW64\Fqohnp32.exe N/A
File created C:\Windows\SysWOW64\Dkfpkkqa.dll C:\Windows\SysWOW64\Gjclbc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hccglh32.exe C:\Windows\SysWOW64\Hpgkkioa.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpccnefa.exe C:\Windows\SysWOW64\Kaqcbi32.exe N/A
File created C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Lkdggmlj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\SysWOW64\Maaepd32.exe N/A
File created C:\Windows\SysWOW64\Mcplce32.dll C:\Windows\SysWOW64\Ffggkgmk.exe N/A
File created C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jbkjjblm.exe N/A
File created C:\Windows\SysWOW64\Hbanme32.exe C:\Windows\SysWOW64\Hpbaqj32.exe N/A
File created C:\Windows\SysWOW64\Anjekdho.dll C:\Windows\SysWOW64\Jpjqhgol.exe N/A
File created C:\Windows\SysWOW64\Elhmablc.exe C:\Windows\SysWOW64\Ejjqeg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djlddi32.exe C:\Windows\SysWOW64\Dadlclim.exe N/A
File created C:\Windows\SysWOW64\Gogbdl32.exe C:\Windows\SysWOW64\Gmhfhp32.exe N/A
File created C:\Windows\SysWOW64\Ilaidmmo.dll C:\Windows\SysWOW64\Gogbdl32.exe N/A
File created C:\Windows\SysWOW64\Gjlfbd32.exe C:\Windows\SysWOW64\Gbenqg32.exe N/A
File created C:\Windows\SysWOW64\Iinlemia.exe C:\Windows\SysWOW64\Ijkljp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Coojfa32.exe C:\Windows\SysWOW64\Chebighd.exe N/A
File created C:\Windows\SysWOW64\Ejjqeg32.exe C:\Windows\SysWOW64\Ebbidj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdkhapfj.exe C:\Windows\SysWOW64\Mamleegg.exe N/A
File created C:\Windows\SysWOW64\Jepjeoec.dll C:\Windows\SysWOW64\Chebighd.exe N/A
File created C:\Windows\SysWOW64\Ejbkehcg.exe C:\Windows\SysWOW64\Dchbhn32.exe N/A
File created C:\Windows\SysWOW64\Qjebnamp.dll C:\Windows\SysWOW64\Ejgdpg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fodeolof.exe C:\Windows\SysWOW64\Fqaeco32.exe N/A
File created C:\Windows\SysWOW64\Hcqjfh32.exe C:\Windows\SysWOW64\Hjhfnccl.exe N/A
File opened for modification C:\Windows\SysWOW64\Iannfk32.exe C:\Windows\SysWOW64\Ijdeiaio.exe N/A
File created C:\Windows\SysWOW64\Jaimbj32.exe C:\Windows\SysWOW64\Jfdida32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgbefoji.exe C:\Windows\SysWOW64\Kdcijcke.exe N/A
File opened for modification C:\Windows\SysWOW64\Dagiil32.exe C:\Windows\SysWOW64\Dohmlp32.exe N/A
File created C:\Windows\SysWOW64\Epmjjbbj.dll C:\Windows\SysWOW64\Mdfofakp.exe N/A
File created C:\Windows\SysWOW64\Ogndib32.dll C:\Windows\SysWOW64\Lmccchkn.exe N/A
File created C:\Windows\SysWOW64\Qbplof32.dll C:\Windows\SysWOW64\Gbjhlfhb.exe N/A
File created C:\Windows\SysWOW64\Kipabjil.exe C:\Windows\SysWOW64\Kgbefoji.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdhbec32.exe C:\Windows\SysWOW64\Kpmfddnf.exe N/A
File created C:\Windows\SysWOW64\Jplifcqp.dll C:\Windows\SysWOW64\Kdhbec32.exe N/A
File created C:\Windows\SysWOW64\Mdemcacc.dll C:\Windows\SysWOW64\Lcpllo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dadlclim.exe C:\Windows\SysWOW64\Dpcpkc32.exe N/A
File created C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nnmopdep.exe N/A
File opened for modification C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Clnadfbp.exe N/A
File created C:\Windows\SysWOW64\Gqpmkibm.dll C:\Windows\SysWOW64\Denlnk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djnaji32.exe C:\Windows\SysWOW64\Dagiil32.exe N/A
File created C:\Windows\SysWOW64\Iannfk32.exe C:\Windows\SysWOW64\Ijdeiaio.exe N/A
File created C:\Windows\SysWOW64\Jaedgjjd.exe C:\Windows\SysWOW64\Iinlemia.exe N/A
File opened for modification C:\Windows\SysWOW64\Jangmibi.exe C:\Windows\SysWOW64\Jmbklj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kdhbec32.exe N/A
File created C:\Windows\SysWOW64\Eenphlji.dll C:\Windows\SysWOW64\Caimgncj.exe N/A
File created C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File created C:\Windows\SysWOW64\Gmbkmemo.dll C:\Windows\SysWOW64\Ipnalhii.exe N/A
File created C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ncihikcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ehonfc32.exe C:\Windows\SysWOW64\Efpajh32.exe N/A
File created C:\Windows\SysWOW64\Dohmlp32.exe C:\Windows\SysWOW64\Djlddi32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mcklgm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Digkijmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdmcidam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iffmccbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldaeka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dadlclim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll" C:\Windows\SysWOW64\Dchbhn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ffggkgmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgbefoji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnldg32.dll" C:\Windows\SysWOW64\Bpcgdfaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Epmcab32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jmbklj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gfcgge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbfpobpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll" C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bpcgdfaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll" C:\Windows\SysWOW64\Cidncj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll" C:\Windows\SysWOW64\Ejgdpg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eodlho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll" C:\Windows\SysWOW64\Ijhodq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kbapjafe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chebighd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll" C:\Windows\SysWOW64\Lknjmkdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" C:\Windows\SysWOW64\Nqiogp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll" C:\Windows\SysWOW64\Jpjqhgol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll" C:\Windows\SysWOW64\Dokjbp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fijmbb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gmkbnp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jfdida32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll" C:\Windows\SysWOW64\Jdmcidam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll" C:\Windows\SysWOW64\Kinemkko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ljnnch32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Maaepd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Epopgbia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fqkocpod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jaedgjjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncihikcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hbanme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmbklj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkchobp.dll" C:\Windows\SysWOW64\Cefemliq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ebnoikqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbnhphbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gppekj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll" C:\Windows\SysWOW64\Hpgkkioa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll" C:\Windows\SysWOW64\Ijkljp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lalcng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll" C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cpedjf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ecdbdl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gogbdl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lpappc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll" C:\Windows\SysWOW64\Maaepd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecmlcmhe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fbnhphbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll" C:\Windows\SysWOW64\Fbnhphbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll" C:\Windows\SysWOW64\Ebnoikqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebbidj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkfba32.dll" C:\Windows\SysWOW64\Dpjflb32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5312 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe C:\Windows\SysWOW64\Biiohl32.exe
PID 5312 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe C:\Windows\SysWOW64\Biiohl32.exe
PID 5312 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe C:\Windows\SysWOW64\Biiohl32.exe
PID 3096 wrote to memory of 3612 N/A C:\Windows\SysWOW64\Biiohl32.exe C:\Windows\SysWOW64\Bpcgdfaa.exe
PID 3096 wrote to memory of 3612 N/A C:\Windows\SysWOW64\Biiohl32.exe C:\Windows\SysWOW64\Bpcgdfaa.exe
PID 3096 wrote to memory of 3612 N/A C:\Windows\SysWOW64\Biiohl32.exe C:\Windows\SysWOW64\Bpcgdfaa.exe
PID 3612 wrote to memory of 4164 N/A C:\Windows\SysWOW64\Bpcgdfaa.exe C:\Windows\SysWOW64\Beppmmoi.exe
PID 3612 wrote to memory of 4164 N/A C:\Windows\SysWOW64\Bpcgdfaa.exe C:\Windows\SysWOW64\Beppmmoi.exe
PID 3612 wrote to memory of 4164 N/A C:\Windows\SysWOW64\Bpcgdfaa.exe C:\Windows\SysWOW64\Beppmmoi.exe
PID 4164 wrote to memory of 5316 N/A C:\Windows\SysWOW64\Beppmmoi.exe C:\Windows\SysWOW64\Chnlihnl.exe
PID 4164 wrote to memory of 5316 N/A C:\Windows\SysWOW64\Beppmmoi.exe C:\Windows\SysWOW64\Chnlihnl.exe
PID 4164 wrote to memory of 5316 N/A C:\Windows\SysWOW64\Beppmmoi.exe C:\Windows\SysWOW64\Chnlihnl.exe
PID 5316 wrote to memory of 5372 N/A C:\Windows\SysWOW64\Chnlihnl.exe C:\Windows\SysWOW64\Cpedjf32.exe
PID 5316 wrote to memory of 5372 N/A C:\Windows\SysWOW64\Chnlihnl.exe C:\Windows\SysWOW64\Cpedjf32.exe
PID 5316 wrote to memory of 5372 N/A C:\Windows\SysWOW64\Chnlihnl.exe C:\Windows\SysWOW64\Cpedjf32.exe
PID 5372 wrote to memory of 5828 N/A C:\Windows\SysWOW64\Cpedjf32.exe C:\Windows\SysWOW64\Cafpanem.exe
PID 5372 wrote to memory of 5828 N/A C:\Windows\SysWOW64\Cpedjf32.exe C:\Windows\SysWOW64\Cafpanem.exe
PID 5372 wrote to memory of 5828 N/A C:\Windows\SysWOW64\Cpedjf32.exe C:\Windows\SysWOW64\Cafpanem.exe
PID 5828 wrote to memory of 3912 N/A C:\Windows\SysWOW64\Cafpanem.exe C:\Windows\SysWOW64\Cimhckeo.exe
PID 5828 wrote to memory of 3912 N/A C:\Windows\SysWOW64\Cafpanem.exe C:\Windows\SysWOW64\Cimhckeo.exe
PID 5828 wrote to memory of 3912 N/A C:\Windows\SysWOW64\Cafpanem.exe C:\Windows\SysWOW64\Cimhckeo.exe
PID 3912 wrote to memory of 3980 N/A C:\Windows\SysWOW64\Cimhckeo.exe C:\Windows\SysWOW64\Cpgqpe32.exe
PID 3912 wrote to memory of 3980 N/A C:\Windows\SysWOW64\Cimhckeo.exe C:\Windows\SysWOW64\Cpgqpe32.exe
PID 3912 wrote to memory of 3980 N/A C:\Windows\SysWOW64\Cimhckeo.exe C:\Windows\SysWOW64\Cpgqpe32.exe
PID 3980 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Cpgqpe32.exe C:\Windows\SysWOW64\Caimgncj.exe
PID 3980 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Cpgqpe32.exe C:\Windows\SysWOW64\Caimgncj.exe
PID 3980 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Cpgqpe32.exe C:\Windows\SysWOW64\Caimgncj.exe
PID 1116 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Caimgncj.exe C:\Windows\SysWOW64\Cipehkcl.exe
PID 1116 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Caimgncj.exe C:\Windows\SysWOW64\Cipehkcl.exe
PID 1116 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Caimgncj.exe C:\Windows\SysWOW64\Cipehkcl.exe
PID 1392 wrote to memory of 5280 N/A C:\Windows\SysWOW64\Cipehkcl.exe C:\Windows\SysWOW64\Clnadfbp.exe
PID 1392 wrote to memory of 5280 N/A C:\Windows\SysWOW64\Cipehkcl.exe C:\Windows\SysWOW64\Clnadfbp.exe
PID 1392 wrote to memory of 5280 N/A C:\Windows\SysWOW64\Cipehkcl.exe C:\Windows\SysWOW64\Clnadfbp.exe
PID 5280 wrote to memory of 412 N/A C:\Windows\SysWOW64\Clnadfbp.exe C:\Windows\SysWOW64\Commqb32.exe
PID 5280 wrote to memory of 412 N/A C:\Windows\SysWOW64\Clnadfbp.exe C:\Windows\SysWOW64\Commqb32.exe
PID 5280 wrote to memory of 412 N/A C:\Windows\SysWOW64\Clnadfbp.exe C:\Windows\SysWOW64\Commqb32.exe
PID 412 wrote to memory of 3732 N/A C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Cefemliq.exe
PID 412 wrote to memory of 3732 N/A C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Cefemliq.exe
PID 412 wrote to memory of 3732 N/A C:\Windows\SysWOW64\Commqb32.exe C:\Windows\SysWOW64\Cefemliq.exe
PID 3732 wrote to memory of 4140 N/A C:\Windows\SysWOW64\Cefemliq.exe C:\Windows\SysWOW64\Chebighd.exe
PID 3732 wrote to memory of 4140 N/A C:\Windows\SysWOW64\Cefemliq.exe C:\Windows\SysWOW64\Chebighd.exe
PID 3732 wrote to memory of 4140 N/A C:\Windows\SysWOW64\Cefemliq.exe C:\Windows\SysWOW64\Chebighd.exe
PID 4140 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Chebighd.exe C:\Windows\SysWOW64\Coojfa32.exe
PID 4140 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Chebighd.exe C:\Windows\SysWOW64\Coojfa32.exe
PID 4140 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Chebighd.exe C:\Windows\SysWOW64\Coojfa32.exe
PID 2732 wrote to memory of 3248 N/A C:\Windows\SysWOW64\Coojfa32.exe C:\Windows\SysWOW64\Camfbm32.exe
PID 2732 wrote to memory of 3248 N/A C:\Windows\SysWOW64\Coojfa32.exe C:\Windows\SysWOW64\Camfbm32.exe
PID 2732 wrote to memory of 3248 N/A C:\Windows\SysWOW64\Coojfa32.exe C:\Windows\SysWOW64\Camfbm32.exe
PID 3248 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Camfbm32.exe C:\Windows\SysWOW64\Cidncj32.exe
PID 3248 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Camfbm32.exe C:\Windows\SysWOW64\Cidncj32.exe
PID 3248 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Camfbm32.exe C:\Windows\SysWOW64\Cidncj32.exe
PID 1904 wrote to memory of 4728 N/A C:\Windows\SysWOW64\Cidncj32.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 1904 wrote to memory of 4728 N/A C:\Windows\SysWOW64\Cidncj32.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 1904 wrote to memory of 4728 N/A C:\Windows\SysWOW64\Cidncj32.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 4728 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Ccmclp32.exe
PID 4728 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Ccmclp32.exe
PID 4728 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Ccmclp32.exe
PID 2000 wrote to memory of 748 N/A C:\Windows\SysWOW64\Ccmclp32.exe C:\Windows\SysWOW64\Digkijmd.exe
PID 2000 wrote to memory of 748 N/A C:\Windows\SysWOW64\Ccmclp32.exe C:\Windows\SysWOW64\Digkijmd.exe
PID 2000 wrote to memory of 748 N/A C:\Windows\SysWOW64\Ccmclp32.exe C:\Windows\SysWOW64\Digkijmd.exe
PID 748 wrote to memory of 4128 N/A C:\Windows\SysWOW64\Digkijmd.exe C:\Windows\SysWOW64\Dlegeemh.exe
PID 748 wrote to memory of 4128 N/A C:\Windows\SysWOW64\Digkijmd.exe C:\Windows\SysWOW64\Dlegeemh.exe
PID 748 wrote to memory of 4128 N/A C:\Windows\SysWOW64\Digkijmd.exe C:\Windows\SysWOW64\Dlegeemh.exe
PID 4128 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Dlegeemh.exe C:\Windows\SysWOW64\Doccaall.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe"

C:\Windows\SysWOW64\Biiohl32.exe

C:\Windows\system32\Biiohl32.exe

C:\Windows\SysWOW64\Bpcgdfaa.exe

C:\Windows\system32\Bpcgdfaa.exe

C:\Windows\SysWOW64\Beppmmoi.exe

C:\Windows\system32\Beppmmoi.exe

C:\Windows\SysWOW64\Chnlihnl.exe

C:\Windows\system32\Chnlihnl.exe

C:\Windows\SysWOW64\Cpedjf32.exe

C:\Windows\system32\Cpedjf32.exe

C:\Windows\SysWOW64\Cafpanem.exe

C:\Windows\system32\Cafpanem.exe

C:\Windows\SysWOW64\Cimhckeo.exe

C:\Windows\system32\Cimhckeo.exe

C:\Windows\SysWOW64\Cpgqpe32.exe

C:\Windows\system32\Cpgqpe32.exe

C:\Windows\SysWOW64\Caimgncj.exe

C:\Windows\system32\Caimgncj.exe

C:\Windows\SysWOW64\Cipehkcl.exe

C:\Windows\system32\Cipehkcl.exe

C:\Windows\SysWOW64\Clnadfbp.exe

C:\Windows\system32\Clnadfbp.exe

C:\Windows\SysWOW64\Commqb32.exe

C:\Windows\system32\Commqb32.exe

C:\Windows\SysWOW64\Cefemliq.exe

C:\Windows\system32\Cefemliq.exe

C:\Windows\SysWOW64\Chebighd.exe

C:\Windows\system32\Chebighd.exe

C:\Windows\SysWOW64\Coojfa32.exe

C:\Windows\system32\Coojfa32.exe

C:\Windows\SysWOW64\Camfbm32.exe

C:\Windows\system32\Camfbm32.exe

C:\Windows\SysWOW64\Cidncj32.exe

C:\Windows\system32\Cidncj32.exe

C:\Windows\SysWOW64\Cpofpdgd.exe

C:\Windows\system32\Cpofpdgd.exe

C:\Windows\SysWOW64\Ccmclp32.exe

C:\Windows\system32\Ccmclp32.exe

C:\Windows\SysWOW64\Digkijmd.exe

C:\Windows\system32\Digkijmd.exe

C:\Windows\SysWOW64\Dlegeemh.exe

C:\Windows\system32\Dlegeemh.exe

C:\Windows\SysWOW64\Doccaall.exe

C:\Windows\system32\Doccaall.exe

C:\Windows\SysWOW64\Denlnk32.exe

C:\Windows\system32\Denlnk32.exe

C:\Windows\SysWOW64\Dpcpkc32.exe

C:\Windows\system32\Dpcpkc32.exe

C:\Windows\SysWOW64\Dadlclim.exe

C:\Windows\system32\Dadlclim.exe

C:\Windows\SysWOW64\Djlddi32.exe

C:\Windows\system32\Djlddi32.exe

C:\Windows\SysWOW64\Dohmlp32.exe

C:\Windows\system32\Dohmlp32.exe

C:\Windows\SysWOW64\Dagiil32.exe

C:\Windows\system32\Dagiil32.exe

C:\Windows\SysWOW64\Djnaji32.exe

C:\Windows\system32\Djnaji32.exe

C:\Windows\SysWOW64\Dokjbp32.exe

C:\Windows\system32\Dokjbp32.exe

C:\Windows\SysWOW64\Dcfebonm.exe

C:\Windows\system32\Dcfebonm.exe

C:\Windows\SysWOW64\Dfdbojmq.exe

C:\Windows\system32\Dfdbojmq.exe

C:\Windows\SysWOW64\Dpjflb32.exe

C:\Windows\system32\Dpjflb32.exe

C:\Windows\SysWOW64\Dchbhn32.exe

C:\Windows\system32\Dchbhn32.exe

C:\Windows\SysWOW64\Ejbkehcg.exe

C:\Windows\system32\Ejbkehcg.exe

C:\Windows\SysWOW64\Epmcab32.exe

C:\Windows\system32\Epmcab32.exe

C:\Windows\SysWOW64\Ebnoikqb.exe

C:\Windows\system32\Ebnoikqb.exe

C:\Windows\SysWOW64\Ejegjh32.exe

C:\Windows\system32\Ejegjh32.exe

C:\Windows\SysWOW64\Epopgbia.exe

C:\Windows\system32\Epopgbia.exe

C:\Windows\SysWOW64\Ecmlcmhe.exe

C:\Windows\system32\Ecmlcmhe.exe

C:\Windows\SysWOW64\Ejgdpg32.exe

C:\Windows\system32\Ejgdpg32.exe

C:\Windows\SysWOW64\Eleplc32.exe

C:\Windows\system32\Eleplc32.exe

C:\Windows\SysWOW64\Eodlho32.exe

C:\Windows\system32\Eodlho32.exe

C:\Windows\SysWOW64\Ebbidj32.exe

C:\Windows\system32\Ebbidj32.exe

C:\Windows\SysWOW64\Ejjqeg32.exe

C:\Windows\system32\Ejjqeg32.exe

C:\Windows\SysWOW64\Elhmablc.exe

C:\Windows\system32\Elhmablc.exe

C:\Windows\SysWOW64\Ecbenm32.exe

C:\Windows\system32\Ecbenm32.exe

C:\Windows\SysWOW64\Efpajh32.exe

C:\Windows\system32\Efpajh32.exe

C:\Windows\SysWOW64\Ehonfc32.exe

C:\Windows\system32\Ehonfc32.exe

C:\Windows\SysWOW64\Eqfeha32.exe

C:\Windows\system32\Eqfeha32.exe

C:\Windows\SysWOW64\Ecdbdl32.exe

C:\Windows\system32\Ecdbdl32.exe

C:\Windows\SysWOW64\Ffbnph32.exe

C:\Windows\system32\Ffbnph32.exe

C:\Windows\SysWOW64\Fmmfmbhn.exe

C:\Windows\system32\Fmmfmbhn.exe

C:\Windows\SysWOW64\Fcgoilpj.exe

C:\Windows\system32\Fcgoilpj.exe

C:\Windows\SysWOW64\Ffekegon.exe

C:\Windows\system32\Ffekegon.exe

C:\Windows\SysWOW64\Ficgacna.exe

C:\Windows\system32\Ficgacna.exe

C:\Windows\SysWOW64\Fqkocpod.exe

C:\Windows\system32\Fqkocpod.exe

C:\Windows\SysWOW64\Fcikolnh.exe

C:\Windows\system32\Fcikolnh.exe

C:\Windows\SysWOW64\Ffggkgmk.exe

C:\Windows\system32\Ffggkgmk.exe

C:\Windows\SysWOW64\Fifdgblo.exe

C:\Windows\system32\Fifdgblo.exe

C:\Windows\SysWOW64\Fqmlhpla.exe

C:\Windows\system32\Fqmlhpla.exe

C:\Windows\SysWOW64\Fbnhphbp.exe

C:\Windows\system32\Fbnhphbp.exe

C:\Windows\SysWOW64\Fihqmb32.exe

C:\Windows\system32\Fihqmb32.exe

C:\Windows\SysWOW64\Fqohnp32.exe

C:\Windows\system32\Fqohnp32.exe

C:\Windows\SysWOW64\Fcnejk32.exe

C:\Windows\system32\Fcnejk32.exe

C:\Windows\SysWOW64\Fflaff32.exe

C:\Windows\system32\Fflaff32.exe

C:\Windows\SysWOW64\Fijmbb32.exe

C:\Windows\system32\Fijmbb32.exe

C:\Windows\SysWOW64\Fqaeco32.exe

C:\Windows\system32\Fqaeco32.exe

C:\Windows\SysWOW64\Fodeolof.exe

C:\Windows\system32\Fodeolof.exe

C:\Windows\SysWOW64\Gbcakg32.exe

C:\Windows\system32\Gbcakg32.exe

C:\Windows\SysWOW64\Gjjjle32.exe

C:\Windows\system32\Gjjjle32.exe

C:\Windows\SysWOW64\Gmhfhp32.exe

C:\Windows\system32\Gmhfhp32.exe

C:\Windows\SysWOW64\Gogbdl32.exe

C:\Windows\system32\Gogbdl32.exe

C:\Windows\SysWOW64\Gbenqg32.exe

C:\Windows\system32\Gbenqg32.exe

C:\Windows\SysWOW64\Gjlfbd32.exe

C:\Windows\system32\Gjlfbd32.exe

C:\Windows\SysWOW64\Gmkbnp32.exe

C:\Windows\system32\Gmkbnp32.exe

C:\Windows\SysWOW64\Goiojk32.exe

C:\Windows\system32\Goiojk32.exe

C:\Windows\SysWOW64\Gfcgge32.exe

C:\Windows\system32\Gfcgge32.exe

C:\Windows\SysWOW64\Gmmocpjk.exe

C:\Windows\system32\Gmmocpjk.exe

C:\Windows\SysWOW64\Gqikdn32.exe

C:\Windows\system32\Gqikdn32.exe

C:\Windows\SysWOW64\Gbjhlfhb.exe

C:\Windows\system32\Gbjhlfhb.exe

C:\Windows\SysWOW64\Gjclbc32.exe

C:\Windows\system32\Gjclbc32.exe

C:\Windows\SysWOW64\Gmaioo32.exe

C:\Windows\system32\Gmaioo32.exe

C:\Windows\SysWOW64\Gppekj32.exe

C:\Windows\system32\Gppekj32.exe

C:\Windows\SysWOW64\Hpbaqj32.exe

C:\Windows\system32\Hpbaqj32.exe

C:\Windows\SysWOW64\Hbanme32.exe

C:\Windows\system32\Hbanme32.exe

C:\Windows\SysWOW64\Hjhfnccl.exe

C:\Windows\system32\Hjhfnccl.exe

C:\Windows\SysWOW64\Hcqjfh32.exe

C:\Windows\system32\Hcqjfh32.exe

C:\Windows\SysWOW64\Hfofbd32.exe

C:\Windows\system32\Hfofbd32.exe

C:\Windows\SysWOW64\Hmioonpn.exe

C:\Windows\system32\Hmioonpn.exe

C:\Windows\SysWOW64\Hpgkkioa.exe

C:\Windows\system32\Hpgkkioa.exe

C:\Windows\SysWOW64\Hccglh32.exe

C:\Windows\system32\Hccglh32.exe

C:\Windows\SysWOW64\Hfachc32.exe

C:\Windows\system32\Hfachc32.exe

C:\Windows\SysWOW64\Hippdo32.exe

C:\Windows\system32\Hippdo32.exe

C:\Windows\SysWOW64\Hpihai32.exe

C:\Windows\system32\Hpihai32.exe

C:\Windows\SysWOW64\Hjolnb32.exe

C:\Windows\system32\Hjolnb32.exe

C:\Windows\SysWOW64\Ipldfi32.exe

C:\Windows\system32\Ipldfi32.exe

C:\Windows\SysWOW64\Iffmccbi.exe

C:\Windows\system32\Iffmccbi.exe

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Ipnalhii.exe

C:\Windows\system32\Ipnalhii.exe

C:\Windows\SysWOW64\Ibmmhdhm.exe

C:\Windows\system32\Ibmmhdhm.exe

C:\Windows\SysWOW64\Ijdeiaio.exe

C:\Windows\system32\Ijdeiaio.exe

C:\Windows\SysWOW64\Iannfk32.exe

C:\Windows\system32\Iannfk32.exe

C:\Windows\SysWOW64\Icljbg32.exe

C:\Windows\system32\Icljbg32.exe

C:\Windows\SysWOW64\Ijfboafl.exe

C:\Windows\system32\Ijfboafl.exe

C:\Windows\SysWOW64\Imdnklfp.exe

C:\Windows\system32\Imdnklfp.exe

C:\Windows\SysWOW64\Idofhfmm.exe

C:\Windows\system32\Idofhfmm.exe

C:\Windows\SysWOW64\Ijhodq32.exe

C:\Windows\system32\Ijhodq32.exe

C:\Windows\SysWOW64\Imgkql32.exe

C:\Windows\system32\Imgkql32.exe

C:\Windows\SysWOW64\Ipegmg32.exe

C:\Windows\system32\Ipegmg32.exe

C:\Windows\SysWOW64\Ifopiajn.exe

C:\Windows\system32\Ifopiajn.exe

C:\Windows\SysWOW64\Ijkljp32.exe

C:\Windows\system32\Ijkljp32.exe

C:\Windows\SysWOW64\Iinlemia.exe

C:\Windows\system32\Iinlemia.exe

C:\Windows\SysWOW64\Jaedgjjd.exe

C:\Windows\system32\Jaedgjjd.exe

C:\Windows\SysWOW64\Jbfpobpb.exe

C:\Windows\system32\Jbfpobpb.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\system32\Jjmhppqd.exe

C:\Windows\SysWOW64\Jmkdlkph.exe

C:\Windows\system32\Jmkdlkph.exe

C:\Windows\SysWOW64\Jpjqhgol.exe

C:\Windows\system32\Jpjqhgol.exe

C:\Windows\SysWOW64\Jfdida32.exe

C:\Windows\system32\Jfdida32.exe

C:\Windows\SysWOW64\Jaimbj32.exe

C:\Windows\system32\Jaimbj32.exe

C:\Windows\SysWOW64\Jbkjjblm.exe

C:\Windows\system32\Jbkjjblm.exe

C:\Windows\SysWOW64\Jjbako32.exe

C:\Windows\system32\Jjbako32.exe

C:\Windows\SysWOW64\Jidbflcj.exe

C:\Windows\system32\Jidbflcj.exe

C:\Windows\SysWOW64\Jaljgidl.exe

C:\Windows\system32\Jaljgidl.exe

C:\Windows\SysWOW64\Jdjfcecp.exe

C:\Windows\system32\Jdjfcecp.exe

C:\Windows\SysWOW64\Jfhbppbc.exe

C:\Windows\system32\Jfhbppbc.exe

C:\Windows\SysWOW64\Jkdnpo32.exe

C:\Windows\system32\Jkdnpo32.exe

C:\Windows\SysWOW64\Jmbklj32.exe

C:\Windows\system32\Jmbklj32.exe

C:\Windows\SysWOW64\Jangmibi.exe

C:\Windows\system32\Jangmibi.exe

C:\Windows\SysWOW64\Jdmcidam.exe

C:\Windows\system32\Jdmcidam.exe

C:\Windows\SysWOW64\Jfkoeppq.exe

C:\Windows\system32\Jfkoeppq.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kaqcbi32.exe

C:\Windows\system32\Kaqcbi32.exe

C:\Windows\SysWOW64\Kpccnefa.exe

C:\Windows\system32\Kpccnefa.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\system32\Kbapjafe.exe

C:\Windows\SysWOW64\Kgmlkp32.exe

C:\Windows\system32\Kgmlkp32.exe

C:\Windows\SysWOW64\Kilhgk32.exe

C:\Windows\system32\Kilhgk32.exe

C:\Windows\SysWOW64\Kpepcedo.exe

C:\Windows\system32\Kpepcedo.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\system32\Kgphpo32.exe

C:\Windows\SysWOW64\Kinemkko.exe

C:\Windows\system32\Kinemkko.exe

C:\Windows\SysWOW64\Kdcijcke.exe

C:\Windows\system32\Kdcijcke.exe

C:\Windows\SysWOW64\Kgbefoji.exe

C:\Windows\system32\Kgbefoji.exe

C:\Windows\SysWOW64\Kipabjil.exe

C:\Windows\system32\Kipabjil.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kdhbec32.exe

C:\Windows\system32\Kdhbec32.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Kkbkamnl.exe

C:\Windows\system32\Kkbkamnl.exe

C:\Windows\SysWOW64\Lalcng32.exe

C:\Windows\system32\Lalcng32.exe

C:\Windows\SysWOW64\Ldkojb32.exe

C:\Windows\system32\Ldkojb32.exe

C:\Windows\SysWOW64\Lkdggmlj.exe

C:\Windows\system32\Lkdggmlj.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Lpappc32.exe

C:\Windows\system32\Lpappc32.exe

C:\Windows\SysWOW64\Lcpllo32.exe

C:\Windows\system32\Lcpllo32.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Lpfijcfl.exe

C:\Windows\system32\Lpfijcfl.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Ljnnch32.exe

C:\Windows\system32\Ljnnch32.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mnlfigcc.exe

C:\Windows\system32\Mnlfigcc.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Mcklgm32.exe

C:\Windows\system32\Mcklgm32.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6156 -ip 6156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 232

Network


Files

SHA512 9c168e91f6d0afc236d36ed2a13273f305d8a5e387868b5deae2bf8994dde9c0545fc7dfa8567f399239538a1ebee4b8df40d3d8a03896e0d615b4b7383b28a1

memory/4612-272-0x0000000000400000-0x0000000000447000-memory.dmp

memory/3756-274-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2980-280-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1828-290-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5500-292-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5536-302-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5628-304-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2024-310-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2444-316-0x0000000000400000-0x0000000000447000-memory.dmp

memory/6000-322-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2376-332-0x0000000000400000-0x0000000000447000-memory.dmp

memory/3584-338-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5512-340-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ecbenm32.exe

MD5 2eeb071205eb61c4e299ac60154d1e08
SHA1 303d52d5a887b045ad8ba7e381afdab88e61c2af
SHA256 ae07254d922c36a1b75c1f20f9d7113dcaa6d390d99da34a2e50fde8e4b5115b
SHA512 927b2e000de8654056bdc3ef9118a78333efa8c19dc93a340c0e4b4f61dee44509af64841681a18cb4cd2a49f6f38a8c8a61ff6cf96983bee7611030aa1713ef

memory/5524-350-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4288-352-0x0000000000400000-0x0000000000447000-memory.dmp

memory/6120-358-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1424-364-0x0000000000400000-0x0000000000447000-memory.dmp

memory/900-370-0x0000000000400000-0x0000000000447000-memory.dmp

memory/3276-376-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4600-382-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1136-388-0x0000000000400000-0x0000000000447000-memory.dmp

memory/3052-394-0x0000000000400000-0x0000000000447000-memory.dmp

memory/760-404-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4092-406-0x0000000000400000-0x0000000000447000-memory.dmp

memory/404-412-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4876-418-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Fqmlhpla.exe

MD5 96070efc9564e7de7e15f4bb81f00d34
SHA1 a2b943f963b895d7f09f9fddf3ab6c53f8e306e9
SHA256 5e5974bef5a6eb7553702468de0c5968b89d63f014536e8bd42b026867b83f02
SHA512 55dad36b590757bfa74e2f917581fd496ea84d2e0c915989e128a91d720d45bea46807d2ad6731027ddb9c1874a4e68fd0e3f11ca77c7d8308353becaf5627a6

memory/1964-424-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2624-435-0x0000000000400000-0x0000000000447000-memory.dmp

memory/784-436-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4904-442-0x0000000000400000-0x0000000000447000-memory.dmp

memory/3036-450-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1556-458-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5616-464-0x0000000000400000-0x0000000000447000-memory.dmp

memory/956-470-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4696-478-0x0000000000400000-0x0000000000447000-memory.dmp

memory/6108-477-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1640-484-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Gjjjle32.exe

MD5 14d7cb0040aef1abe11201c26c3d15ce
SHA1 4d2ce919aede65a4e8292992f7ef72cd170c54ac
SHA256 e7f9b2a4267e7e017b5894b8c5a503af95fff86f47377006ceb06208836c6deb
SHA512 08105740f1df5f011bfc88ffca95e9aea0c1309565eedfac4995e998a1edcef89aa8989d13e074b3387f25ee4b3234bcff18d5ad9ba226d0f266caa9aad4bb0c

memory/5780-490-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5664-500-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5648-502-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5692-512-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2160-519-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1436-525-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5624-529-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1344-532-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2016-542-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5312-544-0x0000000000400000-0x0000000000447000-memory.dmp

memory/3256-545-0x0000000000400000-0x0000000000447000-memory.dmp

memory/3096-551-0x0000000000400000-0x0000000000447000-memory.dmp

memory/3772-552-0x0000000000400000-0x0000000000447000-memory.dmp

memory/3612-558-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4300-564-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5684-566-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4164-565-0x0000000000400000-0x0000000000447000-memory.dmp

memory/732-572-0x0000000000400000-0x0000000000447000-memory.dmp

memory/4592-579-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5372-578-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5828-590-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2248-592-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5776-591-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Hcqjfh32.exe

MD5 047413f209fc5557a7d6626a100c8b8a
SHA1 1548dd7b5d9ffb4879e39a98d5ca7a977970ef7a
SHA256 839fbce31882416ccfb7de86de07791d5e4c56a8a271d321345302ff9840ba25
SHA512 5556def53320cc1d12265ed73461e43458fa18e5124077abfc4032b8ad56c723cff8aaddc2a39ed18691cd0760add110bc90095fdf090eaa7b9cde048bfb4cce

memory/3980-602-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1156-604-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Hpgkkioa.exe

MD5 d6ae1121b49ecc82cd5e9317b09545f8
SHA1 a7c2e7e3f4a727d4a1954eeae911f870b88bdb3f
SHA256 b1790ecf6020671caa1bd00d38e9f35c633eb248a8b36b06918b6667e8c28c85
SHA512 2822aa321f799ffec7a8ed58ae84fe577a3e3143c55110c92ff86232c88506580a9e7013256d3051fbd65f7f65cd06137f7d7a1ec47ed0fc2641c6ddfcda5340

C:\Windows\SysWOW64\Iffmccbi.exe

MD5 3c2f7626f76cbdd89638cf94ba91499d
SHA1 15308e4bb434135ab450d7aeb96d2f974798998c
SHA256 6037af9620590d34db2900e6db7f632297f0fb65d117247ac6c66711be53cf6b
SHA512 abbeae2cdc397ba0071e6da6c84e952ef03fcfc050c198dbb62370d134eccfe97409796971cc55722e9a5cb81e19c8af54816794459271920abd58304be7a12c

C:\Windows\SysWOW64\Jkfkfohj.exe

MD5 19f0b39796e44172c601c373bb81de9e
SHA1 7d99dd5272c3fb92079fc3a5d2660fb48da75905
SHA256 a50609d1733c60f1ecc369c7f2045fd97355adcf0658727bfe8f742eb65da35c
SHA512 e7caa8d97430395136ecc208cd1a77ce4a58fafaef0e2facf9b10376828c21ed852d815235bb4770bd9bcf85230194bdecd6481c14139dc274cd0d72da2e66a1

C:\Windows\SysWOW64\Kdcijcke.exe

MD5 20658e320eabe3d407be0476c6df2aa2
SHA1 de60b6a97858738efa4bc93dee4ec855dcb5e9bc
SHA256 4bd83f8c70b592b9503b4c2c652469049178bd1d3c350984f8c8ce69fe157a29
SHA512 24e49d5938f450c38e1287010d7f1aeb56a99e24c723ac7b356e54b920f0692056b257f8097ae17875348eedfdc0ba7cc18ed82d0505e7b734e5a13e4a9783b2

C:\Windows\SysWOW64\Kgdbkohf.exe

MD5 a6308feac7314678bafb0782593fef02
SHA1 eff1a65916bcf92572f9803cbebc2db160e7f6d0
SHA256 58d168e306a2edd349312e633b08020b11efe5e7f441f1bf701f3b128889a1a7
SHA512 f7739ab2bff091e88fc7cb48d8261aeb798496ea8778241307dd2df946e7d87aa75845ae76c77e9c68021d56a2192706b6fcd307d0d44fce014fdbf3d3555543

C:\Windows\SysWOW64\Kkbkamnl.exe

MD5 b9cc7d5d903d98d5c546f35146686eb2
SHA1 1682d8e634889a8adcf91c489f3e0adffbf22595
SHA256 07d2e520d7e47c0c164e33d9dc6b688a672ce338593375dd75530b3dd731d345
SHA512 af4d1322b11457975073045ddf4cd87d62d9ff520c1719705508a15a98ee90f5ab2a3efcd3dbea04e27fc84071d2fba36c31840e029fd11d1e50bb32699d8646

C:\Windows\SysWOW64\Lpappc32.exe

MD5 a33b171e47818ccf72a16d821fdcb5e9
SHA1 fb5efa950168431d981d17f64e5ad385c00246dc
SHA256 0821319a244f02e0d325aa90e4e53fa7952a640ce25b603f0250c3217623ad94
SHA512 8e0baab62c0e19d43a5ac5ebc6829e53c6173df6f10d8d56a6128273344b61d3ffa8af5f8141e63a73721ca358d450e3c4d3d861796321a1c78223e66168d37c

C:\Windows\SysWOW64\Laalifad.exe

MD5 5ee1a098c0e35fcd9d4e6e022219bd8b
SHA1 bfca528112841b40ca31cc1e734c79ece409b55d
SHA256 4655a205e3d1255789e8f0d10d8fbaca8e3265c2b5d6fdab43883fd6ced72033
SHA512 511010b034bebf545864e9930265d76ec155bbf84ecf626d05df95891b43a024cb05c76032cbf35b6304d7011d1d2d3ba863629f71b5e7b815baad62999cd6a4

C:\Windows\SysWOW64\Lilanioo.exe

MD5 2f907ac94fe4cc955f1d42d467afa196
SHA1 1191d88ec0f667a2a1d09b858a45abb3735a4116
SHA256 2dd604170eb23e9c83b213ba04dfb7cc5abd811af87062df22b91e7ac3a576bc
SHA512 10f0a2af4b8a6b18e0c2d109e32ec3200bd6bc9a42c5e81d6657ffe142d84118f2d50c891aabdd8e7ad305bc47e469dfdff95e8886adf000ac1200d1f253176c

C:\Windows\SysWOW64\Ldaeka32.exe

MD5 7953e1f8fb2b9ef74302c6a8d6b6e57b
SHA1 0546459f97d2bc2301a10b357c30de900b6bbbbd
SHA256 049a1bf9e6c28dd32aa1b4f688110ef3465d25ec4c59516d51fe5202c698eb89
SHA512 ca98ae534633137d52c05e3f3f5d72142ff0e5fc60bc9ba179960097c9a7f54f230611d264329353930329607d53a9f30c97fc1aeec51ba3d5a181a2ab08c9e7

C:\Windows\SysWOW64\Ljnnch32.exe

MD5 8a18e1db70f18f07ea4022df31e35365
SHA1 ea72b72323fdf1f2fde1633116ef4f369e8456e7
SHA256 f0bf2c61c5e3c6d5fd6123b2a3a0ca32aa284544d192f113886c47fef0a39cdc
SHA512 515b10c4c2a544e0aad511bf618e11619661a89a6447efa2793a9ae170493b097608ee86638e7d015f7e5445084b711788151061ff432ede37c7c3c121c5d4aa

C:\Windows\SysWOW64\Mcklgm32.exe

MD5 59d91288751ee5b9d371f6bf5ff87ce4
SHA1 00ada5b70298a726895d3cfb45f3ea07e466901e
SHA256 0c383c4d290f5bef4a71c291db1b232f0a981f1e3bd9ab85d7949c7812a6a33b
SHA512 090b4ba207604d5de4f02ddb0b9c63d50a90844f551d8daedbe3969aaa60f315a620d941a476398ca23748c201a8b3318f30a09b4f3887d75712e88d4b40cf5f

C:\Windows\SysWOW64\Maohkd32.exe

MD5 b3e8de6ce53932530e1039f4766dd9c9
SHA1 22a170658ffcca2fd548bfeb536c5e6df8e16b9e
SHA256 79744bd03b836d2d9293d71831b68fb2b2f54c6f50fd1818aaf9a1a0a0f3614f
SHA512 e6f8e2b8eb66e8a409a4773d97441b35895cd18f65ef0fe32f60a730b78e942b73c660da029689ecf763c3277123d150ed202aac21bfa8c04daf10bf0f928b2f

C:\Windows\SysWOW64\Mgnnhk32.exe

MD5 59eaf9af504c87b6a3b381c2d73e5757
SHA1 602c62550b5ec63394a1f6651ff7888f2dd4511d
SHA256 8451662d47e58bee017ed9c23f5533cd3a30aaf38746929841405139f7a283e7
SHA512 e206e497b6e04a62f57fb0c71dfe4dd1728145f06706a6c26273f13e56a19f88dab4fe3671d44e823db55e70599d684ed385eeaa63c3a6365628d122126b7e46

C:\Windows\SysWOW64\Nnmopdep.exe

MD5 3d31be554d83255269656ca3a7838e7a
SHA1 65eae87a4c664a9734276a03fbbc6620fc87bc67
SHA256 187f0a9ba0f690469daabb5739c67c6ff86234840b0cd03a1284114cd71f3da0
SHA512 5f8a19c4ef951f916dd8722eba4ff75594be824009d1993bd6a583571f051a48cce87ee61e350eded02a32bcff124ea050fd8ef79a9700fcaeee5d582eff55b7

C:\Windows\SysWOW64\Njcpee32.exe

MD5 31eab31381c788ed17ee60438a5b2348
SHA1 b201fe95a471c72c07c2065ebbf660bfbba7f2cd
SHA256 b58fb6fe6c2a9b8f5233f61c12ec2e02966eedf41a1b58f576416608e5056e6b
SHA512 c979a1ec8190760ca62133540ffc74bceeec67add498869dd21114b0a2030fed14f17fa174a4a1674edd597d875d3ee150538a99f68195d22624f403ffd0dd4c
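Turning this Files listing into usable indicators by hand is error-prone: the report interleaves dropped-file paths, their four digests, and memory dump names such as memory/3388-192-0x0000000000400000-0x0000000000447000-memory.dmp, and some records are cut at a page boundary (the section above opens with orphaned SHA256/SHA512 lines whose path is on the previous page). The parser below is an added example, not code from the report or the sandbox; the SAMPLE text is copied from the entries above (including the orphaned digests at the start). It validates digest lengths before anything reaches a blocklist, drops digests that have no preceding path rather than attaching them to the wrong file, and checks what every dump in this section shows, namely that each dropped Berbew copy maps the same 0x400000-0x447000 region.

```python
"""Parse a Triage-style 'Files' listing into dropped-file and memory-dump records.

Added example; the SAMPLE below is copied from the report's own listing.
"""
import re
from dataclasses import dataclass, field

# Expected hex-digit lengths; any other length is a copy/paste or extraction
# error and must not be pushed into a blocklist.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Sandbox dump names: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$"
)

# Constructed input: the first six non-blank lines of the listing above.
SAMPLE = r"""
SHA256 81fc13a55e5a1cc0ad13335b71a50df268dfd71f847b0f98f2147688a897ce19
SHA512 ed6acacf17773adf08bcab366b71db1d969a0543ab919ec9fed23e56c2d50a12db3405a8f422896614f773d06ab741910d02e8a2779ccfdaaa530a3c585c6015

memory/3336-184-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Dpcpkc32.exe

MD5 9859cd6e3cf1fdb500494e281f2246cc
SHA1 31d6bbb17d4a63d0f29e801a66aac2676887daba
SHA256 7ecc946253ef0931adc2cec58d67027e7e784fbb09f84938f67121af0ca92179
SHA512 1b0ee9d96ba860ccdd47d97e95ffa6049dcd0501dc64c54300b1d13f5a392ec57181563b74251148388b9c5cf11540dd93118f208a58c874fe6881ee33ff4d7b

memory/3388-192-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Dadlclim.exe

MD5 e8150a0fc4244281710b0669d6514957
SHA1 6319019f015824e16f789bb7c6fba595d9aebbd7
SHA256 2d5e26e9cf03c307c584cc1903846fe8ab3f9f446331af6aef5ff422c1ea7705
SHA512 46f8a287a4234bc3b0133826ca564ade58464065a0103cd4aed88281a15eb639261677a3751c447f81b7b344bb871aa403fb918c353ebaa6ec929e03f211dac9

memory/1404-199-0x0000000000400000-0x0000000000447000-memory.dmp
"""


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text: str):
    """Return (dropped_files, memory_regions) parsed from the listing text."""
    files, regions = [], []
    current = None  # file whose digest lines are being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None  # a dump line closes the preceding file record
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            # Digests with no preceding path (record cut by a page break) are
            # dropped rather than attached to the wrong file.
            if current is not None:
                current.hashes[algo] = digest.lower()
    return files, regions


def sha256_blocklist(files) -> list:
    """Sorted unique SHA256 values, the form most blocklists consume."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


def uniform_image_size(regions) -> bool:
    """True when every dumped region has the same size (one image, many names)."""
    return len({r.size for r in regions}) == 1


if __name__ == "__main__":
    dropped, dumps = parse_files_section(SAMPLE)
    for f in dropped:
        print(f.path, f.hashes["SHA256"])
    print("uniform image size:", uniform_image_size(dumps), hex(dumps[0].size))
```

Run over the full listing, the blocklist function yields one SHA256 per dropped copy, and the size check confirms that every dump spans 0x47000 bytes, which is what you would expect when one dropper writes itself under many random eight-character names rather than unpacking distinct payloads.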