Malware Analysis Report

2025-08-11 02:01

Sample ID 240509-dz3jxaga6s
Target ded952b0b66d55b160d2379721ae5360_NEIKI
SHA256 87248c093e75a7a9cca250332568aebaecd9171ee439e1ee0d130887b50524d5
Tags
backdoor dropper persistence trojan berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87248c093e75a7a9cca250332568aebaecd9171ee439e1ee0d130887b50524d5

Threat Level: Known bad

The file ded952b0b66d55b160d2379721ae5360_NEIKI was found to be: Known bad.

Malicious Activity Summary

backdoor dropper persistence trojan berbew

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Malware Dropper & Backdoor - Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 03:27

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 03:27

Reported

2024-05-09 03:30

Platform

win7-20240508-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bpafkknm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Claifkkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goddhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcknbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fpfdalii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hodpgjha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dflkdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbbkja32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfinoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfeddafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpjiajeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfgaiaci.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfijnd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gddifnbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dqjepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bcaomf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fnbkddem.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdopkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgknheej.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flmefm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epfhbign.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gieojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilknfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enkece32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fioija32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdopkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cngcjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmcoja32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Coklgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfeddafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfgaiaci.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chhjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffnphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fioija32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiaeoang.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gonnhhln.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gieojq32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Coklgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Coklgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfeddafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfeddafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfgaiaci.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfgaiaci.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chhjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chhjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Eijcpoac.exe C:\Windows\SysWOW64\Ecmkghcl.exe N/A
File created C:\Windows\SysWOW64\Mncnkh32.dll C:\Windows\SysWOW64\Gpmjak32.exe N/A
File created C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bkaqmeah.exe N/A
File created C:\Windows\SysWOW64\Keledb32.dll C:\Windows\SysWOW64\Cfinoq32.exe N/A
File created C:\Windows\SysWOW64\Fnpnndgp.exe C:\Windows\SysWOW64\Ebinic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File created C:\Windows\SysWOW64\Henidd32.exe C:\Windows\SysWOW64\Hacmcfge.exe N/A
File opened for modification C:\Windows\SysWOW64\Hodpgjha.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Cfgaiaci.exe N/A
File created C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dnneja32.exe N/A
File created C:\Windows\SysWOW64\Cgqjffca.dll C:\Windows\SysWOW64\Ecmkghcl.exe N/A
File opened for modification C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Ffkcbgek.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpmjak32.exe C:\Windows\SysWOW64\Gicbeald.exe N/A
File created C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Gddifnbk.exe N/A
File created C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Hjjddchg.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Glpjaf32.dll C:\Windows\SysWOW64\Eijcpoac.exe N/A
File created C:\Windows\SysWOW64\Efjcibje.dll C:\Windows\SysWOW64\Enkece32.exe N/A
File created C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Fmhheqje.exe N/A
File created C:\Windows\SysWOW64\Gieojq32.exe C:\Windows\SysWOW64\Gangic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gldkfl32.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
File opened for modification C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fnbkddem.exe N/A
File created C:\Windows\SysWOW64\Ffnphf32.exe C:\Windows\SysWOW64\Faagpp32.exe N/A
File created C:\Windows\SysWOW64\Fbgmbg32.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File created C:\Windows\SysWOW64\Jjcpjl32.dll C:\Windows\SysWOW64\Gddifnbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hpocfncj.exe N/A
File created C:\Windows\SysWOW64\Pdpfph32.dll C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File created C:\Windows\SysWOW64\Polebcgg.dll C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Flcnijgi.dll C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dnneja32.exe N/A
File created C:\Windows\SysWOW64\Enkece32.exe C:\Windows\SysWOW64\Elmigj32.exe N/A
File created C:\Windows\SysWOW64\Iaeldika.dll C:\Windows\SysWOW64\Ffkcbgek.exe N/A
File created C:\Windows\SysWOW64\Flmefm32.exe C:\Windows\SysWOW64\Fioija32.exe N/A
File created C:\Windows\SysWOW64\Kleiio32.dll C:\Windows\SysWOW64\Gbijhg32.exe N/A
File created C:\Windows\SysWOW64\Ahcocb32.dll C:\Windows\SysWOW64\Gdopkn32.exe N/A
File created C:\Windows\SysWOW64\Ndkakief.dll C:\Windows\SysWOW64\Efncicpm.exe N/A
File created C:\Windows\SysWOW64\Pdmaibnf.dll C:\Windows\SysWOW64\Cfeddafl.exe N/A
File created C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Cfinoq32.exe N/A
File created C:\Windows\SysWOW64\Qlidlf32.dll C:\Windows\SysWOW64\Flmefm32.exe N/A
File created C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
File created C:\Windows\SysWOW64\Coklgg32.exe C:\Windows\SysWOW64\Cfbhnaho.exe N/A
File opened for modification C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gbijhg32.exe N/A
File created C:\Windows\SysWOW64\Fndldonj.dll C:\Windows\SysWOW64\Gobgcg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hckcmjep.exe N/A
File created C:\Windows\SysWOW64\Alogkm32.dll C:\Windows\SysWOW64\Hodpgjha.exe N/A
File created C:\Windows\SysWOW64\Iklgpmjo.dll C:\Windows\SysWOW64\Bcaomf32.exe N/A
File created C:\Windows\SysWOW64\Dqelenlc.exe C:\Windows\SysWOW64\Dbbkja32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dqjepm32.exe N/A
File created C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Epdkli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Gonnhhln.exe N/A
File created C:\Windows\SysWOW64\Kcaipkch.dll C:\Windows\SysWOW64\Gdamqndn.exe N/A
File opened for modification C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Cfgaiaci.exe N/A
File opened for modification C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Cfinoq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Eijcpoac.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Fjilieka.exe N/A
File created C:\Windows\SysWOW64\Gldkfl32.exe C:\Windows\SysWOW64\Gieojq32.exe N/A
File created C:\Windows\SysWOW64\Pnbgan32.dll C:\Windows\SysWOW64\Hjjddchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
File opened for modification C:\Windows\SysWOW64\Coklgg32.exe C:\Windows\SysWOW64\Cfbhnaho.exe N/A
File created C:\Windows\SysWOW64\Pafagk32.dll C:\Windows\SysWOW64\Dnneja32.exe N/A
File created C:\Windows\SysWOW64\Oecbjjic.dll C:\Windows\SysWOW64\Fmlapp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gdopkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfgaiaci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcfok32.dll" C:\Windows\SysWOW64\Dbehoa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffnphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjapnke.dll" C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cngcjo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfeddafl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnneja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fioija32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gonnhhln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdakgibq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" C:\Windows\SysWOW64\Dflkdp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Coklgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" C:\Windows\SysWOW64\Dbbkja32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Epdkli32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" C:\Windows\SysWOW64\Epdkli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Elmigj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fpfdalii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll" C:\Windows\SysWOW64\Dnneja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcknbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjijdadm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfijnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dflkdp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" C:\Windows\SysWOW64\Cfeddafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epdkli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bpafkknm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 1844 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 1844 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 1844 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 2984 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bkdmcdoe.exe
PID 2984 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bkdmcdoe.exe
PID 2984 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bkdmcdoe.exe
PID 2984 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bkdmcdoe.exe
PID 2704 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2704 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2704 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2704 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2672 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2672 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2672 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2672 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2636 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bjijdadm.exe
PID 2636 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bjijdadm.exe
PID 2636 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bjijdadm.exe
PID 2636 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bjijdadm.exe
PID 2456 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Bjijdadm.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2456 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Bjijdadm.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2456 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Bjijdadm.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2456 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Bjijdadm.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2964 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 2964 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 2964 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 2964 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 1568 wrote to memory of 304 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Cdakgibq.exe
PID 1568 wrote to memory of 304 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Cdakgibq.exe
PID 1568 wrote to memory of 304 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Cdakgibq.exe
PID 1568 wrote to memory of 304 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Cdakgibq.exe
PID 304 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 304 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 304 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 304 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Cdakgibq.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 1576 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Coklgg32.exe
PID 1576 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Coklgg32.exe
PID 1576 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Coklgg32.exe
PID 1576 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Coklgg32.exe
PID 1560 wrote to memory of 288 N/A C:\Windows\SysWOW64\Coklgg32.exe C:\Windows\SysWOW64\Cfeddafl.exe
PID 1560 wrote to memory of 288 N/A C:\Windows\SysWOW64\Coklgg32.exe C:\Windows\SysWOW64\Cfeddafl.exe
PID 1560 wrote to memory of 288 N/A C:\Windows\SysWOW64\Coklgg32.exe C:\Windows\SysWOW64\Cfeddafl.exe
PID 1560 wrote to memory of 288 N/A C:\Windows\SysWOW64\Coklgg32.exe C:\Windows\SysWOW64\Cfeddafl.exe
PID 288 wrote to memory of 1588 N/A C:\Windows\SysWOW64\Cfeddafl.exe C:\Windows\SysWOW64\Cpjiajeb.exe
PID 288 wrote to memory of 1588 N/A C:\Windows\SysWOW64\Cfeddafl.exe C:\Windows\SysWOW64\Cpjiajeb.exe
PID 288 wrote to memory of 1588 N/A C:\Windows\SysWOW64\Cfeddafl.exe C:\Windows\SysWOW64\Cpjiajeb.exe
PID 288 wrote to memory of 1588 N/A C:\Windows\SysWOW64\Cfeddafl.exe C:\Windows\SysWOW64\Cpjiajeb.exe
PID 1588 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Cfgaiaci.exe
PID 1588 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Cfgaiaci.exe
PID 1588 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Cfgaiaci.exe
PID 1588 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Cfgaiaci.exe
PID 2020 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Cfgaiaci.exe C:\Windows\SysWOW64\Claifkkf.exe
PID 2020 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Cfgaiaci.exe C:\Windows\SysWOW64\Claifkkf.exe
PID 2020 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Cfgaiaci.exe C:\Windows\SysWOW64\Claifkkf.exe
PID 2020 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Cfgaiaci.exe C:\Windows\SysWOW64\Claifkkf.exe
PID 2784 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Cckace32.exe
PID 2784 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Cckace32.exe
PID 2784 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Cckace32.exe
PID 2784 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Cckace32.exe
PID 2632 wrote to memory of 688 N/A C:\Windows\SysWOW64\Cckace32.exe C:\Windows\SysWOW64\Cfinoq32.exe
PID 2632 wrote to memory of 688 N/A C:\Windows\SysWOW64\Cckace32.exe C:\Windows\SysWOW64\Cfinoq32.exe
PID 2632 wrote to memory of 688 N/A C:\Windows\SysWOW64\Cckace32.exe C:\Windows\SysWOW64\Cfinoq32.exe
PID 2632 wrote to memory of 688 N/A C:\Windows\SysWOW64\Cckace32.exe C:\Windows\SysWOW64\Cfinoq32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe"

C:\Windows\SysWOW64\Bkaqmeah.exe

C:\Windows\system32\Bkaqmeah.exe

C:\Windows\SysWOW64\Bkdmcdoe.exe

C:\Windows\system32\Bkdmcdoe.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bgknheej.exe

C:\Windows\system32\Bgknheej.exe

C:\Windows\SysWOW64\Bjijdadm.exe

C:\Windows\system32\Bjijdadm.exe

C:\Windows\SysWOW64\Bcaomf32.exe

C:\Windows\system32\Bcaomf32.exe

C:\Windows\SysWOW64\Cngcjo32.exe

C:\Windows\system32\Cngcjo32.exe

C:\Windows\SysWOW64\Cdakgibq.exe

C:\Windows\system32\Cdakgibq.exe

C:\Windows\SysWOW64\Cfbhnaho.exe

C:\Windows\system32\Cfbhnaho.exe

C:\Windows\SysWOW64\Coklgg32.exe

C:\Windows\system32\Coklgg32.exe

C:\Windows\SysWOW64\Cfeddafl.exe

C:\Windows\system32\Cfeddafl.exe

C:\Windows\SysWOW64\Cpjiajeb.exe

C:\Windows\system32\Cpjiajeb.exe

C:\Windows\SysWOW64\Cfgaiaci.exe

C:\Windows\system32\Cfgaiaci.exe

C:\Windows\SysWOW64\Claifkkf.exe

C:\Windows\system32\Claifkkf.exe

C:\Windows\SysWOW64\Cckace32.exe

C:\Windows\system32\Cckace32.exe

C:\Windows\SysWOW64\Cfinoq32.exe

C:\Windows\system32\Cfinoq32.exe

C:\Windows\SysWOW64\Chhjkl32.exe

C:\Windows\system32\Chhjkl32.exe

C:\Windows\SysWOW64\Dflkdp32.exe

C:\Windows\system32\Dflkdp32.exe

C:\Windows\SysWOW64\Dkhcmgnl.exe

C:\Windows\system32\Dkhcmgnl.exe

C:\Windows\SysWOW64\Dbbkja32.exe

C:\Windows\system32\Dbbkja32.exe

C:\Windows\SysWOW64\Dqelenlc.exe

C:\Windows\system32\Dqelenlc.exe

C:\Windows\SysWOW64\Dbehoa32.exe

C:\Windows\system32\Dbehoa32.exe

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dcfdgiid.exe

C:\Windows\system32\Dcfdgiid.exe

C:\Windows\SysWOW64\Dqjepm32.exe

C:\Windows\system32\Dqjepm32.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Dnneja32.exe

C:\Windows\system32\Dnneja32.exe

C:\Windows\SysWOW64\Dcknbh32.exe

C:\Windows\system32\Dcknbh32.exe

C:\Windows\SysWOW64\Dfijnd32.exe

C:\Windows\system32\Dfijnd32.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Epdkli32.exe

C:\Windows\system32\Epdkli32.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Ffkcbgek.exe

C:\Windows\system32\Ffkcbgek.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Ffnphf32.exe

C:\Windows\system32\Ffnphf32.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Fioija32.exe

C:\Windows\system32\Fioija32.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gdopkn32.exe

C:\Windows\system32\Gdopkn32.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hmlnoc32.exe

C:\Windows\system32\Hmlnoc32.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 140

Network

N/A

Files

memory/1844-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1844-12-0x0000000000280000-0x00000000002B9000-memory.dmp

C:\Windows\SysWOW64\Bkaqmeah.exe

MD5 e9826b24e180f70d987d0d8ede5d941e
SHA1 203e23262aeaba6356b322643da25ee74aeba179
SHA256 e933c07b9735e084bb101bb72f9e6f143a3ca4b21f08cbb52eb7b9815931f5e3
SHA512 4426ab3a81fda05edbc4c6538cf834468d9398fee3f53b7e3abb7a9f91fda7d0a1231e9d9f38928243da09fb705304039adeab67ad812da5baea24316de44dec

memory/2984-14-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1844-11-0x0000000000280000-0x00000000002B9000-memory.dmp

\Windows\SysWOW64\Bkdmcdoe.exe

MD5 dd53ddd2b3756ba07b4c2967d5313625
SHA1 f1924f510a95b9dd0fecdc4d52a1caa5c6d9c443
SHA256 5d31bf3aeef0a096d2616a0ada2d3ffeaa0bee22113f171a5721a5715429a523
SHA512 f1fc4ffc3ef7dfa382ef2dfebfada5c41cc714d5a40b680685f95616e4a8c09af14159515c8875cb21bc76c426a96dcdf26282a79d550433b860bd0c36336a2f

memory/2704-28-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2984-27-0x0000000000250000-0x0000000000289000-memory.dmp

\Windows\SysWOW64\Bpafkknm.exe

MD5 ab068f47dfc2d8dea0501724100dc43d
SHA1 17ce9bb988b81ff4b89667c2ca56e2d07f4878e1
SHA256 4fbf0acb9ba2a6ff60b58c82f479be6c6f40553aaaac9f9867d4fa345075436a
SHA512 26d413e763797b654d308f6dae658dc180a2ef8a8ed2b4549b45ebd10e1c23eccf4fc158a99dd17d86618f86ebe8f65075f66f2a2ee18ff31f465ae3cfa6b2fc

memory/2672-41-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Bgknheej.exe

MD5 a832130f21f3280a3f4c54871409a4c4
SHA1 9e357db2b28f49dd230472da93c53a67e4c15910
SHA256 bb897e0e78f46b7bd6e213ad69c8ba5d44f0a14e53a99e63a986bef332ad37b5
SHA512 46cc06bbfdea5c8ade786bdf8dc0bbac484008cab5a71f35788c190d4bfa8ab48f0a4c5e296c3254726df896ed11996019fac824ac911e9d71fc7aa31a1bdeb9

memory/2456-67-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bjijdadm.exe

MD5 30cca3d21fff1f7cf3fbbcd750441aff
SHA1 5ec94a9f8c47e2bec41a379148fd0a8583d9be04
SHA256 86fe29367af7175effe661750348fc94987ca17784951c7381dbd5541fee5aa7
SHA512 73df4377c429dda5372a439882d0c9d99a4a862f23c1e833894fdf5e03f3ee3d7b05680674feda9b64ea4ebac5341690a3272ffa9ba5d47e7ebbb2d2db73edbb

memory/2636-65-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Bcaomf32.exe

MD5 3aab24ec0af413c65cdf80452c8df074
SHA1 fa38a82e9b12ae4ce268cc9bde1fd875e1e0d739
SHA256 5c6f19e3fdc8d6e0aba6f31b8fa990b6658675368935718e5089d2584aaca332
SHA512 d0052596c2cc30c8ddf96695d4b866f11e2d38d6575c2d1c28530c7ece8fea3836ba6df386c26dc79a454cda3dfe33a78418ec3d7fa7f3b1f1c6632fe2bafa80

memory/2964-81-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2456-79-0x00000000002D0000-0x0000000000309000-memory.dmp

\Windows\SysWOW64\Cngcjo32.exe

MD5 80880663c5c322b352fe9eca47d13da9
SHA1 74c00dd324cee771f0b7a21376501b7d44274cdd
SHA256 f9cd88acc6ab07dbcb381fe620870113630eee5c4697eeb5f2a73cae4236fde1
SHA512 0acf22ac34baa0c346dc09a22763621bd33a9aa793837d98662a68e27146eeaf6a963a5cf20054c32270108babdb88ae1d37390ae806554457ea3d67393c7e3e

memory/1568-94-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Cdakgibq.exe

MD5 7336c7bf8e2557282a26682a76b0881b
SHA1 07cd0cbb344b441fa979500f92ce853f22a88881
SHA256 551234ef89bbd31c32b8bd5041d82904a6c31e5a738549be889bc279ad508b68
SHA512 3e1ee7ab85c75b011e07bc0f608a7cd78ea8f24482fa0dc6d172887558d9f02889f9745feaa5b3c5e7111e2206ce41e63d1114b64b5d01ed7e091934defb0d89

memory/1576-120-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Cfbhnaho.exe

MD5 fce11051773cff493b67da5336c2e2c4
SHA1 cd8484b787ec0637a8fc2555b42d5f9e57b2dd47
SHA256 97f0799e18174b01575aece8149a7b792e2c20e3cd95f0a300e934d9a7315c62
SHA512 286c0b0113c95805d460abcafd8e5cba9af249915360da7edd4cc0f5af18999da0f8071901d5ef52eb4a3ccd691fbb4983d546b5654b672da3a2ce6fa039cc40

memory/304-118-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Coklgg32.exe

MD5 cb37ed15601f21b7efe6648e65225316
SHA1 23d9b8f5cef7f9903d6d2281cb15c059cf416407
SHA256 f386e61c651157e9e00355680012f8e108f63c0c3cd51bd08a48849dccf8759e
SHA512 62685d514ab3c2d6798e22c6bea399a602e1de9718b56f6eadd3aa2a064aa75cad5f59e4155d13c426f5e0299b8aaab18ce77d8eb26dbe0a840fa0134732571e

memory/1576-128-0x00000000002E0000-0x0000000000319000-memory.dmp

memory/1560-139-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Cfeddafl.exe

MD5 7ef88ba00ed5bb230fc1d4e9a9557e11
SHA1 709f1edd7dd90cbcc03c5569b0399acb876c2e57
SHA256 05486b6f7f68a2133aa551f9a2206a0ae39f3b5a101a2baa10dcc6ab06ac6945
SHA512 3825b60868fe01ec96092d53e38cbf0ccddc1804b0631c45a27e378825b162ffcef1cc61cd7c4a216a0302b50c8d785b553fd9de49b489bc911e894ab6642838

memory/288-147-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Cpjiajeb.exe

MD5 0aa6412b50559dfbb9aedb1bb38426fc
SHA1 01990452202fe70e0aa787c3f5462e729f5e54ee
SHA256 46a3f4335f3dcf02f111cf5840ec6a2a86f8099a735313f2e1a27662e1e8dc29
SHA512 e8d8c8856e37ea451a6de0dd1afc9766be0628119146d7277393e9f09d99c431a9df8ac8e38c2f6236f63c504a0f03f556434b2537a791ddd6998e45cfcfbcca

memory/1588-160-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Cfgaiaci.exe

MD5 2767aaaa3143719750f8eff08d086510
SHA1 b634b413d1e81cda547427846cb4825ea165a5bb
SHA256 a288e72dea94fb8211534183dc6ea9a2591aac5fed87b044d5aa353373143a85
SHA512 31c0a9112e2aa018251bce7814d4847eee13ef4ba3efede5f2dabb9dc1d1acf249f45b2e1607c88e913237ae05e352f4cb9b2435c5d84e7be4c4280ef5b11c04

memory/2020-173-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Claifkkf.exe

MD5 26f34f46634b39bd7651644084699877
SHA1 dcd50158f3b0b36d313cd8513f54c9008056415a
SHA256 e3c5fd079b8449c75010baeaf4863f61f89bbf89ebe397fce250a1e05333921b
SHA512 04a326ef0aae0a75366099b79bda50a147c668f26f63fbd3b1c68c314267e798add6f2b023d04344897cfd0ddda76906d7040ef2251870213eda5f1bf87be4b3

memory/2020-181-0x0000000000440000-0x0000000000479000-memory.dmp

\Windows\SysWOW64\Cckace32.exe

MD5 05cf91009afacc9e872bff5630f2105a
SHA1 7eb609e92cea613e158dedb1bb49af91c093f65c
SHA256 837d7457f9f3bb3c4ba5268dd07b51bfd0736e8e611a497c8cec7d69bab22ffd
SHA512 2097651a5df2a2d2e4296a2ff5e01abd9f2726b5ba0af064fd47f10c813505d7f7b839fd3e72767cf35c6b6b5ef24b392f9cfe4dcaa66d6a7d3bb8ac3aa62022

memory/688-218-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Chhjkl32.exe

MD5 f3aa5550c1589d988f6da52ea9048145
SHA1 8f2742f8ffff360f6c265c3e838b5fb4e77fef30
SHA256 f3403a1a23168f702918131006720555e0810a1663cf72a7b95afcf5bbb42c9f
SHA512 7a4f889df694d5cb557c2078094a615fc940267e37536a2e46e912b12ecefa1d66d20632c94ad38833e9b8fb0189957dbf69719c6ef66b55a72ca2462f407642

memory/2632-200-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Cfinoq32.exe

MD5 068a9220ee4a914cec592078039db456
SHA1 fea4b9c0c343d4e79f03c1dcdbd93d9a8c9a1eeb
SHA256 4135a4e1464647b60f7a1c21a86d0cfd43bf6d959b11339963715e20417bf383
SHA512 551db871149f1852fde9d495b44d2e8db16cfdc3af584b90891351d380e905349345b33c6e4e5f0983d665559d168a29aa3b19b0d84ed6abd02f972673cdcbc8

memory/2632-207-0x00000000002F0000-0x0000000000329000-memory.dmp

memory/2784-194-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3000-225-0x0000000000400000-0x0000000000439000-memory.dmp

memory/688-224-0x0000000000290000-0x00000000002C9000-memory.dmp

memory/3000-235-0x0000000000290000-0x00000000002C9000-memory.dmp

memory/3000-232-0x0000000000290000-0x00000000002C9000-memory.dmp

C:\Windows\SysWOW64\Dflkdp32.exe

MD5 6b93f3e78d5ff6b7d1da2072d02b5aef
SHA1 9986af7e1c03f39bd6b1eea01ff04432569ae0c0
SHA256 6e728db5360596f9d47d9492a4b2af73afdd70ee91168a43d27e275406f2a436
SHA512 03ad16bee24754cd69bf431a0c41775b6af7fcf845a6ad872c6edec5ab09ea3068dbf3fceae43ebdd75b5ca4e43749753b7a18f12149ad838646722ca5ecfa70

C:\Windows\SysWOW64\Dkhcmgnl.exe

MD5 aebad012d727cbc4be6c422e51644f0b
SHA1 f300726300bf794a11436b32921fa816884ae440
SHA256 cfd926ae7d51e7942a963df9241fee087e7a454b4d90022b38900fbf8282fa16
SHA512 322c8fbb0414eeb3ce78fc3bdbb618170fb362c330cd02516881996339be8e983020dfaa4c8ca18e7055bfbec2b8c89cfa3e3aa761f09d4f8b7648209edaa08b

memory/1256-244-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Dbbkja32.exe

MD5 1a6221f35cb72a28ba7ea966b78d16f3
SHA1 e6e6e33175716aa64525d9cefeb4bd8ea554ce78
SHA256 3043af898e904f2a6c514b271673011fbabeff605ecb0dbf3398907dd49b0f05
SHA512 aca01632cc504d258e639cf743a37832ecc1a237c00561aa50ed73576722f2c4ad59d79bf6f3a55d98db2383ac6b4960bf749ceb41a61eea702e757ed50cd96b

memory/1324-264-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1684-265-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1324-263-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Dqelenlc.exe

MD5 adf150a30101c8aade8fd5e2361c4d9d
SHA1 c9526879e6bbae0afe13fb2f320061ee2ed51bd0
SHA256 0fc6ee580e964cb6db6a8c29ecf894cd4137b71512ad77f9108f40f532482ddb
SHA512 7d2cc2ef76721f577da758a53243147015c28436c5474b562f8cd9d316c88c613b697ac83e34729d7605d236162892d9b7aefa87b72ac97cb947e6de9e7dc631

memory/1324-259-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1256-257-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Dbehoa32.exe

MD5 01807baefb6dbb16ab6153c72e2f061b
SHA1 0886392b57a4d7c98a5b7b93462ec0fc4b51b218
SHA256 14c064105d985c136e91d0b2cb5ba4c7e36896ce1cd1e84694a3ab0f186f867c
SHA512 612eac9e3f5476c36fe4ebe1a760f624b6c0374c5edf2f98caa8bf011928e80b13cad8942c9ee1f3f5533d5a41a02e2fcf70bcbbf1a48b8b1f7932b08975de08

memory/2852-279-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1684-275-0x00000000002F0000-0x0000000000329000-memory.dmp

memory/1684-274-0x00000000002F0000-0x0000000000329000-memory.dmp

memory/2208-291-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2852-290-0x0000000000290000-0x00000000002C9000-memory.dmp

memory/2852-285-0x0000000000290000-0x00000000002C9000-memory.dmp

C:\Windows\SysWOW64\Dqhhknjp.exe

MD5 c0f6b7e00497dd2b7f9326e0fec5724c
SHA1 96136c6001e2b23aa1037cbb10bdde0b9fe7cae9
SHA256 54744e2efc04ec755938e1692f5e6b90e02782d2f2cfd6f19f12606acc04e987
SHA512 41ffddb300d3e11242503763b3d5d81d8aaf0887a8a1811746a7a949863af3c81d0ee068a1672604ac5f5ebc71a025744ec1ddc750d293d13b680312f203499d

C:\Windows\SysWOW64\Dcfdgiid.exe

MD5 4d701629d25c013039869ac78978f900
SHA1 c422b7c391897a0f34c7902349093ad946bb99c5
SHA256 1dc3ca582afd97f0293c437872ee9c9328c7e717cdde3ed127f949efc692327c
SHA512 dda345772d53b03a3701a210909ffda4094afef921c0d144026e120b92488fffd25e25b3ce114f80212f4ec0c0a306bdb2dbab7e882ebdd2bc3401e9d4352c76

memory/1916-298-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2208-297-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2208-296-0x00000000002D0000-0x0000000000309000-memory.dmp

C:\Windows\SysWOW64\Dqjepm32.exe

MD5 0e9b14cd4fa787f11aad77290a56065a
SHA1 b30ca4db99f14643bbb65197ba24564af55f0074
SHA256 cc98fa3762e51076ac54778147f9797ee64624f15caf27de471ac6b4307ed97f
SHA512 1717391805223b986e6d5e9dbbf0d9543e622fb45a3dde39f969f6746a3ebe62e92c3674f15e3d04a66d2a094fa4b5e14a807d5b005a626e4fcc7c1e22bde05f

memory/1916-310-0x00000000002F0000-0x0000000000329000-memory.dmp

memory/1916-312-0x00000000002F0000-0x0000000000329000-memory.dmp

memory/1652-319-0x00000000005D0000-0x0000000000609000-memory.dmp

memory/1652-318-0x00000000005D0000-0x0000000000609000-memory.dmp

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 987f4f4936c2dd19405fe81e0af2802b
SHA1 39c17f85d5de19ebc6778e6f4a4ced6e6d2a41f8
SHA256 73625ec9ade1045ae238ac0117fa085794ab27ac583a686e76daa73387d2291e
SHA512 7b4a5d01095438967326d02106d81dcc8a3b63436587d7b67c5481e3fa80a5d3433dc570cf213a0fbb28eed5856ca814df893986da796a3852aa97ef70dd3083

memory/1652-313-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Djbiicon.exe

MD5 da782483ae83a800485913827ece2f7b
SHA1 12dd344b23b79afd1228ea437b584b46a1ab19aa
SHA256 c9f47a07cd99dd877b358f93a9e35f5f153ea6935ec12dde376ee570e8ad0b32
SHA512 c2c6591a5e4964cb4fdfc3f166810204711364b00c59aca3f100adec17b5403ed2ba7646ab4d0eabf9db468c543d7f67f2508a293a510b05c83b7f6e4c5fe481

memory/1540-330-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2880-329-0x0000000000280000-0x00000000002B9000-memory.dmp

memory/2880-328-0x0000000000280000-0x00000000002B9000-memory.dmp

memory/1540-336-0x0000000000270000-0x00000000002A9000-memory.dmp

C:\Windows\SysWOW64\Dnneja32.exe

MD5 4d0b9881557fcd78723f907d010fde2b
SHA1 16f0493f783713545cce7a9bcf005ffe91bbe4c6
SHA256 3626e8adccdb2b8d8dfd5eb3afcca2951134eebc212e031b76769c3e2aeba767
SHA512 f6b3e14f1365a3d4b602d311685a7673a9e1b3754b3b1b077fd29b814f4ac341bb4ab49cd29550e1f0961d33e84896350fb56580369befe0dd97fcc9886b555f

C:\Windows\SysWOW64\Dcknbh32.exe

MD5 a1a2ca6baad20067bd5294ff2e25ed4a
SHA1 0965cfcd0830246a33471f93bec380deda4c7019
SHA256 f43c3e7d3e733a38b7fe09f83b0df03fe9c90250ea44e4ea5cd0c0cbb441d2f3
SHA512 45c782f7c2ecdba9428788ec97a4ac2b0fa3ad8f698c637d178a3e67c333caf1ab98561213092cd61b40d99ffcd4124ccf1b3785c6de8defb35a9b738822d169

memory/2608-352-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2708-351-0x0000000000260000-0x0000000000299000-memory.dmp

memory/2708-350-0x0000000000260000-0x0000000000299000-memory.dmp

memory/2708-349-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1540-348-0x0000000000270000-0x00000000002A9000-memory.dmp

memory/2608-362-0x0000000000280000-0x00000000002B9000-memory.dmp

memory/2608-361-0x0000000000280000-0x00000000002B9000-memory.dmp

C:\Windows\SysWOW64\Dfijnd32.exe

MD5 62ed4e09f137f77a7c7916dfa0a98a8f
SHA1 0d94bfc08fe594d5c64268c5a8c827624865333a
SHA256 002af9dc6079c39c80e9be6ac3b75925037fd01678e466c1921cd3f729bfcb82
SHA512 451d5694e2ba1531f2e6fa2de93dd58f3af9fb108db0821b7402acc0032c2bc21fb87853b225a9a4a8b362680d846d472c9435cfc4fa594150611616c19f0ff6

memory/2744-363-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ecmkghcl.exe

MD5 96343bb8f172e2de42de2a2cafef8a1b
SHA1 f7684ac7d51fe5866db67bd76306eb5541b40693
SHA256 16384adaf9df09319cbe84006bbace45812e48d7fdf29ba94ff7ead05753861e
SHA512 d638f42d666e650bcd3dc3d637522a53ad7d67ebd98f46c539797197079c00511018dc5658f945fd0335fe5fd9fb61fd2e671640e511f119f1987afda43c46f5

memory/2500-374-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2744-373-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2744-372-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2532-385-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2500-384-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2500-383-0x00000000002D0000-0x0000000000309000-memory.dmp

C:\Windows\SysWOW64\Eijcpoac.exe

MD5 b7390154a03ffe916aabb24cf07c089d
SHA1 47e6d47ca1b69db96edb68ead09e5dd77d655ecc
SHA256 96dbcfec943bc9a75b7ecd00b39a37d01fa93819d0fa3a88c36178a7c73b82ab
SHA512 c4e3aeeb90bb653e2b5e19a4aeb2f00609c5d7033ada3dc4c8fa2f9091091e84c4e83a361118b830fa578fbceeca6698f13359cc8ac97e6445ce246f8093e337

C:\Windows\SysWOW64\Epdkli32.exe

MD5 35a37850696af169d761658e3c8f9acc
SHA1 83ae4f90c982268bd3435d715e4cc1810249af77
SHA256 d6fe7d423d66a6a39efb753094937ea1123d1878e537d760768a0016678019df
SHA512 9efdaaf3a701dec8b25b3cbd1cb0f67029f8799c6bbf9861f0eb985c4381f0fb4fbab07a8d0d25200a51b808d659440f8edc16b87b80f1c455dc455df8386aa7

memory/2148-396-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2532-395-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2532-394-0x00000000002D0000-0x0000000000309000-memory.dmp

C:\Windows\SysWOW64\Efncicpm.exe

MD5 f89d58d2411274a37f8f858f7ff2ebf1
SHA1 b2286aa14b7b0de093d94369859bc74bd1788eaf
SHA256 b48cf3c34bc790607a01e551c59f38faf183f7d243287e0be17bb3057efc4a85
SHA512 773e4e8f7c2915da335d39288e01f8bdad53d9c04282e80dbcf26053d39ed3877118b73e97e1a888f0d85fb1c2ede7a2220063e7f7bd8a8e92083c47fb98668b

memory/1252-410-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2148-409-0x0000000000440000-0x0000000000479000-memory.dmp

memory/2148-408-0x0000000000440000-0x0000000000479000-memory.dmp

C:\Windows\SysWOW64\Eeqdep32.exe

MD5 fad73550ff92d247f76d0a9a34d9ba25
SHA1 5cc8e84e741b2c72ecc2df02c5f9a858c4b1f041
SHA256 7049afa21295537b41f0559621d7734747872f131631c41412db8656426b7ab6
SHA512 82dd3412ff13af1a200d5a933a84a4594bffe6468f2678a3ccd97a06ba904c8a5b3ef285a30880e7b8cc0804ca6b8f4b65e06c54230a4d177e3b2ee58fedde4e

memory/1592-428-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2152-432-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1592-421-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Epfhbign.exe

MD5 d1559cf8ad8b17b6274adfe7ffc8e2eb
SHA1 13785dd0ff8ae036fd2a1a8a83a042b9ace0d4f7
SHA256 e7c54b80bf11b61ac2c9e87408f1666179dca9c04688896bbb4f447657c34338
SHA512 781829aa1c05fa5bb60f83662ee61a5ba738520d83eb9607b1f36ed26473453da301376df7f51d782d681c808c75002ab7da0b35b25c9bc0adcfd9f936c432a3

memory/1252-417-0x00000000002E0000-0x0000000000319000-memory.dmp

memory/1592-427-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2152-435-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/1252-416-0x00000000002E0000-0x0000000000319000-memory.dmp

C:\Windows\SysWOW64\Enihne32.exe

MD5 664564e50ddf11227741a34e7d0e3ab0
SHA1 287e6963ead570f244c3afb2fb847c33116e8679
SHA256 6744e87adcf9cf2094553a5c49190b38578a3d6e27905d7bc73f1a183b4b66ab
SHA512 9041f13dbd4127805c709fbe74a7b96097717f3088fb2da4c6897baf577e739d1ae75c76bb17c20429287dc6ad23a3598b8bb3471b5451d4e4a4dc80e7f76a2d

memory/2152-439-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/1572-444-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Elmigj32.exe

MD5 87ca6bcaf27e492b6082e9d0a054fc08
SHA1 b6b0c0d5480f2c331f045b812f7d867e3ad5199a
SHA256 4f6f47b40ecd990794c86539bfb178b23c4764e14d1adf9b2c898dbc55f4b3a7
SHA512 723794c7d8fe2917f31cbc1569d6fce5f2a8a890d8e805e2f8516b93da63e786248e2d90e682bc30869434cf64c691b71adc4ec02fafe8f01adefaf229e3ff4d

memory/1572-454-0x0000000000330000-0x0000000000369000-memory.dmp

C:\Windows\SysWOW64\Enkece32.exe

MD5 92db69ea3078df8df5ab6bf7883034c6
SHA1 ac014f7c780b708b68b178384f75fb8638b6e56d
SHA256 e0a27127e1af357f00bbe8acb42ab1b62f94a4b44fcfe0ebe3e6694058672183
SHA512 3f8dd826303f55d89c68c0635d2fe7b37c4f007735458192122d3820d4044a28f6a121f25e39bec325e48d1cb1f815731f1d5d592ee62f84a9c2b3ca8a79485c

memory/1368-462-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2772-461-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2772-457-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2772-456-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1572-455-0x0000000000330000-0x0000000000369000-memory.dmp

memory/1368-468-0x00000000002F0000-0x0000000000329000-memory.dmp

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 7dc6de40420f3afb49c47e28cf74a6b7
SHA1 6e20d0a433cb77b0055b083ceb67b3e1f28a428b
SHA256 cc7908c47f40b0faca66fb450c32d3e25443466088ab748b7e1ec9444f76e572
SHA512 0785ee0fc5023958ca659bdbe5f2d4c3806f909c57821891dbe0d996c8e2b90790a355e732b3bc3aa64355be8be37ec3571a8ac2ad4744cd872e515171cfc261

memory/2496-482-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2496-483-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2496-481-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1368-476-0x00000000002F0000-0x0000000000329000-memory.dmp

C:\Windows\SysWOW64\Ebinic32.exe

MD5 9d5902c9eebbf47ed89684d23fc0f6e0
SHA1 021efd83159d78371efab36568a871524dfc88a9
SHA256 fe474be076beeb78d252bb2f088f0ea48015178f4bba51b7dc65998074b364ac
SHA512 fcaa00d907a09edf835ef6872d3b2d1431685955e98e0350621d8ebd43454081a50580e847320b480c8c79cbf840303ea47a1c041e92a036f8db812043610259

memory/2240-484-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 f835fa144a025b0f12d951e4f5361523
SHA1 a2b60956eecbddd2260ab0159c0a76e5a190fe00
SHA256 bb21a627e320607704d3a0a5775aadd1615c1d76f61dc4f8fef3be50f80f3d5f
SHA512 af78a3d4d8e669f3d2f3793b08e3e245edd9a93b04e0303ab33648ba03a97312d9d9632fe2acb2a2c379b87b418980a6ac7042758d58c95c67152ea9b37e7bd9

C:\Windows\SysWOW64\Fmcoja32.exe

MD5 f7dbfe9c7fb66cc59e33bed9113855bc
SHA1 c0c4776c23116b7a227773d0b8d54681ea474b20
SHA256 019cafd3f433215b3ab9d7c986c5a7d67d4e01364d26a6f55f1b3acff356c645
SHA512 b9f154b0521b0eac8600c37f9c6babd29444241aa4ecd04c67c5bfae06b80abfbd423351a32a3caeba94f30f219c003e24fc8df7347f6c6f4089eeb6b8c1bcd0

memory/1704-500-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2240-499-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2240-497-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Faokjpfd.exe

MD5 2edb9eda34208e92d55106ab1b5cdc8c
SHA1 eee164570d1ea2ed5d0f39df75ced210e5c59d33
SHA256 8025b7422c3dd0d2d6cfe4278593f4b03a6a8eece19051730ca97c7758dd05e1
SHA512 8edcf7f51c74297a4565f189c5113cdac7b0e3209c6eed49bdb1d6bf5d944b5eae7cca4d4eccab265b47e3a0ca8a6f314a4ba158b147d6b7c1797b3d0a57bd83

C:\Windows\SysWOW64\Ffkcbgek.exe

MD5 eb08a352008df08549c3bb495e0138c6
SHA1 6bd492cb099a446586cc225cb6c9dedada6c6c4a
SHA256 1b831bc46fde50d3519d7aa20a7a76cc74d3135b0b661f29515c996f81d915a0
SHA512 b93e9aff3b1c74acc288b0f2570e9d5a177c47cd1ed68b165deaf51ba9b76df53155c7bee716f1b1c9436865674cc403338c4e02cd64ecada340c4784b80a8e8

C:\Windows\SysWOW64\Fnbkddem.exe

MD5 5020694075e5f09a85d4fc5c1139ecd4
SHA1 b5bfe7627ea053964de0c3f4976d8b1244b0080d
SHA256 db24b2cff700736bfbd3bbf5c4389195b4c861314de75b5ad03f1882c7920d0d
SHA512 096a46ca03cea302e5e3c9aa6c8c68547d579cfe1251daa5f4c70fcf2d75fc3dbd179b02d2183d45b4c8dd7f94507cf6eca58b1f84b88311187fa7a094d2f564

C:\Windows\SysWOW64\Faagpp32.exe

MD5 ff72319b606d8f4814a8ca9a8d1e7792
SHA1 5904fc4e71a4cd7b97c9e40ca0bc5fb01d21945a
SHA256 43675787133f567050d47c5bb31e56fad8b7616c925f92f86733d26b8846fadd
SHA512 085583720fef8593f8a68fe80e6372159995d15b02bbda68797628af85a1618eaf13772e4bd81029a2f020e635ad9c20420c31fe6b269af09dadc060997cdfb6

C:\Windows\SysWOW64\Ffnphf32.exe

MD5 a141c79815d26fcdefacc6997ce530b4
SHA1 65a1135cb2229cc30d7128b83959a78b22c6b7fb
SHA256 8416fea6184100fca34135764d783916e8860cbfbdd7677d35236151baed069b
SHA512 47a0e44e9607c26b4b85cb41c4b9070b431a2329f049990cfa82e03d4c6dd84afe42e7663457ee12c654dcf19d0e0869cb5d5918e081cf63ad472551cd05f939

C:\Windows\SysWOW64\Fjilieka.exe

MD5 3f5519237a938d74c7164553730f43d8
SHA1 b594eb482efb34a1ee83d26b67ad0b4fd7756f53
SHA256 ed03d113a3fac323510ef157362a07be81a6e6964bef39024611551eac2cf0fc
SHA512 a5cff767f1c85bbfec9b9abd4e9bfaf94d05d2d1e3379ad6de506add69850a0b7e8074017b8a50991ac27c92acc3b6a086caf750447c225c1bcdacef059d26bb

C:\Windows\SysWOW64\Fmhheqje.exe

MD5 8f768eec8ba1bf7c3cb267cc0226ddb7
SHA1 36c4d32350717e7935a8add7033c0e600aa62237
SHA256 652d292b843dc34bc15187e498c8fe37d4cb6d728fa2b3bc66705243168bd160
SHA512 83a022e75f8b629b7095fbae98eaa980cd7f60bffb96aec88074b9c1e7695422e32d952027d2ff4e4be6ef581e231ce7a7038269e133fa997316c9af6f23bc4e

C:\Windows\SysWOW64\Fpfdalii.exe

MD5 a60de8ab89abbf50101c317ee1493aa1
SHA1 998a12039e6cca47c214085c1b9793bc26f5d492
SHA256 f4c33602d0403045c92f79b2f7575f46429bb310b49c6b103ad5feaa5eb22323
SHA512 3a8a42999ca34cdb10374bf29266b14703fafc904bc046be38a0dcd1dfad036b79701742aeebd608136d066ccd57f5526c2c8def65bfbb2a2a25b4eb1d0a22ac

C:\Windows\SysWOW64\Fbdqmghm.exe

MD5 c96f4745a9751f9606cfdc2389db578a
SHA1 6411dd639577886bcde23cd31e779431763c0779
SHA256 aed397aac7aff3957965d0898e871cb14d8a6b46a5ff10d6ae43564aecb1bab7
SHA512 f869d7c2933750d6b2f4081788177d61507f75eeaa2613ea55d394b20cdb6faf53e697fcfed8eb077f1e79fb9564d62d186b0af91986c74edbb29c9153a8433d

C:\Windows\SysWOW64\Fioija32.exe

MD5 496cd6ca40947595805e2289c207d99f
SHA1 35e9e28108f5185089f0f63990dcf56219cdde6e
SHA256 8508cb00506c54dfa66249a455dc35dce8fb446061bd3575bf271cc6e51c9783
SHA512 385743dd09c341d02ff333e3f1d6d7c1de6c9d370b9e4074fe6088a2fe273211056622a25faf04e1fc3745b35053b2ffb6663c2fb81e00ec185dd6c8e229e05c

C:\Windows\SysWOW64\Flmefm32.exe

MD5 fbc9f6028aa8562b8e6120079da3897c
SHA1 193cd7d0ee40dae58bbd4f8cba87b8e2c77f6259
SHA256 aed52dbf919d23bf124a835a6ddaaecc4c1cb65f70c1af1f852ebefb12a8c6d1
SHA512 900108e467c57e7521b7e7067adf3c45d4d3bc05c5f785f4b4c27a7739be59b2f29241d15632d8fe05b4354a02be4417b918ff2ed9a4525bcf5aa1bec30bb72b

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 560aa09c6936d4b6ebb39c8242905c09
SHA1 30375eb56ea4a5e6de9545045cea9719d1f6f4e4
SHA256 c33261ac22d2cdfb9f74fa2d9fe950b2cd4ee0c004239d78758ab68e9052e663
SHA512 e17dac74c294747847b2bf4f90b0849b138ec90268367db1b34a10d3afa81bee233f0800cf4a04b5ccde4e63c8b772c02093d7162e33e5ed9b35f46f4e2d0f14

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 cc260cf499c939ed42d448744a124dd0
SHA1 f4f4ec3fff2ecf9a5fd3d6040cb71419a288506b
SHA256 a3b52a2151274953826f93c1c8bf169e5a0c243cb2e4e8a64e72f248bd7af4d9
SHA512 528ea527383f9b33f1ddcd10a3fa566ded56085dfe0c404c49ddaf30c927fb62621a9e20612863a6e28ac071b06075b8f1c1a8b156431706a853499ba91f0160

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 bbabd44622d931930c6339ce5f2acbf6
SHA1 dc8f07e049e8f4e862f7cbf928d4401bcd27f349
SHA256 fa73589e0dfec60a5a6b60fed6816fab8f70e765a9bdebc46f1bfb4a2e72eb66
SHA512 257ce637b051bb128f0bdaba1d2c2bfd77cd1befeadf8a5a6c6a65e2ad072baf6042f85bf7a8f1c6e7cb6625c4bf2677f0495ec85298fe33f1f287224c1df83d

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 6bfc4c61dadb9db00f8ecbb84b8b2fc9
SHA1 ca5f8e9ced8c3d205eceb6a6a62442d3dec4dc1b
SHA256 01da4a3e08f2c4dc6a664a59326ed508fb295617a34c84a1e560a37127e24ca4
SHA512 12ade03de13b158766dd581e559d43bd0683385f391965ebc2e72bc3331989db517e7f9f047ab86552be4003a965aa07cfda2d9fdbffa7d8afd0326f81f9ec3c

C:\Windows\SysWOW64\Gonnhhln.exe

MD5 a18d81141167df36f7f4c7823c66f65d
SHA1 5abeca70654347d14b8bc25dee27eeb0c7f6c4fd
SHA256 620471864665d344f25da779e74f0dc4c0dc146cadedf8ba454567d897f72f88
SHA512 01f22577fc8e9326ec7a95f6f5f8414df28ed06699967fb3fe7d8a76cce57a8e7098d97ab9f70cd12ac952d9ba4e52afd44c0bc9e7faf13a34f0b136b8c71a69

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 d2135ef38b751a06271c574cb6dfd31d
SHA1 e601ec555198174747b2f68f6e6a28b6c84347ac
SHA256 22d76f6b9bd9fdd871acb72d0efbe94695909704f3cfae196a213942e49aa543
SHA512 8b3811ae6a45b757c1b130c20da458c471c1987876f65b2f2989d326da8b7f7073d38c6333227d343a8d38073649b5d385a2a5f1e865e15102dbb9e95ef95092

C:\Windows\SysWOW64\Gicbeald.exe

MD5 544d374895ef1e8e733b2dfa6d3884ea
SHA1 2222cb559e4d26f96e4307152f24eac6cc7c68e9
SHA256 227f1407238b668aa7cb0a8e1e87db24442533b80920a28195f2fad3d25b7bda
SHA512 a44f01a50aadacbe1c6fae47aeb6ff688907af561530d48951004d77edbc118b83df212927286e4770f4c43afcb9fd40e1a17905830abc60712c199e6f6d520d

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 9db51931d9f270857c177382f34fc34a
SHA1 6695f4d380dafaad5f3cb267ce0a894e2891c96d
SHA256 b59240b546af0f28c30f2a189a3020590f171d811ea2e461074674e490460bb7
SHA512 2ea9fac6343cd95111a9b10b833c78558dd10d052bf63190bc34657a3b00313cbb2b6d94c3034c0ebbb760d2ee5dbb201c99119760cbf45357983a097d703ab8

C:\Windows\SysWOW64\Gangic32.exe

MD5 e17588da634838520cb11c243576a3fd
SHA1 85293516076b456b4ec0289d58e5f42c882d64a1
SHA256 652d3fc661f16eda16bf2f54c55f78b86f5dc6dcde4ebe21670525e3985fe73d
SHA512 634cf7be116ec6cc59fe080bcc3ded36a6e9c373f1b7d56abbf361a17249055fb150e8986a4c0441104d6037cfe7a994d4f30144f52bf084aea5781d122109a6

C:\Windows\SysWOW64\Gieojq32.exe

MD5 3eaf70cc2df8975880c007a3dd09d61e
SHA1 6ce296b6bd683a032565b3b58582332d957adbf5
SHA256 bda224e982d699d36ce3a1a5b7cd3546d024d1c0b5e7076591e2f20c066a8dea
SHA512 5e1710136d8e5a4b0448c1b26138a3992987251b5e3b64df763d80193d16aa6f9c69841b1fb11942f4a46b10f0aa0b0a5c4ebc33e2a3b3c8582275e3186a095f

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 db12938a7b5912c7f3052747721f62c3
SHA1 3c2ba2971ab18a18c3d1acb481ca14746d9c141d
SHA256 d13663c807a713c3b3ee4688f3dbcf7b4a6c479fbcdb967feebf1506a0a86b15
SHA512 1fdc85f4a544694e615d46977e28288e19cad10094983a340be40d80dcecb440cdc20030f5ad1962dd086272f8dc6db0a3bd01dc2408b6d5f2ccfa1e5181fdcd

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 d5c5ee1197a8c4eaf8f0f9c4f7fc3c51
SHA1 4350084cb44cff035aa6318626136480f23f5f50
SHA256 093b419bca5b6027c07a3dd6065815b466417d4f1d7508e67a4591a8d284182e
SHA512 0b24dc6d686c1e2fe2ab7ef27aab8ea637679c9b3ff18eee60edbb851f48938d8a9217c5bc54d1f2b1632e90516cb7f0b713891af0c8093437c5e492ab15950c

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 91d39f35d1a3578c0b758a56673a5055
SHA1 c053103561c17f30570aec0f230c8095f24a1ee3
SHA256 f516272a78934d1f7ecaabaca596c117f45ab8aafca9818d1aa8a0e48668c712
SHA512 7bc5922ff19be0936cac952182264dc5f946a06ac28c4acd62302fe7e5d391421234cff30d47f4c4f3e6efe64db6764035953b383ad9b015f8b08f470fd86d77

C:\Windows\SysWOW64\Gdopkn32.exe

MD5 ffc3ecb4627f5508375ef364a478e91a
SHA1 437ead72fb80e4fc14b769b1d1b548b7f612917d
SHA256 1364731ce4f3c3c04f3aed3a4183b76ecd060e0092a57bd464d3df43e75168c6
SHA512 a50a582d5dc09ec00df38ef5450c05a9041c7c8d5ba59071ba88ef4c031fcfbc7aacc4bc17effe2fd340ec78356b27a128b2d131f0cc5ff52b42cdacbfb2b3de

C:\Windows\SysWOW64\Gkihhhnm.exe

MD5 e1382b1f2b28303f130cf2e9cd803e8b
SHA1 6c8ee092025a5fc4af7c61486e4a5a7dafdf135a
SHA256 6ed65c2b6af9432d423fcec142971d1c02654561758418b2aee987e0a7618ca9
SHA512 152e26a990bc0cfe40aba20f04da86039e95d72f2a20693770bc4004321a39ee152ddb9cffcc8cc97d7ac0bcc69f4b3397a6b2418fa62cbc0d9599f867ae512f

C:\Windows\SysWOW64\Goddhg32.exe

MD5 eefa78339cfdb6155708bd4be0ca1d91
SHA1 45a5767b965cd66071fc24a3d531da4a64c17b30
SHA256 75d35f50f5e06a2676360bcdf2e8c47514cf8a1e4525d1541338f34284e4f56c
SHA512 7bc4dc6a2625894b28488dfbf9602461c87238ff3a144fb8dbae99acadffeaddc549211be4c52a23f4b0bfcc6742f2f3c5c3c57620a8b09a55deaa76cf48120a

C:\Windows\SysWOW64\Geolea32.exe

MD5 66738764535b7bc780df69d44305929e
SHA1 c01337ce8cb3fb5b46a1954e9e943460a9e97270
SHA256 26ed286000454e87ed668e9652626f79b834874441abd1d4e50da9711fb6f66e
SHA512 9f9a9f773bf49e837024f4dea4b7e4fb2f176704aaf39ad456c1bf6e891492f6a0e3fc442ffac28a3d6f1db795be3040c6f2694262fbe2c5263e3014d8fe264f

C:\Windows\SysWOW64\Gdamqndn.exe

MD5 d62c2e86dc1722d751eabf70e39c7f05
SHA1 ce18a51a8c87f2bcf40cc1be9590f1e31cf38222
SHA256 ad6258880504134b835c153a6bff6cb8631b44a92d0664fc121d8a82d014ce44
SHA512 c0f93cd7e16320664b4e7571fa49adaa9f825933850c65f013d8b784d0c0738f6519f585d05de6d2762e12b5caf729d051021343a33cfa1b3665cacb3b4ece7e

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 e1e7519e54631f2c6d184d8e0243dbe1
SHA1 194fb4c51c16a958f316ade101b65dd1a7d71a14
SHA256 99966ec1d7ad160f86e727d68fd9727f4d0b54fb3118e4b9d4c8629af47fda1f
SHA512 43225c0b02aa1a0e5608b09a60e8bf2aaac0d62f38b6371eb05f3b71b3f5b4e64db50dca0175c144347def3cd4c97f5acaa03cbc0558c73249532778ccdd7d82

C:\Windows\SysWOW64\Gogangdc.exe

MD5 f29389bf25a2d1646755578e616919b5
SHA1 5ecfaa197a2b76f87d0105646b0032f276ba8ec4
SHA256 ee2f4e0ded9de07001b27d27450726ace5673d401bb93dbaa991a538526765b3
SHA512 d295352284bb62b50fd435ec0499d384d23c49fc1931462ac435e91e47f828e1a0a0140fd8a2be33b722db194e847252cd0163cae9c27b582b18f1327f56df7f

C:\Windows\SysWOW64\Gphmeo32.exe

MD5 5bc199b2b41696343025b6c8a3ef3918
SHA1 ad36614934e82320f9407d480710c958f76a1688
SHA256 59da99f8d4de4d6448a4bbc4d78d133236fa4add07ad6bb00311a6dfdcb2115c
SHA512 4d9023949904f52421b2d4cd61c4986e3d419c9f87f6a5077b8e277ab74811758ea8b82bc6b002ef96defae40fa14f5f9c91df6ac5c29db97655969ea859dffb

C:\Windows\SysWOW64\Gddifnbk.exe

MD5 b5cc770799ca8b3e98113ef7a734f1b5
SHA1 c47552f754177f4eea8444fc9b06e12a44a05b8c
SHA256 b941544a956f066db12979f01b66a8666f89211807496447466bc2d1ede2a3b4
SHA512 7ad8af9326fa4fe8c269c08e27f57bef42efb0ff3cc83920da7bdefbc9ad2c4fe3aedf803d3fe0282787cd998f58b14f69a2e5db44598f1deb9d19364f3c6058

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 fe43799e31e470acf62fd5ac6550165b
SHA1 419b4306dce648703f895c0e40e855f41eacf76a
SHA256 f0628b297577ed70fd2a8340b6c5c1513f945ab7b72e1e5a857a0cd0c581a138
SHA512 cc9a7cac8b9cc8184d4a25b98945d48c4a3db02861b0ffcc4858121f9489a97a62821d137c65a64fc25db3bf6a29aa52a5d207a065f8d5bb23b486284b1a5c9b

C:\Windows\SysWOW64\Hmlnoc32.exe

MD5 2635d493480ad7977d364f11b751d5e1
SHA1 df71e9adb08730162746c1dd95dfc7b880537c13
SHA256 736b124d709b830c26a105827bedf7d3d8ff3e3c8ffd3540ea29d78424220e88
SHA512 3e096cffbe3a5e19577960c96f3481e3cc70d35dbd6a7950dbd6612b3dd15e5f49f93295bef6cfbedf6b9ea3b17ca71583c19149a65e39fa6be75c0e6e13cae9

C:\Windows\SysWOW64\Hdfflm32.exe

MD5 fb738e66f4d1ee6e78307581257816e1
SHA1 b1adb99b59848db2444bb0a2f4ca125334db43eb
SHA256 f1c4d3dbc1a90fbefc023d999b52eab71a3f74c2af2a4beedbc1c1c442749263
SHA512 6aac7b3e78f467c70fc08a0075f5499eb8c445c02584c659ce79a5aeeb3fee8dfae3d8aa038b80974672efd3369b8ac6f7c50e2945a4288ad8afbac5311bdf1a

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 369dc9bc9528000a47ae551c7205d86f
SHA1 cfb4d6d9b7ccf4f69056abc37afa3e39ad569bc4
SHA256 cb1d820380ac769c7ec931b3aeb13e3b724845504027787bc414da098fcc2df8
SHA512 2d6fc7ec6689ff7952b3679e45d53feea7d1834d2bd29559881145247ad003a1cfe13786a1f679b0072b8c308a6161764cdebaa35733af53a22c6635e59f22a0

C:\Windows\SysWOW64\Hicodd32.exe

MD5 da255aacb810e03c27cf1a8aa72202b5
SHA1 0c63d202d281e0a1d8675bc01e426bc83f13fc39
SHA256 b067741a50ab48143c97a5e77d5deecdc3f74a59b25465d2a3b95f90801d340d
SHA512 deda640ef07af455a17a16f8eb0ff93c4111f07f4346800b6443121674be550f0598ac43b0f2dffcd1472d98864bcd9ad38febc4c6261c7f8f003a215df32455

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 a61e310b904a4551f63932f91fd3509a
SHA1 fb053b5740bb8aba6ab51104f96a9b2749a82f0d
SHA256 d0cbc43909520cb26fcdb6626ebb236dd372d2def8d1564284b86cd4655b3596
SHA512 65e19d07d0040506bf5d71fb7d9fefb7faeb2a383fd05c73d7530a6ed7bdf15c05ad4a6656b0affe7fd9c3931339e8373dbac37cd00a9b8d7132b2e1eb479e09

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 9b9f65c6166193ad446185684c733fa5
SHA1 8124bf2b7c6ac54ebb0667c16ddd1d86e6f51a2b
SHA256 bdc8a2a039ce38048ea79c5b2986a53f8a36a72b461f48140acff684e47a760f
SHA512 854557bf598c863c999fa837f6b37ef6617bc2634417266c9306d0f843fd2e862d147d8b5c5ed3e291064a1d5327a0a2148f01ad31b14987a6cf0c878de1c393

C:\Windows\SysWOW64\Hiekid32.exe

MD5 b9d1d2582163248de85b794ba1389bdf
SHA1 d82cd8c57ba116a8ec588d0ca1ddc879d9df2399
SHA256 1e04e9aae99497f50f5be135efc4d7b9e2c43f156e9235beee46a070d13c7406
SHA512 bf5898a6bca5a71ea2b2bee7098d4496ff4e30c160af0a6fcbf05a7eae25d9eb74655af6230b7cc5c540b2efb0c53cacb6f68e995f8a58b4f3ac41205c7eb967

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 7a31f2d5d613b5fa66b09f1eebaf7835
SHA1 1b7ea1461864733fb53fcde0c3e3e1296eedf707
SHA256 dc78bb3efc53b8b430161cfe5d99d332ac556d69849dfab4832890386232bff2
SHA512 912d06d801d27a19c993aa7e06be60d3e0274e40e7df5d5a29a785bb83305f38a0dd98ecc2da0a7660c0408631b87e62badb248ac5f9c588b16d453c69881902

C:\Windows\SysWOW64\Hpocfncj.exe

MD5 347147a14e6c1274e4b9e4efd8d0ad80
SHA1 4ded80dfb7eb0e391d76d67eabd3c4162ae47a67
SHA256 b67264f767c0efa92c2d7860a087cbd02872c5a836e0c49dae6bc1b5213f538a
SHA512 e1d8aca501675f1e0325b63c276c47cb11711f3e769bd1f3adeba3070f3b987996be367e08e1667efa2579dba814637e774a3523beb498f5d6d312dec9d19433

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 96e0f02f3bb337388f577532c556b9f3
SHA1 0f553855276a4308f0e84679dbf7b3e2a849e6eb
SHA256 c66dfb23392d97d9dfc09bed4f4ba7e070a4681133fa0af39a8210b431ba481b
SHA512 b7650c93bfef9a3a975d52d0449bce9dbe4d21f591748bfdc06f22a606c04a986f3c02e95fd420b10e2a5abce90cccaecea36429f83bcc2f471d423d1c7ab517

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 2023601aac865b3471b300fff5193b84
SHA1 c3959affadac36f72ce153a089ffe04994cfae62
SHA256 57549aaecd358816b1ff5a30a02baee10aa59be030c9fccc1e728b0953b397ce
SHA512 24c1f148f2410f19672db8a63ae5a570cf57cf00bb9d72da354411e1d97df036ac9578bf2bf18ff053bd5893de26899c749b36e451f85c88d34c538eecda244c

C:\Windows\SysWOW64\Hlfdkoin.exe

MD5 f375110c666b64fabd722626990fe9fa
SHA1 444d9037c2bf42f4ce98d822e811fd49655b950d
SHA256 711454f712acca6c2c4048f1f4ae206f6bb4ef142fa497540aa50959f94c7200
SHA512 096c7d85c3292e9a67f292a4037090757dd5e774b84948ee199dc868cf7405fe06b79ec5c12ca93e1386772e5dd08659867003d224d9c9ae3a50b3c8c2d715da

C:\Windows\SysWOW64\Hodpgjha.exe

MD5 35dee71f52e28be72065b26e58c1a553
SHA1 e5db8e5d848b17da98b2a64af9af8e932f325961
SHA256 64eae670ca7220da71b6e27612e3aefd3fd41ee2dbcaed2d38ff50726390a577
SHA512 9983a6469900560b0759e0728f33a8d12a9433edb2e9bb7e53d0877a0198d8bfc65c3493bc6417ab9270830bc8aa914a641b1fdb8af23c7279a6adfe11d7812c

C:\Windows\SysWOW64\Hacmcfge.exe

MD5 4e7b4dc9e3a7c5b77fa406add001c5f8
SHA1 b08b37aa45ec02c3eaa3d381235bd4bfee5c9159
SHA256 efe3166939e00929112c0547959db97bc0d24f8d645a377113af2cdbad8e3c8f
SHA512 498e41028536b0b9a9b6dc87db41b7cffd0a90beef1e72312e6bfb1cc3db39f986ca8279bc0ee651f55804dda4fd0e2ae4b0b6b3e15c8b7aa066fb0eca24a288

C:\Windows\SysWOW64\Henidd32.exe

MD5 b1340e8b4f70c1e629434989fe807177
SHA1 dd05b442a134cfbb82fbc6cdaceb3ebc8e344be7
SHA256 e160ea7b5beec375710bb4d39f609199b4b91f7c67e095d75077e0bd27473d04
SHA512 9e726eca3d00049a067f542e41149eea39fb287dfb981ee35fcf602320da70b5f333dbbc0308e50acb2ac1af4e127460f12beb49a3331b7d8c4ef53b5f7bc0b5

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 feb3a8440d68cb241a507b9cf6738e29
SHA1 60496967b8bc3a2c3ba346f934d5299a8d4ee817
SHA256 e6c5ba858874a7cd072e991f16a030fadf872bb05afef44e053e885275a2a12e
SHA512 4675233eadec759e537ba600ebe8e3dd015b49583f3d3cb0e1d2dacaa8472ac4d485d3d7723a13e66572a0dd56fa92796ac6ccfe47efe3cb4152885c2b7fc19c

C:\Windows\SysWOW64\Hlhaqogk.exe

MD5 4085cf3bc4bd9dd665ba020f4fa1df39
SHA1 00573c5b53daa1e8de3a808ca83efb6e0062dc98
SHA256 2026d746a2029c533eee9ff957aaa5ccb7f5b9be675de5ad6c2f929da9aae5a6
SHA512 a5ff8013b4ac0489a844f7858145a116bbda25162169b6106715f966b1b1927889141df4cc2810f499eeeaed0f5b5e586d64160b6a72cfcfc8d65f87002f6d61

C:\Windows\SysWOW64\Icbimi32.exe

MD5 2ac413e0274cbc6ce9326b753559ba2a
SHA1 e943bd5432461277da8a5bd6f147304a6b752876
SHA256 5d843658a686dcf8449c8e508330e2bf7b8eec858ef689dd69db9788dc4316b7
SHA512 5b9ca7f5383212de6192f6293c85817695865289d3b109a1cba59a3ab8fe75358f78db869e6a8fd9e171731ef3259ba21cb4fbd5743c3322691d2dfda43c525b

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 ecf91ea8dd97088a8c0db8b34a2ec361
SHA1 521c8c22760dd2bc7e96fc8f0a080775b15ad4b7
SHA256 1bc5982182d47e350ee19bdd3c328e4b41b4818eca476767deb3f0830be9dbbf
SHA512 f86a53bb9c547d4a94165272d360689e5e54cd80bcf4702d942dc2fd05d4a1cc8a1232e02b1bbdde99d44f04c822644d21986bf96654a3d40b5483cd460d1800

C:\Windows\SysWOW64\Ilknfn32.exe

MD5 7568cc4133045bb34a1b9ca30d4f6638
SHA1 85148870b8551963ab30cb0fe15008f53f59d4b9
SHA256 68e7f9a40b5d87f6ec615d8b3b06b4f09095cde39b4dc4d4c27cb230c3d99727
SHA512 fc07c5c8cd30b9cc9c6c4225c95361db9c8918c471dfb357d246224bcdeaeafa610dbde0dc707576be10a9a07e760a45b7932064f9915a776adf328c179ec1ae

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 571433e1a88a63675a3f091ba3c72c3f
SHA1 ea7c2dd4266c31c32ba34eb5729061690f10ef23
SHA256 519f90eaef4646a2a9915fc555bac4467c7f6ad9aa4290a9e00509753655b2d7
SHA512 b9d870f1c00475579ac5ffebb4ed4dd2753b23dd824724cf5cb028a8b90c76c2877a2cf95a9cd5ac9876d6e9a973b4c7b4ab2440946da908a6955cc2c4612458

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 612c4014b5629413e68900d7f510c932
SHA1 b62a0b86e30f3a0bf22f9443bfafd3190af4de5a
SHA256 780791d6f04584832ae7897b1304874a3b29c2a6c8169ec35b5d6f4b72a150cb
SHA512 1ebb817be1529f11df7018bd46807ccb620a733f2d38858dfcdee2b5e091d5de9d2c1a55b18e3e66ceff4d89959653fcf40f005a2cb08aafeab54474e55b4866

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 03:27

Reported

2024-05-09 03:30

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkpgck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdmpje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klngdpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdmegp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojjffddl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjpiha32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imoneg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jehokgge.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Likjcbkc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlopkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Obdkma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdnidn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpccdlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Edkdkplj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hofdacke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmmjgejj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clbceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eoaihhlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ifjodl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilghlc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chmndlge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdhdajea.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndokbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfjcgn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdkcde32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcioiood.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlcifmbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Belebq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qgciaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fhjfhl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkdbpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifjodl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbhoqj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kefkme32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Deokon32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odmgcgbi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbbkaako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gcimkc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kikame32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fdialn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llcpoo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmdkch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkbkamnl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmoeoidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oponmilc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcgbco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbjoljdo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdcdbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjlcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcdmga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cddecc32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kcifkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkpnlm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpmfddnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kckbqpnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkbkamnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lalcng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpocjdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmccchkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgdml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laalifad.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcbiao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lilanioo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldaeka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklnhlfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Laefdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcgblncm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjqjih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpkbebbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkpgck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiklqhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnapdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnhmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mncmjfmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmegp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkgmcjld.exe N/A
N/A N/A C:\Windows\SysWOW64\Maaepd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdpalp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkjjij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnhfee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndbnboqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nklfoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nddkgonp.exe N/A
N/A N/A C:\Windows\SysWOW64\Njacpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngedij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncldnkae.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfmke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqpego32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojhiqefo.exe N/A
N/A N/A C:\Windows\SysWOW64\Odnnnnfe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojjffddl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogogoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obdkma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqgkhnjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojopad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odednmpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojalgcnd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcjapi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnpemb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Peimil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkceffcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Peljol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndohaqe.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkhoae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgopffec.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgallfcq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjpiha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeemej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgciaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qalnjkgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Alabgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anpncp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acmflf32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Hlmobp32.dll C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Qgphkcho.dll C:\Windows\SysWOW64\Oqgkhnjf.exe N/A
File created C:\Windows\SysWOW64\Jmmjgejj.exe C:\Windows\SysWOW64\Jbhfjljd.exe N/A
File created C:\Windows\SysWOW64\Ndokbi32.exe C:\Windows\SysWOW64\Mlhbal32.exe N/A
File created C:\Windows\SysWOW64\Nnjlpo32.exe C:\Windows\SysWOW64\Ngpccdlj.exe N/A
File created C:\Windows\SysWOW64\Agglboim.exe C:\Windows\SysWOW64\Aeiofcji.exe N/A
File opened for modification C:\Windows\SysWOW64\Bffkij32.exe C:\Windows\SysWOW64\Bgcknmop.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgehcmmm.exe C:\Windows\SysWOW64\Balpgb32.exe N/A
File created C:\Windows\SysWOW64\Becifhfj.exe C:\Windows\SysWOW64\Ajneip32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cahfmgoo.exe C:\Windows\SysWOW64\Cknnpm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Clbceo32.exe C:\Windows\SysWOW64\Cehkhecb.exe N/A
File created C:\Windows\SysWOW64\Fdegandp.exe C:\Windows\SysWOW64\Fcckif32.exe N/A
File opened for modification C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lkgdml32.exe N/A
File created C:\Windows\SysWOW64\Higbhjml.dll C:\Windows\SysWOW64\Qjpiha32.exe N/A
File created C:\Windows\SysWOW64\Ajneip32.exe C:\Windows\SysWOW64\Adcmmeog.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdcdbl32.exe C:\Windows\SysWOW64\Gbdgfa32.exe N/A
File created C:\Windows\SysWOW64\Picpfp32.dll C:\Windows\SysWOW64\Chdkoa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Daaicfgd.exe C:\Windows\SysWOW64\Dkgqfl32.exe N/A
File created C:\Windows\SysWOW64\Dkljak32.exe C:\Windows\SysWOW64\Ddbbeade.exe N/A
File created C:\Windows\SysWOW64\Kiaefcan.dll C:\Windows\SysWOW64\Ddbbeade.exe N/A
File created C:\Windows\SysWOW64\Fbnkjc32.dll C:\Windows\SysWOW64\Kbaipkbi.exe N/A
File created C:\Windows\SysWOW64\Gnbinq32.dll C:\Windows\SysWOW64\Kbhoqj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnfdcjkg.exe C:\Windows\SysWOW64\Pfolbmje.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieolehop.exe C:\Windows\SysWOW64\Icnpmp32.exe N/A
File created C:\Windows\SysWOW64\Elcmjaol.dll C:\Windows\SysWOW64\Pgioqq32.exe N/A
File created C:\Windows\SysWOW64\Pdmpje32.exe C:\Windows\SysWOW64\Pmfhig32.exe N/A
File created C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bagflcje.exe N/A
File created C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
File opened for modification C:\Windows\SysWOW64\Alhhhcal.exe C:\Windows\SysWOW64\Aacckjaf.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkkojgao.exe C:\Windows\SysWOW64\Gdqgmmjb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilghlc32.exe C:\Windows\SysWOW64\Iihkpg32.exe N/A
File created C:\Windows\SysWOW64\Knfoif32.dll C:\Windows\SysWOW64\Ogifjcdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Balpgb32.exe C:\Windows\SysWOW64\Bffkij32.exe N/A
File created C:\Windows\SysWOW64\Deokon32.exe C:\Windows\SysWOW64\Dmgbnq32.exe N/A
File created C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mpkbebbf.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkceffcd.exe C:\Windows\SysWOW64\Peimil32.exe N/A
File created C:\Windows\SysWOW64\Dhbbhk32.dll C:\Windows\SysWOW64\Kpeiioac.exe N/A
File created C:\Windows\SysWOW64\Mdpalp32.exe C:\Windows\SysWOW64\Maaepd32.exe N/A
File created C:\Windows\SysWOW64\Jiglalpk.dll C:\Windows\SysWOW64\Angddopp.exe N/A
File created C:\Windows\SysWOW64\Eeanii32.dll C:\Windows\SysWOW64\Jpgmha32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pclgkb32.exe C:\Windows\SysWOW64\Pqmjog32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iiaephpc.exe C:\Windows\SysWOW64\Hfcicmqp.exe N/A
File created C:\Windows\SysWOW64\Hkmgakaf.dll C:\Windows\SysWOW64\Ojjffddl.exe N/A
File opened for modification C:\Windows\SysWOW64\Lfhdlh32.exe C:\Windows\SysWOW64\Lpnlpnih.exe N/A
File opened for modification C:\Windows\SysWOW64\Oncofm32.exe C:\Windows\SysWOW64\Ogifjcdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogogoi32.exe C:\Windows\SysWOW64\Ojjffddl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojopad32.exe C:\Windows\SysWOW64\Oqgkhnjf.exe N/A
File created C:\Windows\SysWOW64\Bdolhc32.exe C:\Windows\SysWOW64\Bjghpn32.exe N/A
File created C:\Windows\SysWOW64\Elgfgl32.exe C:\Windows\SysWOW64\Eemnjbaj.exe N/A
File created C:\Windows\SysWOW64\Cajolcjk.dll C:\Windows\SysWOW64\Eofbch32.exe N/A
File created C:\Windows\SysWOW64\Hofdacke.exe C:\Windows\SysWOW64\Himldi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmjdjgjo.exe C:\Windows\SysWOW64\Hfqlnm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odocigqg.exe C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File created C:\Windows\SysWOW64\Phiifkjp.dll C:\Windows\SysWOW64\Bagflcje.exe N/A
File opened for modification C:\Windows\SysWOW64\Mipcob32.exe C:\Windows\SysWOW64\Mgagbf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lmccchkn.exe N/A
File created C:\Windows\SysWOW64\Efpmmmoo.dll C:\Windows\SysWOW64\Clbceo32.exe N/A
File created C:\Windows\SysWOW64\Jcpfco32.dll C:\Windows\SysWOW64\Dbllbibl.exe N/A
File created C:\Windows\SysWOW64\Jihdea32.dll C:\Windows\SysWOW64\Edihepnm.exe N/A
File created C:\Windows\SysWOW64\Hjjgia32.dll C:\Windows\SysWOW64\Qalnjkgo.exe N/A
File created C:\Windows\SysWOW64\Pkfcej32.dll C:\Windows\SysWOW64\Lgokmgjm.exe N/A
File created C:\Windows\SysWOW64\Ocdqjceo.exe C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
File opened for modification C:\Windows\SysWOW64\Alabgd32.exe C:\Windows\SysWOW64\Qalnjkgo.exe N/A
File created C:\Windows\SysWOW64\Kihgme32.dll C:\Windows\SysWOW64\Adcmmeog.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkpnlm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqpego32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhjbhod.dll" C:\Windows\SysWOW64\Alabgd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gdcdbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll" C:\Windows\SysWOW64\Icnpmp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll" C:\Windows\SysWOW64\Qnhahj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lboeaifi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mchhggno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll" C:\Windows\SysWOW64\Pfhfan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pnpemb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghaliknf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll" C:\Windows\SysWOW64\Jfoiokfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll" C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Belebq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnopdeh.dll" C:\Windows\SysWOW64\Fdlnbm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdeqhl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhclmi.dll" C:\Windows\SysWOW64\Gmoeoidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npibja32.dll" C:\Windows\SysWOW64\Imfdff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll" C:\Windows\SysWOW64\Kpeiioac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lpqiemge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckafhlkg.dll" C:\Windows\SysWOW64\Dafbne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfhfan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeiofcji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbnafb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iihkpg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalojih.dll" C:\Windows\SysWOW64\Ckpjfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkhbdg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdnidn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmncnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chmndlge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" C:\Windows\SysWOW64\Chcddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbcpl32.dll" C:\Windows\SysWOW64\Cdfbibnb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fdlnbm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll" C:\Windows\SysWOW64\Nilcjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll" C:\Windows\SysWOW64\Npjebj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofqpqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Peljol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pcccfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajneip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mchhggno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngpccdlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll" C:\Windows\SysWOW64\Pgioqq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lcgblncm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckcgkldl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hfnphn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lpqiemge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll" C:\Windows\SysWOW64\Mdckfk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll" C:\Windows\SysWOW64\Nnneknob.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll" C:\Windows\SysWOW64\Belebq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Angddopp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eoaihhlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfkkboc.dll" C:\Windows\SysWOW64\Eepjpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gcimkc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jcllonma.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3788 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe C:\Windows\SysWOW64\Kcifkp32.exe
PID 3788 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe C:\Windows\SysWOW64\Kcifkp32.exe
PID 3788 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe C:\Windows\SysWOW64\Kcifkp32.exe
PID 4252 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kkpnlm32.exe
PID 4252 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kkpnlm32.exe
PID 4252 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kkpnlm32.exe
PID 2280 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Kkpnlm32.exe C:\Windows\SysWOW64\Kpmfddnf.exe
PID 2280 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Kkpnlm32.exe C:\Windows\SysWOW64\Kpmfddnf.exe
PID 2280 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Kkpnlm32.exe C:\Windows\SysWOW64\Kpmfddnf.exe
PID 2920 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kckbqpnj.exe
PID 2920 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kckbqpnj.exe
PID 2920 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kckbqpnj.exe
PID 2980 wrote to memory of 3144 N/A C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kkbkamnl.exe
PID 2980 wrote to memory of 3144 N/A C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kkbkamnl.exe
PID 2980 wrote to memory of 3144 N/A C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kkbkamnl.exe
PID 3144 wrote to memory of 756 N/A C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\SysWOW64\Lalcng32.exe
PID 3144 wrote to memory of 756 N/A C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\SysWOW64\Lalcng32.exe
PID 3144 wrote to memory of 756 N/A C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\SysWOW64\Lalcng32.exe
PID 756 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 756 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 756 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 2248 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lmccchkn.exe
PID 2248 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lmccchkn.exe
PID 2248 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lmccchkn.exe
PID 4952 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 4952 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 4952 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 4664 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lkgdml32.exe
PID 4664 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lkgdml32.exe
PID 4664 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lkgdml32.exe
PID 1220 wrote to memory of 496 N/A C:\Windows\SysWOW64\Lkgdml32.exe C:\Windows\SysWOW64\Laalifad.exe
PID 1220 wrote to memory of 496 N/A C:\Windows\SysWOW64\Lkgdml32.exe C:\Windows\SysWOW64\Laalifad.exe
PID 1220 wrote to memory of 496 N/A C:\Windows\SysWOW64\Lkgdml32.exe C:\Windows\SysWOW64\Laalifad.exe
PID 496 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lcbiao32.exe
PID 496 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lcbiao32.exe
PID 496 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lcbiao32.exe
PID 4440 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lilanioo.exe
PID 4440 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lilanioo.exe
PID 4440 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lilanioo.exe
PID 5016 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Lilanioo.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 5016 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Lilanioo.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 5016 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Lilanioo.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 2984 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lklnhlfb.exe
PID 2984 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lklnhlfb.exe
PID 2984 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lklnhlfb.exe
PID 5024 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Lklnhlfb.exe C:\Windows\SysWOW64\Laefdf32.exe
PID 5024 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Lklnhlfb.exe C:\Windows\SysWOW64\Laefdf32.exe
PID 5024 wrote to memory of 4576 N/A C:\Windows\SysWOW64\Lklnhlfb.exe C:\Windows\SysWOW64\Laefdf32.exe
PID 4576 wrote to memory of 4772 N/A C:\Windows\SysWOW64\Laefdf32.exe C:\Windows\SysWOW64\Lcgblncm.exe
PID 4576 wrote to memory of 4772 N/A C:\Windows\SysWOW64\Laefdf32.exe C:\Windows\SysWOW64\Lcgblncm.exe
PID 4576 wrote to memory of 4772 N/A C:\Windows\SysWOW64\Laefdf32.exe C:\Windows\SysWOW64\Lcgblncm.exe
PID 4772 wrote to memory of 376 N/A C:\Windows\SysWOW64\Lcgblncm.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 4772 wrote to memory of 376 N/A C:\Windows\SysWOW64\Lcgblncm.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 4772 wrote to memory of 376 N/A C:\Windows\SysWOW64\Lcgblncm.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 376 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Mpkbebbf.exe
PID 376 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Mpkbebbf.exe
PID 376 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Mpkbebbf.exe
PID 2032 wrote to memory of 1768 N/A C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mkpgck32.exe
PID 2032 wrote to memory of 1768 N/A C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mkpgck32.exe
PID 2032 wrote to memory of 1768 N/A C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mkpgck32.exe
PID 1768 wrote to memory of 4076 N/A C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mdiklqhm.exe
PID 1768 wrote to memory of 4076 N/A C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mdiklqhm.exe
PID 1768 wrote to memory of 4076 N/A C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mdiklqhm.exe
PID 4076 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Mnapdf32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\ded952b0b66d55b160d2379721ae5360_NEIKI.exe"

C:\Windows\SysWOW64\Kcifkp32.exe

C:\Windows\system32\Kcifkp32.exe

C:\Windows\SysWOW64\Kkpnlm32.exe

C:\Windows\system32\Kkpnlm32.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Kkbkamnl.exe

C:\Windows\system32\Kkbkamnl.exe

C:\Windows\SysWOW64\Lalcng32.exe

C:\Windows\system32\Lalcng32.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lkgdml32.exe

C:\Windows\system32\Lkgdml32.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lklnhlfb.exe

C:\Windows\system32\Lklnhlfb.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mcnhmm32.exe

C:\Windows\system32\Mcnhmm32.exe

C:\Windows\SysWOW64\Mncmjfmk.exe

C:\Windows\system32\Mncmjfmk.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Njfmke32.exe

C:\Windows\system32\Njfmke32.exe

C:\Windows\SysWOW64\Nqpego32.exe

C:\Windows\system32\Nqpego32.exe

C:\Windows\SysWOW64\Ojhiqefo.exe

C:\Windows\system32\Ojhiqefo.exe

C:\Windows\SysWOW64\Odnnnnfe.exe

C:\Windows\system32\Odnnnnfe.exe

C:\Windows\SysWOW64\Ojjffddl.exe

C:\Windows\system32\Ojjffddl.exe

C:\Windows\SysWOW64\Ogogoi32.exe

C:\Windows\system32\Ogogoi32.exe

C:\Windows\SysWOW64\Obdkma32.exe

C:\Windows\system32\Obdkma32.exe

C:\Windows\SysWOW64\Oqgkhnjf.exe

C:\Windows\system32\Oqgkhnjf.exe

C:\Windows\SysWOW64\Ojopad32.exe

C:\Windows\system32\Ojopad32.exe

C:\Windows\SysWOW64\Odednmpm.exe

C:\Windows\system32\Odednmpm.exe

C:\Windows\SysWOW64\Ojalgcnd.exe

C:\Windows\system32\Ojalgcnd.exe

C:\Windows\SysWOW64\Pcjapi32.exe

C:\Windows\system32\Pcjapi32.exe

C:\Windows\SysWOW64\Pnpemb32.exe

C:\Windows\system32\Pnpemb32.exe

C:\Windows\SysWOW64\Peimil32.exe

C:\Windows\system32\Peimil32.exe

C:\Windows\SysWOW64\Pkceffcd.exe

C:\Windows\system32\Pkceffcd.exe

C:\Windows\SysWOW64\Peljol32.exe

C:\Windows\system32\Peljol32.exe

C:\Windows\SysWOW64\Pndohaqe.exe

C:\Windows\system32\Pndohaqe.exe

C:\Windows\SysWOW64\Pkhoae32.exe

C:\Windows\system32\Pkhoae32.exe

C:\Windows\SysWOW64\Pcccfh32.exe

C:\Windows\system32\Pcccfh32.exe

C:\Windows\SysWOW64\Pgopffec.exe

C:\Windows\system32\Pgopffec.exe

C:\Windows\SysWOW64\Qgallfcq.exe

C:\Windows\system32\Qgallfcq.exe

C:\Windows\SysWOW64\Qjpiha32.exe

C:\Windows\system32\Qjpiha32.exe

C:\Windows\SysWOW64\Qeemej32.exe

C:\Windows\system32\Qeemej32.exe

C:\Windows\SysWOW64\Qgciaf32.exe

C:\Windows\system32\Qgciaf32.exe

C:\Windows\SysWOW64\Qalnjkgo.exe

C:\Windows\system32\Qalnjkgo.exe

C:\Windows\SysWOW64\Alabgd32.exe

C:\Windows\system32\Alabgd32.exe

C:\Windows\SysWOW64\Anpncp32.exe

C:\Windows\system32\Anpncp32.exe

C:\Windows\SysWOW64\Acmflf32.exe

C:\Windows\system32\Acmflf32.exe

C:\Windows\SysWOW64\Anbkio32.exe

C:\Windows\system32\Anbkio32.exe

C:\Windows\SysWOW64\Ahkobekf.exe

C:\Windows\system32\Ahkobekf.exe

C:\Windows\SysWOW64\Andgoobc.exe

C:\Windows\system32\Andgoobc.exe

C:\Windows\SysWOW64\Aacckjaf.exe

C:\Windows\system32\Aacckjaf.exe

C:\Windows\SysWOW64\Alhhhcal.exe

C:\Windows\system32\Alhhhcal.exe

C:\Windows\SysWOW64\Angddopp.exe

C:\Windows\system32\Angddopp.exe

C:\Windows\SysWOW64\Adcmmeog.exe

C:\Windows\system32\Adcmmeog.exe

C:\Windows\SysWOW64\Ajneip32.exe

C:\Windows\system32\Ajneip32.exe

C:\Windows\SysWOW64\Becifhfj.exe

C:\Windows\system32\Becifhfj.exe

C:\Windows\SysWOW64\Blmacb32.exe

C:\Windows\system32\Blmacb32.exe

C:\Windows\SysWOW64\Bbgipldd.exe

C:\Windows\system32\Bbgipldd.exe

C:\Windows\SysWOW64\Beeflhdh.exe

C:\Windows\system32\Beeflhdh.exe

C:\Windows\SysWOW64\Bnnjen32.exe

C:\Windows\system32\Bnnjen32.exe

C:\Windows\SysWOW64\Balfaiil.exe

C:\Windows\system32\Balfaiil.exe

C:\Windows\SysWOW64\Bjdkjo32.exe

C:\Windows\system32\Bjdkjo32.exe

C:\Windows\SysWOW64\Bblckl32.exe

C:\Windows\system32\Bblckl32.exe

C:\Windows\SysWOW64\Bdmpcdfm.exe

C:\Windows\system32\Bdmpcdfm.exe

C:\Windows\SysWOW64\Bjghpn32.exe

C:\Windows\system32\Bjghpn32.exe

C:\Windows\SysWOW64\Bdolhc32.exe

C:\Windows\system32\Bdolhc32.exe

C:\Windows\SysWOW64\Bkidenlg.exe

C:\Windows\system32\Bkidenlg.exe

C:\Windows\SysWOW64\Cdainc32.exe

C:\Windows\system32\Cdainc32.exe

C:\Windows\SysWOW64\Cogmkl32.exe

C:\Windows\system32\Cogmkl32.exe

C:\Windows\SysWOW64\Cddecc32.exe

C:\Windows\system32\Cddecc32.exe

C:\Windows\SysWOW64\Cknnpm32.exe

C:\Windows\system32\Cknnpm32.exe

C:\Windows\SysWOW64\Cahfmgoo.exe

C:\Windows\system32\Cahfmgoo.exe

C:\Windows\SysWOW64\Cdfbibnb.exe

C:\Windows\system32\Cdfbibnb.exe

C:\Windows\SysWOW64\Ckpjfm32.exe

C:\Windows\system32\Ckpjfm32.exe

C:\Windows\SysWOW64\Cefoce32.exe

C:\Windows\system32\Cefoce32.exe

C:\Windows\SysWOW64\Chdkoa32.exe

C:\Windows\system32\Chdkoa32.exe

C:\Windows\SysWOW64\Ckcgkldl.exe

C:\Windows\system32\Ckcgkldl.exe

C:\Windows\SysWOW64\Cbjoljdo.exe

C:\Windows\system32\Cbjoljdo.exe

C:\Windows\SysWOW64\Cehkhecb.exe

C:\Windows\system32\Cehkhecb.exe

C:\Windows\SysWOW64\Clbceo32.exe

C:\Windows\system32\Clbceo32.exe

C:\Windows\SysWOW64\Dbllbibl.exe

C:\Windows\system32\Dbllbibl.exe

C:\Windows\SysWOW64\Daolnf32.exe

C:\Windows\system32\Daolnf32.exe

C:\Windows\SysWOW64\Ddmhja32.exe

C:\Windows\system32\Ddmhja32.exe

C:\Windows\SysWOW64\Dkgqfl32.exe

C:\Windows\system32\Dkgqfl32.exe

C:\Windows\SysWOW64\Daaicfgd.exe

C:\Windows\system32\Daaicfgd.exe

C:\Windows\SysWOW64\Dlgmpogj.exe

C:\Windows\system32\Dlgmpogj.exe

C:\Windows\SysWOW64\Doeiljfn.exe

C:\Windows\system32\Doeiljfn.exe

C:\Windows\SysWOW64\Dadeieea.exe

C:\Windows\system32\Dadeieea.exe

C:\Windows\SysWOW64\Ddbbeade.exe

C:\Windows\system32\Ddbbeade.exe

C:\Windows\SysWOW64\Dkljak32.exe

C:\Windows\system32\Dkljak32.exe

C:\Windows\SysWOW64\Dafbne32.exe

C:\Windows\system32\Dafbne32.exe

C:\Windows\SysWOW64\Dddojq32.exe

C:\Windows\system32\Dddojq32.exe

C:\Windows\SysWOW64\Dojcgi32.exe

C:\Windows\system32\Dojcgi32.exe

C:\Windows\SysWOW64\Dahode32.exe

C:\Windows\system32\Dahode32.exe

C:\Windows\SysWOW64\Dhbgqohi.exe

C:\Windows\system32\Dhbgqohi.exe

C:\Windows\SysWOW64\Ekacmjgl.exe

C:\Windows\system32\Ekacmjgl.exe

C:\Windows\SysWOW64\Edihepnm.exe

C:\Windows\system32\Edihepnm.exe

C:\Windows\SysWOW64\Elppfmoo.exe

C:\Windows\system32\Elppfmoo.exe

C:\Windows\SysWOW64\Ecjhcg32.exe

C:\Windows\system32\Ecjhcg32.exe

C:\Windows\SysWOW64\Edkdkplj.exe

C:\Windows\system32\Edkdkplj.exe

C:\Windows\SysWOW64\Elbmlmml.exe

C:\Windows\system32\Elbmlmml.exe

C:\Windows\SysWOW64\Eoaihhlp.exe

C:\Windows\system32\Eoaihhlp.exe

C:\Windows\SysWOW64\Eekaebcm.exe

C:\Windows\system32\Eekaebcm.exe

C:\Windows\SysWOW64\Ehimanbq.exe

C:\Windows\system32\Ehimanbq.exe

C:\Windows\SysWOW64\Ecoangbg.exe

C:\Windows\system32\Ecoangbg.exe

C:\Windows\SysWOW64\Eemnjbaj.exe

C:\Windows\system32\Eemnjbaj.exe

C:\Windows\SysWOW64\Elgfgl32.exe

C:\Windows\system32\Elgfgl32.exe

C:\Windows\SysWOW64\Eofbch32.exe

C:\Windows\system32\Eofbch32.exe

C:\Windows\SysWOW64\Eepjpb32.exe

C:\Windows\system32\Eepjpb32.exe

C:\Windows\SysWOW64\Ehnglm32.exe

C:\Windows\system32\Ehnglm32.exe

C:\Windows\SysWOW64\Fljcmlfd.exe

C:\Windows\system32\Fljcmlfd.exe

C:\Windows\SysWOW64\Fcckif32.exe

C:\Windows\system32\Fcckif32.exe

C:\Windows\SysWOW64\Fdegandp.exe

C:\Windows\system32\Fdegandp.exe

C:\Windows\SysWOW64\Fkopnh32.exe

C:\Windows\system32\Fkopnh32.exe

C:\Windows\SysWOW64\Fcfhof32.exe

C:\Windows\system32\Fcfhof32.exe

C:\Windows\SysWOW64\Fdgdgnbm.exe

C:\Windows\system32\Fdgdgnbm.exe

C:\Windows\SysWOW64\Fomhdg32.exe

C:\Windows\system32\Fomhdg32.exe

C:\Windows\SysWOW64\Fakdpb32.exe

C:\Windows\system32\Fakdpb32.exe

C:\Windows\SysWOW64\Fdialn32.exe

C:\Windows\system32\Fdialn32.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Fbnafb32.exe

C:\Windows\system32\Fbnafb32.exe

C:\Windows\SysWOW64\Fdlnbm32.exe

C:\Windows\system32\Fdlnbm32.exe

C:\Windows\SysWOW64\Flceckoj.exe

C:\Windows\system32\Flceckoj.exe

C:\Windows\SysWOW64\Foabofnn.exe

C:\Windows\system32\Foabofnn.exe

C:\Windows\SysWOW64\Fhjfhl32.exe

C:\Windows\system32\Fhjfhl32.exe

C:\Windows\SysWOW64\Gkhbdg32.exe

C:\Windows\system32\Gkhbdg32.exe

C:\Windows\SysWOW64\Gbbkaako.exe

C:\Windows\system32\Gbbkaako.exe

C:\Windows\SysWOW64\Gdqgmmjb.exe

C:\Windows\system32\Gdqgmmjb.exe

C:\Windows\SysWOW64\Gkkojgao.exe

C:\Windows\system32\Gkkojgao.exe

C:\Windows\SysWOW64\Gbdgfa32.exe

C:\Windows\system32\Gbdgfa32.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gmjlcj32.exe

C:\Windows\system32\Gmjlcj32.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Gdeqhl32.exe

C:\Windows\system32\Gdeqhl32.exe

C:\Windows\SysWOW64\Ghaliknf.exe

C:\Windows\system32\Ghaliknf.exe

C:\Windows\SysWOW64\Gcfqfc32.exe

C:\Windows\system32\Gcfqfc32.exe

C:\Windows\SysWOW64\Gdhmnlcj.exe

C:\Windows\system32\Gdhmnlcj.exe

C:\Windows\SysWOW64\Gmoeoidl.exe

C:\Windows\system32\Gmoeoidl.exe

C:\Windows\SysWOW64\Gcimkc32.exe

C:\Windows\system32\Gcimkc32.exe

C:\Windows\SysWOW64\Gdjjckag.exe

C:\Windows\system32\Gdjjckag.exe

C:\Windows\SysWOW64\Hkdbpe32.exe

C:\Windows\system32\Hkdbpe32.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hobkfd32.exe

C:\Windows\system32\Hobkfd32.exe

C:\Windows\SysWOW64\Hflcbngh.exe

C:\Windows\system32\Hflcbngh.exe

C:\Windows\SysWOW64\Hijooifk.exe

C:\Windows\system32\Hijooifk.exe

C:\Windows\SysWOW64\Hkikkeeo.exe

C:\Windows\system32\Hkikkeeo.exe

C:\Windows\SysWOW64\Hfnphn32.exe

C:\Windows\system32\Hfnphn32.exe

C:\Windows\SysWOW64\Himldi32.exe

C:\Windows\system32\Himldi32.exe

C:\Windows\SysWOW64\Hofdacke.exe

C:\Windows\system32\Hofdacke.exe

C:\Windows\SysWOW64\Hfqlnm32.exe

C:\Windows\system32\Hfqlnm32.exe

C:\Windows\SysWOW64\Hmjdjgjo.exe

C:\Windows\system32\Hmjdjgjo.exe

C:\Windows\SysWOW64\Hcdmga32.exe

C:\Windows\system32\Hcdmga32.exe

C:\Windows\SysWOW64\Hfcicmqp.exe

C:\Windows\system32\Hfcicmqp.exe

C:\Windows\SysWOW64\Iiaephpc.exe

C:\Windows\system32\Iiaephpc.exe

C:\Windows\SysWOW64\Ipknlb32.exe

C:\Windows\system32\Ipknlb32.exe

C:\Windows\SysWOW64\Ibjjhn32.exe

C:\Windows\system32\Ibjjhn32.exe

C:\Windows\SysWOW64\Imoneg32.exe

C:\Windows\system32\Imoneg32.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Ifgbnlmj.exe

C:\Windows\system32\Ifgbnlmj.exe

C:\Windows\SysWOW64\Imakkfdg.exe

C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ifjodl32.exe

C:\Windows\system32\Ifjodl32.exe

C:\Windows\SysWOW64\Iihkpg32.exe

C:\Windows\system32\Iihkpg32.exe

C:\Windows\SysWOW64\Ilghlc32.exe

C:\Windows\system32\Ilghlc32.exe

C:\Windows\SysWOW64\Icnpmp32.exe

C:\Windows\system32\Icnpmp32.exe

C:\Windows\SysWOW64\Ieolehop.exe

C:\Windows\system32\Ieolehop.exe

C:\Windows\SysWOW64\Imfdff32.exe

C:\Windows\system32\Imfdff32.exe

C:\Windows\SysWOW64\Icplcpgo.exe

C:\Windows\system32\Icplcpgo.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jbeidl32.exe

C:\Windows\system32\Jbeidl32.exe

C:\Windows\SysWOW64\Jioaqfcc.exe

C:\Windows\system32\Jioaqfcc.exe

C:\Windows\SysWOW64\Jcefno32.exe

C:\Windows\system32\Jcefno32.exe

C:\Windows\SysWOW64\Jbhfjljd.exe

C:\Windows\system32\Jbhfjljd.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jcgbco32.exe

C:\Windows\system32\Jcgbco32.exe

C:\Windows\SysWOW64\Jehokgge.exe

C:\Windows\system32\Jehokgge.exe

C:\Windows\SysWOW64\Jmpgldhg.exe

C:\Windows\system32\Jmpgldhg.exe

C:\Windows\SysWOW64\Jcioiood.exe

C:\Windows\system32\Jcioiood.exe

C:\Windows\SysWOW64\Jeklag32.exe

C:\Windows\system32\Jeklag32.exe

C:\Windows\SysWOW64\Jmbdbd32.exe

C:\Windows\system32\Jmbdbd32.exe

C:\Windows\SysWOW64\Jcllonma.exe

C:\Windows\system32\Jcllonma.exe

C:\Windows\SysWOW64\Kfjhkjle.exe

C:\Windows\system32\Kfjhkjle.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Kdnidn32.exe

C:\Windows\system32\Kdnidn32.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kikame32.exe

C:\Windows\system32\Kikame32.exe

C:\Windows\SysWOW64\Kpeiioac.exe

C:\Windows\system32\Kpeiioac.exe

C:\Windows\SysWOW64\Kbceejpf.exe

C:\Windows\system32\Kbceejpf.exe

C:\Windows\SysWOW64\Kimnbd32.exe

C:\Windows\system32\Kimnbd32.exe

C:\Windows\SysWOW64\Klljnp32.exe

C:\Windows\system32\Klljnp32.exe

C:\Windows\SysWOW64\Kdcbom32.exe

C:\Windows\system32\Kdcbom32.exe

C:\Windows\SysWOW64\Kedoge32.exe

C:\Windows\system32\Kedoge32.exe

C:\Windows\SysWOW64\Klngdpdd.exe

C:\Windows\system32\Klngdpdd.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Kefkme32.exe

C:\Windows\system32\Kefkme32.exe

C:\Windows\SysWOW64\Kmncnb32.exe

C:\Windows\system32\Kmncnb32.exe

C:\Windows\SysWOW64\Kdgljmcd.exe

C:\Windows\system32\Kdgljmcd.exe

C:\Windows\SysWOW64\Leihbeib.exe

C:\Windows\system32\Leihbeib.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Lpnlpnih.exe

C:\Windows\system32\Lpnlpnih.exe

C:\Windows\SysWOW64\Lfhdlh32.exe

C:\Windows\system32\Lfhdlh32.exe

C:\Windows\SysWOW64\Lmbmibhb.exe

C:\Windows\system32\Lmbmibhb.exe

C:\Windows\SysWOW64\Lpqiemge.exe

C:\Windows\system32\Lpqiemge.exe

C:\Windows\SysWOW64\Lboeaifi.exe

C:\Windows\system32\Lboeaifi.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lpebpm32.exe

C:\Windows\system32\Lpebpm32.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Mgagbf32.exe

C:\Windows\system32\Mgagbf32.exe

C:\Windows\SysWOW64\Mipcob32.exe

C:\Windows\system32\Mipcob32.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mchhggno.exe

C:\Windows\system32\Mchhggno.exe

C:\Windows\SysWOW64\Mibpda32.exe

C:\Windows\system32\Mibpda32.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Ndokbi32.exe

C:\Windows\system32\Ndokbi32.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Ndaggimg.exe

C:\Windows\system32\Ndaggimg.exe

C:\Windows\SysWOW64\Ngpccdlj.exe

C:\Windows\system32\Ngpccdlj.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Nphhmj32.exe

C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Nloiakho.exe

C:\Windows\system32\Nloiakho.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Nnqbanmo.exe

C:\Windows\system32\Nnqbanmo.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Odmgcgbi.exe

C:\Windows\system32\Odmgcgbi.exe

C:\Windows\SysWOW64\Ofnckp32.exe

C:\Windows\system32\Ofnckp32.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Odocigqg.exe

C:\Windows\system32\Odocigqg.exe

C:\Windows\SysWOW64\Ofqpqo32.exe

C:\Windows\system32\Ofqpqo32.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe

C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Oddmdf32.exe

C:\Windows\system32\Oddmdf32.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pfjcgn32.exe

C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pnfdcjkg.exe

C:\Windows\system32\Pnfdcjkg.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pfaigm32.exe

C:\Windows\system32\Pfaigm32.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qmmnjfnl.exe

C:\Windows\system32\Qmmnjfnl.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Aqppkd32.exe

C:\Windows\system32\Aqppkd32.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aeniabfd.exe

C:\Windows\system32\Aeniabfd.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bmbplc32.exe

C:\Windows\system32\Bmbplc32.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Chmndlge.exe

C:\Windows\system32\Chmndlge.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8708 -ip 8708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8708 -s 396

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.64.52.20.in-addr.arpa udp

Files

memory/3788-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3788-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Kcifkp32.exe

MD5 24371aeda5e309afd28f0a089d0722de
SHA1 d80aeb4596f156b02114b9ea16e3548369b5fa43
SHA256 e7a6e40fb9c82d03e24f2f49aa4da3494c7f1ac89479567ca4e48cfeda524c02
SHA512 1f51b6016d2571157398ea6f81cc04574b62eaa512205abf294c64abae06283818f2ec3dc9ac0717cdadaf241adbdaabd8278ff03a4854a2e909fa053a4efbef

memory/4252-14-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Kkpnlm32.exe

MD5 2abbfa58ac60f0e15bb1bd4b2fc29c06
SHA1 74c2255cecf104cddcd9f2e9cb68041f0040cd9c
SHA256 2392affe46dcbeea7548e448f44938933c3092637c0da5130ab64c953eb57dbf
SHA512 1c173e135e3b37acf610261cb08659e2876c2fdc6a7b913840e04658204202e1f8f970d310538124dfdc35ed8cee875b32d7294f01486f70165be4566cc365b0

memory/2280-21-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Kpmfddnf.exe

MD5 cdee55dc1fc648e9c3940b6eef1c4ae7
SHA1 8952f6c448a2ff8b8c87663665cfa7a64b270be8
SHA256 5a6dc607b434bcff1ae8adc34507a8b66bbc360433e34068cb7bbd79167eb5ae
SHA512 5e991b48138e9305b551762d97b909d2d7773e1d876ffae947d79a17facc1727c362166ef0d35dbbf17c734922825d0974f5cd63067abca688c8394018b65b7a

memory/2920-28-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Kckbqpnj.exe

MD5 8966ee44c2f448fb5b465a524cc67694
SHA1 f69c42310bcd15e8a58814beb6d99f8b93a9ed99
SHA256 f3527933185b72f11ede1c90c4e717016e9d02e49a3dee9cde091a184ae12fac
SHA512 735ed5fc8ab92cf93262a49e06c51b797b05cc1c566e664663ca811e0cf37909b43828815898915169d317bda237d26a30972c0b4b6c5484bf52440e88103f96

memory/2980-37-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Kkbkamnl.exe

MD5 d6a1a22b95049ed33a29d8d6c79d9845
SHA1 10a932a494cf3ae66eba97c0f0632783aa915213
SHA256 5c3ca35f7d04d655972f85269dde5e31cd61afcec025c0759c203094a8c1deba
SHA512 f3c7f42ff503848fe4b66437f5dc8a8d921b364df15de37c170a9b766a18b23351125bcba5441eca9e0ad300c69deee1ea3d1f716a42de80c399a2e325cd2264

memory/3144-40-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Lalcng32.exe

MD5 e37a00b0e41147de63e6f98069aa0ab5
SHA1 5ce373f17597033ce3f31887cd4084f89c89d11b
SHA256 47664b5e60b54fc330312a97abab39785b9c164befffd1734b3d3696b412b1d5
SHA512 bfc91d46b82d91664312317668a4a0fba66348f04f2db21ce8248e5e9f4607d75cd1fac0eba3ee0b0b10dc51f7371ef230be86dab3f036229cecc0e3354fcdc4

memory/756-49-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Lpocjdld.exe

MD5 257281c4921f23ea87fcaefa2c54bb0e
SHA1 a3c35f76a10da0f87af4c013744045fda18f3e03
SHA256 7176641843a1ff908ac2333459b6f820dfc76905f52b579d959bd639a01d7c1e
SHA512 1040450583d1f11ab1ca9b4b8e634b3bb901f9f51e385e9961a14ab42fc4faa3815002239b58a2624e2d6f14ca3474f7bfc332d24819d5a86560040f2c969aa7

memory/2248-57-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Lmccchkn.exe

MD5 47066d5caed01f93b2d114e9da481e93
SHA1 7b6500dc59e9c938f8b8c91f876ac749f928e233
SHA256 e173a37715b203136d18c4940ddd107746b870af7f2ffbaba92dff5c8a6f3c81
SHA512 b4a4b7ec61d3e85ff563dcfc1b9cae30668cb0bff4b44f411aa8fb8b340b37d3114f398cba4c14a473f5a935183c308cbdc57ceabef2d52032a2bfb53ca1bad0

memory/4952-65-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ldmlpbbj.exe

MD5 44a8b9d5d71ee6d3d92f6c357283e833
SHA1 8fcb66739bdcb4d13a77afcae2ba77f1a76439b4
SHA256 10e0b9e080c95f1f9ff7a72274eea2259ae250bb26345667ea8fd45a5d1aa8ec
SHA512 96a85483b6c49ca60f4e0400853466d98a834a91d6cb4266f0084bbc7ae7c0fd1fc8aefd5499b09d83c4e6358abeceae21e70064ecd85f030266bb245fc3b656

memory/4664-73-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Lkgdml32.exe

MD5 05e664cbd5cfb76d9d99904a4df827f6
SHA1 bb1549386534edab006028c9dbe0cbedf376c08c
SHA256 9cede5d2003dcae64981fe3e8088efc98c87c74368882f476b17b118776c15e9
SHA512 807cdf9e2f6115892ae69a43a0a70f362d75b2b84ff75d86911a681fb4185997c636e5b5e9664073dba1bfe3c173c70e139ec8c69d94a2d9b16f77b5d046a828

memory/1220-80-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Laalifad.exe

MD5 68417c5ccf864b8c1103cc7f9ef18799
SHA1 fadf71790995dd2d1ba1512fd5dc4bed962ffcae
SHA256 19952337811307cb09eecc956f282274e89cafd9b0a2eb1c6c1dd3620ead7fdf
SHA512 03a8f9b92d650449d5a2068a6e2cb83fb51cd78341b12ef8ae0d75e1786765459f44498eb0fec639a7c98141fe79b8c2a463f57efbcc35bd3f54c2b53b56ec78

memory/496-89-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Lcbiao32.exe

MD5 d32b50e03b6b98592cb5872c903ee514
SHA1 c2228723a1481293ac260816de7b49b42a2fe4c5
SHA256 04b2adb67d2a149da7d4e0abdfc1a1d8e3abcf81779ae7fc84915d21fead98ba
SHA512 b2b6b90d47e3534b54881153ca16b335dbf48439d50454db4d15460916ed3a4bafafab3a53cf595027ecfeed968e4a521e758aed24914dc2fa761af161eee119

memory/4440-97-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Lilanioo.exe

MD5 2b4b5eec642d4811ebb9ef1204266589
SHA1 2063bfb97cf95d6f15cae0698e1ab1554ff4f248
SHA256 9592e9c0d5f2389e92ae0ef81208e8fda3614ef68c00ecdef55e679ccfb47dcc
SHA512 d4ab362ee9b0b2f7855d141baf0924c20574ad8cbf14be64ae614099e805bf8ce6da6006df303c9eaa5db2b7eb6f6db27e22fd1174aa106438eb8108d43c98be

memory/5016-105-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ldaeka32.exe

MD5 01b5df07d1347bc09586466dc42be8b8
SHA1 e545d56e682465fbad3293172a387fbb82beb5aa
SHA256 72c515cc979c1e60f455848eac3b31a77c969aa7da2bd3220534ab1ab5ed0e84
SHA512 c300b3a9f2208823375bc462a2d4b16a43a02dd8c19e2df22a7617f5b271f37e1b0349b76bedfeb60fe760ab5b3bb283189268b5a59a6b44cb82be4b40ec704e

memory/2984-113-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Lklnhlfb.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Lklnhlfb.exe

MD5 691bf6ce895199b83b7698fddf7378aa
SHA1 0d989c2673c402c7a05055f32ac9df3b6365dfa5
SHA256 aeaacf9e7f1fa6da9c658512aa6e65cf42c2f5c38e931b11be08d7efa4a9db21
SHA512 193be12a20e3907a8622e8aa6fd70cfc0e10cf611d9fa95cfe6952aa7f607afbde10b127fdbd469b60cf2110db694f9359f2b12a7adf83e227ddf10877abbde2

memory/5024-121-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Laefdf32.exe

MD5 e68ae5b15e784a47e09ccca9ff481ace
SHA1 b87e3638100570d619d7e8cb1dc665bf38821ddb
SHA256 86f62aa6fcfb25c6bd8214afebee9f84eed5b2b3aa628aafe0ec6e3a3a706ebf
SHA512 b0273e4cad1e338796dcfed38cf264de04ae5f0d0f968f207ae06e5cf869e78c9e7ca536fe46df318867926c5314195395d8b9af48748cd99ab2f1c4871361fc

memory/4576-129-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Lcgblncm.exe

MD5 5e513c64b665a7fe40a38ec9ff2e8b8c
SHA1 a1d451d86661f78a6e77cfa09748a9344d72fbab
SHA256 ccaac8138e2eab1dcc3692be8fc849cabf7bc4f4b39a594d9cb4c3f373cedf34
SHA512 7eac68c4722557f439aab1b58d800cb94b822f5cd56022740e750b5a73fe94846d2fd2cfe6da74ad8a000cbbd086a6c5095ad314892396f787210d63c0f9bde8

memory/4772-137-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mjqjih32.exe

MD5 d0d6e38deed3eb9e1c56f82e5480d8a2
SHA1 93122f9d3e8c1dcc9e1adfbb2122e23ffe03ffe7
SHA256 fdd3d1ba551d17c085f57e1c1bc1abd3c82eace9c4c679117c07d94eb40bd89e
SHA512 2179fb309fda47532ab617ec51d2c0875dc43a3a27edb0f837ab28e57b7bf45f2c655d53a29699d01a0a83c3c095d136a31cab8df99c6cc299955ed04c7d6e8e

memory/376-145-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mpkbebbf.exe

MD5 4322b80b71945b0149961cb83b456f45
SHA1 e4abe99b0347ca35905350fd5add19eefab225c9
SHA256 e0ee5bb3ffefdbe7231b3110afd75285899f546cdf08d2b64463f7d027fe5b02
SHA512 b17b984b73ca79e6d7592c9d2f46776102daad85d8dd33505678e1e3d11dd855e5ecb004a66452df44e0bee830045f6310f6fa98b6d3760af133ae603cb3f357

memory/2032-152-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mkpgck32.exe

MD5 6932709089231ae9fd41ca4c2602e32a
SHA1 8fee31dab033ad073e6ad6f9360cbd2555ae1230
SHA256 ce2c4bf668d31e52d5319255e7245e865820f3d907e7fbf972b22bc52230d60f
SHA512 cb4d63f61d6b6ab4d34d9d63a8389c10f26500c8ad65604b55d30d98d20d13c1cfd0ef88aded06848227fadcf9cd6e9e81468484e17fe83dcd6604bd32cb1ee8

memory/1768-160-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mdiklqhm.exe

MD5 53660c558b106f508145b3ec7c786b67
SHA1 c9a785a2ce42a77b9c56b2aa7a2b2ee98470bc61
SHA256 6c1db608fe8b9052bb455c25f287da974c1013ced189861edac7d7794f68771b
SHA512 5f68bce2d07cd3527e86aedfaa5839f095063bd74cd6e5ebe7a46c6f864ca95d47ab986d84ff95c316a2b78392d986d4f8612cb5d2d891eb911457d2a11f87f9

memory/4076-168-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mnapdf32.exe

MD5 90bf54522a8e09ad31933096ab24c943
SHA1 ec259bf6a7ae3d2adc521e6d220bd38541f03b76
SHA256 5edf363e8c6b4a99e0e710a9e12744efd75246c75a4a216f6d9ad4061ac10203
SHA512 fb2151bf8c99a2e6574013d5cd7540cdd1e0e3a591d215f4f3672025379eeda3bd463d71b153e4b9f4869ed4f704b3621bd05c4f2e2a0772ac18fe874cd28ba2

memory/1832-177-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mcnhmm32.exe

MD5 8170b32d62f3867abf8731838ccd857f
SHA1 cdc09e31d9565144c91d559996a41219727adbe5
SHA256 abc754ff6c66a14b05803de392a183a9c73c029caa44a990a063fb2a7bc76e0d
SHA512 bdabca13515415447d4724d66c8c3931913156f8fd4215632b1e52a20ad015a6abc9f4241709df700a7db971e0830df3a9e4a7efaeb69fc30187852f03f02792

memory/1580-184-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mncmjfmk.exe

MD5 77aef7b4c8c8a37903e308089a272516
SHA1 6a1d8c5fe3428be0e7f2d0e0a507d8c3f2e02a42
SHA256 c7490eac571cb39e9e18b88a211731f4c5d4616f86102fc9552d20edfebd50a9
SHA512 fb2d035954116c332fd9aa52737b0b688b7ed05a5717210f618c3ca891fbbf1131d481aed1853953304665f0fb5ef5eaf64b9fe5caf3d001c961e019a97bda9b

memory/3556-192-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mdmegp32.exe

MD5 1db9737e5951edb1629bf71d49852369
SHA1 26571effb8d0235d44f5e0873343200882b24c00
SHA256 21e7489887d6479853ae3ebe1420c1a08b95aa616987b717ed36140505830927
SHA512 16a54b200034acf9df684026f9559220322dbee9ebcdcc21b176404974053a296ad69152f6b09f45288bffe27d295ad1ecd4998292265e14a50902a0c2a07030

memory/3356-200-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mkgmcjld.exe

MD5 1e163720f26ad2fcedb215976b973b34
SHA1 f9e743c4892c24067cd66f8d02939b89b7b6a407
SHA256 93b11f5fe4af42000b64d86b560615bc0e41dd87a0861c20cc696459c135a9a6
SHA512 3d25d10a606c71f2b7aa54fc0c5e509295aa346f2ea939ed77f77e2a0745ffa7396d46013814ebd0de030876f33ef96279ed0e92429d586f9e847f704bcdcad5

memory/2580-208-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Maaepd32.exe

MD5 f2959581c1afa27d9d87a1beef7e247a
SHA1 b719ed138b7080090038c042547d89ce2cfaba06
SHA256 64d2b40ffd4983e56ece9f4f6ebba2e2c63ac7232bf96440fcc7694c091faa77
SHA512 3c9d3ca9634ccaafd552705e9de60236bd70ff5cecf47c5227c6a11f1ee6d678b47d91634cd2e32169dc91c96cc6f7c9c90162ac09ab3504917806ae44141c71

memory/2544-221-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mdpalp32.exe

MD5 d8124c2d16383fa3386bf5882dd8553a
SHA1 82256c41b8a23f8c585d680ffe64d9d3631edbaf
SHA256 9ca7ff83060fc759f232e0e69fecdd6f59531000bc8b2c6fba72f1e69e5bec2d
SHA512 120f422b42c3d477605d438f4fd70732ac6715097d79d591cb8eb8253c2bd15047afccd239a82d7cf77ed85df45b5231621ae672d2330c99f3f88b43c298da89

memory/4840-224-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nkjjij32.exe

MD5 19c52c6d2d1bcff95ad7c37e2d67eed6
SHA1 9caa797506b45a6738a528a980bd8c51d4d05043
SHA256 a09b8e0877a3a7b044504d4d4064f0a8316313eb5c1df76a83dd0a6e84bf35a8
SHA512 56a484c4cd895c92c9bf4873490552d9d91d0108cdc1ca228976fb08511c011f08e04ff006c1e1a37abd11fa5a6aa47ef0caa759d1165a9b0fa5a7446431fc5a

memory/3308-233-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nnhfee32.exe

MD5 e84c556f7d46bbf559c44b6049379f97
SHA1 3f5893feb0b17bd0881e5dd87f8a25a175a5afbc
SHA256 9020aa488015a1ddef474edcf63e0705ad2ced8ce28cb426bb62eb9d94dc9270
SHA512 b2370fc80d5ed60f58ca244824dcbaa6d1300c9bf3b08b1b9b4aeb5689610873b888a3edf8dd0f63bdb17d75b74542dc5bd849b4fc914817fd84921c18e9e1e1

memory/3600-241-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ndbnboqb.exe

MD5 34c3007f811914654efb233b80583894
SHA1 03915c26a0d2c90e092903a08e00cbcb42a3b9fe
SHA256 e271da89a5ca7c03b8156834ba1622ab010ec8deff7332f05a4387e342551cf2
SHA512 a1bc9db4a8c6de66f60341e7dad5472a156c0c308a3cc7098c149f42f6b8d2c6c518b2b39160b69d68091367c7555a4a5e03ba871fd791e7eca1edb5adc9c32d

memory/3832-248-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nklfoi32.exe

MD5 260a9a6ec3e6a9aff54c5dee748bacc1
SHA1 f2bf360b32c6419e9d6010b4fe66837467cd795a
SHA256 7e00193d1f53de0ed9c957d5ab0003f1fee7d1a4ced409ae368e30bace82c020
SHA512 578ce479bb730ce48f661dc812dbe75e1f67dd865405af6f060a92ced56d82fe7ea46f6fd5f8eced82045be71b615858decaa1b16dcf0006e0b54f561ababd86

memory/1556-257-0x0000000000400000-0x0000000000439000-memory.dmp

memory/824-263-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4200-269-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ngedij32.exe

MD5 a97648bc86ffb3e1ec394381d37409ca
SHA1 42dcc447494001057b8b1e99074c0435301c22c6
SHA256 d21be23ff4aeb5222d3d0344279d7f985d34607d623bd2a2112698d6f89978f2
SHA512 7c489484ec11daea345f3c71ea335f4197692a04550bbf7e51f3b3accdbbfd0d07941a0e7aa1b847385196ceea99de0280172b08594707171dcc138aca645ba9

memory/3212-275-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2096-276-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2588-282-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Njfmke32.exe

MD5 db8b9d583dace7ae40529ccfd40bec53
SHA1 b8a611b847ee62aeda03cb8c8656a6b7eed4f68f
SHA256 8a45c734897af53caf506694f1972a2dc575c99f9228ab7cfca84d8e385c115c
SHA512 abddf43474168345f181038566faee66ea55981aa2924abaf66b582e6b5cab98991048e6d6a6603b7ab0233d112a76b11dd0fc615ca399f9f8f5713179551319

memory/1604-288-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3708-294-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ojhiqefo.exe

MD5 de684b495ffc210414e901b290bc0fec
SHA1 a373037341177ca0e3a42c3066afa0b7acd6a578
SHA256 2abfa419677bcc97171e84959f84d14bbf434969fc11afaea9f3e2d425755706
SHA512 a5de5ca0563b8240e6227af1a4c14bbf21ea5269663ee13c787b9a8c1f618e2429812ea23af996933514cf9af52bfc64968eefe68dba6cdb1d8ea54a42808402

memory/3300-300-0x0000000000400000-0x0000000000439000-memory.dmp

memory/624-306-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ojjffddl.exe

MD5 ff401032f8fff13eeae405a7fd663cde
SHA1 e421db3beb5265a37d6b60d0c8f22f86cb5e3bd7
SHA256 6246ff649b2f6ff96855cfb4deb8682e5e284837bd450e3cb632333b014a324c
SHA512 5fabc49ea792853603d41c4718a9ea32c2737d9827b0d0e7c0e870dfd18955c96d430f91944dd9e3b6ed7a3e4346abe7d36d0a225eeb2c7107dbc1d796ac46f7

memory/1688-312-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2900-318-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1616-328-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4956-330-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2668-336-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1792-342-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ojalgcnd.exe

MD5 98d8bbb83442844556c28064ed8c994c
SHA1 fabab28c800b9fe1eb88de26214b3fe3d827d172
SHA256 64e4584d3af2fa4bfda2a768c93d34240c2adc1f41d68729931d829a573f0ee8
SHA512 c60da888dbc34431f08ac07e111bc4550bfcff4688f4d0453e4cb9c52cebbbfb2681b1d50f61923a00347cfaefb29f25e31379c792ef0ca056b307419c608f49

memory/1492-348-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4992-354-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2100-360-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1992-366-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4160-372-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Peljol32.exe

MD5 eb58211c44290f0fe84b7fcff2b10101
SHA1 5b580664b10431177a48a5ce5653ce19f065d4c5
SHA256 243b210c7616d1b3963acc53c5b7243f600f42224bb53b36ecb16a20314b36af
SHA512 5c660192d5a03d6c4984f530eef15b2cbf9b56fe69e3ffbf4b86ff76bee1f0321d40e095dd9f683adc260165a78fb7e35baeb85fd6ef55f94f535293b7135ec5

memory/1756-378-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4660-384-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4052-390-0x0000000000400000-0x0000000000439000-memory.dmp

memory/60-400-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4752-402-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Qgallfcq.exe

MD5 e712691cf27943e3d66289c03bf37f2f
SHA1 6c8985a4ddd928975a36e1968eb9cd405f08afd6
SHA256 1be788f1b0a10625b0ed5006508bad28e78f402722c220487c2364d0e7170581
SHA512 3aa21d249a98277168b964a23851f27d9431c59dfbaf01c0f5ff563184663bcedb9c3d03fa4c27f0342a9336a20206afda0acf93f02d5e3470ae2f2c299e296d

memory/2040-408-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3292-414-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4828-420-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4396-426-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Qalnjkgo.exe

MD5 25f811eb2cd96e4d0fa59514513849b7
SHA1 df34339087dc676f11e1ad2a43654f2de800cedd
SHA256 639a0c651ef347fd6c4005ce3a545af19756dc6165b546229e197d2f873a716a
SHA512 0abcd444ad520cf934d6a973bb056b5730ac4cda340ee1646ed4984fe8cc9c291249734e8d625d8ae882a697cd4f28d90b88045ceaa96e7ff70388a850cc76b7

memory/3388-432-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4864-442-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2196-444-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Acmflf32.exe

MD5 bc5ea9df776564407ec08ea8d366111f
SHA1 5cac7ee27c75c1d7a7cbd6e82ed23a2d10e6d27d
SHA256 b6a7cf25df968284dd9051f0d184165506dfb346b8f1174ace57ad19d496326a
SHA512 634acaf19611f4595f33f9e2d32654bba8341d5ea7746fd3d0da05bf5a3ce03ed2a4b5f1ae636d7f02ffc9f543a6d2350545105c2cfe1892ebe41cd461be4137

memory/5108-450-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2428-456-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4264-462-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4732-472-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3052-474-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Alhhhcal.exe

MD5 c194822efcfade47810fc4b8185ad22b
SHA1 68d1140f255f1b9b3018b78006c583194dbadb73
SHA256 1c15f34e1bc7425580243c0df86a5535525d5cbb62535925855664fd961e3965
SHA512 246f9485696b43cd6222647c4102d105c253b3c705c853bdcd41917b13477f2ad6e794baf7612333097e3eb1fc31670159a13053a2da15219c1c4276f215b807

memory/1252-480-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2968-486-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Adcmmeog.exe

MD5 af64f5c56a6db28f85035963342f3600
SHA1 13ed343efcb3484f58e424601350b2650672e69f
SHA256 d9738b267ce2bb1edaad492ba2d394bf2097b913a9b6c3c573db4f1fa68b6bf7
SHA512 a433087bf5c8a676edbdeeaaa1f852b3ab435c684eed85d03e0f3dbdd5165d21912891c3c7abf0e2cfc0592e65756ec2b4f339e43b37e57a55591c3ad7123541

memory/4936-492-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2472-498-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Becifhfj.exe

MD5 8b722a2a5dc55e0462cb7feacd4e7d23
SHA1 5d876b966f1ff1fd12021a5d29b6d2c14a22e915
SHA256 5a9ef3c73ecd895baa78178361fe168ac110ca8bf67539a7e66eb2b4e0e02764
SHA512 4ba370825e45ed0c4ffee8a5379a7e20f3ff6d0d41adf6140bde31354c45726dc4c410ca219aae09e5eedeee94622f3ee0739539fcabb34425f33542587a3617

memory/4180-504-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3716-510-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4996-521-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4564-522-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bnnjen32.exe

MD5 6adc1183025573f590203b102e15ca38
SHA1 ed744079c083aa61e82131d228e967ee968a2905
SHA256 5969e624a1f769b0cc4d1f55f6d95fa07f03f52086f81a3190209c1ebfab3aa4
SHA512 a4724cd8acad2a93a7192fee9b152c4c8e2b6f520aa5f4f4326f60da846e048d5432d496f7e1eec45600083c93aac8f619b1a022b879a49613c749545d0c61c9

memory/224-530-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3788-534-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2644-535-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bjdkjo32.exe

MD5 ae556165e61877b34800382fff1f3340
SHA1 380d9850aa431adfd8fc3c87f76e222e121a2298
SHA256 15d39107d2d3618314e9db838dd6b380b428919bbd425182a0740920f7ae3aea
SHA512 050a36f4c49da5e5ffbac6bd2ac9324a4b2243f5dc513078b271017c00dade3ad1a3731eb111e696a7268b2e31b8cfe44ad1dbc3c79803177e9461a7aed88345

memory/1408-541-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2316-547-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2280-553-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1516-554-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3268-561-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2920-560-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4960-567-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bkidenlg.exe

MD5 4abbca1c445efdc7eb1336145ef4c830
SHA1 66b9b579cc7bf36e6468cc46fbc669c1dd83baf8
SHA256 1a128e9943dec8e599872352af7807eff68a2e854e5c586ca36cc600e5beecf9
SHA512 73972ddac8a9e8b4bf0fa28ae2c5e46b6447db256c14d4cf977c324c4fa2972103d6bf5ab332e1d349269453ac6c5aebfd8379c485a0eda823e16f8aa03ebb8a

memory/3144-573-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2344-574-0x0000000000400000-0x0000000000439000-memory.dmp

memory/904-581-0x0000000000400000-0x0000000000439000-memory.dmp

memory/756-580-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2248-587-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4800-588-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4952-594-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ckpjfm32.exe

MD5 2192c1bfe4807c50019461d01d11cbfc
SHA1 2ab4beb56cce9627f7f8222a5f3349a86b7ed2d3
SHA256 e9c6398a1b754ef263bffb10be975b7adec198f1e1c8a08702b570b27b106b3b
SHA512 83fef368d9a421dc962286e15a991c10a401e282c1abab2f7a26ab20f5cb2b95e5ad26c571f07bdfdfb221d03156fcebbfef251093b74a0c6220806de2f3002d

C:\Windows\SysWOW64\Clbceo32.exe

MD5 e923ebbce7b9304f8018c3497d8bef44
SHA1 a3b36ba32a844ea9d1e3f80f7bfa1cc2fbc8df33
SHA256 dde202aa9c823b757e9823eb12ec7321273c370cdc17b15a92b0675c6bd96434
SHA512 a96d8578b1aee25db5a9092cda60a87c1a5b08f449e839cd0ab94fca932680166d0218309f8f7319b551d905361fc9eb9a8b8d7405d0b8e41b8ed42e11b1264a

C:\Windows\SysWOW64\Doeiljfn.exe

MD5 1244fb27f003bcbea43eb2ebe74419e2
SHA1 0e6df01c5ac72d835d3a3e6c29f535f1ac1372dc
SHA256 da671642a0a59ad489064e40f3cedcde6cde4b9d42118eefe7b29e06092d5aa2
SHA512 cdb894a0c237a6cd2cdc4298546e8c41599676540237ba155cd9e33525f1dc68dcedc380c1c073dffafba6bb1bf2dce620ffba760c49656b7b62e891bde1b2a9

C:\Windows\SysWOW64\Dafbne32.exe

MD5 2061771fee7ceb2273c4848b67480926
SHA1 4ce16f0164220629f64b8df64602df8b732cdf3b
SHA256 08f8715413bcc7ff8a4741df7c15a53027093c2b0497c6fe86c83d971f019c05
SHA512 fc637c74187a690edaf02930efcbfa790a282d2decbb44e70a2fb1f514490c8167b74e891c9eae9fde1ed2df57305c9b4bf9209c61d8d4c1c4b0c4ad60f7b4bf

C:\Windows\SysWOW64\Edihepnm.exe

MD5 20a8ea4c35277cb27d05e8ebe2f728ae
SHA1 c25b3c8a2e9eaee0122303085920d510d69dd080
SHA256 4a411ca8c0021c5694357a678668c48acbdc13132ad392542b479a940e2e2ce8
SHA512 843e52490e2b5c50772acb644515806841d07b2b172cde05bf75640909e756c21e6a177a5d821d2edf54926c569e814107b47fe94f83dd766d67b66ed5ea0246

C:\Windows\SysWOW64\Ehimanbq.exe

MD5 29efbd800933b24d734a2429634a0a1f
SHA1 28953800f1c8db660865c664b44f10dd5442703a
SHA256 4a7f53c7d1c30b20ceaed62cae1fd610fa154c29c2fed9e6116bdb0f816db775
SHA512 0dcaed6f82aae7baac33a8c69318d96ff93f5fa4231d25f8d84085b5ed214ec558a1f992131c94569811d0d26588797c36e03922e080036ff76dc88532188394

C:\Windows\SysWOW64\Elgfgl32.exe

MD5 b48501f8762f839d8e869f77af1465ab
SHA1 a4f56eb56064ccbfb1a97f8f5f777bf69141afa3
SHA256 e6bd3e7323c5f9b46012e48a98788d50401b0d85237369c71b725277492ad0bc
SHA512 8277cde25ce999cdeb386e452619c8c76475cd25b2bc3144eb21a051072c5ce490a0809e23b4ee522665578d273c0cbe6e8cce9cd58c1302d8d83dd4d3998be0

C:\Windows\SysWOW64\Fcckif32.exe

MD5 d0bcec131058f73db005ce1b800cd1ba
SHA1 5c64e32be0f1891e55c74b6c155dd1cc371901e5
SHA256 7811248081242ce21fdb4d9775a55bc249d4cd171f24c13f93ddeb783acfd8f6
SHA512 7fadd511a604094fa63eb3d199d46a9e7aeef87f4cb5eb09d045ff56f39b509e0cbb2a461c93eb0cc97244f0574dcdb7bb3e0480f31c5f45e876838b974a42d7

C:\Windows\SysWOW64\Fomhdg32.exe

MD5 ca4a094342e907a78653dbf71e040e12
SHA1 982b32fd055ec48ead0c555032a30c785b6a4be3
SHA256 af2e1fc2ab5b5dd15a000a0781ab95e220a5ac858c20b30ebcb6334edc9eaf9d
SHA512 0f1a31f345295b916b9277bdba5997ead72a37f907befdce382147bcb1e9241e88654d4c872e924235930da43f69f18c34a68b1eedde821bec714b0bdfe5c761

C:\Windows\SysWOW64\Fooeif32.exe

MD5 d71ac59eb613e702f094e814034c1581
SHA1 2794136971d123982e03fff1b2238008b14a8441
SHA256 b7eba70ccfc16c0862b705005cdc7eb27c9bc99841eb52a5b898da1d125e0d38
SHA512 d7269b92161993b816561e99ea7efb16564e914a22e6e7b9c0eef241e513033eb8b1d3598b13d8fdc99aa2443612cc125122d52f31d09cf9f349e104823d76fd

C:\Windows\SysWOW64\Foabofnn.exe

MD5 6b36cedb254825ea60aabb345535408c
SHA1 043049a31bff9e062f4993d80ee10e44cd224963
SHA256 317b941dc613b4b46115dec6ece87391a46689ce244da407d9960f5797075d33
SHA512 b613559677b4941d0264843aaa5fdf2d80de624c6b40dd7724ef2959b1e5dfff55efd9eebd309cbad09a0da2d262e03b7f7c653d8fe00b96cf14949311280af8

C:\Windows\SysWOW64\Gbbkaako.exe

MD5 61321b376c75ab6f8e258c42c1f2165b
SHA1 0ed8b4f17f8d57beb1cf3fceeea1aef31bb46e48
SHA256 a3e5ffab096cd47210c42765888798cb41adb4b0e4fbb95ad3efb7744908ac5e
SHA512 eca23bb680605b51130440ce7d8fdc30d00ea850d52b32e3568b0a00a4e4496b1d934f52cf5dc6b0092acf67b33618c6393d98faab4e05e7056e56d682e09ddf

C:\Windows\SysWOW64\Gkkojgao.exe

MD5 0b061e1a852244c384e27b30719317c7
SHA1 9bf6c57f63f957c7ae517e231f041ddb5bcc3d8e
SHA256 7516c915bd290d35efc86f267491b84cb40f6bc992e060a18153ca38d86c3d9d
SHA512 7563eca8b64feb584434954438b29fae9432911d7c4c41d72b607fd7da845ef0c2538d92dde2c99fd05a22ad18bde1756327566fa9a95b77328e26795673e047

C:\Windows\SysWOW64\Gdhmnlcj.exe

MD5 86e7c9767452107b7019ac5c4812a4d0
SHA1 2481f8b14ecb96bbbcbddd134f92eb15dc2c3aaf
SHA256 59e018ecc6a1ec1485de4014302c900b4763206664a0a62b2387d77df1dd44fb
SHA512 91dab5cc964d7fa2a22a90d102d1a35172910aff284f63fe5e827ebcae1c78ffcae5f69307a3575c7fc4f36bca67cb49150b67edd588d49d80b99c2131418cc4

C:\Windows\SysWOW64\Gcimkc32.exe

MD5 b51512192d480cabf07acea8c3d11465
SHA1 1ae3577ac942d6af68bf428dbec25e7f5a373cc2
SHA256 3b0bd8e4ae279bb2826c20d837be8dba2c9b6e19ea89215cfb70e7c46968162c
SHA512 150b51ffa220be58c86caace4874bc13f037126f38d054bc7b4f0cf0f81e973669e15ce38fba8d5db3b98222c288e673c446666f3db74276a14e90c28027cb18

C:\Windows\SysWOW64\Hkdbpe32.exe

MD5 c42d6b3560a6f115b4b38eba37fa71c7
SHA1 c73ed8abe71b00c1a9a20ac1104e81af501dc1e7
SHA256 dece6208bbe506e9f00def226448e8cf5224f22632410d822f7c0373af1f90f4
SHA512 6d54da1fa08b9cc192f3f9f1b298938d24e0e8afc297529af4d9ba4a8587098103bffae8d3a6d972a5dab799b884f56e92e9a01f20ea0c882bbf9dd7438c2009

C:\Windows\SysWOW64\Hflcbngh.exe

MD5 c910c6bb4643270edb74d1a64ea2fe57
SHA1 16a74c87c5281c14c8433c98a800907365a659d1
SHA256 23b954383c8b750f2e9fde0b6788f756f26439e4fc678512ea19ba80382ba041
SHA512 04a7b5e2d14921784ecab85e40c40bd0c4d21cf9912a4e1f74a1a22e53c50f3a717826edf11b972309bdf62ef88d93ccda225db8200898250433661aca0b5da8

C:\Windows\SysWOW64\Hkikkeeo.exe

MD5 6bc0a7146f7f61b291cb4132b798850e
SHA1 f2715acea5b8e303a749cafed6ce02da23073ae0
SHA256 1f0ff1cc6a294bc78dcdc169364a57d304e320132611f6b883e458405b72e416
SHA512 bc2e71890776ccf4b8d4791d2341b8844e68b1c95262b0aa46db6ba372c025aeea67a34aabc530573496407a1620b02d71f530d6cd92c7616084be72722afa12

C:\Windows\SysWOW64\Himldi32.exe

MD5 d9e58498b3b1fb47199e0d2fb7d8912a
SHA1 3ffc9c851c127c8784adbecaabd21f68b168ef61
SHA256 ae214377ff69695413c41159b86795afb731cc73538f42320ac8fc01ea7aa837
SHA512 24da83a2ca0222fe55625994f32ff943cf1d0aa2dd5c7b7afe344fe6b23648c427b2275e88f5ba573778e342a19d7ab9b5562601e0061a0397d12e203b8d454c

C:\Windows\SysWOW64\Hmjdjgjo.exe

MD5 e3c5338a243ca8c67905fe8f374316ae
SHA1 e1091d2f4cf5292afddddd835f18be490a0bc08b
SHA256 616700991fdc980e672f9c4ba3f057f32c5c82e5fa356791c4ccdc4914dc4ef5
SHA512 8e27e26bd98f832bef9f1dfa0fe1d8d1bca579d17dbae54fdf6bf5bddeb16864399450ee76d35022fc36a907f3bc134a78fe21533f5de84ab223b1d9cfb63125

C:\Windows\SysWOW64\Ipknlb32.exe

MD5 264f8758fb979634cb12dd86b0c119f4
SHA1 107b59aa366978b53e5b94ad0073f3bf0b7e63cb
SHA256 7445c52507f0666fc46fbc479b4e2f2b4d91113f0a9992ad42e61bd48dd3957d
SHA512 67ae5d45b3cc1f0c23b354b0b85cb4710d2657bab26739f2394462c443dec01c86cd482e62b1c4b118009c8c4a02801701edd1912a82675c108f6f5edaf9bb90

C:\Windows\SysWOW64\Imoneg32.exe

MD5 9cd47a835ae16e513c233af23daca4f7
SHA1 55cbb8e3ceaa6b6784bddc8f806054d16486ce41
SHA256 bdc8be22cadd4cfe03708fbf1b4845c9d4557db9af99c2e559d32a86891ff399
SHA512 922c2ca305db5b3a019650f58f1145d4264e7ed4b197f97dbb38eec368fd62064f9ecd457839370359ce8bb095ce80974ba4a36511b2f0c2935d25810241bc93

C:\Windows\SysWOW64\Imakkfdg.exe

MD5 485ee0d91f1ab94af416395e34939899
SHA1 aa375c095a138a6372ca5a996208cd79b2bf32d0
SHA256 3e2b0c198284ba1c5fc0e68bc15ea7ece538d78c4c7f5d428c354dbc25755f43
SHA512 a451c9b2598bc924fc4677ed344cd43c24c2db77c57ac72e6f3cafabc00c392af86db0474d6153d1f00be77e4ca2a2b90317ee3720020e34f1a6ec0dc31996f0

C:\Windows\SysWOW64\Ifjodl32.exe

MD5 9a52a4513d3978c7d4f22daa5ba62ac5
SHA1 f7cb7f1acecda242dee3f131a4f91213ac79e91b
SHA256 63446bcafd31e8fd99f1bc3cc8076768bd599d7e3daa7ee5f892f75cab537173
SHA512 7f2482e391c9f9b8d2132e20cc1693ad48b45c6cf5d49de1337a638d2356e842158890f04cec5825884f49a4b25a36082c01bc38b085b26ee83e577ca284d712

C:\Windows\SysWOW64\Ieolehop.exe

MD5 e06807b5661929196d64d45b53206e6e
SHA1 620210e86d37cdeef12b9b87382c6ef219d55faa
SHA256 4650015859c251805c6235f5ddbcbecaaaf768262db63bfa67c29ace5b1c7234
SHA512 e1eee3af22164d95e38a58c629e94fb8acb0f4bf2b3b34a163fc06d6be670b1fce74df6da47b270f52f2c69645934aa95b1575bc35a25600b1543d04c732adb9

C:\Windows\SysWOW64\Jpgmha32.exe

MD5 adbe86cec707ed83cbf2fe300bd8d6ab
SHA1 573457af83692d5781c051024e3b015270e15dda
SHA256 87826c51894416ce8a79336b6eb98162863f2c4e9926172e37e5020051fc93be
SHA512 8ce1dd69b328dab76e4a118341f80ec54244b536817af6b3334695b566e59c7daf30273e2258558039e9cd6b1c0c8dc80102ee72c30f80f5172114b222eabc40

C:\Windows\SysWOW64\Jioaqfcc.exe

MD5 0874543b470ca86d148062b340f1bc92
SHA1 6472e20be331d493b015c7d8649b48ee716e3154
SHA256 bd3dc2a61762ee92405a467c39164d9eb636bc58ac757c187c2f9f38484348f0
SHA512 dac5bb9b49f410f77843b035ae20121f98f051241adcc8e0fe2b6986503f174a98754fcc2dbc5f43e59dc3676a43d6c4bd641e08f01650db1ed5b16cf12ae2fe

C:\Windows\SysWOW64\Jcefno32.exe

MD5 ba2fbf31d9893f970d5c5010419da180
SHA1 c3ad549338ae2214757c21b3093727e27a835e66
SHA256 7c6257ae123c56550b914ffa30b04dab2e98a7df2534908e97d9452698138177
SHA512 782df637d72dfa31f24773d75d6f133d11c5fa57acfef94713537401e9dfafa083bb63423d488201adf50b78da3a8e14a64af07e0cfae452a40a969d36c8c94b

C:\Windows\SysWOW64\Jcgbco32.exe

MD5 0a6bd39baf45e26c83f6ef0c1739f7fa
SHA1 c0b87c356cfdd835c566531a50a95b97617b4cdf
SHA256 d54a5b9f08586f4456570c4e20290931ec0880f66f1b5b377618e6466c4ccb68
SHA512 032b2345429cb189a407274fe592652afd6a8cbffaba25508a8cf1f0e80d978507a4d26a5301c2df33ef95f20c44fba7fa00d7061cb8b2298dc61ba3a5e8c18e

C:\Windows\SysWOW64\Jeklag32.exe

MD5 2674768f2b2b13026d6d45d0e8e898d0
SHA1 605afe2f57657d76c3fb6298e0b591b740c4ad02
SHA256 b4050ecc36a590814f03f75036d47e50877c985777b78c00ab65d6020b9d1d79
SHA512 d4a507bf480c32a481ce219dede8c1d22e785fc1167f0e2856cc6f8bd54a99fd073aad80bbf8563f3713f19f396c5c8eaee406a2fa53e2252870ef54bdd9b8fc

C:\Windows\SysWOW64\Kfjhkjle.exe

MD5 954d8045393a083c2dea5a8f92d382b2
SHA1 83c267cc01691ad004297410e6912f6e00673559
SHA256 c0c90f1e2d79d9b6c0744e96995ef36d4536cfde8524a28be966e1315dbe6fa1
SHA512 ce94a08ab70f8a0ff53c55afdc75dff9156984bec9e2ee0079df56d73299c8b805f13b88e3284b682a53df9bd37e942595d32712a10571a22b619a9ddd31106a

C:\Windows\SysWOW64\Kimnbd32.exe

MD5 744be2b9ef696418c23febf068421fd3
SHA1 3f29992d64e804474d68a34741846ada09d12f43
SHA256 44420091ba2a123bae930f428c4f1abe1fe96b52ee31747c11d2a0264d5f3a8c
SHA512 f34cd081f1a829b29baad4db7444917dcb49cf7ae0a8558513da92526eb44fa7d1d7675aadc106a2f84979e4a073ffa3d653b5a255118afbbee3b468f5164f59

C:\Windows\SysWOW64\Kdcbom32.exe

MD5 5334e795d700c3bac8f24c843b7790e2
SHA1 a640f548f9d8c4ea28ed46ba9004e8a69c668e2d
SHA256 3b1945ff67caad896b3bae0e1903e4f7e13c643a2bb1fdd9e67bae822a325e7c
SHA512 ee61da9b6f8cfb4a4ce51d75f6927aa14025989a286c05c651463a636a68c8e0981b59438eadfa627a0a3bc62a67c7cfd0e2a79e11da4f13f61a719ce734995e

C:\Windows\SysWOW64\Llcpoo32.exe

MD5 544ad7fef53376779fabac4e53825ede
SHA1 0475c5c79af9b62dcb04c2bc2d74032454a1a00f
SHA256 03dce99317b81928af242a42b35d2c2bc8416953d590db04bd0b0599dd8a57c3
SHA512 cdfea446935d019ebc4df163500227f6752981cfd2506c7ccd83365f24d069f29abf8a98ca1aa6bceaac2d3c05adae1ef34d8b16cb0b8bfd91319d893246727d

C:\Windows\SysWOW64\Lfhdlh32.exe

MD5 0c94caf626c56e7a6b0bcae65e1ea4f7
SHA1 32c30c97f9209d44cb8059dfb4fd4945c6905c86
SHA256 8137526aecdc81305138b1536941a0a1186bc4ba203d3484883130b4631e2725
SHA512 48b6788c66505f49ed8ac604eb5a7db267545a85217e98b2b7b1e6bcf492d3aca39c10dd14ec24888b36466a5497f47b0fbfcb6287a08a571a157cefc204f7d2

C:\Windows\SysWOW64\Lmdina32.exe

MD5 e3acedc5b62e87e17f7718cd824bca56
SHA1 e714b243f3a52ac672664a19d367950b157e6b33
SHA256 740483231f8b2c5857064a5b4cad2c199ea2c4e953d53330b0d18eb39e6b44ec
SHA512 d74e8e818ce1cbf64cf07ec9492ba273a8eac9041839c2d48d04d56da0279464b382686a7588b3341af2ea71c995b34097b8792c801a7115efd1eaae461a6891

C:\Windows\SysWOW64\Likjcbkc.exe

MD5 2c6046107ed2a4baa875c468bff58ba7
SHA1 9676b8ccbbd1db49a71c8ea3779f6f2df01a4666
SHA256 51e6dc613b6d9bac5ebaec23cf96d37ed8fbb33ef4bec9c6c5330233a68ebac2
SHA512 9e2b2055787eba2e351dea8d679ea3cdb3aecd168106c99f79c446a5b89045a0c371f644a2e17f17bd1770c9467c584dc51cfe1fd1d650f20831e5029fc61b59

C:\Windows\SysWOW64\Mdckfk32.exe

MD5 50cd2649009e97272b1cfa4a706c0213
SHA1 77b2e5518f0b29c8f31128bee9fe502b123cf994
SHA256 a325f0f99ee0d77fe2195234fd062c9ff8875d40e9b4792cd5e94da42fb0cfc7
SHA512 226b64083b1f145785634e5d8467325c549023bf4ac4fecfa1c5ab18b90573e08a3b2e1935bf09fc4cddcbf178506d150a21b75584472c30e06e7c31758ba850

C:\Windows\SysWOW64\Mibpda32.exe

MD5 2a9230950eed286a7f43456033d8a485
SHA1 8aa3e1685acac8443a1353b98c389b092c0f3a48
SHA256 5ba09f531b420db04b7318c96a071b28ca06ad54182609d5669633fb5b35274e
SHA512 d8265b8c7642dbff82ebd8fdc1d0f2d8ae2563c9f36afb2a905d8f7d8693ee81fb15072480f155023467e9ad5bccf14a4846954d9df115d582a2b288b10bbd34

C:\Windows\SysWOW64\Mmbfpp32.exe

MD5 061f8907582558ace3abe66f667a8a42
SHA1 0d54f9f4bdf03f9850e695e3e4e6ddfc67d10a0d
SHA256 ba298de41035d7c7a3066764fa39b88f98cfd9efd748f172e288d1b45d5e1fb1
SHA512 243edef82e15ba3a5aef4d288fc7e41e014530c23ee3f17462a97674669d5bddde9b24cc737bdf55ae456a28312ecf1ec4b39be7a5d16a3bd0f4e5b0efbecf2f

C:\Windows\SysWOW64\Menjdbgj.exe

MD5 fcae3ac3645957b2379a1655c554b350
SHA1 9d178afb4658d199d4cc75eb3b66a6e7d2e33c59
SHA256 0b64514c36c6e1ee2bfeedd959ef650ed3c865fffe931935c1f90b6101bfa1a0
SHA512 288601c0efba8f094d79296b0e93900f157b0bdb5c68b3aa8e0ff50d0bf6cd120a2b0d265c71a821a4b1061ea17285919831f2dacad67be8d8b4028268722172

C:\Windows\SysWOW64\Npjebj32.exe

MD5 123eab9081250afff44716b171f65fd2
SHA1 febac9ee55785a1657b873929136f8d931b65c21
SHA256 e9b5bdb155417f138e7c0351e65f53e70ddf65c47afb0df06363ae9e7045818c
SHA512 33f2dc56c1fd37d88c4529b17666b52ecc54c943b5ae01771432b9327ee25303a20e16f674d34f0fc28ea73d8e501c633ae24093e5390b3a12bc241af337ef21

C:\Windows\SysWOW64\Nggjdc32.exe

MD5 4d9abbe7273346b6f06a7dfd12eaf648
SHA1 905d75984ef768f667c1dc5d77877099c0140cf6
SHA256 589dce232ee73208c643b3bbb6cf3f06a6eec72a0338bad3fa378d5c1601b456
SHA512 939f442fffb9d87734cac6b36b6dfd42c5e2f32a6141e3c57b38a20e680c74bc5838741043519e7ba362e2d6bd82ed99908d5ceb2a1c7ea7a3d89f5a501ff64b

C:\Windows\SysWOW64\Oponmilc.exe

MD5 4d5611d75c81321791fed2756270122a
SHA1 3e85d41186689d71f7c3e67396960d5f7417b2b0
SHA256 2ead397cd1ef43d0749823477bd6f51b731fff77f252e6151ad5c59355b9c0ec
SHA512 489382e72053385bde89a52249e3a3a3f81c0ccbf754db58beab3b6cad6ebc01099a098c54891b0355c3d0323004f45c5e15019cde73a6332e16e4aadf5c3b2c

C:\Windows\SysWOW64\Ofnckp32.exe

MD5 0a3816f96ffb3bee1e490b3cf5b4de23
SHA1 b5e2ed984534d669442e02b1313e4c72c1d435bc
SHA256 dbd1a637774ed3f4c1f9284aa7fd3ade11962111c0adc2acb6e43a003a3eddaa
SHA512 aa3c512cee1a532443a90d7512b081b4c200e3f40bae23ff03fa0fa450934bb7dfda15c0a4d2b85b35b2661a68e37796b437f6298a1591e8bc81e02667ae70f1

C:\Windows\SysWOW64\Ofqpqo32.exe

MD5 46a9fed42fca06221c1da506993e0a35
SHA1 29385840f1dd2aa1a6a662b1e5a0c060dc729997
SHA256 a2f00797afebba81539abe0d912cf3434f28437382f5d40c4c7c5fb6426d514a
SHA512 e733b4ad27ef8da9fe48b5d0271a3e7a5367fc8ed072efd3331d3a4d349fdcab63e442599e8d5e483e904c01722e6b617a724017a7209b667e08ad6479e9a102

C:\Windows\SysWOW64\Onjegled.exe

MD5 11e765686258803c58b29385bf7368df
SHA1 e3f5d8c3248c527ab693d52ebcce865f6469d913
SHA256 b8244c48eafeff8736f20035e66eac78431a8efe5bd80ccdc5b0393b663da955
SHA512 b53015a7a52b62912f58c298df4857d14b90918d9f6186f55583e47a52fae20bf894a393daa62e171644d28b78156f6bf053d9b412442a9046abb04c989a7f9c

C:\Windows\SysWOW64\Ofeilobp.exe

MD5 35d1f813a12f46973a5d09e6699f8592
SHA1 cf7049bd67b3da80dcd1e018d2963ab91493a1cc
SHA256 267e52f9054c98f62d571f29a329f7c992bf62dac66725f43935a4963f9d65d3
SHA512 6f28dd4f7d56b82532bab4020d8a948f7421357c6f6872b8a39805038fb8b4446a2a90d69116497048ddb1c5fab397833105a34068de1420c61cbdb6a8ae1084

C:\Windows\SysWOW64\Pfhfan32.exe

MD5 1475c8dc666a4f3c3cb6273314fde54c
SHA1 603bf844ffbaf06eca2b8d54a98695ef90006237
SHA256 1b497145dbe0a9e6765dd4681b4783d90770662be5bc3b76a1e18e3f26c57e78
SHA512 f4ba94a0c8cebd01c583693e04269ede88769736570ce34d7c80443aa8276a26cd53ef9550bba6d2a0eea6424377480f6f4bbf4a956f8e5b8f785b5222f526ec

C:\Windows\SysWOW64\Pfjcgn32.exe

MD5 6a5632930bd8ef830cbcebabcd217dd2
SHA1 e32f9f65f2d3e3a126875a173b3f6b096cedbc88
SHA256 762943b51484feea3730ba3433f414541323b96bb764337c04e5eb9d0890dc89
SHA512 fdd5af759c3311469e170031580070bf2bb51bfc90ab7f72c464d6987e71b8c326d5cbef2f6635c0419e014e70a8b8ff1c7197cf08bb6567e5df222331b159e1

C:\Windows\SysWOW64\Pmfhig32.exe

MD5 aa1fdd56ff50357cf09e842b8efe8b87
SHA1 6782d89109953a7a6cb6446acd243a684317d4e2
SHA256 d4f72f97f29b173b295fe3f06d4b77f4687419c20e04b318635ba86e71aaefc0
SHA512 e6d022436414150e6edb5ab8d701bc44509f4dd06655773f3c52aed45afbd64c673d2dc4c97e911e6fecc0e9bc5e2dd919851d25254e3ea2de9b158785be780c

C:\Windows\SysWOW64\Pfaigm32.exe

MD5 98a111f5cfdfef850cf79d30eb29621e
SHA1 3baedafb1b0400dd5bd89df1a457dd153881f1b8
SHA256 f248693ea75ef85abeeb3ee43624b703a6b58816dbad3ed1eb1bd8eec21956ce
SHA512 f6747b0e80271beb6ee1c0ba8248e101334aa0ac3bb7b756fcd4638991cef7252eaaa16d3d331407a062a0b824957d60e90bb7f95b84832c0a487c3db6a660fb

C:\Windows\SysWOW64\Qnjnnj32.exe

MD5 9b8b4bc77b4ed4d5713c38035fa4f327
SHA1 ff3fe734d016c59b7c533dc7f2a60bc5b0e43f4c
SHA256 228aa204b034c287bc632835e63df1facb9b4b637f3f07f3423a4178aedeb207
SHA512 e00cfc0196e5c5d7796c0b0c312865b87f8e7a070245971bfc554c871e4b2b9f8faa9f4947370f822ae279283321308fc6d795e7b0bceb1f8091a4510389dc27

C:\Windows\SysWOW64\Anmjcieo.exe

MD5 8f0506e8334c85e4342fff8239192941
SHA1 e104515e2cc8859eb7d2310a4b117ff5f2a92502
SHA256 6c5a2a4b73d59434eb06909d9a67589e4518024328adfa4946634b50c5806d74
SHA512 b5dbc09a41bdfc7ec5743822482700f79eaf63e020b89399bbffe362ac57c7dfaba298030191cd9ff002eb7650a5a9a9c750d876207d22c0106f2ed2a26e294a

C:\Windows\SysWOW64\Afhohlbj.exe

MD5 8ba58db7c05fa39e61cedb7902ce51a8
SHA1 885dcd247d1c64450ce8937426e55fcc271cef73
SHA256 12167f1311008b43a73fcda2fd7ffd1364d958838a0bb37306ffeee7ffa38f62
SHA512 2257e917db2240ee131d9cd525e79659871af1bdee79a7a641d61f9c4b3f019bc0233508da95607ce6ec6e45c9e842de836c5ec10930efd58b20b68dd47c87e2

C:\Windows\SysWOW64\Agglboim.exe

MD5 af8c76d9044b92c2dbd081a21f01bf44
SHA1 db9d35ba9a57d0bcc066b7f847ff7db2bb17948f
SHA256 e19bca1d3f8758e381f349e08e87ca43163805dd8d1051744cd80ea850a1652b
SHA512 093cc77cfe2b12709f2df8ffeae817312eab2b669d4ac18a523fd25e5b9e91a664da07c17da4d73eb0ac01a5a5bf13f44329afbf001180e2f0a9f455b2995b49

C:\Windows\SysWOW64\Aqppkd32.exe

MD5 c44fa34d5edba6d589ec0ff6fe9dc720
SHA1 801cf15614efaab4e128cb6c8549df6275ca016b
SHA256 7cb886ccfd4617260a2028608710ab2588dfab985396e9278a4b0200a79ca309
SHA512 b2ba029eadcca885a6ec1dc95b0f283a4c09c980484d0746aeb32a7d91f3fe442b5f6bbb8c566ee050aa7f950a454ec36786285a72023a22ca73a827450a6cd7

C:\Windows\SysWOW64\Andqdh32.exe

MD5 6410419619a07da8ecce79644c26a710
SHA1 9f8e27b82d761b7e2d4da0acd9dfa3e8a6e1362b
SHA256 0918c776be1a44c0bd537bf3be83a9cb0b6ed840ecfb094f79c6fdeebc48b8e4
SHA512 2d4bd05dbaa37366451cfe53bbbc845c26b398b7fcc7058b6e6c7acdf8da95d494d2a70512626ab6a5343a609b0d2ffe6c841e2f522a13f6b8842c4f4812d756

C:\Windows\SysWOW64\Anfmjhmd.exe

MD5 e10b98dea00e9361249b97290bf19a8f
SHA1 81fa5cd04a4f0610b63d24ce2dd67adaeb6284d5
SHA256 f20d4e9c99e36f6be1923df675d2c3c268d164193d2c5dc83ec66de8b1e9fce6
SHA512 f735416f68f989702cdf56fb598e6f540a27f7baf7d064fe6432beb55bc4a328dc691fbcccf7a874b0b6c15d686cd33bf18e2e715dc9ba4da48d0e6cac5c85af

C:\Windows\SysWOW64\Bebblb32.exe

MD5 4f02c9dd98f5d06bd65acb22202b0490
SHA1 f153866678bc246ec6887005f8c13ee23ace9970
SHA256 b7ceaeccc15b817bfbbefb24a82ad8c1f5589f40c454dd778b718970e2fa0800
SHA512 f54b78333f7fec4de0f328c46e060920c1adc8fc48dea4beb07b63ac5342f7e1a9269ae8a44a679e02d4f90d206cd99399162ed9f1be8eb40784bdb7036d2c4b

C:\Windows\SysWOW64\Bffkij32.exe

MD5 17eb2ac7792b42024204dc0134baba07
SHA1 5e1f240eb2056f88f897616cc47b0d21612a678d
SHA256 9599c4731d1942186c9781504155b2e3e4ccaa050a3a54f8820c0f46cbe3d963
SHA512 c1a4187dc5c3f1e5084f4fd5d65e0ac151203bca92b0e72516da92596d64c176d19c6a52b229893ebcca3b77087c52f4e6efac6b9ccfce9343a397494a07d7a8

C:\Windows\SysWOW64\Bgehcmmm.exe

MD5 47fae4b9696f2ad2b26fda4b4e6a90a4
SHA1 444ca9c3c8f08ff7aeff5630fd8fcf4233700a72
SHA256 c9194fd789c966e520bc6e2f00b1a9c04a9bbb572406de95603f9f3a1b28c34f
SHA512 4006b8f7d9ad9a98bc730e3a7a2b32165f4ea966f62f86dbd77bc1102e6ec046e38e0610d9c15ad6be553cb2ac362e0b0093b6c183473819584d19cb44be1b48

C:\Windows\SysWOW64\Bfkedibe.exe

MD5 9db99f49b2a826a8d2616ea16c880a3c
SHA1 6adfb57d1357e723b2be64d50202b897cd0bc196
SHA256 6e3cc6bce02bf6b56d11a4aeffb80f5db33be0f7e5068e998c036b450338d466
SHA512 8e6be8a7c41b155772b143ecdcbddfd69c9f60691387391c180922aa621ef46d4497f0b6155fbf9ef655cc06ecfb63ce2feafe8ec817100c926a29d870637512

C:\Windows\SysWOW64\Chmndlge.exe

MD5 835e61e25c5477c1a162388b889f5177
SHA1 559a436d618170ef93c9b8c61934850986842a13
SHA256 e512557e059e4fb03ac621340612665020d307bbace85e1f8976ab52ac20917a
SHA512 5a022291643f3ef5a2202d754d2cd03e7d7c493bd2f2260a45e6470753a7892c7260406bb60a60bbca6890ebc3dd73f2f73f82f76cefdce63e8217646b914f2c

C:\Windows\SysWOW64\Chokikeb.exe

MD5 c7ab7b7a114af409428dcc018c5b095e
SHA1 604cd5528293b8c899162141ae0031ba0e2e45b4
SHA256 6115a7e4324940b5caf33c9fb56c076bddcf7700bdd66c3a7c66cee0879301d1
SHA512 57f063d0cbbeb037e262ef8e8d37ba320a02c7b0890cd4c3e2de5d26e793818f366ec4ec4da7fde8cc7794fa186a0e0203578f1491a50c6449f10394479b1cbf

C:\Windows\SysWOW64\Cmlcbbcj.exe

MD5 4dec0b085e5b55d1cb6cae2b66b7ca17
SHA1 59152a0403cb3bc8f8e6f03172df820df1b8e46e
SHA256 eb6d4af541c833e5b6313a2aaf9a2f645701869459bd212332357ad37938b336
SHA512 193459980518bf5b2691f26938cb94e093ebe6ecf95594885577c231eba70155821fdce81b7dc0be691c708cc3077c3146d758acf574c2bba9e8734737d0c1ed

C:\Windows\SysWOW64\Delnin32.exe

MD5 747d60fe808b43fe36232876e8299ad7
SHA1 49244b26647e6eaf8e1f71a8057cda2f1bd8564e
SHA256 697dad21def2aed81a1a2f7ff7443f29bbe9633495c74ef8dfe5a4376914044e
SHA512 108f68015d6945d7b9aa592e207df00e9a6c39db61bb13332b824aefa65914a54392ee8c3b6b5c0059d227f3a86361fc74890df6b2ba3fda31d477f35b6d2ed6