Malware Analysis Report

2025-08-05 22:09

Sample ID 240509-rhk57ade61
Target 5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics
SHA256 0fb44962f45fadc1b470324369ec43e2f5526317c934df23a6f29d2b9c403084
Tags
backdoor dropper persistence trojan berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0fb44962f45fadc1b470324369ec43e2f5526317c934df23a6f29d2b9c403084

Threat Level: Known bad

The file 5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

backdoor dropper persistence trojan berbew

Adds autorun key to be loaded by Explorer.exe on startup

Malware Dropper & Backdoor - Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 14:11

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 14:11

Reported

2024-05-09 14:14

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eqalmafo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcmofolg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mdpalp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nddkgonp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gfhqbe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbeghene.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iiffen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ipckgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ibccic32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdmcidam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dllmfd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecbenm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gqdbiofi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gpklpkio.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkihknfg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcdegnep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efpajh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fqaeco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ipldfi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbkjjblm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ldkojb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnapdf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lalcng32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efneehef.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ficgacna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gfnnlffc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmkbnp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfcgge32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Impepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Liggbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjhmgeao.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpbaqj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbckbepg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Emjjgbjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eoifcnid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmocba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hjolnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jmpngk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqalmafo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gjlfbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Laopdgcg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdpalp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbldaffp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbmfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbmfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kphmie32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nceonl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laopdgcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fjhmgeao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gcbnejem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hmmhjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ifjfnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmlnbi32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Cpofpdgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Capchmmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Diihojkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dljqpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcdimopp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dllmfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djpnohej.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpjflb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchbhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbkehcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Elagacbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoocmoao.exe N/A
N/A N/A C:\Windows\SysWOW64\Epopgbia.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflhoigi.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqalmafo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecphimfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Efneehef.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejjqeg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elhmablc.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqciba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecbenm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efpajh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejlmkgkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Emjjgbjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoifcnid.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecdbdl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgbpihg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjnjqfij.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqhbmqqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcgoilpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffekegon.exe N/A
N/A N/A C:\Windows\SysWOW64\Ficgacna.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmocba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fomonm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbllkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fifdgblo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqmlhpla.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckhdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjepaecb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fobiilai.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbqefhpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjhmgeao.exe N/A
N/A N/A C:\Windows\SysWOW64\Fijmbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqaeco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcpapkgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfnnlffc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gimjhafg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqdbiofi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcbnejem.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfqjafdq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjlfbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmkbnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goiojk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcekkjcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfcgge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Giacca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmmocpjk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpklpkio.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcggpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfedle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gidphq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmoliohh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpnhekgl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kinemkko.exe N/A
File created C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File created C:\Windows\SysWOW64\Mnocof32.exe C:\Windows\SysWOW64\Mgekbljc.exe N/A
File created C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\SysWOW64\Maohkd32.exe N/A
File created C:\Windows\SysWOW64\Gcbnejem.exe C:\Windows\SysWOW64\Gqdbiofi.exe N/A
File opened for modification C:\Windows\SysWOW64\Gfcgge32.exe C:\Windows\SysWOW64\Gcekkjcj.exe N/A
File created C:\Windows\SysWOW64\Egoqlckf.dll C:\Windows\SysWOW64\Ibjqcd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lcbiao32.exe N/A
File created C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Jmkefnli.dll C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Impepm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Kgfoan32.exe N/A
File created C:\Windows\SysWOW64\Ppgjkamf.dll C:\Windows\SysWOW64\Emjjgbjp.exe N/A
File created C:\Windows\SysWOW64\Hbckbepg.exe C:\Windows\SysWOW64\Hpbaqj32.exe N/A
File created C:\Windows\SysWOW64\Kkpnlm32.exe C:\Windows\SysWOW64\Kcifkp32.exe N/A
File created C:\Windows\SysWOW64\Mdfofakp.exe C:\Windows\SysWOW64\Mahbje32.exe N/A
File created C:\Windows\SysWOW64\Addjcmqn.dll C:\Windows\SysWOW64\Nqmhbpba.exe N/A
File opened for modification C:\Windows\SysWOW64\Efneehef.exe C:\Windows\SysWOW64\Ecphimfb.exe N/A
File opened for modification C:\Windows\SysWOW64\Gimjhafg.exe C:\Windows\SysWOW64\Gfnnlffc.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgmlkp32.exe C:\Windows\SysWOW64\Kdopod32.exe N/A
File created C:\Windows\SysWOW64\Fobiilai.exe C:\Windows\SysWOW64\Fjepaecb.exe N/A
File opened for modification C:\Windows\SysWOW64\Lklnhlfb.exe C:\Windows\SysWOW64\Lcdegnep.exe N/A
File created C:\Windows\SysWOW64\Nphqml32.dll C:\Windows\SysWOW64\Kmegbjgn.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqiogp32.exe C:\Windows\SysWOW64\Nnjbke32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Nqmhbpba.exe N/A
File opened for modification C:\Windows\SysWOW64\Ifhiib32.exe C:\Windows\SysWOW64\Icjmmg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jbkjjblm.exe N/A
File created C:\Windows\SysWOW64\Eilljncf.dll C:\Windows\SysWOW64\Jdmcidam.exe N/A
File created C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File created C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Njacpf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gcpapkgp.exe C:\Windows\SysWOW64\Fqaeco32.exe N/A
File created C:\Windows\SysWOW64\Hmdedo32.exe C:\Windows\SysWOW64\Hjfihc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Laalifad.exe N/A
File opened for modification C:\Windows\SysWOW64\Fijmbb32.exe C:\Windows\SysWOW64\Fjhmgeao.exe N/A
File created C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Kgfoan32.exe N/A
File created C:\Windows\SysWOW64\Ekipni32.dll C:\Windows\SysWOW64\Maohkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipldfi32.exe C:\Windows\SysWOW64\Hmmhjm32.exe N/A
File created C:\Windows\SysWOW64\Ppaaagol.dll C:\Windows\SysWOW64\Kphmie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kipabjil.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Nggqoj32.exe N/A
File created C:\Windows\SysWOW64\Gfqjafdq.exe C:\Windows\SysWOW64\Gcbnejem.exe N/A
File opened for modification C:\Windows\SysWOW64\Gfqjafdq.exe C:\Windows\SysWOW64\Gcbnejem.exe N/A
File opened for modification C:\Windows\SysWOW64\Goiojk32.exe C:\Windows\SysWOW64\Gmkbnp32.exe N/A
File created C:\Windows\SysWOW64\Capchmmb.exe C:\Windows\SysWOW64\Cpofpdgd.exe N/A
File created C:\Windows\SysWOW64\Ifmcdblq.exe C:\Windows\SysWOW64\Ibagcc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldkojb32.exe C:\Windows\SysWOW64\Lalcng32.exe N/A
File created C:\Windows\SysWOW64\Djpnohej.exe C:\Windows\SysWOW64\Dllmfd32.exe N/A
File created C:\Windows\SysWOW64\Hndnbj32.dll C:\Windows\SysWOW64\Fmocba32.exe N/A
File created C:\Windows\SysWOW64\Iinlemia.exe C:\Windows\SysWOW64\Ibccic32.exe N/A
File created C:\Windows\SysWOW64\Ejlmkgkl.exe C:\Windows\SysWOW64\Efpajh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgbefoji.exe C:\Windows\SysWOW64\Kbfiep32.exe N/A
File created C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Ifhiib32.exe N/A
File created C:\Windows\SysWOW64\Pipagf32.dll C:\Windows\SysWOW64\Kpmfddnf.exe N/A
File created C:\Windows\SysWOW64\Ndclfb32.dll C:\Windows\SysWOW64\Lcpllo32.exe N/A
File created C:\Windows\SysWOW64\Dofqcl32.dll C:\Windows\SysWOW64\Fqhbmqqg.exe N/A
File created C:\Windows\SysWOW64\Iblilb32.dll C:\Windows\SysWOW64\Fjepaecb.exe N/A
File created C:\Windows\SysWOW64\Emhmioko.dll C:\Windows\SysWOW64\Gpklpkio.exe N/A
File created C:\Windows\SysWOW64\Lddbqa32.exe C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File created C:\Windows\SysWOW64\Jlnpomfk.dll C:\Windows\SysWOW64\Nqiogp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fbgbpihg.exe C:\Windows\SysWOW64\Ecdbdl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gppekj32.exe C:\Windows\SysWOW64\Gameonno.exe N/A
File created C:\Windows\SysWOW64\Hjmoibog.exe C:\Windows\SysWOW64\Hbeghene.exe N/A
File created C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lcbiao32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Lcgblncm.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llebfo32.dll" C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfqjafdq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hjfihc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Diihojkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gfnnlffc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll" C:\Windows\SysWOW64\Gpnhekgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll" C:\Windows\SysWOW64\Hcedaheh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lcgblncm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dchbhn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eoocmoao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jiphkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mnocof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nggqoj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kbfiep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" C:\Windows\SysWOW64\Ngedij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lcdegnep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fomonm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hboagf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jdmcidam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lcpllo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll" C:\Windows\SysWOW64\Gmmocpjk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Impepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll" C:\Windows\SysWOW64\Ldkojb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Impepm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kkpnlm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll" C:\Windows\SysWOW64\Dchbhn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fjnjqfij.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ijaida32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" C:\Windows\SysWOW64\Kbfiep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpmokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecphimfb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eoifcnid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbgbpihg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fcgoilpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fifdgblo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iinlemia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lcbiao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll" C:\Windows\SysWOW64\Lklnhlfb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mpmokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjhmgeao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hjolnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ibccic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll" C:\Windows\SysWOW64\Jangmibi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lpappc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejnmepn.dll" C:\Windows\SysWOW64\Eflhoigi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll" C:\Windows\SysWOW64\Nqmhbpba.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 964 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 964 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 964 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 1460 wrote to memory of 336 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Capchmmb.exe
PID 1460 wrote to memory of 336 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Capchmmb.exe
PID 1460 wrote to memory of 336 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Capchmmb.exe
PID 336 wrote to memory of 1040 N/A C:\Windows\SysWOW64\Capchmmb.exe C:\Windows\SysWOW64\Diihojkb.exe
PID 336 wrote to memory of 1040 N/A C:\Windows\SysWOW64\Capchmmb.exe C:\Windows\SysWOW64\Diihojkb.exe
PID 336 wrote to memory of 1040 N/A C:\Windows\SysWOW64\Capchmmb.exe C:\Windows\SysWOW64\Diihojkb.exe
PID 1040 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Diihojkb.exe C:\Windows\SysWOW64\Dljqpd32.exe
PID 1040 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Diihojkb.exe C:\Windows\SysWOW64\Dljqpd32.exe
PID 1040 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Diihojkb.exe C:\Windows\SysWOW64\Dljqpd32.exe
PID 1048 wrote to memory of 4000 N/A C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 1048 wrote to memory of 4000 N/A C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 1048 wrote to memory of 4000 N/A C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 4000 wrote to memory of 4252 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Dllmfd32.exe
PID 4000 wrote to memory of 4252 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Dllmfd32.exe
PID 4000 wrote to memory of 4252 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Dllmfd32.exe
PID 4252 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Dllmfd32.exe C:\Windows\SysWOW64\Djpnohej.exe
PID 4252 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Dllmfd32.exe C:\Windows\SysWOW64\Djpnohej.exe
PID 4252 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Dllmfd32.exe C:\Windows\SysWOW64\Djpnohej.exe
PID 1476 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Djpnohej.exe C:\Windows\SysWOW64\Dpjflb32.exe
PID 1476 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Djpnohej.exe C:\Windows\SysWOW64\Dpjflb32.exe
PID 1476 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Djpnohej.exe C:\Windows\SysWOW64\Dpjflb32.exe
PID 2104 wrote to memory of 3948 N/A C:\Windows\SysWOW64\Dpjflb32.exe C:\Windows\SysWOW64\Dchbhn32.exe
PID 2104 wrote to memory of 3948 N/A C:\Windows\SysWOW64\Dpjflb32.exe C:\Windows\SysWOW64\Dchbhn32.exe
PID 2104 wrote to memory of 3948 N/A C:\Windows\SysWOW64\Dpjflb32.exe C:\Windows\SysWOW64\Dchbhn32.exe
PID 3948 wrote to memory of 808 N/A C:\Windows\SysWOW64\Dchbhn32.exe C:\Windows\SysWOW64\Ejbkehcg.exe
PID 3948 wrote to memory of 808 N/A C:\Windows\SysWOW64\Dchbhn32.exe C:\Windows\SysWOW64\Ejbkehcg.exe
PID 3948 wrote to memory of 808 N/A C:\Windows\SysWOW64\Dchbhn32.exe C:\Windows\SysWOW64\Ejbkehcg.exe
PID 808 wrote to memory of 4824 N/A C:\Windows\SysWOW64\Ejbkehcg.exe C:\Windows\SysWOW64\Elagacbk.exe
PID 808 wrote to memory of 4824 N/A C:\Windows\SysWOW64\Ejbkehcg.exe C:\Windows\SysWOW64\Elagacbk.exe
PID 808 wrote to memory of 4824 N/A C:\Windows\SysWOW64\Ejbkehcg.exe C:\Windows\SysWOW64\Elagacbk.exe
PID 4824 wrote to memory of 680 N/A C:\Windows\SysWOW64\Elagacbk.exe C:\Windows\SysWOW64\Eoocmoao.exe
PID 4824 wrote to memory of 680 N/A C:\Windows\SysWOW64\Elagacbk.exe C:\Windows\SysWOW64\Eoocmoao.exe
PID 4824 wrote to memory of 680 N/A C:\Windows\SysWOW64\Elagacbk.exe C:\Windows\SysWOW64\Eoocmoao.exe
PID 680 wrote to memory of 1508 N/A C:\Windows\SysWOW64\Eoocmoao.exe C:\Windows\SysWOW64\Epopgbia.exe
PID 680 wrote to memory of 1508 N/A C:\Windows\SysWOW64\Eoocmoao.exe C:\Windows\SysWOW64\Epopgbia.exe
PID 680 wrote to memory of 1508 N/A C:\Windows\SysWOW64\Eoocmoao.exe C:\Windows\SysWOW64\Epopgbia.exe
PID 1508 wrote to memory of 748 N/A C:\Windows\SysWOW64\Epopgbia.exe C:\Windows\SysWOW64\Eflhoigi.exe
PID 1508 wrote to memory of 748 N/A C:\Windows\SysWOW64\Epopgbia.exe C:\Windows\SysWOW64\Eflhoigi.exe
PID 1508 wrote to memory of 748 N/A C:\Windows\SysWOW64\Epopgbia.exe C:\Windows\SysWOW64\Eflhoigi.exe
PID 748 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Eflhoigi.exe C:\Windows\SysWOW64\Eqalmafo.exe
PID 748 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Eflhoigi.exe C:\Windows\SysWOW64\Eqalmafo.exe
PID 748 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Eflhoigi.exe C:\Windows\SysWOW64\Eqalmafo.exe
PID 2508 wrote to memory of 4868 N/A C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Ecphimfb.exe
PID 2508 wrote to memory of 4868 N/A C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Ecphimfb.exe
PID 2508 wrote to memory of 4868 N/A C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Ecphimfb.exe
PID 4868 wrote to memory of 3708 N/A C:\Windows\SysWOW64\Ecphimfb.exe C:\Windows\SysWOW64\Efneehef.exe
PID 4868 wrote to memory of 3708 N/A C:\Windows\SysWOW64\Ecphimfb.exe C:\Windows\SysWOW64\Efneehef.exe
PID 4868 wrote to memory of 3708 N/A C:\Windows\SysWOW64\Ecphimfb.exe C:\Windows\SysWOW64\Efneehef.exe
PID 3708 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Efneehef.exe C:\Windows\SysWOW64\Ejjqeg32.exe
PID 3708 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Efneehef.exe C:\Windows\SysWOW64\Ejjqeg32.exe
PID 3708 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Efneehef.exe C:\Windows\SysWOW64\Ejjqeg32.exe
PID 2024 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Ejjqeg32.exe C:\Windows\SysWOW64\Elhmablc.exe
PID 2024 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Ejjqeg32.exe C:\Windows\SysWOW64\Elhmablc.exe
PID 2024 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Ejjqeg32.exe C:\Windows\SysWOW64\Elhmablc.exe
PID 1892 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Elhmablc.exe C:\Windows\SysWOW64\Eqciba32.exe
PID 1892 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Elhmablc.exe C:\Windows\SysWOW64\Eqciba32.exe
PID 1892 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Elhmablc.exe C:\Windows\SysWOW64\Eqciba32.exe
PID 2448 wrote to memory of 4916 N/A C:\Windows\SysWOW64\Eqciba32.exe C:\Windows\SysWOW64\Ecbenm32.exe
PID 2448 wrote to memory of 4916 N/A C:\Windows\SysWOW64\Eqciba32.exe C:\Windows\SysWOW64\Ecbenm32.exe
PID 2448 wrote to memory of 4916 N/A C:\Windows\SysWOW64\Eqciba32.exe C:\Windows\SysWOW64\Ecbenm32.exe
PID 4916 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Ecbenm32.exe C:\Windows\SysWOW64\Efpajh32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe"

Network

Country Destination Domain Proto

Files


C:\Windows\SysWOW64\Kgmlkp32.exe

MD5 8448946d3a894fbf26f2a7536cec2714
SHA1 0bb8facc038ef1dd89c6f917b32cb2885bc14433
SHA256 fc52c09ead730832f33e9508eb1b559eade45927903adaabee0e7da45270990a
SHA512 4cf9706d8248b89a59837a4d53f8a43ec7e5060a13437465c87e9339c78abb49ba89886ce1a632ce771561c11ac54535de56ab047e479cbab0b9c1c1e5ad49e1

memory/5300-659-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5264-658-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Kmnjhioc.exe

MD5 52aad29071f4aeca257597288484bbae
SHA1 fce73549e8a055b3077d7df2806d0e86d2a19519
SHA256 bf5901d0cc64e1b6cb7ea0d53dad72822777958d1a0a19b286699dcbea867671
SHA512 e64621ed73bdb0afe49cf25c347a4c0071e42ab5b438747e1b33d8e39d7adb4c8d066201dd6fd40e4b739416713bd66e43bdb66ed4d9449e4d614a368f3429d0

C:\Windows\SysWOW64\Kpjjod32.exe

MD5 423626b3b95135ace4cdf3e36d7d2f37
SHA1 421c5b15ab001979d0bc720481927e3e46cbb730
SHA256 dc2407609c414595475b7ed05ba4eff0447716eea41850a682221797070acea9
SHA512 1adb50c6286804610199ce1c747e04d892c5f61c9f2bc497ed7a62db5760e4f91ea03753df5335ad065917abc0d763359519a9e5e5d9886b13ed03297d604ec8

C:\Windows\SysWOW64\Lalcng32.exe

MD5 7cf0f1e251763b95c31c44e092966c16
SHA1 073493bea66a054a7d0f294c21cc8cc9c9b0f13c
SHA256 5f1af785e3f9641531d6f3f4e669b9109e2798da01b485ee5a8f4cdec4570b81
SHA512 1f8d20da624d8493cb3996ccafd95b6b117da2ccdb37785c4d1e6c00ae6ff8106af54a4371bb5a051c155b50410069aecc720abc2ca9c8de115e7c45637e84f7

C:\Windows\SysWOW64\Lpappc32.exe

MD5 9898ceb6dac8dbff979f19592b6b4f4a
SHA1 1731ffe2fe040237c5d2470a7958495f9971cc9c
SHA256 b2a06777067549c4bd496bd939e4c875b52c65b084f4f5ecc3ea427ecc7ab05e
SHA512 94fd8ae82e09ff4a6e0adaec82f52a09b45ed0c3285634d9e5468947f0d9d177503885eb5f492bc5e79bfabab8284aa3cced159287735ef7284d20e6441351a2

C:\Windows\SysWOW64\Laalifad.exe

MD5 830bbbf5c8b79c0bae3bed5c11f184a3
SHA1 87ea5448b08f75f57860c9234cc8724718f530e5
SHA256 0ae71c1405177b36cb52f14adc652b03d80364c8f7c03a9439e0b51d50fa407c
SHA512 bc9e897d27f70b4186d10bceab60ac86efda03e4aa5c6f0bbbda764a8b3f7d6be1c28cb62aa3d9ca7f68c2f3d680a6d00cbde72fd63dfeca9c0e41e202614883

memory/5228-657-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5192-655-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lcbiao32.exe

MD5 aa6753ff4f2ce84cea245c91e098ddc9
SHA1 debeb49b77ef82ed51d74641d741812433f36374
SHA256 f292bfa5065ddd8e81f55a3385964133914a84df422f39ac97cf21bdc4ce9f00
SHA512 9f608b133eda385241d02c5716abc0a6cbbe4335056166ec3a0fbaa4e9dfdb62b469c507191d72ead8c09d22c9d3dbe14fff2a103fa6a6fbb162bd682fed0f7c

C:\Windows\SysWOW64\Lcdegnep.exe

MD5 50f4bc09092e9ff2b77bb7dcd2a751b1
SHA1 9f528801de64f000677460db2ae294833cd8fc19
SHA256 5e014ee19563d8eb458f22098e8115eb2204d234c495a1bfd93a107335654265
SHA512 d86087c89369c9d17f207d61d75f5988a7074ac5f06f8ff80751a019a01b7ab6344c683739f2e9492c6ec9c44065790686445dcc7ee2a948b2bb185cb91acaf3

C:\Windows\SysWOW64\Lnjjdgee.exe

MD5 ea3443692f0ac52c653e83c1e967be24
SHA1 08f7942390fc7c4df9814a5b640c5ed0cbbfe70c
SHA256 dc682a8e3f7c2106225739bec4cbc0322652e5a735fe68d36ee6b427611f142e
SHA512 1e879cbd2287a7c2619873290091e73c7682cbe15fe1a0f0b6665e4798d7b381969ab5b9f1404a161ec8bdc1b3cd01c7d63dc71fb7f4f70f468a402db462c194

C:\Windows\SysWOW64\Lddbqa32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5160-654-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mdfofakp.exe

MD5 0f4b431ed2817054260e4a824e5d50b2
SHA1 f49c5039cd51a66ce887eb07f92f5d389453904c
SHA256 e9325248478a3c3bde425b783a6cfa2153c37f96e86f9d1d76cb39e17d114c0b
SHA512 cb484e8f3699cee6468a7b7a5b50a71b8acfddcd41e6b52c677fab7c47739231b68629e6b2a476f1a232980201d5b0e42ccc96b7b9412368cbca081f0bd091ae

memory/4988-509-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4252-508-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mgghhlhq.exe

MD5 99025bda7daba16797b96295431596ad
SHA1 f4e5cd2e93dea9fde4b1335d87748f4dca598672
SHA256 5c6504d52eb6834fa1a676bb3d2768f0d1e60da5a720105e403afa0f4ad92364
SHA512 77394df8b288bab579bef8516a6b641681ed8c1060a0531e577ebde7c0a19e077f6d04016871d5d1a2797864ca6f46f9081e2458d038538eba2c4edb2cffc511

memory/2464-507-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2388-506-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3192-505-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3508-504-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4488-503-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1744-502-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3360-501-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2400-500-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4396-499-0x0000000000400000-0x0000000000442000-memory.dmp

memory/216-498-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2412-497-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4564-496-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1500-495-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4456-493-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4632-492-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Maohkd32.exe

MD5 4927d4f3a4c7e5c75c8b059b5d6b958c
SHA1 58da712c9795796bf2d4df73c67b05d2a8306ba1
SHA256 496fe813ce159049bc246ebabacd6e24c70e52f4ec46c2c292db54e4cbb83d05
SHA512 724a2805e356f3df3f2f9ce1b6d1f682cdd420bc1c72d502a5c4e0f0c5224603404af9e49b3497583319354a4a20a9a347bda83bd2b949412ba9c8dbd01b3950

memory/736-491-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4556-490-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3552-489-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4068-488-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3840-487-0x0000000000400000-0x0000000000442000-memory.dmp

memory/980-486-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1608-485-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4696-484-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4292-483-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5056-482-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5072-481-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4040-480-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4316-479-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3760-478-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3120-477-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4140-476-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2600-475-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1120-474-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3756-473-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3092-472-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3748-471-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mdpalp32.exe

MD5 9d87e66f20e064376b24c36263ff0fa0
SHA1 8f704247ad9d1ab28f34e5d15b9d168550313a4d
SHA256 8755268b91a8d23076ce8f500168436131958d7ec1e96601fd75d0ccb67321a0
SHA512 55e9edb567bdc76dd3608d36e72424282b7356fd181e5bc27ae6e53f71b3505c4aa7e8b73d82fcec095dc7773027d0719a6839a996e5b2bf74c17cd22d9022c5

memory/2368-470-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4736-469-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2320-468-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4352-466-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2596-465-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1444-464-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4300-463-0x0000000000400000-0x0000000000442000-memory.dmp

memory/464-462-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4976-459-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1304-458-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2456-457-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5016-456-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nqfbaq32.exe

MD5 3e2572429ffce75d0d6be41574907287
SHA1 5c2be9d59ed4416cf451991f1372db0f74d18811
SHA256 f12f28a45724eaf8b126fb8c4ac24152a9eac3d706df0fdbd8986e1c0433a834
SHA512 7f71c4a21461743ca2b48b3d271a69df4e1bda8ed01605b4008195606588739511b0315db31cb50476f0e315ab16346056e560a6c9a136a1396ab31a74d1efcb

memory/4916-454-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2448-450-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1892-449-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2024-448-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3708-447-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4868-446-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2508-445-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4000-444-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nnolfdcn.exe

MD5 11aaef878c6ee7ce780f037e9feb8763
SHA1 1602532aae56e5faefac355a08824f0e7a8aa7be
SHA256 41cdbca318bcd80ad8b682cfd5d9e70f365d2a501d5ad78dbee8ac2cd6266f8b
SHA512 adaf056c24d5b639c92a77d06ce10a76f9b51a1fd1bd7eb6aaa211ca2f9503848f22c54d610f1c3b8b02b32aa87eefddb58b0a693fe09a1bc6c002d392692268

C:\Windows\SysWOW64\Fqhbmqqg.exe

MD5 c4ae44f4b3cd7254972e2a9d917c7bae
SHA1 b055733a87638778d671e59ab6676eb672f2b92d
SHA256 13d486c0dc76e9c8a5af6442e6c5ba516bc5afa9c43037fe37ba0ea0ae485a25
SHA512 3548fd7e1e1ec666e38844a8b425c84fbc49fafcd7a6d43d76a2dfce53fcbad90cdb2ec6010466e8fe2e219f2416b2ae4f78c16b24c34347f739a93440e8c896

C:\Windows\SysWOW64\Fjnjqfij.exe

MD5 d7cd1b8876d8e24350fb9311b25415cf
SHA1 c70a8ef497d7d79e381ff47fdffe66c8a5bf2209
SHA256 d183e217a20065b8c87ee23caae6c5e80580a18ae7de701d660451c236ddf26c
SHA512 297681dcc0828ae23e96b1c6da7196123638724f3de76c95ec9226ca8d48f61b35fb799c1211dbee1beaeb1da480af6bce93cdd7bbed9deeb6c46f114c0bbab9

C:\Windows\SysWOW64\Fbgbpihg.exe

MD5 61187d7676e14694e29d181d1c4d56f8
SHA1 1c9e9ea45b926c4e24001555b16624a4427911ee
SHA256 9f1a86eeec5d721e68d4453ef46b003b6cc51f299e937d02dab7275750da052e
SHA512 145a5fbeb03b175734687568e934e4e4b3deb9a3577474f9389a45b51a02ca67f0913f906337884239b62da6d998628f87fd7a42ad5464ad33ab791dfd308f90

C:\Windows\SysWOW64\Ecdbdl32.exe

MD5 84372ad90c4919618d6529f4d0f97c49
SHA1 e17747b1020365473cfbe4478d1e51f5ed9fd2da
SHA256 683c4a634ec8492ab90ef292eebd7d80679e4e268a65115b05f8af58d62e0244
SHA512 12d881083f0fdf1d1eb9a2c592de3a54aa8e0606429ee1170f1836cbb5758f913a1e44919c524509aaa07fc9d387a61716223d87c9b1951b788db339ba587e18

C:\Windows\SysWOW64\Emjjgbjp.exe

MD5 ddde5fa4b894f8a83df8a92ae9c1638d
SHA1 227f06105b8d86a025b899702e87001df53607c0
SHA256 24f9676f5ff1737a7da8808a2d3280ebf7ccc3daa5d780544c828ec8f05b10d3
SHA512 c0a9b5c257e8211155ff825711f4d52a7b210c9520acf3e836bca7b60efd9ef07fcaf6a8f35a33520987d02937ab74234ad3ae7cf2c1a2d097b7f6dc75d14135

C:\Windows\SysWOW64\Ecbenm32.exe

MD5 3dc6fba599ab0e0c335447a9551d02d4
SHA1 f8d9959ab6489da865b1848d6bf58ecc59973c11
SHA256 0a7a672d75136e578fa5ea88eadfe877524b1424301270bd1a5fbab8b3a061a6
SHA512 70cd22252c223dd723e40f0a8e80ed5235f4c7955d19b287236cb89949015786e655332c380040ca4325ce729ddbd228db841590d28b7cf1fc9f9e7c42e8905a

C:\Windows\SysWOW64\Eqciba32.exe

MD5 7d4d6e1cccff62afde3f68265c525dc1
SHA1 80c109d37401a15e32c1730bc2a656d90125c9e7
SHA256 1c4ce5666bd57361239f3676ab3eec10d3908de1b8b613092097e0bf026ef0d9
SHA512 2c67e1bad123c3d89ec030bd9fbff43a21f0faebd96d505ed669696a9e61d16fa0d4d2aeeb095d35970c783b6f40a66b111fd37c4ea1b188103fd491bc135b96

C:\Windows\SysWOW64\Efneehef.exe

MD5 9249bb12d478229bee573c2baa086af3
SHA1 66e6e1f0d483bcd54a9886eaa3addfdf14933ad5
SHA256 8c35eaf273a46b4d0e8ce4f3e0fea16799157a9063ecd0fa39c3de6dc70d2b94
SHA512 86f103c6bd1098ecf3d5b8bb8037542d22114760e201f3aef1c1859d1067779f9d7c91ab10f7e89a3a084090f525b4e1286bc0f487bb77a52c66a84f80a2a160

C:\Windows\SysWOW64\Eqalmafo.exe

MD5 ead1756e9b9a3a1105a0420d691e041d
SHA1 49bbc5cb549ac9b833d95d77b47aad43f8ec6d65
SHA256 fe976a4f6b1abe90597d0c5dcec32ff5bdd0137c67c0528271b3cb22fe62349e
SHA512 f387994aaf7d87c2c1f650a60efbd009356949b572bef263ac951456692117855243d8dd2efd246b9e8c33658959a709e43b2639c83a6d73b85e0630741b56e0

memory/748-122-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1048-121-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1508-108-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1040-107-0x0000000000400000-0x0000000000442000-memory.dmp

memory/680-103-0x0000000000400000-0x0000000000442000-memory.dmp

memory/336-102-0x0000000000400000-0x0000000000442000-memory.dmp

memory/808-81-0x0000000000400000-0x0000000000442000-memory.dmp

memory/964-80-0x0000000000400000-0x0000000000442000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 14:11

Reported

2024-05-09 14:14

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggpimica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Inljnfkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojieip32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bebkpn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Claifkkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cljcelan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cndbcc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hodpgjha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qaefjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Begeknan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aiedjneg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfgaiaci.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Affhncfc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oomhcbjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfinoq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcknbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjknnbed.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qnigda32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alhjai32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abbbnchb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bhahlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bdooajdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dcknbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ogjimd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pijbfj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adeplhib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Boiccdnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qljkhe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ojieip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Comimg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmoipopd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ahokfj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdakgibq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccfhhffh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dqlafm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Baildokg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhahlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Apomfh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddokpmfo.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Oomhcbjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojieip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plcdgfbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Pijbfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjknnbed.exe N/A
N/A N/A C:\Windows\SysWOW64\Qaefjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qljkhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnigda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adeplhib.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Affhncfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiedjneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afiecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apajlhka.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpfhcje.exe N/A
N/A N/A C:\Windows\SysWOW64\Alhjai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbbnchb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boiccdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bebkpn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baildokg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Begeknan.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjlgiqbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clomqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfgaiaci.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfinoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddokpmfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddagfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnilobkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Djpmccqq.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Oomhcbjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Oomhcbjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojieip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojieip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plcdgfbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Plcdgfbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Pijbfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pijbfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjknnbed.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjknnbed.exe N/A
N/A N/A C:\Windows\SysWOW64\Qaefjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qaefjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qljkhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qljkhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnigda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnigda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adeplhib.exe N/A
N/A N/A C:\Windows\SysWOW64\Adeplhib.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Affhncfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Affhncfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiedjneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiedjneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afiecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afiecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apajlhka.exe N/A
N/A N/A C:\Windows\SysWOW64\Apajlhka.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpfhcje.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpfhcje.exe N/A
N/A N/A C:\Windows\SysWOW64\Alhjai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alhjai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbbnchb.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbbnchb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boiccdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Boiccdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bebkpn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bebkpn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baildokg.exe N/A
N/A N/A C:\Windows\SysWOW64\Baildokg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Begeknan.exe N/A
N/A N/A C:\Windows\SysWOW64\Begeknan.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Qnigda32.exe N/A
File created C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Adeplhib.exe N/A
File created C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Ogjimd32.exe N/A
File created C:\Windows\SysWOW64\Plcdgfbo.exe C:\Windows\SysWOW64\Ojieip32.exe N/A
File created C:\Windows\SysWOW64\Comimg32.exe C:\Windows\SysWOW64\Clomqk32.exe N/A
File created C:\Windows\SysWOW64\Kfqpfb32.dll C:\Windows\SysWOW64\Affhncfc.exe N/A
File created C:\Windows\SysWOW64\Gfhemi32.dll C:\Windows\SysWOW64\Ahokfj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Ddagfm32.exe N/A
File created C:\Windows\SysWOW64\Mdeced32.dll C:\Windows\SysWOW64\Dgodbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdooajdc.exe C:\Windows\SysWOW64\Bkfjhd32.exe N/A
File created C:\Windows\SysWOW64\Dnilobkm.exe C:\Windows\SysWOW64\Dgodbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File opened for modification C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Cfgaiaci.exe N/A
File created C:\Windows\SysWOW64\Hmhfjo32.dll C:\Windows\SysWOW64\Ghfbqn32.exe N/A
File created C:\Windows\SysWOW64\Blnhfb32.dll C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hodpgjha.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\SysWOW64\Icbimi32.exe N/A
File created C:\Windows\SysWOW64\Gbkgnfbd.exe C:\Windows\SysWOW64\Gpmjak32.exe N/A
File created C:\Windows\SysWOW64\Hnojdcfi.exe C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File created C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Qaefjm32.exe C:\Windows\SysWOW64\Qjknnbed.exe N/A
File opened for modification C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Adeplhib.exe N/A
File created C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Eqonkmdh.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Ggpimica.exe N/A
File created C:\Windows\SysWOW64\Jjcpjl32.dll C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File created C:\Windows\SysWOW64\Bagmdc32.dll C:\Windows\SysWOW64\Apomfh32.exe N/A
File created C:\Windows\SysWOW64\Mbiiek32.dll C:\Windows\SysWOW64\Cfinoq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dmoipopd.exe N/A
File created C:\Windows\SysWOW64\Qahefm32.dll C:\Windows\SysWOW64\Gpmjak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Inljnfkg.exe N/A
File created C:\Windows\SysWOW64\Hqddgc32.dll C:\Windows\SysWOW64\Aplpai32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afiecb32.exe C:\Windows\SysWOW64\Apomfh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjpqdp32.exe C:\Windows\SysWOW64\Ccfhhffh.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddokpmfo.exe C:\Windows\SysWOW64\Cndbcc32.exe N/A
File created C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Lbjhdo32.dll C:\Windows\SysWOW64\Qjknnbed.exe N/A
File created C:\Windows\SysWOW64\Gmdecfpj.dll C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
File created C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Clcflkic.exe N/A
File created C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eihfjo32.exe N/A
File created C:\Windows\SysWOW64\Gacpdbej.exe C:\Windows\SysWOW64\Goddhg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File created C:\Windows\SysWOW64\Pijbfj32.exe C:\Windows\SysWOW64\Plcdgfbo.exe N/A
File opened for modification C:\Windows\SysWOW64\Boiccdnf.exe C:\Windows\SysWOW64\Ahokfj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cdakgibq.exe N/A
File opened for modification C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Cphlljge.exe N/A
File created C:\Windows\SysWOW64\Clomqk32.exe C:\Windows\SysWOW64\Cjpqdp32.exe N/A
File created C:\Windows\SysWOW64\Njdfjjia.dll C:\Windows\SysWOW64\Oomhcbjp.exe N/A
File created C:\Windows\SysWOW64\Cdjgej32.dll C:\Windows\SysWOW64\Ojieip32.exe N/A
File created C:\Windows\SysWOW64\Gncffdfn.dll C:\Windows\SysWOW64\Bnpmipql.exe N/A
File created C:\Windows\SysWOW64\Cgcmfjnn.dll C:\Windows\SysWOW64\Dcknbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gkgkbipp.exe N/A
File created C:\Windows\SysWOW64\Eggbcg32.dll C:\Windows\SysWOW64\Ogjimd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qljkhe32.exe C:\Windows\SysWOW64\Qaefjm32.exe N/A
File created C:\Windows\SysWOW64\Dodonf32.exe C:\Windows\SysWOW64\Dgmglh32.exe N/A
File created C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Ggpimica.exe N/A
File created C:\Windows\SysWOW64\Ebbjqa32.dll C:\Windows\SysWOW64\Plcdgfbo.exe N/A
File created C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Affhncfc.exe N/A
File opened for modification C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Afiecb32.exe N/A
File created C:\Windows\SysWOW64\Lefmambf.dll C:\Windows\SysWOW64\Dmoipopd.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Inljnfkg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bebkpn32.exe C:\Windows\SysWOW64\Boiccdnf.exe N/A
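The rows above show the pattern of the drop: every process in the chain creates the next executable plus a DLL, all in SysWOW64 and all unsigned. The following is an added triage script, not part of the sandbox report and not the sample's own code, that sweeps that directory for recently created .exe/.dll files lacking a valid signature. It assumes Windows PowerShell 5.1 or PowerShell 7 on 64-bit Windows; the 7-day window and the `$Dir` parameter are hypothetical defaults to adjust to the incident.

```powershell
# Added file-system triage check (example code, not from the sandbox report or the sample):
# list .exe/.dll files in SysWOW64 created within a recent window that do not carry a valid
# Authenticode or catalog signature, which is the shape of the drops recorded above.
# Assumes Windows PowerShell 5.1+ on 64-bit Windows. $Days is a hypothetical default.

param(
    [int]$Days = 7,
    [string]$Dir = "$env:SystemRoot\SysWOW64"
)

$since = (Get-Date).AddDays(-$Days)

# Filter on creation time first; it is cheap and keeps the signature checks to a handful of files.
$candidates = Get-ChildItem -LiteralPath $Dir -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -in @('.exe', '.dll')) -and ($_.CreationTime -ge $since) }

$report = foreach ($f in $candidates) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Name    = $f.Name
        Created = $f.CreationTime
        Bytes   = $f.Length
        Status  = [string]$sig.Status           # Valid, NotSigned, HashMismatch, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}

# Unsigned or tampered files first; a clean system normally returns nothing here.
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Created | Format-Table -AutoSize
```

Get-AuthenticodeSignature also consults the system catalogs on supported Windows versions, so stock binaries in SysWOW64 report Valid and the residue is short. Creation timestamps can be altered after the fact, so when the window comes back empty on a host you still suspect, widen `$Days` or cross-check against the USN journal rather than trusting the timestamp alone. Because each generation in the chain above writes a fresh executable and DLL, hits tend to come in pairs with near-identical creation times, which is itself a useful signal.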

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Alhjai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbknb.dll" C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qefpjhef.dll" C:\Windows\SysWOW64\Ccfhhffh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfinoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll" C:\Windows\SysWOW64\Amndem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aplpai32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ddokpmfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Inljnfkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apajlhka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icplghmh.dll" C:\Windows\SysWOW64\Boiccdnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqlafm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojieip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amndem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abpfhcje.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" C:\Windows\SysWOW64\Bebkpn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Baildokg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adeplhib.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ahokfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll" C:\Windows\SysWOW64\Cnippoha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahokfj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Clomqk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcfgc32.dll" C:\Windows\SysWOW64\Aiedjneg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Claifkkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll" C:\Windows\SysWOW64\Ddagfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Plcdgfbo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Apomfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alhjai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppiecpn.dll" C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbjqa32.dll" C:\Windows\SysWOW64\Plcdgfbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Affhncfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Boiccdnf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Afiecb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cljcelan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gdopkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hahjpbad.exe N/A
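Every InProcServer32 row above registers a dropped DLL as the in-process server for the single CLSID {79FAA099-1BAE-816E-D711-115290CEE717}; an entry naming that CLSID under ShellServiceObjectDelayLoad (SSODL) is what makes Explorer instantiate it at logon. The following is an added host check, not part of the sandbox report and not the sample's own code, that resolves each SSODL entry to its registered server DLL and flags anything unsigned, outside System32, or matching the CLSID recorded here. It assumes Windows PowerShell 5.1 or PowerShell 7 on 64-bit Windows; reading HKLM\SOFTWARE needs no elevation, and HKCU is checked only for the current user.

```powershell
# Added host triage check (example code, not the sandbox's signature logic and not the sample's code):
# resolve every ShellServiceObjectDelayLoad (SSODL) entry to its CLSID's InProcServer32 DLL and
# flag servers that are unsigned, live outside System32, or match the CLSID seen in this report.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on 64-bit Windows.

$KnownBadClsid = '{79FAA099-1BAE-816E-D711-115290CEE717}'   # CLSID from this report's registry events

# SSODL exists in both registry views on 64-bit Windows; the sample, being 32-bit, wrote the WOW64 one.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
# COM class lookup consults HKCU\Software\Classes before HKLM, so a per-user hijack is checked first.
$ClsidRoots = @(
    'HKCU:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Resolve-InProcServer {
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        return [pscustomobject]@{
            Key  = $key
            Path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
        }
    }
    return $null
}

$findings = foreach ($ssodl in $SsodlKeys) {
    if (-not (Test-Path -LiteralPath $ssodl)) { continue }
    $entries = Get-ItemProperty -LiteralPath $ssodl
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }              # skip PSPath/PSParentPath/... metadata
        $clsid  = [string]$p.Value
        $server = Resolve-InProcServer -Clsid $clsid
        $status = 'NoServer'
        if ($server) {
            $status = if (Test-Path -LiteralPath $server.Path) {
                [string](Get-AuthenticodeSignature -FilePath $server.Path).Status
            } else { 'FileMissing' }
        }
        # Legitimate shell service objects ship in System32; a server under SysWOW64 or elsewhere is a lead.
        $outsideSystem32 = $server -and ($server.Path -notmatch '^[A-Za-z]:\\Windows\\System32\\')
        [pscustomobject]@{
            SsodlView  = if ($ssodl -match 'WOW6432Node') { 'WOW64' } else { 'Native' }
            EntryName  = $p.Name
            Clsid      = $clsid
            ServerDll  = if ($server) { $server.Path } else { $null }
            Signature  = $status
            Suspicious = ($clsid -ieq $KnownBadClsid) -or ($status -ne 'Valid') -or $outsideSystem32
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Two caveats follow from the table itself. First, several processes in the chain (Ghfbqn32.exe, Bkfjhd32.exe, Ccfhhffh.exe, Amndem32.exe and others) each point the same CLSID at a different freshly dropped DLL, so the live registry shows only the last writer; the earlier DLLs are still on disk and must be found by sweeping the file system, not by reading the key. Second, every key here is under Wow6432Node because the sample is a 32-bit image running from SysWOW64, and a 64-bit Explorer cannot load a 32-bit in-process server, so on this platform treat the WOW64 registration as an indicator of compromise rather than proof that the shell actually loads the DLL; the native-view entries are the ones that would be live for a 64-bit shell. The ThreadingModel = "Apartment" value is what any ordinary shell extension sets and is not suspicious on its own.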

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe C:\Windows\SysWOW64\Oomhcbjp.exe
PID 1792 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe C:\Windows\SysWOW64\Oomhcbjp.exe
PID 1792 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe C:\Windows\SysWOW64\Oomhcbjp.exe
PID 1792 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe C:\Windows\SysWOW64\Oomhcbjp.exe
PID 2892 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Oomhcbjp.exe C:\Windows\SysWOW64\Ogjimd32.exe
PID 2892 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Oomhcbjp.exe C:\Windows\SysWOW64\Ogjimd32.exe
PID 2892 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Oomhcbjp.exe C:\Windows\SysWOW64\Ogjimd32.exe
PID 2892 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Oomhcbjp.exe C:\Windows\SysWOW64\Ogjimd32.exe
PID 3064 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Ogjimd32.exe C:\Windows\SysWOW64\Ojieip32.exe
PID 3064 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Ogjimd32.exe C:\Windows\SysWOW64\Ojieip32.exe
PID 3064 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Ogjimd32.exe C:\Windows\SysWOW64\Ojieip32.exe
PID 3064 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Ogjimd32.exe C:\Windows\SysWOW64\Ojieip32.exe
PID 2784 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Plcdgfbo.exe
PID 2784 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Plcdgfbo.exe
PID 2784 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Plcdgfbo.exe
PID 2784 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ojieip32.exe C:\Windows\SysWOW64\Plcdgfbo.exe
PID 2812 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Plcdgfbo.exe C:\Windows\SysWOW64\Pijbfj32.exe
PID 2812 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Plcdgfbo.exe C:\Windows\SysWOW64\Pijbfj32.exe
PID 2812 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Plcdgfbo.exe C:\Windows\SysWOW64\Pijbfj32.exe
PID 2812 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Plcdgfbo.exe C:\Windows\SysWOW64\Pijbfj32.exe
PID 2832 wrote to memory of 2232 N/A C:\Windows\SysWOW64\Pijbfj32.exe C:\Windows\SysWOW64\Qjknnbed.exe
PID 2832 wrote to memory of 2232 N/A C:\Windows\SysWOW64\Pijbfj32.exe C:\Windows\SysWOW64\Qjknnbed.exe
PID 2832 wrote to memory of 2232 N/A C:\Windows\SysWOW64\Pijbfj32.exe C:\Windows\SysWOW64\Qjknnbed.exe
PID 2832 wrote to memory of 2232 N/A C:\Windows\SysWOW64\Pijbfj32.exe C:\Windows\SysWOW64\Qjknnbed.exe
PID 2232 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Qjknnbed.exe C:\Windows\SysWOW64\Qaefjm32.exe
PID 2232 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Qjknnbed.exe C:\Windows\SysWOW64\Qaefjm32.exe
PID 2232 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Qjknnbed.exe C:\Windows\SysWOW64\Qaefjm32.exe
PID 2232 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Qjknnbed.exe C:\Windows\SysWOW64\Qaefjm32.exe
PID 1976 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Qaefjm32.exe C:\Windows\SysWOW64\Qljkhe32.exe
PID 1976 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Qaefjm32.exe C:\Windows\SysWOW64\Qljkhe32.exe
PID 1976 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Qaefjm32.exe C:\Windows\SysWOW64\Qljkhe32.exe
PID 1976 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Qaefjm32.exe C:\Windows\SysWOW64\Qljkhe32.exe
PID 2836 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Qljkhe32.exe C:\Windows\SysWOW64\Qnigda32.exe
PID 2836 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Qljkhe32.exe C:\Windows\SysWOW64\Qnigda32.exe
PID 2836 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Qljkhe32.exe C:\Windows\SysWOW64\Qnigda32.exe
PID 2836 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Qljkhe32.exe C:\Windows\SysWOW64\Qnigda32.exe
PID 2964 wrote to memory of 2040 N/A C:\Windows\SysWOW64\Qnigda32.exe C:\Windows\SysWOW64\Adeplhib.exe
PID 2964 wrote to memory of 2040 N/A C:\Windows\SysWOW64\Qnigda32.exe C:\Windows\SysWOW64\Adeplhib.exe
PID 2964 wrote to memory of 2040 N/A C:\Windows\SysWOW64\Qnigda32.exe C:\Windows\SysWOW64\Adeplhib.exe
PID 2964 wrote to memory of 2040 N/A C:\Windows\SysWOW64\Qnigda32.exe C:\Windows\SysWOW64\Adeplhib.exe
PID 2040 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Amndem32.exe
PID 2040 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Amndem32.exe
PID 2040 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Amndem32.exe
PID 2040 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Amndem32.exe
PID 2424 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2424 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2424 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2424 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2444 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Affhncfc.exe
PID 2444 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Affhncfc.exe
PID 2444 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Affhncfc.exe
PID 2444 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Affhncfc.exe
PID 2452 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Aiedjneg.exe
PID 2452 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Aiedjneg.exe
PID 2452 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Aiedjneg.exe
PID 2452 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Aiedjneg.exe
PID 2100 wrote to memory of 2252 N/A C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Apomfh32.exe
PID 2100 wrote to memory of 2252 N/A C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Apomfh32.exe
PID 2100 wrote to memory of 2252 N/A C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Apomfh32.exe
PID 2100 wrote to memory of 2252 N/A C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Apomfh32.exe
PID 2252 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Afiecb32.exe
PID 2252 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Afiecb32.exe
PID 2252 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Afiecb32.exe
PID 2252 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Apomfh32.exe C:\Windows\SysWOW64\Afiecb32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5677fc7ab5cf253355ed426bd8f75f10_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Oomhcbjp.exe

C:\Windows\system32\Oomhcbjp.exe

C:\Windows\SysWOW64\Ogjimd32.exe

C:\Windows\system32\Ogjimd32.exe

C:\Windows\SysWOW64\Ojieip32.exe

C:\Windows\system32\Ojieip32.exe

C:\Windows\SysWOW64\Plcdgfbo.exe

C:\Windows\system32\Plcdgfbo.exe

C:\Windows\SysWOW64\Pijbfj32.exe

C:\Windows\system32\Pijbfj32.exe

C:\Windows\SysWOW64\Qjknnbed.exe

C:\Windows\system32\Qjknnbed.exe

C:\Windows\SysWOW64\Qaefjm32.exe

C:\Windows\system32\Qaefjm32.exe

C:\Windows\SysWOW64\Qljkhe32.exe

C:\Windows\system32\Qljkhe32.exe

C:\Windows\SysWOW64\Qnigda32.exe

C:\Windows\system32\Qnigda32.exe

C:\Windows\SysWOW64\Adeplhib.exe

C:\Windows\system32\Adeplhib.exe

C:\Windows\SysWOW64\Amndem32.exe

C:\Windows\system32\Amndem32.exe

C:\Windows\SysWOW64\Aplpai32.exe

C:\Windows\system32\Aplpai32.exe

C:\Windows\SysWOW64\Affhncfc.exe

C:\Windows\system32\Affhncfc.exe

C:\Windows\SysWOW64\Aiedjneg.exe

C:\Windows\system32\Aiedjneg.exe

C:\Windows\SysWOW64\Apomfh32.exe

C:\Windows\system32\Apomfh32.exe

C:\Windows\SysWOW64\Afiecb32.exe

C:\Windows\system32\Afiecb32.exe

C:\Windows\SysWOW64\Apajlhka.exe

C:\Windows\system32\Apajlhka.exe

C:\Windows\SysWOW64\Abpfhcje.exe

C:\Windows\system32\Abpfhcje.exe

C:\Windows\SysWOW64\Alhjai32.exe

C:\Windows\system32\Alhjai32.exe

C:\Windows\SysWOW64\Abbbnchb.exe

C:\Windows\system32\Abbbnchb.exe

C:\Windows\SysWOW64\Ahokfj32.exe

C:\Windows\system32\Ahokfj32.exe

C:\Windows\SysWOW64\Boiccdnf.exe

C:\Windows\system32\Boiccdnf.exe

C:\Windows\SysWOW64\Bebkpn32.exe

C:\Windows\system32\Bebkpn32.exe

C:\Windows\SysWOW64\Bhahlj32.exe

C:\Windows\system32\Bhahlj32.exe

C:\Windows\SysWOW64\Baildokg.exe

C:\Windows\system32\Baildokg.exe

C:\Windows\SysWOW64\Bkaqmeah.exe

C:\Windows\system32\Bkaqmeah.exe

C:\Windows\SysWOW64\Bnpmipql.exe

C:\Windows\system32\Bnpmipql.exe

C:\Windows\SysWOW64\Begeknan.exe

C:\Windows\system32\Begeknan.exe

C:\Windows\SysWOW64\Bkdmcdoe.exe

C:\Windows\system32\Bkdmcdoe.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bkfjhd32.exe

C:\Windows\system32\Bkfjhd32.exe

C:\Windows\SysWOW64\Bdooajdc.exe

C:\Windows\system32\Bdooajdc.exe

C:\Windows\SysWOW64\Cjlgiqbk.exe

C:\Windows\system32\Cjlgiqbk.exe

C:\Windows\SysWOW64\Cljcelan.exe

C:\Windows\system32\Cljcelan.exe

C:\Windows\SysWOW64\Cdakgibq.exe

C:\Windows\system32\Cdakgibq.exe

C:\Windows\SysWOW64\Cfbhnaho.exe

C:\Windows\system32\Cfbhnaho.exe

C:\Windows\SysWOW64\Cnippoha.exe

C:\Windows\system32\Cnippoha.exe

C:\Windows\SysWOW64\Cphlljge.exe

C:\Windows\system32\Cphlljge.exe

C:\Windows\SysWOW64\Ccfhhffh.exe

C:\Windows\system32\Ccfhhffh.exe

C:\Windows\SysWOW64\Cjpqdp32.exe

C:\Windows\system32\Cjpqdp32.exe

C:\Windows\SysWOW64\Clomqk32.exe

C:\Windows\system32\Clomqk32.exe

C:\Windows\SysWOW64\Comimg32.exe

C:\Windows\system32\Comimg32.exe

C:\Windows\SysWOW64\Cfgaiaci.exe

C:\Windows\system32\Cfgaiaci.exe

C:\Windows\SysWOW64\Claifkkf.exe

C:\Windows\system32\Claifkkf.exe

C:\Windows\SysWOW64\Cckace32.exe

C:\Windows\system32\Cckace32.exe

C:\Windows\SysWOW64\Cfinoq32.exe

C:\Windows\system32\Cfinoq32.exe

C:\Windows\SysWOW64\Clcflkic.exe

C:\Windows\system32\Clcflkic.exe

C:\Windows\SysWOW64\Cobbhfhg.exe

C:\Windows\system32\Cobbhfhg.exe

C:\Windows\SysWOW64\Cndbcc32.exe

C:\Windows\system32\Cndbcc32.exe

C:\Windows\SysWOW64\Ddokpmfo.exe

C:\Windows\system32\Ddokpmfo.exe

C:\Windows\SysWOW64\Dgmglh32.exe

C:\Windows\system32\Dgmglh32.exe

C:\Windows\SysWOW64\Dodonf32.exe

C:\Windows\system32\Dodonf32.exe

C:\Windows\SysWOW64\Dbbkja32.exe

C:\Windows\system32\Dbbkja32.exe

C:\Windows\SysWOW64\Ddagfm32.exe

C:\Windows\system32\Ddagfm32.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Dnilobkm.exe

C:\Windows\system32\Dnilobkm.exe

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dcfdgiid.exe

C:\Windows\system32\Dcfdgiid.exe

C:\Windows\SysWOW64\Djpmccqq.exe

C:\Windows\system32\Djpmccqq.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dgdmmgpj.exe

C:\Windows\system32\Dgdmmgpj.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Dqlafm32.exe

C:\Windows\system32\Dqlafm32.exe

C:\Windows\SysWOW64\Dcknbh32.exe

C:\Windows\system32\Dcknbh32.exe

C:\Windows\SysWOW64\Dfijnd32.exe

C:\Windows\system32\Dfijnd32.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gejcjbah.exe

C:\Windows\system32\Gejcjbah.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gkgkbipp.exe

C:\Windows\system32\Gkgkbipp.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gdopkn32.exe

C:\Windows\system32\Gdopkn32.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Inljnfkg.exe

C:\Windows\system32\Inljnfkg.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 140
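The Processes listing above shows each image twice, once under `C:\Windows\SysWOW64` and once under the `C:\Windows\system32` path it is redirected from (a 32-bit process on 64-bit Windows that names system32 is redirected to SysWOW64, so both lines denote one on-disk file), and the Files listing that follows gives each dropped binary with its MD5, SHA1, SHA256 and SHA512. Those two listings are the report's usable indicators. The Python below is an added example, not part of the report or of any sandbox tooling: it parses this plain-text layout into structured IOCs, builds a SHA256 index from the Files entries, and sweeps a directory with it. The sample text is constructed from lines on this page. The filename heuristic (an 8-character capitalised stem, either eight letters or six letters plus "32") is an assumption read off this listing, not a published Berbew signature, and is reported separately from hash matches for that reason.

```python
"""Turn this report's Processes/Files listing into IOCs and hunt with them."""
import hashlib
import os
import re
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Constructed sample: lines copied from the report above, one value per line
# as the report prints them (its blank separator lines are skipped anyway).
SAMPLE_REPORT = r"""
C:\Windows\SysWOW64\Cndbcc32.exe
C:\Windows\system32\Cndbcc32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 140
memory/1792-4-0x0000000000400000-0x0000000000442000-memory.dmp
\Windows\SysWOW64\Oomhcbjp.exe
MD5 85339c0f25f8b4279b33f01111eb789f
SHA1 d8b69080ab333be4b40aeb8b51b69f324b8f05e0
SHA256 1869ed8bf12f67ce6586d0f2c6e76bf8963ccc18df1debc2542bb9144e806931
SHA512 6fa32b40764aaacb165593c2f23bddf616c131a86253d3ddd4db779a01c0cebe54c375935d6f8fdf26b099c7381251b38425bce94e630decf38f7ca9f6c5f8fa
memory/2892-31-0x0000000000450000-0x0000000000492000-memory.dmp
C:\Windows\SysWOW64\Ebbjqa32.dll
MD5 707055ad61b668c1ca3e9bb663ed4bca
SHA1 d6166dcac8ec10cc7d9681302d6d37ddca91912e
SHA256 e9bb6479cc2933a0a40a3a81de51c67aa217e10c5adc5fc934c63dd1392a3a18
SHA512 cbe879bd2acf7328fc20fb40fd7e7bdbc517d3c3ff25f61638e40818439d14833a5dcc4fd4837833421c8dd14f511ba1967dbf0c6a69bc8f0b096983d6f885b6
"""

WINDIR = r"^(?:[A-Za-z]:)?\\Windows\\(?:SysWOW64|system32)\\"
PATH_RE = re.compile(WINDIR + r"[^\\\s]+$", re.IGNORECASE)       # bare image path
CMDLINE_RE = re.compile(WINDIR + r"\S+\s+\S.*$", re.IGNORECASE)  # image path plus arguments
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
# Heuristic read off this listing (assumption, not a published signature): every
# dropped name is a capitalised 8-character stem, eight letters or six letters + "32".
DROPPED_NAME_RE = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")


class FileEntry(NamedTuple):
    path: str
    name: str
    hashes: Dict[str, str]  # algorithm -> lowercase hex digest


def parse_report(text: str) -> Dict[str, list]:
    """Single pass: a path line becomes a file entry once hash lines follow it."""
    entries: List[FileEntry] = []
    command_lines: List[str] = []
    regions: List[Tuple[int, int, int, int]] = []  # (pid, dump index, start, end)
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if (m := HASH_RE.match(line)) and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        current = None
        if m := MEMDUMP_RE.match(line):
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
        elif CMDLINE_RE.match(line):
            command_lines.append(line)
        elif PATH_RE.match(line):
            current = FileEntry(line, line.rsplit("\\", 1)[-1], {})
            entries.append(current)
    return {
        "files": [e for e in entries if e.hashes],
        # A WOW64 process that names system32 is redirected to SysWOW64, so the
        # paired SysWOW64/system32 lines in the report denote one on-disk image.
        "processes": sorted({e.name for e in entries if not e.hashes}),
        "command_lines": command_lines,
        "memory_regions": regions,
    }


def sha256_index(report: Dict[str, list]) -> Dict[str, str]:
    return {e.hashes["SHA256"]: e.path for e in report["files"] if "SHA256" in e.hashes}


def match_digests(digests: Iterable[str], index: Dict[str, str]) -> Dict[str, str]:
    # Case-insensitive lookup of observed digests (EDR export, hash sweep) against the report.
    return {d.lower(): index[d.lower()] for d in digests if d.lower() in index}


def looks_like_dropped_name(filename: str) -> bool:
    return DROPPED_NAME_RE.match(filename) is not None


def scan_directory(root: str, index: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Hash every file under root; report exact IOC hits and name-pattern hints separately."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full, h = os.path.join(dirpath, name), hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue  # unreadable or vanished file; move on
            digest = h.hexdigest()
            if digest in index:
                hits.append((full, digest, "sha256 match for " + index[digest]))
            elif looks_like_dropped_name(name):
                hits.append((full, digest, "name pattern only"))
    return hits
```

Feed `parse_report` the whole report text to get every dropped file; `match_digests` takes a list of SHA256 values exported from an EDR or a hash sweep, and `scan_directory` is for a mounted disk image or a live `SysWOW64` directory. The memory-dump names parse to `(pid, index, start, end)`; on this page every region is `0x42000` bytes, consistent with each hop in the chain being a copy of the same image. Treat a "name pattern only" hit as a lead to hash and inspect, not as a detection.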

Network

N/A

Files

memory/1792-4-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Oomhcbjp.exe

MD5 85339c0f25f8b4279b33f01111eb789f
SHA1 d8b69080ab333be4b40aeb8b51b69f324b8f05e0
SHA256 1869ed8bf12f67ce6586d0f2c6e76bf8963ccc18df1debc2542bb9144e806931
SHA512 6fa32b40764aaacb165593c2f23bddf616c131a86253d3ddd4db779a01c0cebe54c375935d6f8fdf26b099c7381251b38425bce94e630decf38f7ca9f6c5f8fa

memory/1792-6-0x0000000000250000-0x0000000000292000-memory.dmp

\Windows\SysWOW64\Ogjimd32.exe

MD5 0311d9610cc42c6e63047f85f110c7e7
SHA1 fcc9977f2756a3096a274e3ea3f21e590704faa4
SHA256 6c0aa955fffb49c9f9219e4068b778d8cd51724458737e119a408d231160574c
SHA512 637a2d8408d4318d98fb702962245ff0b9c0dcc3aaa1e58a232fa2c6db306d9332551c88ebcb3f3ca30a19b7d41952f9215c105a71193a55f0f9249eedb131d7

memory/3064-32-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ojieip32.exe

MD5 8acb226ed69a1ed7d5e87e226cba4c0e
SHA1 383bbf8a411659e1079ee2bb8aaa2ce34abf57fd
SHA256 0b0989cfc5c1ee3affeea3ae5b30cb847d24475aa84ba3ce83caf7e5e16f010d
SHA512 a5ca7c91083d642242f09c34cba2eb6c4c2f16af97677ff0c8bd432a3f9ebd6d6f942cc7318d3183bfb96d4eabaf6c51942e2b357e065a7f6a0ef5661a1da550

memory/2784-40-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2892-31-0x0000000000450000-0x0000000000492000-memory.dmp

memory/2892-25-0x0000000000450000-0x0000000000492000-memory.dmp

\Windows\SysWOW64\Plcdgfbo.exe

MD5 7b8c27df45cf202a5ceb2915f7f75e76
SHA1 d9c4619d29ae91c1da32fdb0f5aa6bbb1e79771f
SHA256 0b3acc3653d0db8cfcebc9969c93910d6d2cd35eb02fece5bf26d1cb7a7d0e4e
SHA512 f594688007dc36a095cd5b6a2cbde4b950dc2653679b3db43e6f4ecec3f71a320df5e20dd69f3a208b852f6ee2010a0d94f531724786288285a4f1f15826c9bd

memory/2784-47-0x0000000000300000-0x0000000000342000-memory.dmp

C:\Windows\SysWOW64\Ebbjqa32.dll

MD5 707055ad61b668c1ca3e9bb663ed4bca
SHA1 d6166dcac8ec10cc7d9681302d6d37ddca91912e
SHA256 e9bb6479cc2933a0a40a3a81de51c67aa217e10c5adc5fc934c63dd1392a3a18
SHA512 cbe879bd2acf7328fc20fb40fd7e7bdbc517d3c3ff25f61638e40818439d14833a5dcc4fd4837833421c8dd14f511ba1967dbf0c6a69bc8f0b096983d6f885b6

C:\Windows\SysWOW64\Pijbfj32.exe

MD5 ee39a9b24db85de3d6703364b5c07063
SHA1 241472eab4627068d0f9de8475dc838200567e4a
SHA256 e4c4651dd12618403cee22ae895c85fec5f9ddd8cc45b9a914ffee768a27b585
SHA512 dfd2cda1fe13345aeb5a98f9e981ebe0abb63b9f31a52bb5dbb901e2490e3cc50bda64aec3364ef61acb256ece23a0ebf083f7a98abd449ad012ed182a095892

C:\Windows\SysWOW64\Qjknnbed.exe

MD5 86b9db318f96f7ff3e7c8dea2ac2a813
SHA1 7e9e80e6858218c878c8c02dbebe9a27621f476a
SHA256 dd6244bf61536afd461afc25dfd5a932b2bdab06028c42cc56c76478ee53dee3
SHA512 4082c7a1f5186c80ebb8ff5444a4c838942e68feac79ad39b3a7b1bd540a95120b4b6779b32feb0e6cb1bcbc48ec60902b5700f87f0ffa37bd0b7698d4886fff

C:\Windows\SysWOW64\Qaefjm32.exe

MD5 11b853a40e255df36acdec8a5b2015a1
SHA1 74ddc8de5bd6dc840e9a422157674769b34f6e45
SHA256 bdbcfcec726c6b8a7fda4e4c387cb1a74b858860af1fb12ef6a4233787524077
SHA512 5bab6ed848766935c4ca49881f49a0cedfe1f1142f848c61e90fa16cce8936346045299943a46a6c8374e212ca76bc777e83826b8a935ec4c6a7f3d01947ced0

C:\Windows\SysWOW64\Qljkhe32.exe

MD5 067fb34ce3fceade1239e4fa4b9e15f3
SHA1 015627181b2b725141d28202000ec71031397fd3
SHA256 081d9712763a4326d8f7365fae3ebb494cc53569907b9d84bab57d5c1f5d62ca
SHA512 9588159b07bf9827c29c0764dd8ef4c6dd82b9ef8520769af3571544545aa0603c18b871a70f4e97b5913f60ab27a541ffbe5faf473e21ea8419125d3c6cbd69

C:\Windows\SysWOW64\Qnigda32.exe

MD5 c0429dad32592892ab6ec0d6c42d1748
SHA1 af1b58669c4e741a13376f476a28d59c172aee32
SHA256 29bace9a1dbf1a6b2a7c927d3847cf3e4ea1192ef285f105cde7f0579b70b12d
SHA512 c935e89937ee02ab1ba369179322eccd27fb9da66ac735b00827a1028b18df0aa6e1a1fbe37d5efdd8106fd366023d8de555a3c4efb10b563fd5bcd02d4a7b0a

C:\Windows\SysWOW64\Adeplhib.exe

MD5 ec38ce6d87c487946df70c3cabd36da5
SHA1 3d4ffbe299f4ae880ad10836a7207630cf0382db
SHA256 84dd99cb8630d39c1c76bf239821ba28ec0ca01a296fce133f25b5b689ec16e3
SHA512 05573428ff03ed6fa78968fe3208df0abdd23acfc11be20c0ff0072e2d130301d56a821a5a563549401f63afa0b3b8dfe4633c8ccf9b64a0b3437c70c80a4ac5

C:\Windows\SysWOW64\Amndem32.exe

MD5 bb58bcc6361bac7a8f37cddb224a2440
SHA1 8254157179bc900e9d4b99013e5fdaf632468664
SHA256 9b8b34adb9ea7bccebeac6a5a8d0b1da3180b93c578237d6a4ddbf1b023e9153
SHA512 c56b5760e0bfdf38f163835d691d38a298efb27b5989f3b5fc92ab054ef91f18a837db15eacab1dd1db04eb6011111f445d559d75b8785738669a7f29360ff12

C:\Windows\SysWOW64\Aplpai32.exe

MD5 d3c0f32257a2fde97f89c30ed0bbff54
SHA1 c3f96b24f398e73a5b266def22c5f04c48d54531
SHA256 7a29ca923e50dd9ec4be44d4488401eb49734405c4ac5f5b5a2f8b257506d1ba
SHA512 b323e297c4edfdf26cb0bd2a061a19e7b2b38c348c8d3e17e03da66a03b8ec2e9c33476e704fc9f3e90b89cbf1b39ff32972909d03d6f13aa127ed3dde59a891

C:\Windows\SysWOW64\Apomfh32.exe

MD5 4a2d2be4c5762d0de86aeed7ded1c249
SHA1 3c3da1d134aff02d8f7221c93b444c52677f3d6f
SHA256 84e8cb64cc4bdc88eef5a0bd8965724459bc1b83dd1814956e03aa0ab6abeba0
SHA512 28d793ea5a7d744b17a53235853c90ecc438716e73c28f781474edb55ae6a19a088f7606afddacb541a65801fc09c86b375d6880302228f55f58c2c9e75f5cf8

C:\Windows\SysWOW64\Abpfhcje.exe

MD5 26892ba4658b28c734d5e186126d4d87
SHA1 12efbb544956a57dc241e925275fc3525d81b2e0
SHA256 eab09113cde240c7917637341716fb71765c584b1317baee94106862b31dafc1
SHA512 e434eabe570acc05dedc81d83ecfa93c5f115a388496deb68c5370aead231ecb4e0db5465f5741d17ac5205712286f13e3a0297caba2be4978fb76b87078fbba

C:\Windows\SysWOW64\Boiccdnf.exe

MD5 4970ff1cae50319b474a39d832c8fab2
SHA1 0b96099b4acaedf19076f55365d61e01ebcaf991
SHA256 ab12acedd80f1058ea759ca2a0139e8c9f71fb88bb93a07410bd3ebe276b0eb9
SHA512 b5937ee01b8e3c1362ad67a8610c92ef7877c6f5ef73b16a095aa6e8f9e783379417ab7ee40016c34482dd50ec7b79898ae5f4624a0897d20968c608a0c102ec

C:\Windows\SysWOW64\Bnpmipql.exe

MD5 1026dadeecc8949ec54dc588db9f4251
SHA1 6d238c800baa1048a984c065ab226d37799af1ac
SHA256 b68f506133b5035a95e4004f7c6e691801a5595033e9ea25e24e763768799cd3
SHA512 019022ab39109a1c15a216d696a71ff858b752aa3051b31d795f2b59043422d123d2a99291dcec4675a2a02bd7a1b05d637fe4287172fe14af49d66ad068cc85

C:\Windows\SysWOW64\Bkdmcdoe.exe

MD5 f21714351faf31ef1528b5e2d492a248
SHA1 50ac429115543b3b2c81403b2feeec9aec9ab6ac
SHA256 66187cbda156b5f75285d3560e47f8e64416c350ad68adda9a331b795efe5f5b
SHA512 513fc99c5834b0dbdcd9e206ec49130604c86e4996dd674a0272bd9b283fdb5268cfc94bc5768051cb04821196536740b0a9cf376b6500a4c90e71f0d1ab7493

C:\Windows\SysWOW64\Cckace32.exe

MD5 12ce70382b24a8c55de26c44c94b4c6c
SHA1 fb38f9e32148070a72d8bbc083a60b4f777652a4
SHA256 6ea81088cc255e01a165650f7906576add7b284dee1f27b638aa45e0287fa820
SHA512 47c9ba2566389498bdb241acf6416e8317eb3d3a58c0c2e874c167f49d3cdd0ce56d1f721a97961a9210d3e4d89c34538821291d79f0f48fcad793928500c6e7

C:\Windows\SysWOW64\Dnilobkm.exe

MD5 c903371962808e342cec52b707f7024b
SHA1 38fa9e07669d1bcc2cf8b673950e757750078b03
SHA256 c039679fae13393d2fd51d86946f00ad3fab9c4ade3eb636851a7ea09441bdb9
SHA512 500e2d721367a0cd15ef49cbad500234094d6102495290f55a2a35b09163043d2905862f34749924b509a1c1e31166d8be859531b3cd03c1c6ba1483952b71ea

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 46cf2ce9dd1afa271f4f81f90119bfc3
SHA1 97d85310dcfd5fd50c5652df83ce913b4e8b58b1
SHA256 f8274403b30434023f175b468ea2d59dd2f1307f5057825bbb283306a0dd561e
SHA512 e54da2eec24176267772b9f5f8259a544d4c5ba15c21572a13bb10f65c1b3d555b8c881dbf2f5dca2e3929fc54b23224f8533c611e666f4554ec0a34611a4ec6

C:\Windows\SysWOW64\Eihfjo32.exe

MD5 9907de61bb037d48f4adf69169d6e651
SHA1 77ce9d6e2a19539b5d0506984c0ce08a0abffc00
SHA256 3da82949bae4e7744abe3e6727ce77315cfc1070272cf68248a3d5c8d358753b
SHA512 b3848c03861650c9ba90165e7a728b75ce6ba5390833d32c9fa253b71f2efcd02ab23b48822920845ebc9c714018e9b70b4ed280447a7b0111391efca195ece3

C:\Windows\SysWOW64\Ecmkghcl.exe

MD5 931ec3e3fd4f1b06cf88d3d68982897d
SHA1 08644a9fbc87e6877a71f8409d16f140abd86a33
SHA256 27c0e6873dfc8369fd424a34f99c7acd4a0d33fb596861615d37413e31e4197b
SHA512 45a942502e7a753b83b1519359b14dce47be17e2bc49ddcac51608009d26436b3fb7a89247f4f9d25337febdf8e213d8b9c3edda61581526246c3c3828003f2e

C:\Windows\SysWOW64\Eqonkmdh.exe

MD5 961699e58c9b5e983ae7e47b404237e8
SHA1 1a27be29ba01aba26d1b95b7ab2f747a274a6b11
SHA256 dc3b8fb6b8e173cd9a9c389ad8e7709bbc6a55acfb7d80f4889a2387dae0692b
SHA512 2934f0c1328d6dc3a0b7364a3d7cd345a656bb3972f5f1158b0b606abc6392d408fabc814a4c1f4e07065a317d9627eb1acbe82bfe810fd55580862e27d3a534

C:\Windows\SysWOW64\Dfijnd32.exe

MD5 1d2d45391ccc9f017910cdc2a64050ff
SHA1 fc24e294adc398c8bbce9eca7ce74f220095004b
SHA256 aa43db802d3b6fd02442615308316a39d96c8f40603b523f7d5fe759ffdb21de
SHA512 b69ab39f24a0321e9758383a5dfcf00a21fc0345e28d11c4bb858354b01303023d63de7edacc571d21ca7efe937db98b5211344bec377198422055967a242c16

C:\Windows\SysWOW64\Dcknbh32.exe

MD5 13b7a83dcb11e85dcbd9543cf77b7400
SHA1 fbf68a9704634dda380d5dbc66fc492e5a9736c2
SHA256 3be9014c8e52fb53eec74b34f7e1707e86080d0d80634d65aa702dd64c57490e
SHA512 31c35cd711f28efa5c49be496c0e09c22886c7519e89387886cf9d16787e96df454d4ef93430ca6c07df0740650579618479f99947a93911fa43f688766b80bd

C:\Windows\SysWOW64\Dqlafm32.exe

MD5 25f81468a343631573ddf1300e9322bd
SHA1 3d1bd9195730fe9f130e92925352b475760dd49e
SHA256 61574bda1c2cf4376d6998ec6dfea3b195262b6955a140c3f6768e8ce2793852
SHA512 6e563672d0300f7797226b63325c565999f315d47cdcdc28b84e2e053cbd59770cd7f93261e57864fc7cff0feeedd02612b73bed74db83bb80c3bb3e5ad83ad6

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 004f716e5c78ea22a60416fb14793223
SHA1 2052b9835b484c137b9aec03faa7f29ded728ebf
SHA256 35f9168da2417d59418d9bb0727df010bab3e21c17ee32cfae6cce9027cee037
SHA512 72c32088e6c3730581b9b063e1310f2b94e7ef5e736bbe284d91f047873084acda6657cd481712e16d71d110e3922f35d774f64b02acfea9a8b54ef982a28ae5

C:\Windows\SysWOW64\Gacpdbej.exe

MD5 d651945a732ae4960879c0d6e6e5337c
SHA1 4fd6ee8c5a6fe5810135684424f993afc83bb47c
SHA256 4013e372edb0579a5c844a88b215593f10945b4f1880986702a12799b4d0e02b
SHA512 dda593cf26668dac8d7b1e091932168118de118496ebc6ddb588eb50ffb3ba474b6c6d33049fa0be0651c918f53701389ae738b5a7cde66cfb6175badc2b0eb4

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 3f85a75313247033f735dae8e373b388
SHA1 bfa2856d4400ca730aea976b9e478a888c9b27ec
SHA256 5f36975c6ee05416668520e5f1015e964f96a8665ffcc69bfbfb4f4e09502ceb
SHA512 439f59daa08b24dac530f6c3cec007c984dd7b27c633b5c6cdc3fa519dfa0b7d76702a2777bd40b72a55ba29d8a6426b42fee1bd8bc5c30bc7a97b6a310bed74

C:\Windows\SysWOW64\Hobcak32.exe

MD5 f5bd2a3a39f7412026a8c93764ca031e
SHA1 b8cb4e7e510b95ff6e42c66ade31c851a53880e9
SHA256 afa1553111e6fea7b0a68500526fc9c08ce46e1dcb3b63ae394669433eb55482
SHA512 2199835ea9a9adeca86648158a1e7af7f8b136f90286204d7e46854f931cd4623879da86fa14cfd04a9c5c9cbcf5103a710f091b0cfed426d1bd98cc82a111ab

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 382651442e3b096753abda74eda6e9f7
SHA1 a98ed8f4c866b040a6f2eeeaffd24ae0f315e850
SHA256 22b33d69b95710c1cfcf8d51fe58a25e205f122cdd6c6b91625944afb7ef5e7c
SHA512 a4fba060b37267f812344e5770aed2453dbd7d4054bf5b17d712fc12ebf4cb994bf41b042c427cbc2b22fa88bed6f8210bf5f16ed0b36ce0751fe02ae2cc0916

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 da132cd8ae126b6b154d7141f8e743b9
SHA1 2991053b580ff024cc8d8e148ec192907f1d6492
SHA256 9c5954b85cd9a3677218c2345df29a4d853e4fe494323f4f11826e515bfdae0d
SHA512 f089fa6ac96f77593d8d1197fd112d49e89db6f04a1cfc83ff5a7db91b24d2d00afa8d4d7813f1740b3d141b3868633d209a718207102b04420ea44cbc706ed4

C:\Windows\SysWOW64\Inljnfkg.exe

MD5 682bd90264f4456438d198aee873bf3c
SHA1 f706af6cfb11df4f9bcf46bce123b53568ca9316
SHA256 a56667a2a78e88ec521caea715945c6687a60d7a7918e208f4648ffa15eac8fe
SHA512 70e6404ed59c3e85e8679b2cd1c1f9eddf916b6062eb656ff4401537f1540cad70e2ffe59c22a17f4eb6de015a38183145ab7997fecb1715887415cd908ba6df

C:\Windows\SysWOW64\Iknnbklc.exe

MD5 f28f3c941be63a87a95b53a2f46f0eaf
SHA1 c5eef5b2a4166ded938df10c6314dfcacc2bcb38
SHA256 d87884d1ab9c24a15d51b48a5b9dd4b7585df90285aece18ac6aebe3ed02377f
SHA512 4c645f0f024f79ee2361d8e249a2bc9ca620e14d07b7163446f416ee878ea03068b2e87638b9c32af54b929dce22c56574fa8775e8d6b4b20423cc08bd0eb321

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 e6100ee1315c7561281f2b565749545d
SHA1 bee483489798457b560812d41f21111abca06fb5
SHA256 8e19d20dc802f1d5484122b9ae6121b0d761695ee477c871c962491efa32c356
SHA512 8885d60d0a670782bc08a299d1c30891729cbf1f5775db2770f609e049fe74ccd4177f37060d09022b3d067f4dabf74edf6f57b047c3499b9d7ecc75b15325a2

C:\Windows\SysWOW64\Icbimi32.exe

MD5 b6783f8c6a96a5122a34b278d0eaf748
SHA1 e281492a2fd9334cca5d9d0f623b57532089386b
SHA256 2fc90223f887907e5911d46c743c8fad174b7cfb34521c5da29ea70465a7a0f4
SHA512 5ee7e7e47fc17ebe51a4845d3fe5802f062360c3f5360f0707514e384c62f5e69e2a691ea78113855773e5f452f796453cceecb2ea35be8e22d1d06969a96350

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 eac87c12f11904d0a1ddfca4f1754916
SHA1 348d00ee5adb663ee1203530cdafefb74d15abd8
SHA256 84643e2ff3c12d3909a641d2f7d7e1802eacd665d25ebd7078aabc8bd53ca416
SHA512 ac9fd049c4f4dd9f7c7654205e406a274502bc6c8012fc5c4905d01e262edc895059018a625ef92a7cb07b06d4c416dc1203b8b5a164a1eb160c1b2b6d356f42

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 016fe548b5667aeef24e0d3ed4f437c1
SHA1 57d23ac9e9afb67f5ae0976944021ed2bdc5b590
SHA256 b9c000c932d473d48e07cc48349eeedaa66e28ee96803ac5c0a462042c1e7145
SHA512 1a244ef5d43827ed2cc7d00abac0ccc754e71ae7b3fb3e31261cf88e00c7b86fd9771d13cccf18d9ee67c3846b7a2c6078e5699f56fa65b690ea83eda91a7392

C:\Windows\SysWOW64\Hodpgjha.exe

MD5 661dcfcc56dd3f226aef50cf9e193da1
SHA1 7a737796229d52206346c24b47bf4b7cfb0bfb79
SHA256 a8afec76ca174e0ccad020b5643f8aa5cb12317ce03149a889489626e3dd8eef
SHA512 a3ff34165bb327b1de492454495e2dc2ad1fc78843386dbd9d295f2d2e2e4b0171a57c3fad463acbc7416410156839dabfd445ab79b722f8c4a303ce807f3d9c

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 bd5fadf48fece0eebef89e81db8f72d8
SHA1 308995c3a7c4d0c04d23ec598dc8454a6321be78
SHA256 9366831174bc2c8f33278d6a0ef7def197bd39fb71653b328203b767d119f618
SHA512 15ed7d8a2ea1796559fe07e84cc00eee01d188a41efbe73e9cd734e8060fd3823eb6670170a9a973d838af8724353f06f8fbc497444ce9c2d412c72ce34d3bee

C:\Windows\SysWOW64\Hnagjbdf.exe

MD5 b110eb13c305cdd114546982411dcc99
SHA1 5368faa3eaff381679abd072a39af21226221ea1
SHA256 7657b0be0eba4a71667efd242ef701440f6c5aa3b2291ca29212508d81bbf134
SHA512 5bacd227ab03659f9f9250150ce90003c31ea11db5aa49348db9c4262381eeaa42a4652d3ba32e89efcd6ccef1d231df07a2a45f5525577e9f59df28c021b375

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 e618a66751b95ac31456b5c7c34928e0
SHA1 f7eeeadfddca9b74a1d4f62dc0d9f3cd52c0ce04
SHA256 30feb9e4c44551bf6c7025497662cef31c6278af8ac139739f7f093117cc295d
SHA512 179e05fe8bf393230d9ebe3bcc35fda45e3619a70193a424ee9dc53c23d39f965ff0469a2451df514b00882fb980e5ca8fe67c5b20049e3355974162d7171609

C:\Windows\SysWOW64\Hnojdcfi.exe

MD5 63bb88a06e9aded79415f70b24894848
SHA1 665029210da7506e0beb3f6f922157195fe100eb
SHA256 6a2174fdc601d16b34fff86353d4f00d72fa5370192a020052902f27c48afbfb
SHA512 46cc57df7f4a4d496aa2d969dbc434603a9cc3ff568dbb27476e84415828174f24c925a4424ee27181f0ee4a05f2daa141ada550480ed85e8664872de3da3600

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 91342a21e3435e3b3963dfc88243b15c
SHA1 387943b7996fd44f03e440422877c4943067f373
SHA256 1c36e07fc2e82a22273ff9968854bb53b164f743836bdf5d8460b5c599fe569f
SHA512 e2926594cf87be5e106b0fd78b8358dfafbb09b4af4664b2eb6618c7045af8dc044fe705b94ed90292a564e3e0e5557cd8569f2b62d0af23c685424e74b57cc5

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 a70ee045f4a6e7b06e26b3054feded9e
SHA1 952f7a872ec0ca520b1f0d6bf86f331838a3b6d1
SHA256 ff74ddf795772945b0d99168b8eb01043e813e4aaf59402e7bd01df82e324a2a
SHA512 485c65a32053df3150469e3fc159b08a472bc3bff63738a0c9114f9cd7b3319d9216bd61830168ebacf9ed055a8fd2a614b276430c87ef43f61a2e0ecb90deaf

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 b262199bd3309ef2199a66e78bd9344e
SHA1 b989dc09444452a1eb5d37fad3eae9c1698a0b3b
SHA256 fbc2e4b676dc09040d427e1a897108c8bbb854ec2f33b9e946a9d56231831e97
SHA512 e5087c69838ffd759789cf3ebee5a68b357c587362bed7f411db1a45fb439077debe044d615558c69648a2cb433d894d34ed968b3aeb448ec349586510156a71

memory/2812-888-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2832-889-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2812-887-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Ggpimica.exe

MD5 2ca9c0f742b006c8a7b4850706212155
SHA1 2e35a5ee72f3e7cc22021b63cb3d2ab4c9cbeca6
SHA256 89fc6bc8e039524768bf2ccf63caa48e3aea1f96e485f4f7e86dfdacd917a64d
SHA512 2d81221dc0e3770112088eeadda3b00235e9a79c2e371bbe471ffe80377da017468d9c36ece08586f7cab0253dc5735b35190af8a964b95c8b7c5423568f4cb5

C:\Windows\SysWOW64\Goddhg32.exe

MD5 12249c13108e7d248cfacea3f88d71e3
SHA1 fc9899c40d31155ca383953482c7834621af881f
SHA256 2026f2017cb960189e5e4ad95b71d314608b11aa2826fef6adbe257a44b91268
SHA512 65b05c01735dff9ec1d8ec0d01a2b99aafa91448b3ca8619eccf8a51485f3fa1a23a0a2eab0481a824dc350dd97917949deff34402b9d2e441c39b5def4d3f31

C:\Windows\SysWOW64\Glfhll32.exe

MD5 357ab7fc62f9e5acfb1bb8ab25f2ed12
SHA1 70cd7570b29a3de73c116e25753cfa936f0581ad
SHA256 b4694406f1412b6c572c73afb70ebb12677463ce99c1647e377ea4e0593d7eca
SHA512 6ea94373275a1f285a90aed927248f197083451783b577fd37c46b6de444c2f0c1c4dd3316e698a61420c18f1cf35d71255c2bcd7599c9d9b5e5abe38ef462b2

C:\Windows\SysWOW64\Gdopkn32.exe

MD5 44f6448505f5b467edf9646af88c8092
SHA1 84c01e3664b697d2c7484013592d0f3bdcf6c136
SHA256 3b002b13a7be10d7e2b7c73ee140381bb67193f3cd1404461b7998e91ba31b3c
SHA512 c0865e494f5d3cf7e7750f174def28f673274cd2f48040336cea04419bb370d769cd50d0daf30c3b26a65b15aa000f4a218518c4d3ee8160d3e1426f3b0e4103

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 71db1ce655e26e74b55a96ac58d830bd
SHA1 77f250a07e1df26d4ce0acddde5499ea685ff6e0
SHA256 548a68cf9f2fc525ae970392b33613cf2d1980ae7b53b53f3c4eb02f818eb833
SHA512 9dd8f430ec665430ee82fea3b946d910b243b70be27e7d6d52038d526f3df82c24c6361a389a44a17bd0d171c99735732b319461133aab44ef0399daf510f95e

C:\Windows\SysWOW64\Gkgkbipp.exe

MD5 a813af6b8b0a4da20d05eca498a05cb9
SHA1 fab797e2a057952df0a21207c01ef95938a013ea
SHA256 becded2b80cde54bd658bf356ba4090310d89a9e450a426c1fad07e9c570ab54
SHA512 2bbf4ca15e71b1f2a89d6a8479950204cfd9c16f7604a22a343cddf32e717556362711e598b0979677849ab081acc5dfba044af0da99a067320296ff8ef13d35

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 f197be6785e4fd32eb648976ed98d321
SHA1 28e3dfd138c3ffdbc756e7fa32f71dcba02cc7a0
SHA256 0dcfbbd8ae853822d8dcda0e2637337be99de5504f105d1db736b1c923f081e0
SHA512 4c000108f64d6bb8a098feb80021a1bf611922542a1e3cbc056e723e508168355a20d1876cf0f4332da95f24a26780300ca75429652f0e48b81b1899972a82a9

C:\Windows\SysWOW64\Gejcjbah.exe

MD5 1a2ebbbcf45ac5664c0e94b0e9b74c2a
SHA1 c349a0dc9349434b0d9aadcb7a17165afc692e3d
SHA256 a3fa4a9db2169efab1bd56a7ba834465bb478dc177ad66145872c28fa35fc8a8
SHA512 796bce2e77f6d70b50888f23125863791e3b6b09c71ac19e2bfa67f3c82008df26633e8e4562c580c8f480e4301f23b6289163434245ca32a9d55488d21fa38f

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 2170777b95338132bc0d1102a15e7739
SHA1 9188b911586649132e300fab0b7a2f5c370309ce
SHA256 d6caf2bd12b701f4e166a8cc97ba6c79035d5db26199992151a7b2500ff3222f
SHA512 c6dd26afed2b8e8ef896fe9556bb7570035d3a301391b7ae4520b5e65aa96e8963a6a19b1032f5e5e9406f20182124125383b5161dc8188e45afcc4dda873a8f

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 bb302e4add635002aa6558d37a107de6
SHA1 6d7b4e57b20206adf6ac18e85f260f1ae064afb6
SHA256 24650a6493cef5b8a6aefc506c48d90b5b70abb5095e0514216e7c6aea11c04a
SHA512 c337866f6bc9f628bfeba5fad79009bd1eaf2d560284a63f41bbedb036306ffafd0d40ba7d05e149210203511fe2a9cc0d49680ebbac513655078825c3dd073a

C:\Windows\SysWOW64\Ghfbqn32.exe

MD5 85079259c506689b56dc78e3fb8e6b5f
SHA1 d0409fda71dc187fee0f93a005e32f794c062c69
SHA256 78d86dac10e542a8b5f4506a7562b782df90a64ad357197f19eb51fe3689b749
SHA512 d806dd9eab30a0fade12bde7540b6081f3985cd489e2cad34539aef67526b4248f883b26a16627c93736ed5a0f10a292791f26209fccd10b8c61a3530948a4f7

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 cf3f2f14402f6c88f8da51c0aa23d884
SHA1 6be2ec882f1604e3e46b7298c8ca08d4bfcb1318
SHA256 368ad3a4e18a820c6891874ebbc7b736b0b6dd955324870dc34bbd038579ceb2
SHA512 9fcca6c6efc43b768c23f3cce55d51de31d4292580c86963ed0225d89dfcfb9e4ad27b1efc5cbbed5654370a2f4c25f1939c0d6e87b4ccc73d887b95e129a18a

C:\Windows\SysWOW64\Eflgccbp.exe

MD5 4b7acf84031084038aa8a2b95c3c8a86
SHA1 9a9a7b9acd4820721635d12beb635832e40619cb
SHA256 80ea77ff3cb7f4a36ced26390a707431d46b42156f803785c98ce62a052bb471
SHA512 b51b96bc7ab7815616e6ca26d453ceb3afdf077c3d64974a753f7777a8abc6fd20fff4bfb3665af950a578763ea99ebe7dde00f23f2482c14eba5fc9c1a85196

C:\Windows\SysWOW64\Djbiicon.exe

MD5 2a6664a9e7a4c8b6c10c3a4ef0dd3b5d
SHA1 02173ec285f55e31eeef85b5ef01e09f6bf8df4e
SHA256 f0af893b4910ae3e35601fe4ccb8e447637e3f0db5f849a662f3c3e2a6e7bf5c
SHA512 5c74bb133e1bfdf647cc68a62b09be826e806d67479ca1b7b931a80d8e8d90bd28306df4a11956b569f25b4fbff0bfa663c0245f6d8840b441606a39466cf555

C:\Windows\SysWOW64\Dgdmmgpj.exe

MD5 5b68c0f97b85118dbc4cacdb1b790a19
SHA1 67425d94044fcafc1f08a8b71497f44438ba9ccf
SHA256 a3ad39ccc5931f3f8caa04ef2dd2cecc698a43e58dcd077e3b26893071fb0286
SHA512 7522366a2c83dcb0b871e1f1341a4a806f2bbed9b514b02f3eb05017335716c188331e3d844bc1236c46379dedd855b8050bb9471d6ef137ccbe7f748cb26989

C:\Windows\SysWOW64\Dmoipopd.exe

MD5 8f5e51118cefa34de53360869ab89bff
SHA1 28a92877f97423f69309b8903f38fd76101be2c6
SHA256 7c6fb785f1de984cb9a659b7830fe72d85720613d75c8793e687fd60138a9844
SHA512 41f008eac5fe6ea77487ea2f1a05a7633b0356a479ad26fe1c1d815100c32288f6a64a90b82d38d8373cc224d46b98de5bf45519ae67b98fed6c3c61e8fef7ee

C:\Windows\SysWOW64\Djpmccqq.exe

MD5 df3da032396a06aed745c55b7db13d3e
SHA1 b1ea8d23804125fba41b9366d6c61f256b6c00ea
SHA256 d054ce62943c5d5e98fd736b59ab3b9a2006cd4f27d3c3106d49dedd5e7765a1
SHA512 31bf2370167d49ef7814ac6d65e43eb15e371ec9a1d790d57aef3be4416806236e10fe7aa4823e222d137d8b640d9fa4c52d6106529902cf3c430f2ef57c0e3d

C:\Windows\SysWOW64\Dcfdgiid.exe

MD5 4cf895916bbe56de7c94929420ff5824
SHA1 836744540c8434d2afc41275f9c700d60822fe81
SHA256 0608569e7272679799b0cf6d2535eaf6f3fc971e47d265a245ac63cd1b862d3b
SHA512 ecb9acd23a649c7519dc922a2cf0beadbe1f3947f4d3d85f237d2a23922cc4a2d8b5f3abd02285039cae303134e9cb5594ea73b912d0a4b2e1b4d32d81e0e14a

C:\Windows\SysWOW64\Dqhhknjp.exe

MD5 d90da561441b124a635e3f1991092c3d
SHA1 6633e0581d3034db0d929654770006bf37d48606
SHA256 0f36af6640503e00a93ece3a0189310e3146e2475b091d4994b81405151592bd
SHA512 9a1d4f7130d15b6e48d1535fb16e689639ae0b461583f8bc11e15c505bbc402fa103397e115de458a76960a012aec1949c0d8e25d9d2dbe9f5727de38cfbfbb4

C:\Windows\SysWOW64\Dgodbh32.exe

MD5 8e97895e11f8891e454628157a829d0f
SHA1 aa20b7644fc67a955e6717be03563adbac62637f
SHA256 3d354d88db71c588097e38ff863357c871c6cd9801d6668755b8dfcefc462abd
SHA512 1de638eab77acb28bde9cb3af819b77161bef2e38cffd97de13d920d5af671726fd61e28d907735075d31e549127233d6cc3649f17a1cfa2b3832183339785ef

C:\Windows\SysWOW64\Ddagfm32.exe

MD5 ec797725802fb2d3f4165fc401b4afa1
SHA1 d7026a8945be14d131080629430c85923dd4b773
SHA256 0010ff0d850eb4da3d803cd598f67b496a40a9332ec09ab99c3054668df832e1
SHA512 17bef5b68b9e0b64050cde68c32f2e648e5f5d7bfea26bb387ef5898e5565108fa0e9d70176751c0c2922761dee5a50119506075bd12221d9a6f172c485fa55e

C:\Windows\SysWOW64\Dbbkja32.exe

MD5 1a8865434bbcad26d69b819b5ef3db7f
SHA1 6814ab950d7992c5d5d7571e99fe3dc2c43ece41
SHA256 80fed1bd3d941bdd246aab0f20c1cf12d9ee457a0269fb3741ecfa350983b52f
SHA512 3d4375dfe9b45a5ea7d66abee241f5bcc41474927f01c2fa21e80d620bc2d252883b868b72590ebc44d7e7613005bbf2332d2663781bd386153eef83278b00b7

C:\Windows\SysWOW64\Dodonf32.exe

MD5 dd04c5dfe9503c751f0805fe7c5da675
SHA1 84137d7946b1b73956da5efe5a36d36ec8d1799b
SHA256 1fbf4eb1fa6ef4a544a2d934d0685019817919a558a27bd4296936b0ae368dd0
SHA512 b95d8320e00b8293769b19923765d19554d301f44af8edef85517bdd0c211aa8c5cea6bab4b4ab24fa61194ad23ba207dcf85e916fddd0e8d5d29afd59831ccf

C:\Windows\SysWOW64\Dgmglh32.exe

MD5 f448c48f9cbe8b190d9493ee9ea8b135
SHA1 4bd8c72c7f48bf597050869b747e4d1f7ffeec50
SHA256 cdf108751102c9152853e50602f8e28b0b7790c85ff6cd99158a84ce231ebd89
SHA512 a7ce8a6bea83e576293c2da5a7eedb37a199d678b4bff11ad9ae9ee2f73bceac12913b81f425d657d4f9ab127e854e1befa75bba5ab822589be90a4a73b4ce23

C:\Windows\SysWOW64\Ddokpmfo.exe

MD5 4887c5dfab53d75877f8f25b1667ed42
SHA1 265212f30fe82ad9725f7aa1a042c86f2b10281f
SHA256 0b78af3d52d08476e4408b76b2a33e6e126182954712de117a57ac56beb15ea6
SHA512 513e420bbc3d6a1ddfa0a686b5d24c8c26113461ac4b535a5cfddc67130b5bc9a24c135319c07515ddd01d43409681e5ac6aa387b563d21b7e30663e16297fd0

C:\Windows\SysWOW64\Cndbcc32.exe

MD5 d71d20b0c8d1cf40e93d63de50893155
SHA1 d215a4c1346ce9728c70223dda9b289d6ce32114
SHA256 0604b4ec8b0a10332e212d0ca62378365da605cc307039e346eb3b76925f9d85
SHA512 7b59b58ab8dce481b8194720e9c6194942fcba4ccb09b14b353b54297eb543040eb06815a26c17a4120b264d26a2676822443f1a6033a49ffe43eb9c321c4086

C:\Windows\SysWOW64\Cobbhfhg.exe

MD5 628537b3c4e1c5c23d3cf33a21eab766
SHA1 d1b8dbb5b0256468ed94d215ef91e0ba6ba554d2
SHA256 5ff9916bae1880831c7e2a04dfc983098064cbdac1b3c9c5512cf6545c52ca3d
SHA512 1e1753ba04227d793e6c0a7245bf193d6dff9ebd34053ef763c54fe31cebe1f072bab02d08b7d9be59e0e8dbdbd5c52d27889bcdd1b609eb63c7c67d25135d49

C:\Windows\SysWOW64\Clcflkic.exe

MD5 ce7beb743c79e353abbf4db7d26023a9
SHA1 bd9be1dccdac1a1636f3da752edf50a6333ffc97
SHA256 dd44e8e8c276a03d4a78eeb457b5ef55d8633e92e92082b627bc65be3fbde747
SHA512 d4ba7aebf5a0a9febf91ce804c97cfbce0b62d0e138b1f6c4a74e75ef5763c0cd9e256c9ab79bdcf1d919af516f1a94d1505498c3b4ae1393e8d7b577e0c7187

C:\Windows\SysWOW64\Cfinoq32.exe

MD5 f160df8d7fc2d3bef6af108e61e0c281
SHA1 f5e4da1d369147d7e55384884bcec13f366a07bd
SHA256 5fa470a71bcc8a5a31c245d12c60e7107efd9225d9860fb4095f18abc8a3f9f2
SHA512 a72267d4207f04d39cf6db39911a3e9af50dc2ba93d68bf31b7d78fda32fd9a49e43df99f71964aa391f5708801de729c51802527984af4c944597110c9babca

C:\Windows\SysWOW64\Claifkkf.exe

MD5 380a1760eddefeb449ff59686f464713
SHA1 f75a52fa9e9e59d2c61b36b1830168ba06307c75
SHA256 d69885375fda467c1354fca10d7805864e068669878d649ef94608c338942270
SHA512 0100d0c10bc5aa8c67e9b1b92b4f328047cb1ca6cb026548cdc626d6586221b0ed3b30bf71991ea96940a4ae2e7953484ddf8b48b6c3742986b4cba41d71de19

C:\Windows\SysWOW64\Cfgaiaci.exe

MD5 84384bcdf0693437b5c806eb5989fbe5
SHA1 13cf43449bb972a76853f8e4fbf0856090ceb485
SHA256 fa7a828db0e0409f97b3a987741634eabdafe44ee4a9e816c7cda2e683dc7eea
SHA512 8bc4b06732a5b6366630664860290347f22847e64a34b72bf06eb2fad0782993958ed4e8bc590e39678322f5d6322a2df570a3cd9b7b73a8cca644bdf9b93e70

C:\Windows\SysWOW64\Comimg32.exe

MD5 fa1794bbda5d8d359d0b4d5237a5b776
SHA1 cc2b982148fea5deabebfbc8b4afbd20cb4f1c1a
SHA256 ada5d5752d20cfed426cf6577327c469f83460011133e8422db1d151403ad355
SHA512 ad76d83110843d20245bc05f2871fdb5cadd8c0070bc74602864c00c2c709a63ccef2cd1313769c5d6fb442110784eab0866e22956b4176fc40563231af42b09

C:\Windows\SysWOW64\Clomqk32.exe

MD5 b3093efab8ef5cb2df87d55f0dfe8111
SHA1 0e115423e0f43e6b841ab3672160181a6427f852
SHA256 4ffca83dbf76a9b9d658c183d4f6e40950071a6b74853be4059e5f2978944313
SHA512 81ad0fe83b55f27953b9544743f03354e8fb1fb02d72b662d29ba938fb92bbf10d42314e5e85dffbd3042c12cf40eb1c3dae08732f65c4131481a96c833a9074

C:\Windows\SysWOW64\Cjpqdp32.exe

MD5 c461e93eebe260efca04594c9a9b474c
SHA1 b392f64c7e7dbae51a92922e90c393b9ee4dd360
SHA256 91658c548418a5035743a774f25f95e2cc554ca42b6f4c9c44245ae365125576
SHA512 d2913db9be550646e991e8fdee28538fbbe2cd18d98e63393289208cf5355a72d44a8955e32ac868c20250702a66e549a1a70900c740519f47fd759fcc660642

C:\Windows\SysWOW64\Ccfhhffh.exe

MD5 aa486a0762c8ab94e35206c05961bb82
SHA1 ed5010be6cfd89d7ec1fd22f1a361929b73cce43
SHA256 d15c22980134be7a272db7e2811442ec3a11c611b437c6b8f71b4401db243a89
SHA512 15477f898aab12ff837f324592f828f035b1956134d62ddb5c36b6f798a3d219ef198afb7796efcc27c86cf90b88101c9bdcb461d6a1be7bb8dcde0963626907

C:\Windows\SysWOW64\Cphlljge.exe

MD5 48ed97ff2fddb0377839ef6675c84cde
SHA1 d324416eb0f6569114aca17d2bd606b7be56ea61
SHA256 7a12f1c995c369cae38434464077092bf62a0708fc73a483a2b38537b3648bbd
SHA512 321d226987642046a46892c399ba7c420fea5c92acc690638673e5df5616aff9134803411b14f1236d067de931e4039bd6f918646254f51e618d72fda21d64c9

C:\Windows\SysWOW64\Cnippoha.exe

MD5 1f70170955b70af612e05bee228772bb
SHA1 e06396867b5dba700fb68eb3155289145627797e
SHA256 b1b153f002068dc44366da9567122baea2b4940714dfbc444cce192974cd227d
SHA512 b673a98aaf874f34e810e83a734ce4f21f249eb038cae3d468a4c34798d46d6ae9bf1328ae21156f5958cb48c14c456f5d7424209007768d88fd35babf081d42

C:\Windows\SysWOW64\Cfbhnaho.exe

MD5 bd535c145ddea6224dd2b30ffc9866ee
SHA1 40c197ecf1bd21ac87a4f1db8dfd6ee552a113f0
SHA256 87d2b32f25e95f38958599e182994ea1ddb3c49947d63ffe3651da9c2e164749
SHA512 4390bf9dd07841857cf7b32794caa7596bd1b41cb180f080557005d7649c35de568c09d05c013f12f3cc4391015a760062659e865b1278e5a541cb5337da3f0c

C:\Windows\SysWOW64\Cdakgibq.exe

MD5 c725be8b24c4054afd5b49543a7987d7
SHA1 7921131e977f6a8cb457d03e6633be979de7cad7
SHA256 5f51d4d19530bfbd42f5e546fa84ae13bf11d8cd8d60504ab211dc38aa24a80f
SHA512 85050d955953914b1905b4b6127fd829b4e66a0194529312575ee0013350a633e97d27da54cc6477d0b9fa27e2eb6959987794cdd1fdef4fee038c9cc8bf02dc

C:\Windows\SysWOW64\Cljcelan.exe

MD5 ba00a27587e5078a599e192810c9a290
SHA1 a8cac7683d1b23f0cbb53e40bf13114ccdbff42a
SHA256 2cbdea4847bcb8d10da84ad246a18542043d39b27aea1963184452cc8f4f46b5
SHA512 a7a90cb86710d8ded53dadc3db31cdac99bc881f858c119579c15c195ad15eb878b77eaea3d1841e1c2def9615c7ef95074679554aca4e8424fa6f2bf3a9efd7

C:\Windows\SysWOW64\Cjlgiqbk.exe

MD5 974bca58bed8c21035fc8a7605fb618b
SHA1 14a090693c288e55871f80644e6d9c80038db6cd
SHA256 0db1ec4b19276107410a1aeae1666eacba646b502f6c3d903950a886fc61b6b8
SHA512 44db73e4711aae0608f42d7ec74a58cd8658bea8ceacd596405b95390812450d4d59bc5ce87c34252af8a89d58f5a23ec949f8944e68fcaf903a3cc397b4ac98

C:\Windows\SysWOW64\Bdooajdc.exe

MD5 3d7f97a552ee1121b7785b251441fdf4
SHA1 bcf6dd894eb0769ad3f9d88a990cbbacb902a7dc
SHA256 0a7e120f8d14948dc29f45582481cc9a25368b834324a56fe8956f4c0aa15634
SHA512 6922b7f8b06a0870f173cdd6cdc74a0915d74b2be3deb09dd172c42c4d8fa15478839f58a5f832fd3256fef848c4ae68db77b1c1e1ea7582167f7f7dd10800a9

C:\Windows\SysWOW64\Bkfjhd32.exe

MD5 5fbf0f74018a1e3733a139a8e5f49116
SHA1 d63dd52ae024f1f04901c15b6f05f730cd66ae5c
SHA256 7bce01258641e8586edc3e6c1dbfd58928f2212ffa29ab041fb28ec012cc6a90
SHA512 12ca049a0e3d7e6beac3bff73378656ccd0c66aec1fdbc489330e4350f187fc4af53bda404146329fe49696f310fa00ea380c57844eec9006573d5e0286bcb2e

C:\Windows\SysWOW64\Bpafkknm.exe

MD5 e11add66a85f94725ae4f38635bd8a87
SHA1 83cc4d81ebaa0b3d02b9b07b2787effce38c3cc3
SHA256 e8c35f78d6eb778f71d4dc98b0b29d04fa5c47cdf4d928e3a5b37c588e9d95e0
SHA512 7bcae69d248a77473e66cd954a5f77db0dc4e2ca722229627fed3fb59347c10eac130b8dc9b4378e815706aecb0d0cb2d629cd83211c744462e68d7916f66231

C:\Windows\SysWOW64\Begeknan.exe

MD5 64020732366c343b2fe2f5e542f1dff3
SHA1 a013f50cbf8e812e5a4a2c10d48d145274eaf79e
SHA256 0987f16891c9340beb2575e0c7eb335da2b304aa74f91ff79ec05df927552acb
SHA512 99e913fef98fd07bf35dd60e652f7c9991bb7d99ffe605a1c7eacfc693adcf4fb39238d05562ac703e476b0685a505d813298b71ee7e06be37dc6432887eaf36

C:\Windows\SysWOW64\Bkaqmeah.exe

MD5 c3a8b9d1cb1e12ad2ded78588ad6762e
SHA1 0518e4d00664b453886e222f5dc059e77b3c12ec
SHA256 cd595905545d6c4dad20f20bdec58cbaa9563489905b2c8215bc2a4e7400d644
SHA512 2030cf0191465193869487243edcaaa6a181feddb089673614a8189247c6518fb2cbe9a12b475da9f40615a95121734209f05cec3e4c3b90419181ba1d415cff

C:\Windows\SysWOW64\Baildokg.exe

MD5 871203d30f32175f1e6b3716bd1cb683
SHA1 570bd6d40f003c1dfd0cfe3a88e26fc8c114200d
SHA256 fd336c8d841f05565f826489bbe9c9e5f0923ee9e0bcee09b4734bc9404a73dc
SHA512 9c898d73a74c4650582b0046781c08e2cbefea3aaf0d342e454c65f074fface70ea98fa9f0fd6ba12267fb7892c9c5fff541668280c71da67e6662a6b961f902

C:\Windows\SysWOW64\Bhahlj32.exe

MD5 e66cb2596bc41626fcfdc00426e0bb30
SHA1 ed9aed8e77931040ccab80487cf488aa3c6bde50
SHA256 f767ea2e139fad7e32525875f7fb39945dc96c7953d1ae69e8c4e79d7c84c628
SHA512 e1b1f74b5c246811563fc86075a0cd2da708e73d775a6fc7f7477628593e828c10bb8566cc812d51567af14c27851a437aa1f0d1512117681652bb8a4e98af77

C:\Windows\SysWOW64\Bebkpn32.exe

MD5 c85155128492d6f79e99c0d85e68ed8f
SHA1 92987aebc00baa8c216e384cb471b1924e4517c4
SHA256 6279d961f7862039fcb19950a796937ae1a88c7cdfd1bb77b165a319cda71c10
SHA512 5044c70e7d47e1faa81492c320f2aad75155f720900a99b77a42a822b7b6e6205a01a20d7e9ed97bd51738784e0f98fa48ea941fb4162c5acb25d81b935a8a13

C:\Windows\SysWOW64\Ahokfj32.exe

MD5 ca64b727e401210b3c169b1419ff0c3b
SHA1 0c8e0fd621e2fe7179260bdcb8b8cc81e6748cb7
SHA256 ff483243bccd769e0cb412c2528b16cafdd82951815dcf8a2346d187c4bce174
SHA512 cf9468b0092219ccd7d35740ca25b3fb9e07dbce45eaf8420e9405bdbc6667705b99b13195241c09f4c37f4fe2178c94b3ca33c0ee73f0d6a1c5d2e9bbf55a9f

memory/2832-890-0x0000000000600000-0x0000000000642000-memory.dmp

C:\Windows\SysWOW64\Abbbnchb.exe

MD5 b848dcfaeaaf92f09102cc849178414b
SHA1 acf52ec671d0796e83ad985284163c7f6e9602a6
SHA256 91593da19fad0adb564867cc72b564b09861a9ff379c5e6f8b563b6093cfce4a
SHA512 716b2da37c7383c1f5c722dbcfda961b2b0c57e885ad21cf95d54805f1463e8a2287586983aac7b7b3aca96a7bb7685f7f5f4ff8c7e711a91ebd2af1caeff469

C:\Windows\SysWOW64\Alhjai32.exe

MD5 223e33817c618483e7a3612691af7126
SHA1 a142d64703338326ed5b1a99b6b8fac88d51295a
SHA256 2880bba9d4ec23829c80be52a6624e7228acf84174bae50cf140df7417f239e8
SHA512 71842b389cd4db1562c16735b495b556205c4728383e26867f2ac5dbf02b9444d5c282f61b863571627d4f58b6d4ae4a16353cbe8128b80d1e668c791e0335ac

C:\Windows\SysWOW64\Apajlhka.exe

MD5 efb97ff7d96f3df2e90d6e1e24c85be0
SHA1 a0b3a0d31c7bfe6c331b9bdbfb253cf3dc4b4621
SHA256 0224d0f806429fd651e4dde140f100173e0f16e1054a5a82c4c7eb93abfe6919
SHA512 b091c7de4a03768d60538136aead23ede3b40b1840681d1f42818b5ab70342ed87f5c1890abc5d8e93c834ecebf83966042a6be97f7444fc48a5103fb39d778d

C:\Windows\SysWOW64\Afiecb32.exe

MD5 fd5d87fb0d93cd462fab97931269de3f
SHA1 dd48b568648af7e259c89e3aa6f22042f869b8a2
SHA256 75df7e30efc38420a99f295a963179bd0a983dc33be6503cfa7e0592d1ec2fb4
SHA512 e23b6f36ac67aa649aa9cd32c982ee8c9fbb59e40e334291348b75f83266b2a1e684f5f3a1721cdc3b963323731a1f9805a02bae434711fff24b23b4bb70bb36

C:\Windows\SysWOW64\Aiedjneg.exe

MD5 a1937236740f00f662a3c8e2363314ea
SHA1 beee728b9b881efb26aa72b6596f255817017bc8
SHA256 fe6c14fc918dfe3dfd948df4db76ac5fa8a4672c872425ea314edd73b87a9fd9
SHA512 583b0e6b2ec9a6e2e7c2ff6bc7269f24226fb638baf0a67a0ab794cd405888b006d8fbe47c7b17213109a2f360692422c3547c5de8fc81ec39b00cf53f60fb29

C:\Windows\SysWOW64\Affhncfc.exe

MD5 ccd8a5500b637f2f5ca78d21120cf640
SHA1 76b62a8a6fdf7cfb77e4c954f22a7f75042c123b
SHA256 f62ad08171e90c5c34158ef66c408e667ca826d082d24547e9e466f24ccc1ef3
SHA512 1bc48c4e23bb385eb5fce386206dcdac845c449fea62f189683950735fbdb29dc39706d74d3f5e4405c784f3a05d4e87019ea660277f7d6aa5ee1e11927dcb21

memory/596-918-0x0000000000400000-0x0000000000442000-memory.dmp

memory/644-924-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/2612-975-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2588-974-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2588-973-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2588-972-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2904-971-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2904-970-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2732-969-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2732-968-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2692-967-0x00000000002F0000-0x0000000000332000-memory.dmp

memory/2692-966-0x00000000002F0000-0x0000000000332000-memory.dmp

memory/2692-965-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2360-964-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/2360-963-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2488-962-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/2488-961-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1556-960-0x0000000000320000-0x0000000000362000-memory.dmp

memory/1556-959-0x0000000000320000-0x0000000000362000-memory.dmp

memory/1556-958-0x0000000000400000-0x0000000000442000-memory.dmp

memory/912-957-0x0000000000250000-0x0000000000292000-memory.dmp

memory/912-956-0x0000000000250000-0x0000000000292000-memory.dmp

memory/912-955-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2912-954-0x00000000003B0000-0x00000000003F2000-memory.dmp

memory/2912-953-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1244-952-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/1244-951-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/1244-950-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2616-949-0x0000000000300000-0x0000000000342000-memory.dmp

memory/2616-948-0x0000000000300000-0x0000000000342000-memory.dmp

memory/2616-947-0x0000000000400000-0x0000000000442000-memory.dmp

memory/572-946-0x00000000007C0000-0x0000000000802000-memory.dmp

memory/572-945-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1824-944-0x00000000002F0000-0x0000000000332000-memory.dmp

memory/1824-943-0x00000000002F0000-0x0000000000332000-memory.dmp

memory/1824-942-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2144-941-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2144-940-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2144-939-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1808-938-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/1808-937-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2124-936-0x00000000003B0000-0x00000000003F2000-memory.dmp

memory/2124-935-0x00000000003B0000-0x00000000003F2000-memory.dmp

memory/2124-934-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3052-933-0x0000000000260000-0x00000000002A2000-memory.dmp

memory/3052-932-0x0000000000260000-0x00000000002A2000-memory.dmp

memory/3052-931-0x0000000000400000-0x0000000000442000-memory.dmp

memory/708-930-0x0000000000250000-0x0000000000292000-memory.dmp

memory/708-929-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1532-928-0x00000000005E0000-0x0000000000622000-memory.dmp

memory/1532-927-0x00000000005E0000-0x0000000000622000-memory.dmp

memory/1532-926-0x0000000000400000-0x0000000000442000-memory.dmp

memory/644-925-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/644-923-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1260-922-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1260-921-0x0000000000400000-0x0000000000442000-memory.dmp

memory/596-920-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/596-919-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/2372-917-0x0000000000390000-0x00000000003D2000-memory.dmp

memory/2372-916-0x0000000000390000-0x00000000003D2000-memory.dmp

memory/2372-915-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2252-914-0x00000000003B0000-0x00000000003F2000-memory.dmp

memory/2252-913-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2100-912-0x0000000000310000-0x0000000000352000-memory.dmp

memory/2100-911-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2452-910-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/2452-909-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2444-908-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2444-907-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2444-906-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2424-905-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/2424-904-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2040-903-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/2040-902-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2964-901-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2964-900-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2836-899-0x0000000000360000-0x00000000003A2000-memory.dmp

memory/2836-898-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1976-897-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/1976-896-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/1976-895-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2232-894-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/2232-893-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/2232-892-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2832-891-0x0000000000600000-0x0000000000642000-memory.dmp
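The file and memory-dump entries above are useful as indicators, but only once they are pulled out of the flat listing: every dropped executable carries a distinct MD5/SHA1/SHA256/SHA512 set, and every dumped region is exactly 0x42000 bytes, with one region per process at 0x400000 (the usual default image base for a 32-bit PE). The following is an added example, not code from the report or from the sandbox that produced it. It parses this listing format (path line, digest lines, `memory/<pid>-<n>-<start>-<end>-memory.dmp` lines) into structured records, validates digest lengths so a truncated hash never lands in a blocklist, summarises the memory regions per PID, and offers a `scan_tree` helper (an assumption of this example, not a report feature) that hashes a directory tree against the extracted SHA256 set. The embedded `SAMPLE` is an excerpt copied from the entries above.

```python
"""Added example: turn a sandbox 'Files' listing (dropped-file paths with
MD5/SHA1/SHA256/SHA512 lines, plus memory/<pid>-<n>-<start>-<end>-memory.dmp
entries) into structured records for a blocklist or a host cross-check.
Not part of the original report; the regexes are tailored to this listing."""
import hashlib
import os
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|dll)$", re.IGNORECASE)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Excerpt of the report listing (two dropped files, three memory regions).
SAMPLE = r"""
C:\Windows\SysWOW64\Cdakgibq.exe

MD5 c725be8b24c4054afd5b49543a7987d7
SHA1 7921131e977f6a8cb457d03e6633be979de7cad7
SHA256 5f51d4d19530bfbd42f5e546fa84ae13bf11d8cd8d60504ab211dc38aa24a80f
SHA512 85050d955953914b1905b4b6127fd829b4e66a0194529312575ee0013350a633e97d27da54cc6477d0b9fa27e2eb6959987794cdd1fdef4fee038c9cc8bf02dc

C:\Windows\SysWOW64\Cljcelan.exe

MD5 ba00a27587e5078a599e192810c9a290
SHA1 a8cac7683d1b23f0cbb53e40bf13114ccdbff42a
SHA256 2cbdea4847bcb8d10da84ad246a18542043d39b27aea1963184452cc8f4f46b5
SHA512 a7a90cb86710d8ded53dadc3db31cdac99bc881f858c119579c15c195ad15eb878b77eaea3d1841e1c2def9615c7ef95074679554aca4e8424fa6f2bf3a9efd7

memory/2832-890-0x0000000000600000-0x0000000000642000-memory.dmp
memory/596-918-0x0000000000400000-0x0000000000442000-memory.dmp
memory/596-919-0x00000000002E0000-0x0000000000322000-memory.dmp
"""


def parse_listing(text):
    """Return ({path: {algo: digest}}, {pid: [(start, end), ...]})."""
    files, regions, current = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
            current = None  # digest lines after a memory entry belong to nothing
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            # Reject truncated or mangled digests before they reach a blocklist.
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{current}: {algo} has {len(digest)} hex chars, "
                                 f"expected {DIGEST_LEN[algo]}")
            files[current][algo] = digest
    return files, dict(regions)


def region_sizes(regions):
    """Per PID, the byte size of every dumped region."""
    return {pid: [end - start for start, end in spans] for pid, spans in regions.items()}


def pids_with_image_at(regions, base=0x400000):
    """PIDs with a dumped region starting at `base` (default 32-bit PE image base)."""
    return sorted(pid for pid, spans in regions.items() if any(s == base for s, _ in spans))


def sha256_set(files):
    """SHA256 digests of every listed dropped file, for matching on disk."""
    return {h["SHA256"] for h in files.values() if "SHA256" in h}


def _sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, wanted_sha256):
    """Hash every file under `root`; return paths whose SHA256 is in the set.
    Assumed helper for a host check, not something the report provides."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                if _sha256_file(p) in wanted_sha256:
                    hits.append(p)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
    return hits


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for path, hashes in files.items():
        print(path, hashes["SHA256"])
    print("region sizes:", region_sizes(regions))
    print("PIDs with image at 0x400000:", pids_with_image_at(regions))
```

Run it against the full listing (or paste the whole Files section into `SAMPLE`) to get one SHA256 per dropped name; feed `sha256_set(files)` to `scan_tree(r"C:\Windows\SysWOW64", ...)` on a suspect host, or to a blocklist. Because every dropped file here has a different digest, a single-hash rule will miss siblings; the stable signals across the set are the drop directory, the eight-letter names and the identical 0x42000-byte image size.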