Malware Analysis Report

2025-08-05 22:10

Sample ID 240509-rj4zpadf6w
Target 57c78fb75fd72214f567aa271203f320_NeikiAnalytics
SHA256 4735b82d0164fe639f7f121c98653d316f596d7d5029cd876d12aefe1d3bc8e7
Tags
backdoor dropper persistence trojan berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4735b82d0164fe639f7f121c98653d316f596d7d5029cd876d12aefe1d3bc8e7

Threat Level: Known bad

The file 57c78fb75fd72214f567aa271203f320_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

backdoor dropper persistence trojan berbew

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 14:14

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 14:14

Reported

2024-05-09 14:16

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ekholjqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ebinic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbdocc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Comimg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ankdiqih.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Beehencq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egdilkbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Oomhcbjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ojkboo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nfpjomgd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfflopdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Djbiicon.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdoclk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pfbccp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cphlljge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Afmonbqk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bdlblj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgknheej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dbbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nccjhafn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogjimd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afkbib32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chhjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Abmibdlh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aljgfioc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkaqmeah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Djpmccqq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Egdilkbf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nleiqhcg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjpkjond.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bhcdaibd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Efppoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pphjgfqq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Adhlaggp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djpmccqq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Apcfahio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ckffgg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddagfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ddagfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hahjpbad.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pelipl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckffgg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gangic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ampqjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bcaomf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gddifnbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qlhnbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Afdlhchf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnbkddem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gangic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doobajme.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mkobnqan.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkaocp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nleiqhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Njiijlbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfpjomgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nccjhafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Obigjnkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Oomhcbjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjpkihg.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqqapjnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ondajnme.exe N/A
N/A N/A C:\Windows\SysWOW64\Oenifh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojkboo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pphjgfqq.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfbccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcfcmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjpkjond.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppmdbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfflopdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmqdkj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppoqge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pelipl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plfamfpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabjem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlhnbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbbfopeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjmkcbcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qecoqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ankdiqih.exe N/A
N/A N/A C:\Windows\SysWOW64\Adhlaggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Affhncfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ampqjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmibdlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aigaon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alenki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Afmonbqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aljgfioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfagipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Banepo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdlblj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjlgiqbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpeofk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccdlbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjndop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkobnqan.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkobnqan.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkaocp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkaocp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nleiqhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nleiqhcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Njiijlbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Njiijlbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfpjomgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfpjomgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nccjhafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Nccjhafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Obigjnkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Obigjnkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Oomhcbjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Oomhcbjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjpkihg.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjpkihg.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqqapjnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqqapjnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ondajnme.exe N/A
N/A N/A C:\Windows\SysWOW64\Ondajnme.exe N/A
N/A N/A C:\Windows\SysWOW64\Oenifh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oenifh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojkboo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojkboo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pphjgfqq.exe N/A
N/A N/A C:\Windows\SysWOW64\Pphjgfqq.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfbccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfbccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcfcmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcfcmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjpkjond.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjpkjond.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppmdbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppmdbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfflopdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfflopdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmqdkj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmqdkj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppoqge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppoqge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pelipl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pelipl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plfamfpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Plfamfpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabjem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabjem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlhnbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlhnbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbbfopeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbbfopeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjmkcbcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjmkcbcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qecoqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qecoqk32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Bdlblj32.exe C:\Windows\SysWOW64\Banepo32.exe N/A
File created C:\Windows\SysWOW64\Hepmggig.dll C:\Windows\SysWOW64\Hdhbam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmqdkj32.exe C:\Windows\SysWOW64\Pfflopdh.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebbgid32.exe C:\Windows\SysWOW64\Ekholjqg.exe N/A
File created C:\Windows\SysWOW64\Mkobnqan.exe C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcnpbi32.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Cqmnhocj.dll C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Dobkmdfq.dll C:\Windows\SysWOW64\Aljgfioc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ccdlbf32.exe C:\Windows\SysWOW64\Cpeofk32.exe N/A
File created C:\Windows\SysWOW64\Ddokpmfo.exe C:\Windows\SysWOW64\Dbpodagk.exe N/A
File opened for modification C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Adhlaggp.exe N/A
File created C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bkaqmeah.exe N/A
File created C:\Windows\SysWOW64\Cgbdhd32.exe C:\Windows\SysWOW64\Cphlljge.exe N/A
File created C:\Windows\SysWOW64\Hejoiedd.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File created C:\Windows\SysWOW64\Fcmgmp32.dll C:\Windows\SysWOW64\Nleiqhcg.exe N/A
File created C:\Windows\SysWOW64\Ogjbla32.dll C:\Windows\SysWOW64\Eiomkn32.exe N/A
File created C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bhcdaibd.exe N/A
File opened for modification C:\Windows\SysWOW64\Qlhnbf32.exe C:\Windows\SysWOW64\Pabjem32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Dnlidb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcfcmd32.exe C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
File created C:\Windows\SysWOW64\Dchfknpg.dll C:\Windows\SysWOW64\Ealnephf.exe N/A
File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gopkmhjk.exe C:\Windows\SysWOW64\Gicbeald.exe N/A
File created C:\Windows\SysWOW64\Keledb32.dll C:\Windows\SysWOW64\Chemfl32.exe N/A
File created C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Ddagfm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Aljgfioc.exe N/A
File created C:\Windows\SysWOW64\Kpeliikc.dll C:\Windows\SysWOW64\Afmonbqk.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bhcdaibd.exe N/A
File created C:\Windows\SysWOW64\Qdccfh32.exe C:\Windows\SysWOW64\Qbbfopeg.exe N/A
File created C:\Windows\SysWOW64\Bhfbdd32.dll C:\Windows\SysWOW64\Abmibdlh.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Djpmccqq.exe N/A
File created C:\Windows\SysWOW64\Njqaac32.dll C:\Windows\SysWOW64\Ecmkghcl.exe N/A
File created C:\Windows\SysWOW64\Ohbepi32.dll C:\Windows\SysWOW64\Filldb32.exe N/A
File created C:\Windows\SysWOW64\Mmlblm32.dll C:\Windows\SysWOW64\Qjmkcbcb.exe N/A
File opened for modification C:\Windows\SysWOW64\Abmibdlh.exe C:\Windows\SysWOW64\Ampqjm32.exe N/A
File created C:\Windows\SysWOW64\Ffakeiib.dll C:\Windows\SysWOW64\Bcaomf32.exe N/A
File created C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
File created C:\Windows\SysWOW64\Hgpdcgoc.dll C:\Windows\SysWOW64\Hicodd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojkboo32.exe C:\Windows\SysWOW64\Oenifh32.exe N/A
File created C:\Windows\SysWOW64\Njcbaa32.dll C:\Windows\SysWOW64\Dbbkja32.exe N/A
File created C:\Windows\SysWOW64\Iaeldika.dll C:\Windows\SysWOW64\Fejgko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Beehencq.exe C:\Windows\SysWOW64\Bkodhe32.exe N/A
File created C:\Windows\SysWOW64\Lefmambf.dll C:\Windows\SysWOW64\Dmoipopd.exe N/A
File created C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Dqlafm32.exe N/A
File created C:\Windows\SysWOW64\Lmpnnmjg.dll C:\Windows\SysWOW64\Njiijlbp.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe C:\Windows\SysWOW64\Glfhll32.exe N/A
File created C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Djpmccqq.exe N/A
File created C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Odjpkihg.exe C:\Windows\SysWOW64\Oomhcbjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Oomhcbjp.exe C:\Windows\SysWOW64\Obigjnkf.exe N/A
File created C:\Windows\SysWOW64\Ppoqge32.exe C:\Windows\SysWOW64\Pmqdkj32.exe N/A
File created C:\Windows\SysWOW64\Afmonbqk.exe C:\Windows\SysWOW64\Apcfahio.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkobnqan.exe C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Gldkfl32.exe C:\Windows\SysWOW64\Gangic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Filldb32.exe N/A
File created C:\Windows\SysWOW64\Pnnclg32.dll C:\Windows\SysWOW64\Gangic32.exe N/A
File created C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Alenki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Flmefm32.exe C:\Windows\SysWOW64\Fbdqmghm.exe N/A
File created C:\Windows\SysWOW64\Bfekgp32.dll C:\Windows\SysWOW64\Flmefm32.exe N/A
File created C:\Windows\SysWOW64\Pabjem32.exe C:\Windows\SysWOW64\Plfamfpm.exe N/A
File created C:\Windows\SysWOW64\Mhfkbo32.dll C:\Windows\SysWOW64\Hcplhi32.exe N/A
File created C:\Windows\SysWOW64\Hpmgqnfl.exe C:\Windows\SysWOW64\Hicodd32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alenki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" C:\Windows\SysWOW64\Ebbgid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfofpak.dll" C:\Windows\SysWOW64\Pelipl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmoql32.dll" C:\Windows\SysWOW64\Plfamfpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" C:\Windows\SysWOW64\Enkece32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbpodagk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll" C:\Windows\SysWOW64\Djnpnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ondajnme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnpmipql.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djpmccqq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" C:\Windows\SysWOW64\Efppoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkodhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll" C:\Windows\SysWOW64\Ennaieib.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokefmej.dll" C:\Windows\SysWOW64\Affhncfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beehencq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmqdkj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Apcfahio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cciemedf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Djpmccqq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" C:\Windows\SysWOW64\Bgknheej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ccdlbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnefdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Doobajme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmgmp32.dll" C:\Windows\SysWOW64\Nleiqhcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgpfqll.dll" C:\Windows\SysWOW64\Qbbfopeg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ealnephf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piddlm32.dll" C:\Windows\SysWOW64\Oomhcbjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cjlgiqbk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fejgko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdmeemc.dll" C:\Windows\SysWOW64\Pmqdkj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cciemedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" C:\Windows\SysWOW64\Fnbkddem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Odjpkihg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bcaomf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Banepo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qdccfh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bbdocc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpfdalii.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gldkfl32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe C:\Windows\SysWOW64\Mkobnqan.exe
PID 1988 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe C:\Windows\SysWOW64\Mkobnqan.exe
PID 1988 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe C:\Windows\SysWOW64\Mkobnqan.exe
PID 1988 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe C:\Windows\SysWOW64\Mkobnqan.exe
PID 1336 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Mkobnqan.exe C:\Windows\SysWOW64\Nkaocp32.exe
PID 1336 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Mkobnqan.exe C:\Windows\SysWOW64\Nkaocp32.exe
PID 1336 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Mkobnqan.exe C:\Windows\SysWOW64\Nkaocp32.exe
PID 1336 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Mkobnqan.exe C:\Windows\SysWOW64\Nkaocp32.exe
PID 2688 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Nkaocp32.exe C:\Windows\SysWOW64\Nleiqhcg.exe
PID 2688 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Nkaocp32.exe C:\Windows\SysWOW64\Nleiqhcg.exe
PID 2688 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Nkaocp32.exe C:\Windows\SysWOW64\Nleiqhcg.exe
PID 2688 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Nkaocp32.exe C:\Windows\SysWOW64\Nleiqhcg.exe
PID 2608 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Nleiqhcg.exe C:\Windows\SysWOW64\Njiijlbp.exe
PID 2608 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Nleiqhcg.exe C:\Windows\SysWOW64\Njiijlbp.exe
PID 2608 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Nleiqhcg.exe C:\Windows\SysWOW64\Njiijlbp.exe
PID 2608 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Nleiqhcg.exe C:\Windows\SysWOW64\Njiijlbp.exe
PID 2528 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Njiijlbp.exe C:\Windows\SysWOW64\Nfpjomgd.exe
PID 2528 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Njiijlbp.exe C:\Windows\SysWOW64\Nfpjomgd.exe
PID 2528 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Njiijlbp.exe C:\Windows\SysWOW64\Nfpjomgd.exe
PID 2528 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Njiijlbp.exe C:\Windows\SysWOW64\Nfpjomgd.exe
PID 2508 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Nfpjomgd.exe C:\Windows\SysWOW64\Nccjhafn.exe
PID 2508 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Nfpjomgd.exe C:\Windows\SysWOW64\Nccjhafn.exe
PID 2508 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Nfpjomgd.exe C:\Windows\SysWOW64\Nccjhafn.exe
PID 2508 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Nfpjomgd.exe C:\Windows\SysWOW64\Nccjhafn.exe
PID 2540 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Nccjhafn.exe C:\Windows\SysWOW64\Obigjnkf.exe
PID 2540 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Nccjhafn.exe C:\Windows\SysWOW64\Obigjnkf.exe
PID 2540 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Nccjhafn.exe C:\Windows\SysWOW64\Obigjnkf.exe
PID 2540 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Nccjhafn.exe C:\Windows\SysWOW64\Obigjnkf.exe
PID 2588 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Obigjnkf.exe C:\Windows\SysWOW64\Oomhcbjp.exe
PID 2588 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Obigjnkf.exe C:\Windows\SysWOW64\Oomhcbjp.exe
PID 2588 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Obigjnkf.exe C:\Windows\SysWOW64\Oomhcbjp.exe
PID 2588 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Obigjnkf.exe C:\Windows\SysWOW64\Oomhcbjp.exe
PID 1892 wrote to memory of 340 N/A C:\Windows\SysWOW64\Oomhcbjp.exe C:\Windows\SysWOW64\Odjpkihg.exe
PID 1892 wrote to memory of 340 N/A C:\Windows\SysWOW64\Oomhcbjp.exe C:\Windows\SysWOW64\Odjpkihg.exe
PID 1892 wrote to memory of 340 N/A C:\Windows\SysWOW64\Oomhcbjp.exe C:\Windows\SysWOW64\Odjpkihg.exe
PID 1892 wrote to memory of 340 N/A C:\Windows\SysWOW64\Oomhcbjp.exe C:\Windows\SysWOW64\Odjpkihg.exe
PID 340 wrote to memory of 1616 N/A C:\Windows\SysWOW64\Odjpkihg.exe C:\Windows\SysWOW64\Oqqapjnk.exe
PID 340 wrote to memory of 1616 N/A C:\Windows\SysWOW64\Odjpkihg.exe C:\Windows\SysWOW64\Oqqapjnk.exe
PID 340 wrote to memory of 1616 N/A C:\Windows\SysWOW64\Odjpkihg.exe C:\Windows\SysWOW64\Oqqapjnk.exe
PID 340 wrote to memory of 1616 N/A C:\Windows\SysWOW64\Odjpkihg.exe C:\Windows\SysWOW64\Oqqapjnk.exe
PID 1616 wrote to memory of 3012 N/A C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Ogjimd32.exe
PID 1616 wrote to memory of 3012 N/A C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Ogjimd32.exe
PID 1616 wrote to memory of 3012 N/A C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Ogjimd32.exe
PID 1616 wrote to memory of 3012 N/A C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Ogjimd32.exe
PID 3012 wrote to memory of 1704 N/A C:\Windows\SysWOW64\Ogjimd32.exe C:\Windows\SysWOW64\Ondajnme.exe
PID 3012 wrote to memory of 1704 N/A C:\Windows\SysWOW64\Ogjimd32.exe C:\Windows\SysWOW64\Ondajnme.exe
PID 3012 wrote to memory of 1704 N/A C:\Windows\SysWOW64\Ogjimd32.exe C:\Windows\SysWOW64\Ondajnme.exe
PID 3012 wrote to memory of 1704 N/A C:\Windows\SysWOW64\Ogjimd32.exe C:\Windows\SysWOW64\Ondajnme.exe
PID 1704 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Ondajnme.exe C:\Windows\SysWOW64\Oenifh32.exe
PID 1704 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Ondajnme.exe C:\Windows\SysWOW64\Oenifh32.exe
PID 1704 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Ondajnme.exe C:\Windows\SysWOW64\Oenifh32.exe
PID 1704 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Ondajnme.exe C:\Windows\SysWOW64\Oenifh32.exe
PID 1752 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Oenifh32.exe C:\Windows\SysWOW64\Ojkboo32.exe
PID 1752 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Oenifh32.exe C:\Windows\SysWOW64\Ojkboo32.exe
PID 1752 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Oenifh32.exe C:\Windows\SysWOW64\Ojkboo32.exe
PID 1752 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Oenifh32.exe C:\Windows\SysWOW64\Ojkboo32.exe
PID 1656 wrote to memory of 484 N/A C:\Windows\SysWOW64\Ojkboo32.exe C:\Windows\SysWOW64\Pphjgfqq.exe
PID 1656 wrote to memory of 484 N/A C:\Windows\SysWOW64\Ojkboo32.exe C:\Windows\SysWOW64\Pphjgfqq.exe
PID 1656 wrote to memory of 484 N/A C:\Windows\SysWOW64\Ojkboo32.exe C:\Windows\SysWOW64\Pphjgfqq.exe
PID 1656 wrote to memory of 484 N/A C:\Windows\SysWOW64\Ojkboo32.exe C:\Windows\SysWOW64\Pphjgfqq.exe
PID 484 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Pphjgfqq.exe C:\Windows\SysWOW64\Pfbccp32.exe
PID 484 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Pphjgfqq.exe C:\Windows\SysWOW64\Pfbccp32.exe
PID 484 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Pphjgfqq.exe C:\Windows\SysWOW64\Pfbccp32.exe
PID 484 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Pphjgfqq.exe C:\Windows\SysWOW64\Pfbccp32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Mkobnqan.exe

C:\Windows\system32\Mkobnqan.exe

C:\Windows\SysWOW64\Nkaocp32.exe

C:\Windows\system32\Nkaocp32.exe

C:\Windows\SysWOW64\Nleiqhcg.exe

C:\Windows\system32\Nleiqhcg.exe

C:\Windows\SysWOW64\Njiijlbp.exe

C:\Windows\system32\Njiijlbp.exe

C:\Windows\SysWOW64\Nfpjomgd.exe

C:\Windows\system32\Nfpjomgd.exe

C:\Windows\SysWOW64\Nccjhafn.exe

C:\Windows\system32\Nccjhafn.exe

C:\Windows\SysWOW64\Obigjnkf.exe

C:\Windows\system32\Obigjnkf.exe

C:\Windows\SysWOW64\Oomhcbjp.exe

C:\Windows\system32\Oomhcbjp.exe

C:\Windows\SysWOW64\Odjpkihg.exe

C:\Windows\system32\Odjpkihg.exe

C:\Windows\SysWOW64\Oqqapjnk.exe

C:\Windows\system32\Oqqapjnk.exe

C:\Windows\SysWOW64\Ogjimd32.exe

C:\Windows\system32\Ogjimd32.exe

C:\Windows\SysWOW64\Ondajnme.exe

C:\Windows\system32\Ondajnme.exe

C:\Windows\SysWOW64\Oenifh32.exe

C:\Windows\system32\Oenifh32.exe

C:\Windows\SysWOW64\Ojkboo32.exe

C:\Windows\system32\Ojkboo32.exe

C:\Windows\SysWOW64\Pphjgfqq.exe

C:\Windows\system32\Pphjgfqq.exe

C:\Windows\SysWOW64\Pfbccp32.exe

C:\Windows\system32\Pfbccp32.exe

C:\Windows\SysWOW64\Pmlkpjpj.exe

C:\Windows\system32\Pmlkpjpj.exe

C:\Windows\SysWOW64\Pcfcmd32.exe

C:\Windows\system32\Pcfcmd32.exe

C:\Windows\SysWOW64\Pjpkjond.exe

C:\Windows\system32\Pjpkjond.exe

C:\Windows\SysWOW64\Ppmdbe32.exe

C:\Windows\system32\Ppmdbe32.exe

C:\Windows\SysWOW64\Pfflopdh.exe

C:\Windows\system32\Pfflopdh.exe

C:\Windows\SysWOW64\Pmqdkj32.exe

C:\Windows\system32\Pmqdkj32.exe

C:\Windows\SysWOW64\Ppoqge32.exe

C:\Windows\system32\Ppoqge32.exe

C:\Windows\SysWOW64\Pelipl32.exe

C:\Windows\system32\Pelipl32.exe

C:\Windows\SysWOW64\Plfamfpm.exe

C:\Windows\system32\Plfamfpm.exe

C:\Windows\SysWOW64\Pabjem32.exe

C:\Windows\system32\Pabjem32.exe

C:\Windows\SysWOW64\Qlhnbf32.exe

C:\Windows\system32\Qlhnbf32.exe

C:\Windows\SysWOW64\Qbbfopeg.exe

C:\Windows\system32\Qbbfopeg.exe

C:\Windows\SysWOW64\Qdccfh32.exe

C:\Windows\system32\Qdccfh32.exe

C:\Windows\SysWOW64\Qjmkcbcb.exe

C:\Windows\system32\Qjmkcbcb.exe

C:\Windows\SysWOW64\Qecoqk32.exe

C:\Windows\system32\Qecoqk32.exe

C:\Windows\SysWOW64\Afdlhchf.exe

C:\Windows\system32\Afdlhchf.exe

C:\Windows\SysWOW64\Ankdiqih.exe

C:\Windows\system32\Ankdiqih.exe

C:\Windows\SysWOW64\Adhlaggp.exe

C:\Windows\system32\Adhlaggp.exe

C:\Windows\SysWOW64\Affhncfc.exe

C:\Windows\system32\Affhncfc.exe

C:\Windows\SysWOW64\Ampqjm32.exe

C:\Windows\system32\Ampqjm32.exe

C:\Windows\SysWOW64\Abmibdlh.exe

C:\Windows\system32\Abmibdlh.exe

C:\Windows\SysWOW64\Aigaon32.exe

C:\Windows\system32\Aigaon32.exe

C:\Windows\SysWOW64\Alenki32.exe

C:\Windows\system32\Alenki32.exe

C:\Windows\SysWOW64\Afkbib32.exe

C:\Windows\system32\Afkbib32.exe

C:\Windows\SysWOW64\Apcfahio.exe

C:\Windows\system32\Apcfahio.exe

C:\Windows\SysWOW64\Afmonbqk.exe

C:\Windows\system32\Afmonbqk.exe

C:\Windows\SysWOW64\Aepojo32.exe

C:\Windows\system32\Aepojo32.exe

C:\Windows\SysWOW64\Aljgfioc.exe

C:\Windows\system32\Aljgfioc.exe

C:\Windows\SysWOW64\Bbdocc32.exe

C:\Windows\system32\Bbdocc32.exe

C:\Windows\SysWOW64\Bingpmnl.exe

C:\Windows\system32\Bingpmnl.exe

C:\Windows\SysWOW64\Bkodhe32.exe

C:\Windows\system32\Bkodhe32.exe

C:\Windows\SysWOW64\Beehencq.exe

C:\Windows\system32\Beehencq.exe

C:\Windows\SysWOW64\Bhcdaibd.exe

C:\Windows\system32\Bhcdaibd.exe

C:\Windows\SysWOW64\Bkaqmeah.exe

C:\Windows\system32\Bkaqmeah.exe

C:\Windows\SysWOW64\Bnpmipql.exe

C:\Windows\system32\Bnpmipql.exe

C:\Windows\SysWOW64\Bhfagipa.exe

C:\Windows\system32\Bhfagipa.exe

C:\Windows\SysWOW64\Bkdmcdoe.exe

C:\Windows\system32\Bkdmcdoe.exe

C:\Windows\SysWOW64\Banepo32.exe

C:\Windows\system32\Banepo32.exe

C:\Windows\SysWOW64\Bdlblj32.exe

C:\Windows\system32\Bdlblj32.exe

C:\Windows\SysWOW64\Bgknheej.exe

C:\Windows\system32\Bgknheej.exe

C:\Windows\SysWOW64\Bnefdp32.exe

C:\Windows\system32\Bnefdp32.exe

C:\Windows\SysWOW64\Bcaomf32.exe

C:\Windows\system32\Bcaomf32.exe

C:\Windows\SysWOW64\Cjlgiqbk.exe

C:\Windows\system32\Cjlgiqbk.exe

C:\Windows\SysWOW64\Cpeofk32.exe

C:\Windows\system32\Cpeofk32.exe

C:\Windows\SysWOW64\Ccdlbf32.exe

C:\Windows\system32\Ccdlbf32.exe

C:\Windows\SysWOW64\Cjndop32.exe

C:\Windows\system32\Cjndop32.exe

C:\Windows\SysWOW64\Cphlljge.exe

C:\Windows\system32\Cphlljge.exe

C:\Windows\SysWOW64\Cgbdhd32.exe

C:\Windows\system32\Cgbdhd32.exe

C:\Windows\SysWOW64\Cjpqdp32.exe

C:\Windows\system32\Cjpqdp32.exe

C:\Windows\SysWOW64\Comimg32.exe

C:\Windows\system32\Comimg32.exe

C:\Windows\SysWOW64\Cciemedf.exe

C:\Windows\system32\Cciemedf.exe

C:\Windows\SysWOW64\Chemfl32.exe

C:\Windows\system32\Chemfl32.exe

C:\Windows\SysWOW64\Chhjkl32.exe

C:\Windows\system32\Chhjkl32.exe

C:\Windows\SysWOW64\Ckffgg32.exe

C:\Windows\system32\Ckffgg32.exe

C:\Windows\SysWOW64\Dbpodagk.exe

C:\Windows\system32\Dbpodagk.exe

C:\Windows\SysWOW64\Ddokpmfo.exe

C:\Windows\system32\Ddokpmfo.exe

C:\Windows\SysWOW64\Dgmglh32.exe

C:\Windows\system32\Dgmglh32.exe

C:\Windows\SysWOW64\Dodonf32.exe

C:\Windows\system32\Dodonf32.exe

C:\Windows\SysWOW64\Dbbkja32.exe

C:\Windows\system32\Dbbkja32.exe

C:\Windows\SysWOW64\Ddagfm32.exe

C:\Windows\system32\Ddagfm32.exe

C:\Windows\SysWOW64\Dhmcfkme.exe

C:\Windows\system32\Dhmcfkme.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Djpmccqq.exe

C:\Windows\system32\Djpmccqq.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dgdmmgpj.exe

C:\Windows\system32\Dgdmmgpj.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Dqlafm32.exe

C:\Windows\system32\Dqlafm32.exe

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Ekholjqg.exe

C:\Windows\system32\Ekholjqg.exe

C:\Windows\SysWOW64\Ebbgid32.exe

C:\Windows\system32\Ebbgid32.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Efppoc32.exe

C:\Windows\system32\Efppoc32.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Egdilkbf.exe

C:\Windows\system32\Egdilkbf.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Gopkmhjk.exe

C:\Windows\system32\Gopkmhjk.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 140

Network

N/A

Files

memory/1988-0-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1988-6-0x0000000000250000-0x0000000000293000-memory.dmp

\Windows\SysWOW64\Mkobnqan.exe

MD5 ca052f9f58f4f9210b406a213c2c85d1
SHA1 9d41517cde7ac586d0fff743a102bbb44927b95e
SHA256 99ef6d1df3d1573d3f485e908b0b63550be37874b0e8a9656aaabcde3365da36
SHA512 c026f6272288ae9d9293f148d52a9538e0d7118d29b437ab72d46616eb4964ed1295d1c3bf02db6e208265e872a7d9e2857ffa82ea453a6d2b6fdebaa4973067

memory/2688-27-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1336-26-0x0000000000250000-0x0000000000293000-memory.dmp

memory/1336-25-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Nkaocp32.exe

MD5 8b68dee571fabe1ba205be2c94cf4bcd
SHA1 afd7933e854cef7f8e3b49a334533bc209287866
SHA256 391d6c46466067eb07000e379d7f64a3a4b04d170b60ae6d40d5f61dba983269
SHA512 34b1938fc81cf2344e8aca43ec1251cbec7be09e14ad3b96bcd7df2d16414888b57eb0ffe70db7954e98ac2287ac80943fcdf28ec6c3350bfaa7e320b0541df2

\Windows\SysWOW64\Nleiqhcg.exe

MD5 b201d44d3cc5f95ae438b16d98f0b4e8
SHA1 bd16fafb93498e44138962254508e9038696ab19
SHA256 35d765cb6c15e1b5f1ef5e325fc46b22f8482b70cd14b226b0814eac39808f96
SHA512 aa4cf8394a731ad6d13c3e2ba16d1287bf421a0e1bc50dbc54f605747a25d03c98690abac5927d7750af6bfd7c5b26ae13e8ce8e64aa9ac791cac7d68e8f0ea1

memory/2688-35-0x0000000000270000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Njiijlbp.exe

MD5 b1529b65ec3dd72cf034387951f2e6e4
SHA1 7e26b8fd6d1756709ec6366d3e5a0480446a2051
SHA256 ef3e38b39054168c06ed43e77811c05c949b0e2d93c1df44f94f7d967be38ad7
SHA512 29340419b1919310d675967a38265833d057424dba4f3fa67330f5dd374df6301cee5654366e29f403ba003dafdca93f9ad680f62c8c0e17b32e5b5d241c0283

memory/2608-53-0x0000000000260000-0x00000000002A3000-memory.dmp

memory/2528-54-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lmpnnmjg.dll

MD5 9e362f26863f426957fd650c94379c40
SHA1 3e2399ce5364626cd8b6a90857bf049704246c37
SHA256 c5b224f006e9d0a143e1b363bde75ce0574b9c376a300fd404a60b501a296788
SHA512 4738cb32fe7da4223d476aa8946320830db98de81ec955c06a23fedfc5036e167e3022a92e62b51c911448df9ee235580d30414afae4cc943d1ab58fce14d1a6

\Windows\SysWOW64\Nfpjomgd.exe

MD5 86a601f430db2dcfa26e5baade9c3a6f
SHA1 8587a4ceec1bcf62c91b7e9f955da85ab1eabe1a
SHA256 b23adf6f471aaca055bd28cad93cfaea7c858d74a7dbb632a13ad55a45d910c5
SHA512 441c67ea812cfcea683ace96711d92a112303ac046f10023aefc3b9ac219585c4fb9c9fb952d631c231e6db88279ded9fb9ce7db1db786d1c4d90d51d6d2e80e

memory/2528-62-0x0000000000310000-0x0000000000353000-memory.dmp

\Windows\SysWOW64\Nccjhafn.exe

MD5 2fd1eaf4342a79dd41e060bdc0ace54f
SHA1 6f0e8cd89c9de0667bcfd3930fd8c66bd412acfb
SHA256 48d2cd8c49e208f8dbf7ca5a3389372bd88676f5167f2c0a3862480da2d03c60
SHA512 d9b0c1f3640b23f4b0950c3802f1d408e6f232f89a0ae4d5f85cb6bb15752e24761b20b230ba0f9f50df69405af511753a463a1aeee8331e35b4680b356ac2f3

memory/2508-75-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2540-81-0x0000000000400000-0x0000000000443000-memory.dmp

\Windows\SysWOW64\Obigjnkf.exe

MD5 3ec88bae3a59de434e2a307f09105bad
SHA1 cbad856188dcea16aa7990f03bb5d95735fa4ca2
SHA256 7ef25456b5df79ff26bbeb37471894007d8cb2598c0a93edb5645a036cbb373f
SHA512 32ceb18aeda391d0e007c0fc59e2779cf80288d8c7b8cbe242210a7e75a3aaa78505c39d6c9cd1a53836d0a9c27653bee1728fa17c6a07b65951e7cd8f7be6cc

memory/2540-89-0x0000000000340000-0x0000000000383000-memory.dmp

memory/2540-94-0x0000000000340000-0x0000000000383000-memory.dmp

C:\Windows\SysWOW64\Oomhcbjp.exe

MD5 4a7ce57ea879b8a796bb747c40a838bf
SHA1 9a92d1b3553128fd97776c7804b04b79f476b915
SHA256 1412887dbebc976a91a2cedb3758874aed54c143b3b405f6dc751ba3893dce55
SHA512 8bd9dd6b6664736e3230035aab6e220c08c5e51608b537a861c082da7d02ea65d0c917927ddd0f19d28406956ffcb1fc2dfdd2585968f8712189c974c6118eb0

memory/1892-109-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2588-108-0x0000000000250000-0x0000000000293000-memory.dmp

\Windows\SysWOW64\Odjpkihg.exe

MD5 b62e59ce19a15809422bc2ccb36bbdbc
SHA1 350c9e5a2d93954fcc518036f3c5f68497d00b8c
SHA256 4435896e422e1f6a271ce4eef0084c67317373d0db9a12e1e3b2f918fd436963
SHA512 707f46954773d1f4dff99000f5c11f1f77b684918c2e7f1ae00209877c3db3886abcd565993b00388847ea7dca205a0c98d167639405d9dbd53cf1b7127f17f4

memory/340-123-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1892-122-0x0000000000450000-0x0000000000493000-memory.dmp

C:\Windows\SysWOW64\Oqqapjnk.exe

MD5 b58d2c9acacb3616cc3daf2783b68562
SHA1 3d1190d32315d96f8d6a21291a6d647b6e083c27
SHA256 7da24c84e10589fbad10a4c1610f9c3590db3a08b50471ecb1364e8019f2b23b
SHA512 d189daa6f10b692a2fda231edbfd2b338b516595450a437218cc58f52846d8135b17f6d73e1bf17decc9a3e5d3b8683cd1dd8b8ffa38930cd0232d3a217c564f

memory/1616-137-0x0000000000400000-0x0000000000443000-memory.dmp

memory/340-136-0x0000000000260000-0x00000000002A3000-memory.dmp

\Windows\SysWOW64\Ogjimd32.exe

MD5 44da1d8f74dd763de99edd99dd713fb0
SHA1 87229230e601e9ed3fb72d8b324ccfeec85ea800
SHA256 55bd87d906c3a435e4e2436d4d1c093ca6e999f17f9d6055e03c6cfe69f9db32
SHA512 0cef3b5a922d1447ce3f59a82b5e192537f5baf98f8f27e89c854eb0b9c8b3f3f58ff531c9a4f2e676537ad2b2e05d9df3a0727c7e83d21d91ad6b4cf604aba1

memory/3012-156-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1704-165-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1752-181-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Oenifh32.exe

MD5 793307ece88301aeb22dacff72ce897c
SHA1 0a8b2a93dce882028d51155c19e678930d6dd3c2
SHA256 1a8cd3b23db87f16579052f57f308b420b6b8cad1c14686554c311bfa8811b38
SHA512 a65a23f0c44989246363e7bd0dde1bb299dc119c98ce9e7c8915e45d675e9345c40c8d08c501135f5362489b27e2ab52ab8ba715a9cbef1dd1075ecda35a788f

C:\Windows\SysWOW64\Pfbccp32.exe

MD5 18b7324794b62c66215997b3b7a1b7ce
SHA1 9ebc21cf4e4f09014ff735737602b29b3cb82e6f
SHA256 329b55c82448a48b45103898f31a92964e8e2b45abaca62ef3a900e0257d0d78
SHA512 e5b5a6959f3c6a15b1710bb08656784714acc89976f142cf9c7d02daa90f018795de1586c63b1cc78546ce47ef4ecc29b5a311874a43969c3d0835a7bc4b5e40

memory/968-234-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1100-244-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1508-252-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Pfflopdh.exe

MD5 32300fa08b123b4b2022b8cb44a6f3ba
SHA1 79ac567d6ced3d094ed3110fe39d6a029a6a040a
SHA256 b6750b7f767dffddb7853d2f3e7500ef5e37c931dca22c9f2bb132e3cfc95ab5
SHA512 b1178b5e52cfed65083a4098b89d8c8b9f436ffc405aab964ecb4686a9fc105ad31be03e7e4859509daed62b57cc8e04a87e67db126279f1543ca2fe3cfbb5f2

C:\Windows\SysWOW64\Plfamfpm.exe

MD5 e1ecf28301afae6739972ebf6299decd
SHA1 6f6bd45cb8cde8ac4b4311574704490d9eddbdaa
SHA256 b95cae8104da37b588a846dc5b0836868d1e11330bd2d8f9868b455bbd31c555
SHA512 d0689be485a98ea8f00928466856dc17b232593ee02f8f3c3adb59a3278819f10fa2c6b6f7af7b4bf2e208c2cbc2a3bd151f0ef6763276d364f73b42c3426c82

memory/1880-326-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2512-376-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2172-425-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Aigaon32.exe

MD5 20621cdbdd3d297fe91b6c670b0f5a11
SHA1 efb85a64c5b2393cf3e77f6120ffc2962ff0ae84
SHA256 8ce3fa57b0e110337f77c89cad3de780191899c51cd5b6f11d3bc68d182ab2cb
SHA512 11a26f09bd74902fdf06864e35eacf7d67c8fae1ce1a366606d1a844f0676d60b11b326628605de204c504bb0532ef5c92c5ac11969f328df0ccab7ea65f90ef

memory/2072-471-0x0000000000400000-0x0000000000443000-memory.dmp

memory/332-479-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Apcfahio.exe

MD5 6ad49a54197659ba7f20bea1081e3729
SHA1 2b79ad1dd77fda0c66bf5e2d2bba002a47141c36
SHA256 6b8a5dec6e703deea4739c0822281148894e1b2d36fd2ebf9ef3c54de5a90690
SHA512 f8bb1167577b93313e6cf3821358ac72447fa7c3ff728296b030b8b333ed0ab1d7620f5fe2ec26a9bca63b500de7e1ec447b0c28d32028302acd8a59ea5fa8f5

C:\Windows\SysWOW64\Aepojo32.exe

MD5 45bf5db79410d7f0fbe04cd99a0e1b76
SHA1 6faf48da5bae51214cfaf498ccc5a8418740f1f1
SHA256 e3a2bde99243657be84fd74e293dbbf57649c4a42e1067f44dd4d9318ebcf29c
SHA512 ecb754fdf0b24a5a91d7aff05313a7a031722605e41a05f8d9deb780120eb73bf2e9fff47c325715f02808a6744aa342ef766371df1f42ecad52cb5ce11ceb3a

C:\Windows\SysWOW64\Aljgfioc.exe

MD5 5612b8c2f783380d825d2329b164ad93
SHA1 6274ed9d839138c393db63107f516ce37a4722c6
SHA256 3fc8a802588180cb6f124e55554e3c1711cbb31a273c59cc9ddea970e21bdff7
SHA512 4459fa1fda58d6f7aafb50167b901138c78cc4b6773e8502c6831715a5d26a6603f14c3d958b5a796dc04614cfb32184de014113adba8c2fd790e571d71017c0

C:\Windows\SysWOW64\Bkdmcdoe.exe

MD5 51af79c273d512be8eda231c19823c49
SHA1 f4f76d5a93a8373f2c08b79c197f14e2de4471de
SHA256 79d51bac7dd53f7c70c5b397511f876f7b1e022d08513ab559262a12e01133a6
SHA512 3c3896f0ac951a1a18649f7ec1b7b10e2145fb3424101489fa5ec2428ea509d9e00e9597912b22a71d01acf06633d779a39751c36e64a22eb666625891488c5e

C:\Windows\SysWOW64\Banepo32.exe

MD5 af722a708732cc320842166e2fcd4e6a
SHA1 c113f31177d3bbe5ac7013a454910b65bc037f83
SHA256 a7e8a92c3052df5644bff1c7241ace41585c09fedf71536fb875e711be6ee301
SHA512 5474b3ee1aa9ee743f4bc53895e2b5262a71b012f599f1c10093145852761f1d6c66709baccf5e1ee725f68b7058b1214e9e79661ad94d655f5c9034dcc0c4f1

C:\Windows\SysWOW64\Bnefdp32.exe

MD5 75b289d80cb13c4fab3217ccd6eb10b9
SHA1 5ef7b556f2284ed49f547bc783cd74da6a7d4993
SHA256 bdedbdf5e068795ac5b822658fe2d55cfb62c5d93eb806fcd0f992bc2dfff704
SHA512 3579dac185e64b6aa532bd95e4b67a9583b46ef2dbf1dd89f4ff129cf0e31dab61ee775197a008dceae45a04eb3a9c5b866312867060e080a2ed908fcdb97bbf

C:\Windows\SysWOW64\Cjlgiqbk.exe

MD5 2b73c4c868309d24fd841d4cd704ac6f
SHA1 6c6f21524c3e9bfecaeb6923b06563ec29b822e9
SHA256 b83fa97448df35e1cb29a5c0d64ebe7b5e2164b1a6145413946d813aa0f9723e
SHA512 c2f08113179a03eaf053a77dc4eb2500cbef42c4e23f69569984534f520f2c61c1ca8ca991b9807b00aa7034decb68e35c8a86b0497136a12b0a00a881590ec2

C:\Windows\SysWOW64\Ccdlbf32.exe

MD5 0baf6756ebe9c768ea736f786e2406db
SHA1 648f52924f9e1f9368410ac8e7d6a06caec98cb8
SHA256 3de3106f265c20cfc739a20bb9367e8f5780731c1ac44029672e41f984aef732
SHA512 fb35ad575f592f4873d36d52433783bcec2a56061566994d6a3bc932f10eb5858b3a4ff68cbc37182791ff8544c41040b5d19755387a0318281c54e174a0533a

C:\Windows\SysWOW64\Cphlljge.exe

MD5 5a989355608115ff9b2de4aa8053c743
SHA1 cdbae80daaaedc05695790cfdbbd8be48c4dc48a
SHA256 f04a96b7bd258b8c39cf0739af9cf7ddc37a6c241065581be6d8bed001d88500
SHA512 7455be4dfb2f42b0313432aec764a58364dd365118adf86d279ba1e6e0a7b5ace91a2c5350d6003df358457594209c84aab3a25e214197220c2e524e12a9b57f

C:\Windows\SysWOW64\Cgbdhd32.exe

MD5 418a639014454c27bdf4be6855a509e3
SHA1 f7ba3795a0cd704d99b9fb6008948c7e0cfdb86a
SHA256 93f2b8feed523c5aec104a836549ad506b55b23f3f407808b2b3c4962e8ee4b1
SHA512 b22f9cf480103e616f38eee08d36a60d7e8dc234e28de1ad0d95f8bbd6c1957bffcc6969b6722f4dd8d20d211348b41f2b360f5d922b9be06eb473edcd20301d

C:\Windows\SysWOW64\Cjpqdp32.exe

MD5 1123fad0a753fd52b28246957c08f622
SHA1 0921620515cae5bbc9e7c5cb03365dab006c3714
SHA256 0c271db9553b3bfd1b79f4779a295f7e150858fd3810d8a39e5a1cef57812875
SHA512 18b97646532440378abd1d7bc0d4ec0cd107c22864d5a5593d35899619faa8bf20353bb3766d1fdf25687aeb2da4e4752963b9682546e046ab177f12bf1214b2

C:\Windows\SysWOW64\Cjndop32.exe

MD5 334803c73b6b66f2e34d5c94e277a233
SHA1 7c5d41c98256d02cde824b37da486a3ecc4b40d5
SHA256 9fc84b86c2389f8d9c05b3af34e9e424d7fe02f679d4ae8749fbe9d51ca4f42e
SHA512 1b31dbbd5f9c03383b0fd55299fc124dbd6eafc5428c0e22afa3a0352cea3802e9ad2d0589242d59fec986d77bec3ad4cdf81f4b5741653f983dc790c3947498

C:\Windows\SysWOW64\Cpeofk32.exe

MD5 93822815692a6cf038af44658f2a430b
SHA1 b84afc32cbb7bf1b4f0857c934087dd129e90bef
SHA256 0efe5a4ef1d0312aa7ec02ed2d7e5e66ce0194165c3187a819ffe1c13e8f8afd
SHA512 4619cfd740a9085c2efa0b8124ee0a6c6ddf2ccbde9c4e20d80116cae02281e7c760aeaa1c063cb22364c27491324ec82cdb21b0aa446a1a3e31f3c8d6e1a32e

C:\Windows\SysWOW64\Comimg32.exe

MD5 fade7de2e5bba3f9270551b736a7b3c0
SHA1 c7a7d4a6c7ca92d4f35dd5eca0a4369ba3b3c145
SHA256 da1ac23753dbfa4d0fb40f3745a1d4970491bae45c9f6a97050df70f8ea54191
SHA512 68c141385ad865b1b5f4cd1b55864ab988081bccbd9e51aacfbb3962bf4eb1fbe1f471f7f124da0cb17da6cbefa54733357f624994a41999510b3a89c050bfd5

C:\Windows\SysWOW64\Cciemedf.exe

MD5 8f86752ae8e3e6fd8efea9ea8b4f8696
SHA1 618bc5858d297928e1baf632841a4b800ade44a9
SHA256 df1d8750564d62409cd630988b480054a42c6825ddc4ef80bbb53b1534bfb764
SHA512 9e69ca9d100cb3a4ca569ad9b7e95855fcb1c6b776d4eaad61ed35fdfdde6380c26ee109c5257373e0dff81be1018e0cdf35c3516e3e13cf07f5cfd23d5bd123

C:\Windows\SysWOW64\Bcaomf32.exe

MD5 d82e78c00e90d8e4b1ab0980c8a52683
SHA1 4b4ddaba9beee299e2b785564be037ba22c713d8
SHA256 22753ac17b4e1f0f9838fcc776bb480509b0facce758950ab090687221a54249
SHA512 1640e7111ca95349032ccf6cb9e179574805eeabb1c9c091e84dc0ad79b81aa7ece4446e7a139d8ea6da27002cad04ce40964ed91b753a9c606138326d39dd9c

C:\Windows\SysWOW64\Chemfl32.exe

MD5 8b1d4e85c3fce04b00231f02a9a77d5c
SHA1 edc2f96246f86ba4af8689edc14b0135a1703ea3
SHA256 86902da5235b9111c3fc2abcd93fb944c35beeaf2117cedbd85540d8449ef6f6
SHA512 ee9bb71a249abe23b6cdae5f58cbbbeae9b69f21d05b5826ce40e2b166f0a058920ef8e3aa897f30842716eac17905f2bf0f56b99e03ebf42781422c9f090105

C:\Windows\SysWOW64\Bgknheej.exe

MD5 23121ed04cb1de7c2d152ced038e5762
SHA1 d7c5d7df60db11ea0ef28cab8bffd5fe2d7668b4
SHA256 a477b1de334d8f898cedd0380436a32cf3fadd8a53e304f11957c793c6670382
SHA512 f33f0ecb588690e1bee4f3a08bcfd39863f17a6d2dbd85c92e2142c388959ed4ac13997fac1ced7a7c5fdd9ddab441431a2ec192c8243110b01674268e3bd7a4

C:\Windows\SysWOW64\Bdlblj32.exe

MD5 a71ba78c2d796f41582e4dde62fed855
SHA1 d96f45f87ef202df53c9a790d7563b90acdf7149
SHA256 06fc3e5af23e8d6df170bffcb4c07dbd9be6ad63a6ce8bec58def1dd3cf0afb1
SHA512 2e150af7e851d296f5c6619d132e71fe97b464a58994e1aa04b2f1e44234e53ba0dd48b8ea375e32718c84c7d42b4b33e815b93c9286b9ae1700b50a32646c21

C:\Windows\SysWOW64\Bhfagipa.exe

MD5 fa05a25ea8381e24725d30987ccdc714
SHA1 0ab6e591668c3581ff19c2dc3fbe5e5d27aaf99d
SHA256 96be4d18e6af15598308e02963929c25231d92b91c3dbaf132519c8064ce5f41
SHA512 98ddea6686ec09e8556459ac20323f919cd0321fb80993ce5b878fb0c178be397d7368e4fb5127fc3ead52d7bb7d9a339d5e5395fddc117bd38cf64a5b59e91b

C:\Windows\SysWOW64\Bnpmipql.exe

MD5 f8cbe257a7b541905a9d0972943d13ae
SHA1 92d9d1fe3ad4604f197f6e4827c37a1f91ecf397
SHA256 d06988df2a725fd665321accfb9239cd1b69ed9cb0cca8862995fdcba506bb25
SHA512 49131d4caedd1a129638594b0430b52a3015d0bd48a5a00f05c4c2280e3c1a512ad34043dccb267919de335c8d74a849cd60b044bcaf8b9ee78a9da56fc79622

C:\Windows\SysWOW64\Bkaqmeah.exe

MD5 90b6159c6ccbb89765d771598819e661
SHA1 26b8be1225069e02a43057e9368d5c329aecdb81
SHA256 acda91e0db0816853fa9b0da4e49d054f07096d25002b2142e69429ec984e44f
SHA512 33882c1079450d2d806be8ce6a5a5fc4f2056182016d7b615e3bf5702f6ec046749f4bf9e6da8be6fb0b7c87eb0694cb56abca390cda1d592a28cc1b08255834

C:\Windows\SysWOW64\Bhcdaibd.exe

MD5 284748993137dd115b624df218073f0c
SHA1 07337ebebcb8df9e2f9a61d956d4c51daab3a65c
SHA256 5ed68c593d63655de2168c4b890d7689c5da6a72b4ed703e9a4098089c01e5d8
SHA512 c44e6705167b9d515388d3e6758225ed17c00181946b8a065925e939a06558806af0680151445fb568d997cbc872d94e8392761d1ada5e2e42c518a530b286fa

C:\Windows\SysWOW64\Beehencq.exe

MD5 3e02beace4912add1744bb6408c71ae3
SHA1 e18485e907427ec1da9dae489d8c04c26950eb3d
SHA256 2484c6a35d409532ad15f95bbc1a8564e5c4325dbbf7c5f4fffc9620ac77f9e0
SHA512 600c70f15d87b3c93bf85b85edf7993953e83f128999e2df8cbb2e4d281790d2b8d30b8784091677247d342dabda76657020594e45b031fe6a261375cb6749fe

C:\Windows\SysWOW64\Bkodhe32.exe

MD5 eabbee91488fa3371e03036b14454cc1
SHA1 6df656a9ab99329241ee3676b94696d563977c88
SHA256 2757a4065bc71f83751d5610bf6ee64f81d8018e228be37f7909d51f231ab359
SHA512 7b6717f480a728f58996a89fb13040f9ac99eed38c795075f7d26cc29bf58ff5237a2c47804a96c8dcf50b7cd23bc6df2d786fbb661878c17721cb2745a6a812

C:\Windows\SysWOW64\Bingpmnl.exe

MD5 2504ad2a25c71d0ea7e0666086f824c2
SHA1 efd92b5b9584be855e3a6732e815ca30fb535cd9
SHA256 a6ca464b45e7d88ea5c1edf7fc0e8e621142938da49bf103257cbcae168a8a7b
SHA512 1dfeb2b0d20aca90e5c6226120c51f43601f77dd705473a114f499ffb31f60c08c54cf13766d4aca92c518593276a8d25f1ef313754a0bf659d84d2b3fd71aaa

C:\Windows\SysWOW64\Bbdocc32.exe

MD5 a768e332d6cceddab224a35ff61eaa47
SHA1 cfd8dc3388cd5fadf16b5cf2c49107e649ca1aa8
SHA256 28c05e2890b846634b67fcadfba6654c022504d8419bdd0dbf1643f685152996
SHA512 8d6e62c9d8a61d9f43772facb5e30c4e2ffd618ae56eb402a6b4897ef01f2762944e9f34b875e88bca038c762b4eda5ba8f5ab88c70cccd839af038b707ee664

C:\Windows\SysWOW64\Afmonbqk.exe

MD5 90dd7c6f6603e61bec8ff2d4db53a9f4
SHA1 13eb276a9e890ca5a0299a269920d5983aae44ef
SHA256 0f70658a1573715cf837a6f83bba365ec39b43a81498778531ba5928c95da0fb
SHA512 7182428d8d0f8be2d79342dc804c79e98d93a299b77f0d030f7907dabec07db206706a63b1136a85960d374c69babbe1ea0d13ac42519009f4ba7533ba924777

memory/2072-478-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2072-477-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Afkbib32.exe

MD5 fd38e28573f4cbc549335a1d1179923a
SHA1 16702687fb35efd04e0df365f0fc56abeb5ed75e
SHA256 5416e38b928f4265951d6fe4b61153335f607c234125c1c8810f0ce24184586e
SHA512 63380e896b231258fc755578b00bd07bdb7863b6534baa8402abb0744c0740d8fb13ffca8b030279b68992fd6c9c4273630fe969496ceea03c9f7f05302ff288

memory/3016-470-0x0000000000260000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Alenki32.exe

MD5 85d088546cd8484e46c21c7fedeebaeb
SHA1 69c3752e717e66e609471d05671d7cb4c9193703
SHA256 5720556acf41262775609bf97d3a33474a81b8eb10c2c4706c618402dc645c9c
SHA512 9172e5b2d20ae397a2534e4374b04fc61162f62fad3899b23a217701b48d8dc4449dc32e33e499c33a8ec77ced2a8463355c0316c7f8786dcbe32b113618bc4f

memory/3016-463-0x0000000000260000-0x00000000002A3000-memory.dmp

memory/3016-457-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1944-456-0x0000000000290000-0x00000000002D3000-memory.dmp

memory/1944-451-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1936-450-0x00000000002A0000-0x00000000002E3000-memory.dmp

memory/1936-448-0x00000000002A0000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Abmibdlh.exe

MD5 53d45e00bb45753e1ef92b959ced1eab
SHA1 6fb732d5d90dd34a0d1932f138ab7fcce2c0706c
SHA256 e51e1d1264dfd9da04ce7c3f4d4c55b8a8839a843c782e47e9a897ffa2e4cdfe
SHA512 5345ea0ccd7941be00c122c55ac4ce9d774c28b909993b5122ac27d5cf4fbba48cf41c9db6165eb6a5168aaa3fd2c6ff33737cf1b8d81fe40e184c5b37043c0b

memory/1936-439-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2172-435-0x0000000000270000-0x00000000002B3000-memory.dmp

memory/2172-434-0x0000000000270000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Ampqjm32.exe

MD5 a0fc02f87c4117b407ba8b1643d9bd91
SHA1 e3e7fb6d2fd90c33fdfd15acb1a70d46d8b4a3d5
SHA256 8b8bc2c52ab2164874734165ba433dd5710dd323d78adf7cc60f17d8be9a4ddb
SHA512 c016cf2a0b0dd8df003c50464cac14b1e83a689dbd6f6acfa342938689b28e779ed8612756d7cdf711bcaa4a108c825ce4626b0fd2ae056f09fefc366e197c1b

memory/2824-424-0x00000000002D0000-0x0000000000313000-memory.dmp

memory/2824-423-0x00000000002D0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Affhncfc.exe

MD5 d10aecea64b394816cbd9031def836bc
SHA1 d617427e9a7304a8c0aa8d20f8899833a67f486b
SHA256 5c0d411904bd830190ac22e249dfb031408d0a3224a3445e4d20c19e002018e3
SHA512 c5ac82aa66fc147a4e878b4fac0dff03b814113a945e8ac7b567c3b094fd6fcf7ce1e3d66f7db94f8070ee7933c3463f922f37fb98e82ab95ce9039b1055c4fe

memory/2824-414-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3040-413-0x00000000002F0000-0x0000000000333000-memory.dmp

memory/3040-412-0x00000000002F0000-0x0000000000333000-memory.dmp

C:\Windows\SysWOW64\Adhlaggp.exe

MD5 2bf22f9ead99ffc57175307383fb7721
SHA1 91027c8696a7746d19135064f9e8074a71a8fdaa
SHA256 d12ea9b5f2012692e5e4fe29da10ac765ee8b8c611d601e0026a7cb6ac2bf7e2
SHA512 4aae9f6b2b4191e9cc4b3e3fe01e868196856fae9032249706c1cd60f821e557c326461ac284f41cc06a4f1c8de69e24f97b3f66d956c768ef13c11da34b182f

memory/3040-407-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2996-405-0x0000000000260000-0x00000000002A3000-memory.dmp

memory/2996-404-0x0000000000260000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ankdiqih.exe

MD5 a269a1419f25e398f3ee84bda83d30a4
SHA1 46782d1e75a586196497cf21a30c68c39a98f91e
SHA256 45339d993dd9e2d6857f521da94bd76649acd0b6bd51a3a49557623f3340fa63
SHA512 9581b2ceaee469ed8c53f25042014f97e7bc6cdc6ab506d0d18b99071191adab35356d042a441dbe145fa033455ab58388153284a3851783c722dfd98cc9c4b4

memory/2996-392-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2748-391-0x0000000000330000-0x0000000000373000-memory.dmp

memory/2748-390-0x0000000000330000-0x0000000000373000-memory.dmp

C:\Windows\SysWOW64\Afdlhchf.exe

MD5 ed8adba8734c5608cf3c439450bf687b
SHA1 aee272548bd7e37e47660f712f9e18294237e48d
SHA256 bab170548420295fdfa2ed3f2fdbab9778ee5138f64c72252549a28521a5d1a2
SHA512 922dd822a5a69e9e975b4baa7de4c6749272e8ca0d450a34b53b0f221124b0bfa090fec198f1cba0ecb1efea9bfdbe062a2474b9e162723bc4112b96005f32f7

memory/2748-384-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2512-383-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Qecoqk32.exe

MD5 37716fa2046bebc8dc461fde998522b9
SHA1 28f46340fad816dba7c4998e2c59096f3cbc16b1
SHA256 5fef817ca538e2d525f98a11454c81e6df6a07fc43b02731fd95f11ca0a4b910
SHA512 0c298b000e75bfe77b1e9839d42593377514d214d6a2138da31f12b473d92687757b920fcad7c093bff0c27ed765baf65b4dd771a0d04f5f2742fb247087722f

memory/2512-370-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2888-369-0x0000000000280000-0x00000000002C3000-memory.dmp

memory/2888-368-0x0000000000280000-0x00000000002C3000-memory.dmp

C:\Windows\SysWOW64\Qjmkcbcb.exe

MD5 2e0db8da36563fb959b40f1858505c45
SHA1 665ae0700f259c11ca983160b387c9713f318e56
SHA256 24a8c380bc7a6d5b57b57d8a5d6cf538ba619489584aaad3fa56ee9443194dfd
SHA512 b6c405fcbafdf16821dc1f8d3c9c393644281ae86f5fdfd3138a843bcee3224bee83cb1eb2fa35c1bca9443b3d63c7f7c8ae56b7a32d2488114c8e3730881017

memory/2888-362-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2684-361-0x0000000001FE0000-0x0000000002023000-memory.dmp

C:\Windows\SysWOW64\Qdccfh32.exe

MD5 e4e6b0329e5411cb3c0e36116443af11
SHA1 c009150aadedf41aba8e6c88ee77b733ff83c106
SHA256 ad862b375c0a0368202ba64da46c2070cabfba513b1523b2f1232b302eb945a4
SHA512 9360038782be926ea0f7b2b6094bb55c98e40de2b78dc60cb58f7cb7f93fa2a39c0564b2d97298f7b8df1d2de87d2da9f993bd65110234cd054178c3c3772bb0

memory/2684-354-0x0000000001FE0000-0x0000000002023000-memory.dmp

memory/2684-351-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1492-347-0x0000000000280000-0x00000000002C3000-memory.dmp

memory/1492-346-0x0000000000280000-0x00000000002C3000-memory.dmp

C:\Windows\SysWOW64\Qbbfopeg.exe

MD5 8ba60fa6486fb007a2336029a2fd014d
SHA1 062e903facf14aaeaf40f1ef5c0aaf27500c8dd1
SHA256 b3fe6c5ae488f7a7203862d96d2224161bd4907f156f7af06182944d823a04b5
SHA512 3723ef5ad89615824b35456c47f09235124e3ae93976527427407dfe23d40d9c5790adda4e8c10e86589afdd14c535bac89c3d49cd2ab07fec0b17b0932af459

memory/1492-337-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1880-336-0x0000000000250000-0x0000000000293000-memory.dmp

memory/1880-335-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Qlhnbf32.exe

MD5 2b41dfcda745e4bb1621da15dd3dd2cd
SHA1 f1725fcf0e8919152dfa5318ba44d7b22f03bc0f
SHA256 d46a52dd900beba93748de18a8b5d852b52093dccef13ba8aa644eaacb2690ec
SHA512 16e8da75d598599ba69b20cd4110f6ea96080f01f4e98b6adc362a8209e3d075cd630da454aef7bcb7cfe26b4751ee5d476b0b08debcaf3a9d985cf8d7afd537

memory/1668-325-0x0000000000250000-0x0000000000293000-memory.dmp

memory/1668-324-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Pabjem32.exe

MD5 189d65921cfa8b266f32d565adde683c
SHA1 1c53a4e3db25d745bf6cde2aa9897f87e5ef37a8
SHA256 134577aedb22bb554b454c6a306129319cdf632731df7d5e6ba02d6c48710278
SHA512 404879dd9caff42166ab009179a7f6aad5f3398e9adc317d1102e6e7260f2c2c14c1e1721186c7ef521b0cbcd40e354ac446a86f365dfc1e0fc20154ddabf847

memory/1668-319-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2156-318-0x0000000001FE0000-0x0000000002023000-memory.dmp

memory/2156-308-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1648-307-0x0000000000310000-0x0000000000353000-memory.dmp

C:\Windows\SysWOW64\Pelipl32.exe

MD5 1f212e9897cbbc2dad20c5fde2078760
SHA1 895fd982f48b8a26fa698ac35c4ec9d00f0503fd
SHA256 e16e784b45f7fba6f1a3ee9496c1293d2fc45a3d844c4654859c9c42fc5e6aef
SHA512 a5fdf0867ab24f5262b074b0f1daea2f056684387bffb4840fdc88f3bac125196192c3fb1cd5ae0ed1ba206a3b928160ab0a89b20533952dcf4eaa2f5db9ce88

memory/1648-298-0x0000000000400000-0x0000000000443000-memory.dmp

memory/756-297-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Ppoqge32.exe

MD5 7cae84f833c83b9f10de491651ff67ee
SHA1 869aa9a24e4dc70f6bf2ec4ba8898589957cac75
SHA256 99c68a136e67ee8675c5684ec2e87f2bbf2a8ca21d514da3ab44d91a53e3ec9e
SHA512 55f43f1adaae22960bf2433d556f6fd0ad2492478facf01e91dda9bbe065f321e78d8af461dbabdec7a2d74984b3f090002560c63665ba1d4a8a6ab4b9809142

memory/756-290-0x0000000000250000-0x0000000000293000-memory.dmp

memory/756-286-0x0000000000400000-0x0000000000443000-memory.dmp

memory/328-285-0x00000000002D0000-0x0000000000313000-memory.dmp

memory/328-284-0x00000000002D0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Pmqdkj32.exe

MD5 4fd8f309723d740e7f82b5a1dadd17a2
SHA1 3daa23159f894f98b9db16c87885c8bbea053d7e
SHA256 595cbb09e2ea00498a2a332a478f315e35a138a21cba7a0edd19e027b9549220
SHA512 5a2bceba07faeb221b64ed9254eb550f950a5c3d9b4bda9f515f606ba6d0dd4af40f3afb63d663ce6fc448ebd75670573614a81004e8b199f9e6c8930df3237c

memory/328-273-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1588-272-0x0000000000250000-0x0000000000293000-memory.dmp

memory/1588-271-0x0000000000250000-0x0000000000293000-memory.dmp

memory/1588-262-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1508-261-0x0000000000310000-0x0000000000353000-memory.dmp

C:\Windows\SysWOW64\Ppmdbe32.exe

MD5 77aebb0063d24523638a03e8a861157f
SHA1 26d44a2f68257a8d03843e87f59dd4d4b8c0fb85
SHA256 4e6e62b170650ae51d7e46696bfca740361c5bb50aa810532bbbd4eb941c6e22
SHA512 731868123c88fefe83a2bbc5c7733086465d38ed3f62ea631f693596de90abaf4784be978091a38c945270d80ba4c514914aca598474c6eb7c9354962d88031a

memory/1100-251-0x0000000000250000-0x0000000000293000-memory.dmp

memory/1100-250-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Pjpkjond.exe

MD5 a1fe9573ede41d78ae33218c9036ca86
SHA1 e94c5f044c0cda8dd4ba4c117cdb35e08709fe23
SHA256 1b7cddcf37d6ac8df0d7d18a0c4a9b0237e6ad2400cf8d7a81c904dfb36025f1
SHA512 b0eba934afc14fea47bd0c3913041fa7641cea5faa55af44333455cc4b3f2a988027ae0b7dc100477705811acb71c6b338e2de1f2a46a048154cb6d34f39c121

memory/968-243-0x0000000000290000-0x00000000002D3000-memory.dmp

memory/968-242-0x0000000000290000-0x00000000002D3000-memory.dmp

C:\Windows\SysWOW64\Pcfcmd32.exe

MD5 f0485035f807e639d586abb95b579062
SHA1 15d5f83091e60d969493605752fda06c7f42de63
SHA256 22e4f66e6fb428e60a774e05ef94fe2349c5947df51115a5191b7c9213ae1e37
SHA512 63774e34cb614f1345d7baf77fcfc008adc2cb36211c501b9b4f1993e11b7d8ef9a307e21edec770e0d406777e849b4e83258a9173c9cb42b63776255d42d0e6

memory/1740-233-0x00000000003B0000-0x00000000003F3000-memory.dmp

C:\Windows\SysWOW64\Pmlkpjpj.exe

MD5 361cc8aac643d1af8983304e7c03e125
SHA1 10a1930f12df258b3f54ef0d41d5355408ffb67d
SHA256 f4ab42409924c3928eb0d92fb20b3654dbb68f8498f8b887ad8e8c754156291e
SHA512 29991757d25a9676c47d21ee233519c3f769d611fd1cc8e7f25952453d28ccb562c3ca3471b15b9df794631f059a65fbdc8cbcd53e770e3b3d2f6ffdafcfc0c6

memory/1740-219-0x0000000000400000-0x0000000000443000-memory.dmp

memory/484-218-0x0000000000250000-0x0000000000293000-memory.dmp

memory/484-217-0x0000000000250000-0x0000000000293000-memory.dmp

memory/484-208-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Pphjgfqq.exe

MD5 a9f9ff16da3604283b3b0b9c2205ba8c
SHA1 5d514194242a90af34858e9b033f82767def18ef
SHA256 21bd72b9b64f7ffb029e67a3fc3842fa2b5598116842cc489d00cb2186f47b56
SHA512 805d26b43bcc348dc4d68fed80dbe317ec844ed9f4954dd70e5f4d18d42583999a3f47af799a7845e03bb6982d44b607e578ec99654f89619f7d92c43bda2a5a

memory/1656-192-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Ojkboo32.exe

MD5 b4b876a763e0eeb42139bd3aeb53e0f9
SHA1 74f504cc61c51f4370965e30259cea06ccb81362
SHA256 be445f701e9818f0c9dab5be8766ade6452866ebc880e0c530c954a3ea189df8
SHA512 026db3a7b1c07de25674c0aea145821dfa0ed6c7b0bef2478f97ae59b4102ace48f92743f5284b816a735a4f23fa65ddf2ba80815de19980dc57d5e07cdc5161

memory/1752-189-0x0000000000310000-0x0000000000353000-memory.dmp

C:\Windows\SysWOW64\Ondajnme.exe

MD5 316d5766304fe87c1c440d2ae3fa8963
SHA1 64ce3a49975a57448ed300667fc32ce9279e9ce4
SHA256 7f8c7f0c7493888e7c8daf7cff313c3535c2c4c724a0f9d21777cd4bb3d0607f
SHA512 f214e840c0cc12184d1548d0928e918291cce817235f852b43e603010e7ce5336a6433650c030153648edb61798a8d4e82ecda49452e417ede249b719c7a1a7d

memory/1616-154-0x0000000000450000-0x0000000000493000-memory.dmp

C:\Windows\SysWOW64\Chhjkl32.exe

MD5 44399f2ce42340367dd28096873cdfba
SHA1 7a51d674dfc815f069dedd8939146bde11feb167
SHA256 95c20b8872f95f104dd7fc8852664ce09dd72e6259d673da4ac8045c04ac4899
SHA512 fa78f9a5d4ea5e30f79051299c8f7c42ab3c858b2cf2de90f0af1c60370ec5523ad15d1d18cfa67fe122c1d906cd4b24c05672d1ebb69784742a0980025ce28a

C:\Windows\SysWOW64\Dbpodagk.exe

MD5 7a5bab29143eb23446d043c56417fc65
SHA1 163aad0c243630a7629ae37e73377301eba45e0c
SHA256 645ce2f088e7253df10e6477fcfbd15624eab1a438205e0e6be5f602722eeb17
SHA512 3832179349217eb871af2721764665eff97277cc49fdafdc0121b54f62f4f51599768b2e11de83f1d2e6ba2264209ddbbdfcf9fb5d44e1faf9a4196a0b8a6077

C:\Windows\SysWOW64\Ddokpmfo.exe

MD5 e2e67751007e0c5892d988334a9d524f
SHA1 f414c2d9586fbb682dd08e0d27813e595d3350bb
SHA256 552d84f45cfeccc91c30e7f1ceb6488e6421a0649c3aaceef91a87448b787d98
SHA512 41cba63b0b28fda4b4022b56ee32facb7e6154f3cc3da9715973518b67b2d2b7d50d185dc9eda5ff0d18342b10dd2175ce8999237f618bb20ccf9c831ad2c9ae

C:\Windows\SysWOW64\Dgmglh32.exe

MD5 579583ebea5c738d1cf437925b02f22a
SHA1 28b9372c55bae05a40af035494b3705f88cfceb8
SHA256 6dbbcc0eec34358823aea1b314c77bca2743a6b376663a21116edd749d84b146
SHA512 0b189f4eeedcb15f7899dde7ea6d9c7e3e901912a49d9713f8dc4f5a781df18bddf447971e8f23fb5c4691ee07808718db3d8212be23a061b9bbe8b49267f88c

C:\Windows\SysWOW64\Dodonf32.exe

MD5 29f1ffdfaac3791ae5011387538e9b89
SHA1 7171a011d81987b53bd88045337872f5d567e659
SHA256 96d89c4d65833b196be87251c48e1042eecef0ef5c95adfd8b9c8a0d9116daa5
SHA512 c49f089906c0691ab03694b8376c97ec4a87b8f81a38287e641dc9eb6a4dd995fada8f70df42103b2c74d7b573eacde4d65b141c3f5024b6d4f6bda8a5e4a9ee

C:\Windows\SysWOW64\Dbbkja32.exe

MD5 6ce92018b1236955ac7b971fd10f2ed6
SHA1 ffc917b872297c09ed0fc36da21b74f3909cc614
SHA256 ad3dd357248484fef144b58bcfb3b45bb07c6d4fed008112643dd5d29457b2fd
SHA512 553f9409aa45af297045494e76e0496ea12228cf5145aa589aa7dfe78ab54234436f4bdd5f0e51351ce98e28a2ed0367acc1184ee0edbb0c5d890721ae04e66d

C:\Windows\SysWOW64\Ddagfm32.exe

MD5 8d896d76c75ecc03e5d7c8988dcc8266
SHA1 10e321e24e23e4149cc50a0230244d03b884409d
SHA256 962106abf6b8ba0e5f6b3c6eaa11b87e2feb039e1241a6c7c5b659c85962cffe
SHA512 03a04a5bf8d0032d5d1a1144a5cd92cb8b5ca766cefb8eea56a04df6695c5fa8755314fce3ffa4baad72bd5c0275651d203bb638991e66f38c092b53e66dc367

C:\Windows\SysWOW64\Dhmcfkme.exe

MD5 3d36096e75839dacd7734d0f1fa82702
SHA1 b2f6680510590225ffcfd0c5eb754acb01b64aab
SHA256 15d52e9af9ae099c1512f9b5921b6ffe782af3c66d0f21d6ede676b6f78cb2ae
SHA512 f7556303543ce693c843eb42eba0f8e7e926dde2922b63116bbced509425644a905fcc0c0bd558faca417422e0e5c90fcc49f84b7d88667fb2ae28ef56abe8a5

C:\Windows\SysWOW64\Djnpnc32.exe

MD5 8fa54e1e3b162b2a8ea99658fc741db0
SHA1 f6e1292f5c26f0a38a10baf465ca289bb22c48de
SHA256 5fee5369d528659888852b3ab1ae91125ecc0433d52b7423683a6e6084873ac1
SHA512 4f886e7bbf425b4789f657372c05a28356464bb4675b88c3e4068a9a556872ca28b0ae656b60d31c04e6ef1c09b8df2ff50baf16811b9e88bb701a9aed49c338

C:\Windows\SysWOW64\Dnlidb32.exe

MD5 fcf0249d601afb68b3e7592a7f41b85a
SHA1 c48f0804f026c1f9756e1c48a922333ecb8c76bb
SHA256 0830bb8d39d040afc7709d9f8a602ac7edf861685541c6330821c7d545c5051e
SHA512 8ba1e6ec64f13c4fa2effbfea878f017284fcf542144b7fd994df023b8ae9fb937c5efab162203d2fb8cb09609435c471a3351fc335f7848afcd5f8b370ecff3

C:\Windows\SysWOW64\Dmoipopd.exe

MD5 edf6f8bdb3a5d3666df5aac302dcd4c3
SHA1 144f9f3fa82fa4fcb967aa57b73c81051e056193
SHA256 36db1da5930c740fa29b19d300fb54d5880c0159a55459894568156de1679fef
SHA512 4dae68d0b48bb3a26e743380a0fb6ec4d79c0c86a1cb8b0a6c4db8795d4f1d4a68b021c6b3f134bfbc9b2604a878f978a757e5845af74509217fb2fb96d98a38

C:\Windows\SysWOW64\Djpmccqq.exe

MD5 99b345a5884d6253e77bf504acdbb10c
SHA1 f1d03223caeaae3341ea06f78a5bdd21a4bd7d12
SHA256 5b2e104bbf190bcae23b353a646c37f5ca9cbaf8b5f921111e4c36767ef98378
SHA512 df0e68a925badfad7d7a76dd2d62b9d95f932a408c0e94ba31e0cc028b6b2a2444a81802100efae1b8e23085abda3ef538601eca387213004518c783082dcbc6

C:\Windows\SysWOW64\Ddcdkl32.exe

MD5 356f92d307b0dc4287c36692995289be
SHA1 a6a4836b4ccf7d387157fee126c06bb908736b07
SHA256 4b9f58121509e1edd7787ca843325bbd9833d98670f766cb43ff61aa10a5a71d
SHA512 d79fedb4c51a0bc35ca01c8e42a37682f56bf3b49bb12630e1c693b8cab4a243c95d03f40b8df497c2b2b19f315be3b3293f535a4fb297044fb7fc90b6d00e78

C:\Windows\SysWOW64\Dgdmmgpj.exe

MD5 76d887742cb9de52d81ebcc3d5b052a4
SHA1 dd2c925535c14450582ce08a96f27de67fe796bb
SHA256 e4d7de044dd9916c6075982a3cc5f16af8f55b68cfc514336894189034aa8b93
SHA512 939fccdab43d76d78a7a1ca1bcd73949485940df051447aa5d9b9c9a671f814073756fb7bf007f8d23bab2c7cc69b8fad61dab9810d3175044283f69b0c0318a

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 461050a23de5cf6aa0ec7e5373ceeaac
SHA1 a281f4db0605cf69cf232738d4abd98814e73582
SHA256 57a7ccfa3196946890d14103f10ea477d50b01711f2211f2ed9a0dcf3de40b68
SHA512 7a9ffd47101f94e5eb4133a34d1c7e6c1be6376b3b1c96723421308bfdd4f699cd84589b27b145f6e51df1139acf138f5e7e38379c4f07287c9b864f25ef4ac6

C:\Windows\SysWOW64\Djbiicon.exe

MD5 dca37d4fbafed96dd1422b962676c00f
SHA1 398abb687e31091982b6e53969ce19b2d88a781c
SHA256 6349bab4bef922d984ca64886250ca754155a2516f1852e9b5a0ace3a125400d
SHA512 57254f6fa8c5466b1a91b3dc199202318632038b1b7adfcd2cb6f14cb2a8046bd2b07b94f859d7470167f2820775039bebf52503f7aa3f90ddab27022969ba42

C:\Windows\SysWOW64\Dqlafm32.exe

MD5 ebc5e6e3e4d3cf71b8ae9ee59e26e234
SHA1 f6430e492af32efb526b453d33bd8942a31fdc03
SHA256 ce0d3b379bb3feebb3da2f1591c88679b8eba39e4aec31066d917c77352c579a
SHA512 7de7dd855bb4b13fbb059c04d9a8a2aafc0174ae7702268725992ae8c697d6ae15f26d68607f140ee14a33882a50711409c5432e4072b357bf91b43ddb8ad456

C:\Windows\SysWOW64\Doobajme.exe

MD5 d41bbfe75f3ef1f014833fd4121b323a
SHA1 eec7fe97290452a43c8a6baf5e75f6f6e08b478b
SHA256 5132fded713a2601a647219c0679431d0bea85725ba540dc2763bc5ffb632446
SHA512 7e2c1523eacb060bbb5bdf328946d4895dc9d39416fd8233c965c70753886e76526dd8bb74e2e8fe016b03fe2afb9aa2793628863e192bca962968d95593aa20

C:\Windows\SysWOW64\Eihfjo32.exe

MD5 bd79213268fc822b0efde183a7fdaafa
SHA1 bc374bb9a682d99ddb18243f4512b4e8532c8ae8
SHA256 451a201d1ed757f6b71ffc3691f597d4a684acd4febb8d5d6f3a7093bdc3ee71
SHA512 51c480f1d7849ca4730d0f50075aaad5bc4ffb87da89cdceea233678f6aec9694b0399ec65d2260687e8eae3d2eb1dae2879bc3fcb6ce7e145e6866d79076cb0

C:\Windows\SysWOW64\Emcbkn32.exe

MD5 9bd5b80bad3fdd7aacd9219a594c0530
SHA1 d57d3b11d9f7d92494f9df6cd8da6883c45a796b
SHA256 3934b0f9913617089bb34be151334c4f3274b09a9373c760ac32a0da9b0b9961
SHA512 5396cc50da0877a315ce2130ef41c2f3e0ee74dce7e7aaf26cbb5dfb4f97a04c4893f5a06cac9ac1ae3073e1e66ffbd76e55d68c7f4df12771621824466ad1a6

C:\Windows\SysWOW64\Ecmkghcl.exe

MD5 a41a793f57c7632fae77a77a06952961
SHA1 cb91947e56212b046e60e824765e06299d514b58
SHA256 28fba4ad38256f2c01326d6734f6248b8d8671198249713f8dfa2d0d061963fd
SHA512 1ac6bf5579de638a3045f7492627fd4ae4424e7491c6b33a713c28bdfc33c6cdb295fb3b906902929c60849564bf01fe1f431c94cef3241fe7bc92e5678fd92d

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 ceda7dbe0d74a83e16375a44ed33582a
SHA1 5634a3acc79c2bb80a05c9a6f0c2042097e026d3
SHA256 b8b60243b5931c8a7137010ef4b55e97a5d0816079cfd2a7672d2e1a4ebd249d
SHA512 836e8b5b3909d038d38e84582e6901fbe4d5c38ec8bd8e8134224e275788b3183b931d898400d3e372b2d2119354846bd4e7b9b7bb9bf53ffc6beb10a2dfa97c

C:\Windows\SysWOW64\Ekholjqg.exe

MD5 c73d844d5d7639fa9a4fecb560ec3869
SHA1 71966b98506adf35a5e41ea850328b58ceb7db99
SHA256 dbc7a02d60af132efa5de7aa963c5facefee07f8a2e93e7749d34271ac93e221
SHA512 f3e079e8f9674b73b977d902cdd20ff85a4fbd5c792744e20e3a689925e56f8940a9af15895f86f95c2b19fcd3b06f1e4f44f4665fd2e632c6d118c13eb7c660

C:\Windows\SysWOW64\Ebbgid32.exe

MD5 b7f85ef9bf78a206879ceaa1c3c76337
SHA1 b438c500129bb3c584c25451799fd79cbf84ad0e
SHA256 21dc7af806279d2c119ca9973dcdf0b83098bd8ea650d7e871be23430ef6c158
SHA512 b95dcb60d5bfa20095f0aa8d8d5eefc99d8820b4a793fb891a3ecee364e722d8e86bb9f6208fac5a983953b96949cde49b0fd72cdd8a70e26343efe3e1d8a265

C:\Windows\SysWOW64\Eeqdep32.exe

MD5 cc45a9b341e5b06f1b413d406e767fa6
SHA1 e002f3059d1630085a272bc0aeec652866e749c5
SHA256 87eaabd742f195ecedfa1c9bffdb0a778c68f451d70892d9cabbfbcb89ae3d38
SHA512 5cd2f6d601cdb71c4152e2be5517aa3ace9957f1a7f7cc62b4e1872b6617770ca064c9284f1c696e13f3801ba86d6f2329ff6cfb6c53235a7f3d8ba27c6ab746

C:\Windows\SysWOW64\Emhlfmgj.exe

MD5 aabe41040519b83669446c7d333da377
SHA1 36b78812ff5527131d8a75ed6bb61d366f8433ea
SHA256 116ce7ecee762989053198c53615c7876e40dd6521c88456c09006a4dd2433ea
SHA512 92b26d27040236b4c1a9b721c5240609a4eedf5846d1d3746c43b8c78b550c773344da3813a1dd0bdb55dcf56f19fcfbbbca4db3b8946c14a261ca6fe447b944

C:\Windows\SysWOW64\Efppoc32.exe

MD5 dcc900eb7423e1d043ea82f33b4dd453
SHA1 670523ddfa5b5e8f6470bc9ddd770b22b46fca9f
SHA256 c0a606adfe1747c8a665017303db183e3d55084fe0193cbfd5e6ce44db5f94f2
SHA512 94028c6849aea98f2626adf490f2d5732aa0e5d476bcb6dd696dca8f5b0da40714529f97a0357810ab047447c08fdd5547553fe3675e30a7a7fbcf9649b92cfa

C:\Windows\SysWOW64\Eiomkn32.exe

MD5 5ec30d216b4682da3df02e4ad538758c
SHA1 7599687cc4ebc01c966e4c67e30ad15f22432e58
SHA256 2b5cce0f9615fd27c1d9fe85786c4a3094a1acef76e9999bc7debeb91131d2a9
SHA512 b27bd936f4742a5cb91991305a015a2cb801eba0576ac1f09ff7304c1868e7e94ad2379c4bfc3a2a2bfd69f2026365a77cfe758d999631b44f630be592103750

C:\Windows\SysWOW64\Elmigj32.exe

MD5 c0ae9be8b61351faee3e94a3c5a5a3ed
SHA1 657cd0b9d3948f75e59a5e66979c7064cfbcd979
SHA256 1f3190cda359e62aded76059a487d169fd5cc2d9cc9adfd873d6a52e84a06069
SHA512 d769e5408965e80beea77b2625a74239c19ec3a90aca20a08ac1729d2dc9b1234a3f0065dba12f26839cb36f6ca63202aed0a6364cea044d639259d60e038cf0

C:\Windows\SysWOW64\Enkece32.exe

MD5 649e0aa7c475e6a1ee5bceadafeeb010
SHA1 90c55ee91a9a70d7169ce6344c06a1d44d349cc8
SHA256 82def07100aef41c90c77d7b0bf4bf4f0f7f15a28db4e85597567592e3a54e44
SHA512 65a289ce16f9b4570171f9a07eeabed15307ff291b4f9e042a3daeb7816f46f6f0bc774e2ccebdea3a62cc8a5314fb61bf4c0171ca455194529e374c041f40e2

C:\Windows\SysWOW64\Eeempocb.exe

MD5 77e67cdfe46b805e3958455bd06f871a
SHA1 c3506d4e0c7282db1c0c8b10e641f2e438e76906
SHA256 b040347375888477a89f93498654a10aa168f2446a5bcd123dc38f8e446e82d8
SHA512 2143e9d25f6170ed6ff570a86a275f5107bad37da1a5e430a02f82c61759d9f452e17df1d221320f76090a1f2abc95d51f8b9c7fda2c5a62f8a48cbc54c2a60c

C:\Windows\SysWOW64\Egdilkbf.exe

MD5 1af77fc41881376ab7f98a50b866eee0
SHA1 ff17550c8f50607806487483c3a7e756399e46aa
SHA256 6183365afd95fa3d5d07b3a306368cb126042fd5dcf94edece6389520fb23a3d
SHA512 3c48f70a09be014454210141fc2d7d8e3577199bec65208e0a1c60086157fff497003cbd07e649762810a7e15465971d19cf0c3c8a4f409476b68adac9c1494b

C:\Windows\SysWOW64\Ennaieib.exe

MD5 030529f6ac35a655c5921c4a4cff55fd
SHA1 861ffc707e59e5d24bc2164b547907e7325879db
SHA256 9e57316c67cbd0208817f178d62594f34a5c0e349583346a419931cbba4e0cba
SHA512 50f396af49b71bfbbdffb75f507a197d41c459d8e7cc25dd5df433fcddd4dec2ad4677818c069ee99b5d6ba76ecb3e8548e319183850de8baf69ec18c8847ebd

C:\Windows\SysWOW64\Ebinic32.exe

MD5 bc8464c46f83356ff548ac420d071b56
SHA1 be02651df1505f6fbdf91cb7dde08e83dd82fc71
SHA256 1ff0d7bbfd697d1d345a6465ccff4ab6abf60ef251b9f282d4b2752382f5e7da
SHA512 8c9ebc752acc1b088fd84d796b1a5d18f7ccab9abbfb037f48de8f24efcaa1b1e1ccb54fafdda620c8a95bd60f06e66e033b518868ba622e5ef7a30ffd65195e

C:\Windows\SysWOW64\Ealnephf.exe

MD5 30588a90106beb872d0567af2ed71746
SHA1 0984736522af7aa3853ebbbd611e189130b2a949
SHA256 a65ab26a410319b62a1df9df0be618310428901e0787eefdd77a341d01d128ab
SHA512 b92c92a74574a572dbe08743416e3d10badd3dee3bb5d8669c97296061cf827796fcf7fc44b92104828e675e1e95e7d6adfc3ed261c60a17186d37bf4a5b9785

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 2299e7beec4fc5e07a5221316af44fd5
SHA1 45fe258f8111b318058a763c4eb5475b62f6b815
SHA256 b20c88ffd676e076ec0ce02b24f77106135b6ea628107d30e2d62786e7fc8463
SHA512 f554b455ec9dc7a8ca712cf72ed43839fb72d62a087f8073d5c037f682a3d20646f0981eeeb85e83b3ebb71b5be4399844bd5c3f79f4763fdf66eb2651b8ce8e

C:\Windows\SysWOW64\Faokjpfd.exe

MD5 e965e6627bb1470b52ad1bdbc6448100
SHA1 d67d328103cd524e56c16c41dc7678554e9a221c
SHA256 932bd6924a0576e4dfc78caa1ffdd3402244e3ccadbd64ff3bc112eae9e7e253
SHA512 73ce5797c09b37e4765d82d6cc919d14b96313a53ac5c45512cbd17e7b4abf04e1d1784d2158433300b68b4241ec3f3085c1351f12fd69f388516a102101d775

C:\Windows\SysWOW64\Fejgko32.exe

MD5 124fa1a3e91d7529dacbdcdeccee45b4
SHA1 736d219b756309af7acd6e76afc3370eec818081
SHA256 8eb76d02a245bf78bcc6df60eeebe86f35fbd5d58447df8796fb86d9fc15b61e
SHA512 7f7075ce93a4a45e37262fdd3d2d962d8d94037c58d8e270c8f82897333c5e2bb7ca07a587ee0550c463e5d15a26d9ce0fe458a2d62a678fe13d3b4b6f91cc72

C:\Windows\SysWOW64\Fnbkddem.exe

MD5 cea68b596ee8e0d5c4ef9e452f5d3d72
SHA1 8ca3996d34e68f8503ae6519ac6cf80f1c008509
SHA256 d651340bdf37486558aa627255557a3e0e1689c8073eacf663f44806eb73e044
SHA512 653949ef1d6e2a442adc09799a5f2d502edfed2ed63cb6342c590f9ce189f4652e1a52401ce0daa2a8f716c9e48ebc1a73cbc9632ddf39de005aeb3b44c521fb

C:\Windows\SysWOW64\Fdoclk32.exe

MD5 b4b4f5dca88aded247e542cff8bd5070
SHA1 bd7dccde027033a34b2d9198cfa3e3b4526bf347
SHA256 a5e116a7bcb93306c5c4ac8ac0f83c5f3671ba284e478188c11e9d8baa2a001d
SHA512 af484fc4f030043470c6ea4edb2f3b1242ef31ee0291cd561c194413a1381b77d22b1fd796379b5cb1966694228a8fa015f32f66e80a27ddcab138a692353e3e

C:\Windows\SysWOW64\Filldb32.exe

MD5 02519e61537345a20ef0d3b9a6d85e7b
SHA1 0f69650cba98f775bdfb9edec15c50cd3e75b8a7
SHA256 206fe4ec67de0143d5cc801eaa937d66e42e9da9eb1974ed3f081c5d59bc0322
SHA512 b419f4b7bf347d2cbfae0e048087b37e4b38387cd74b84273a5fd572f9fabae0dfd594c1edffe88372978f34f10612227cb9d683940a0ba9a9e977b734c3f946

C:\Windows\SysWOW64\Fpfdalii.exe

MD5 f9ab2f213c1944a1622d3dc747ec0257
SHA1 1056cc16207d200ffdf68bb60b832f5f4978fc6e
SHA256 81cb0ede538743ff5e35a6d12623515858994a854c0c4d26bf238b1f1de5e0fe
SHA512 048368a0585b97d1272d8e3e2cf39daf02d089bc8d4f6cff9549b518e3db0bbf300f6010bf6a386c6ecf266b9cfa37742aacc739647715d028ba31c8c1374a49

C:\Windows\SysWOW64\Fbdqmghm.exe

MD5 5248a4aca46cb62f49fd6dea0641c50d
SHA1 dd2d542ab669cb136b0c32805aa3ce6c1fab52c2
SHA256 4ad3b4751c602ecb29e1260fdd235332fd97ba2fc6fd1b93ce32a6118103234a
SHA512 69674dbd32190babf873b3d8aa4006bd4ba72e056e0ef6b430440890b6a500e199844ede47f4b15a07a61e822acd46e5e5a84ac8432fc806dfb79e6e5edf5657

C:\Windows\SysWOW64\Flmefm32.exe

MD5 57a13ad30d33bda42d0906605c54ce5f
SHA1 976a216b04ea440ec3e15ebf2239423ed165e599
SHA256 71d4d6daabfde822511f790a3bf2e518a75288a1bd6ad62f5ccb5b7f4051046f
SHA512 0275688c021111744f9692783fcd7a184d8cc1ca496e59d257a9c615c75a9a9a863f5b3f346da9b9e62cde4a719356d5f1647992aef26c5b16e9a00d6bf763a4

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 70d0124722172db2f8fb2e339ff9b689
SHA1 960748bfbed92580b251eab5fdd136be1964552a
SHA256 dc492e6ea0d8271c8a0d803644f3ebda6ad1114121d8b55cfda61c12b6da9e9b
SHA512 d23d7d2a6969d75d03d585e260c44322c34253c6f0e79429410be1b5841a2eebd104a22a2487e006c47985464fee075f5ceef3ac34ed922e1b8d81b8296aed79

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 e121bd9c42a37faf0d67913cdbffc87d
SHA1 2c458ba6a205c1a47a82a267d7055c5a4423a7c7
SHA256 3bf171a4e58ed98b992e539335ec3445fccf946c8ac53824f3bce7d4b8281dd7
SHA512 ba2fff9065d89dfc8c7437cf1970ec8762edb2f92010735567a6099b720f9f24307af1efe82e0ea3f68783911fb67da3b1b39c4aa298a596bb48d6c464d7e60c

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 113834d463414de177baeceb2f402a7d
SHA1 5de579483c98e6a84828075edbba091251124e8f
SHA256 7c420f01c4ec4e8a9861bbca4a2247752914d005f9193fc24b3a58e9ece5e365
SHA512 0bc5bd85de86e429f8b078dca6062f4040ef72c6341363e79ad6e5d17f04250e9f0a9bf3245caaa18706f234c6e3475be8279e15a772800a84f06098e4a486e9

C:\Windows\SysWOW64\Gfefiemq.exe

MD5 fc2bc0533eb2338552db1e1bd5a55bdc
SHA1 a395d07b61c11022e758a4ba97c0705f8f865a16
SHA256 000a95b8126182f93983f5527f75393a52c69be17e80c917491fcb7e21ee245e
SHA512 7f81b8daac32bec62f00c7f503de65af4769afe8e2d584a4b280e6abdcf6596351d09d4eadecad895a9427cfed36b2f3ac0f9b9077b34a813cdb5e7e99934203

C:\Windows\SysWOW64\Gicbeald.exe

MD5 08c5f07fb705d26983835f322a37c111
SHA1 2ed87809db73803acffdb681615d7cfadcad5aac
SHA256 8a6f02187251dc86dde23e73e7fa7197c4ad4e12cd4ceae8a62d7b489d846554
SHA512 16721f5594b3344d768c5f76d2fdd5a4e11721ad106558886dc8f003189842c7b3896c1a5dfc8efc89b95b150b891a3b67e4ebd6a106118aaf47f46dde4a17be

C:\Windows\SysWOW64\Gopkmhjk.exe

MD5 0c20aa24054f59a1e5120f20a46e0cf2
SHA1 7cc758efab0a42f05236e91cdac8d54dc652c92c
SHA256 c9c6f5a0e4efc56f1cfe7495c82c6219ffa72e85347c7360892a18bfecb1c9fb
SHA512 856dd1422be72fc52c94f627344845bf7af309a2b4b6bc84228284fac03a69e737a15555ef01fed29af753f3ee8c399aa37fd5b7d3fa345d223785484f9fa162

C:\Windows\SysWOW64\Gangic32.exe

MD5 9f14df6964d3b01f9f5cafc2ec6af3da
SHA1 95e3e6b8eb6ab3f065905c910e528f8dd09fb1d0
SHA256 2c671a3d126183160774c64b35be193ba8ed128f167e382f2ea8de059fa944a4
SHA512 6217738e5e8d8dd4e9834a61f9a0597423561f21f6bb650c292815b542592da9f80ee367034fced71b8508dfc5f9969de8dca1511a4f256e52968fdbfcb06b09

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 d5d4febd89e3c44f87f3e4502b8e0cf3
SHA1 055b857672bda6d1223ae11e0e9a079161359d76
SHA256 cf25b387d349a27fbde5dcb7db6c7bb250c766e633670b11c9321dee625a10d2
SHA512 8cdc7159626aa22c7b2e7cda34bd4142505647d1506e19f22d8ed3fe2b4e924a77abd510b33dfc2fa9b0cbff051e4a7177c2db2fde3bb4b02e2a69274f7000e4

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 47a1ada0dba36f6adf81b1b769e7cb1c
SHA1 50d54a6cb91da15864fe1df4e87dfd7f3d7bbe50
SHA256 4719c500060629675be13688b149458a9ab04b59ef2c29fbe2dff58683a75ce4
SHA512 ed587a5fced9bea07b829092c5418f6581f1614f6a727c64caa76741437a169b5e4b7ea9d2958d58a25c0f58fc9eac1d9d1829fa96757eef841fff83dee457cc

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 2dece228f8bb1a780e9b031414360339
SHA1 31a2e19d83d30c28b26f9d6a974c11d31c99be3f
SHA256 b62384e19ca8d2a2084ebbe22588961afad648641ceff1b093f7a010261ebcf7
SHA512 954f4919a7221cf531c8d2dce6cae8859a5889cd40068ccaf3d98d4e772a9bbc2c80e1eb867d96cb36db9b18c3c79becc91e654f71cf2432d26fa687156d25c9

C:\Windows\SysWOW64\Glfhll32.exe

MD5 5d5aff58a4b55910376276539ffd7d3e
SHA1 52a1a614a1b254481f561a77ecd47ee015c05ec5
SHA256 7ffb21b4d5abf4cf55790ca859d45cb07775d6aeceef7ba45a3b45405f9bea0b
SHA512 0c9272b2f80207f0fe06920419c45453c3a000da9f5cdb38d508c7f6b0ffcb72220b56bf9988566ec142c5fc5a01aa8f4cf4291b47feeb5c5eaee50326d9b196

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 9f946f555bb5f0b1a585c268fac03aad
SHA1 bc37bf128e25fab201c62e96c29bf67ed1b55194
SHA256 a515da80385bcc171a9d6b64d07f351b642f9ac539f42be28660055c2b1fc57f
SHA512 3c832e938156dbc402bfea94f74fe7472ce9b8dd0d24d5a154e4228d9d04325eb1a3df1f8192844944c77108c27558e8b4d6a7ec4bced1804ca2b5ab29b74b81

C:\Windows\SysWOW64\Geolea32.exe

MD5 cb9793ba993a70b79b87b42228c4fe08
SHA1 2075cb8d6e21edd2b046a40b6f46e23edaf9e089
SHA256 e8377ce5b582bf8501c27d3eef5cc8c56fa57bcb0f8952fb253982d275ec48c4
SHA512 dec83d122ee515fc34eb8910c57dd70458646719bce06cdbdeab857b5f209bdd35351552e8e6c7579c7ee0fb924d221c7f5c638d80cecc34967820b2e85d151e

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 2484170df66db90dbe40dcd8f008b12f
SHA1 35ee710e899a7be865cab5477472ea55a687b816
SHA256 044ceb4e585249a502b77c488d1d7c2b445fd6107f41af7469f840e97802a9b7
SHA512 d63fab85ba9abcef2ef635a475975b5a6b780ab85b21a78168ee996e36bfe7639d84b80dd64731a2656a8415c2f23d903cdc66b7572f2281e0bef56c1293084a

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 71de8ffe0ad1cea7fea27b7b4e2aa268
SHA1 da2da5861a4089a3549d10b95ad00bd43ebbb252
SHA256 d0b6bccbb85f53387af88b6860bc07b2e563a2a0bfacb0684223c4c52c1812a5
SHA512 066e0b70d951b3254c02584a85fcf4323bc26f5d4aca1dfdfdf99fa9443225e2d233136f7c5cb7d1e7e00b53e759352f6ce50afb18210e19a074ac138b12a2a6

C:\Windows\SysWOW64\Gddifnbk.exe

MD5 7d1c305c4f5f1d7ec141cb2f9f2a1315
SHA1 40e1ce14bfae0eafdc0efe6d763f4f0e35ebbe8a
SHA256 2ebab65d2bdb4359dd7c072d936bc2bf909a914095be925cb6d0df8fc1047f4e
SHA512 0340a91877f88e7faae8c06b755e2c4deccedbb73da19fc8098e1f2574c34ea38da72ee464a3eea0a68f521ba6b6fb9ea0d87d476a155153d9ff77ef8e1ad937

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 33a55c12f96f30b07cebd2790b46b0bf
SHA1 c01b92b5ebe63abbaf310404abc1c68f15d765eb
SHA256 fd02d443205bbb47157895dd3d8b48d2cf64690e475ee086569cbc4d7db7a3c3
SHA512 c630f9445b0832eeddd72942281df5aac07f8ba03fe7058d8c62b678b2315a2d2aab05259088f6e5b174f49c789692bddcf6881a118fab19f452dd60fb65c83f

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 07d672220f095e8542d24bd1f89c941a
SHA1 a7f2d71987bd8a42158082f29a165c562e164576
SHA256 a55df10803dce54ce59e65304c7a6564f797caf5d00eee1dd0704311b4033255
SHA512 652e5a41342598a2208b15a1fcb09c099d0a363ef04e942f7a17d7a6c9f0ef428d551c17b3e60530e277de97c6a31620cf4bb22c4160d6b26b15a080d38de2e3

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 b1b8df1ffcfaf843154e1ec39c5b0782
SHA1 ba43229e6ce168ff51c96b216b1cd58abc62c023
SHA256 411736380a5ed16d1b58621f834c4c422cec6890ac69de95b80e594d08c37613
SHA512 0dc5fa2671fb54b33b8f879e2a6aa1ab302aee60da3b94d16e1de49f7a7ee2001e29307ea4a91b0fc3b844eb14f06d25c3bb27926d86cc2109edaaf0439019eb

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 29b7bfaf4d7d82f9c5f1417c6aece59e
SHA1 1694df07ed7b7c072c43bfde8c9652a7722c697b
SHA256 3d59556e566a9f8944eb90eea792c561bfdb5444a893a634a5c219bd31820ece
SHA512 cd3b35332216c38008cfc03d5d9815a440422b025a4dd63cf9cea039383ea00db4bfd4314032b150f9a6f3012ecdcdf1d51d9c6b945cdcda7874881483267b80

C:\Windows\SysWOW64\Hicodd32.exe

MD5 12dc93d757c1fafb8993a9278ed1edc9
SHA1 41b1bfcfd8d6f1b1870fbfee20e5ce36f91217b3
SHA256 53bd4d9f3575073ea16e7fa5aca49df07ddf9b1fcdd79dbaeacd2d64f1480ea1
SHA512 f47a58931bf9ea03f7a1ca5ba7b98f95b99e2f15b733b9664c214282f19bfd0a59bd5785f1c73ae51def81cc9d0f6d554c47c2c616aa7524e68860fb936768a3

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 63ead78cf80c78093ba0ae5e0d627e38
SHA1 72a337ad4b9716622ba5fb4fbcda1587e28dbd88
SHA256 01eff04eeef9c7b71b9c1c750d40613e8342095bf73f29d015b17b35d2256c0f
SHA512 23c17ce557c48034b323d7f5e6a0bd44108615daa153fd0e11735a622d0511f94b0a8a4f8ab7748b3de7cf9d87921da3e223fd3d2af173317ad16d6554a5729b

C:\Windows\SysWOW64\Hdhbam32.exe

MD5 a6e03bc13e758333e591c591c9b6d3e8
SHA1 ef4396eafda6da953ba74268dcef7e840015d9b5
SHA256 b9fc3ce2aa4f7eb9e84509f2c3b56da7ae8ad92ce8706918231019803e14188b
SHA512 5bdceb3e8322c59279747071a1f44d44be4f528641d7c6fb3ad37a8ac00bdcbd079f21fcf399839110d930be42dcddea52f5e81304eff597d1d01b8953b354f3

C:\Windows\SysWOW64\Hejoiedd.exe

MD5 a40290c3955613aaf2f4d122f113f3b7
SHA1 e80292fa482bd1e8aa21e4a268fe2ef7dff4e55b
SHA256 83f70b2acd161b5b77dea28fdd3b18aa15e99b905574a2faf7babc9db1773fdc
SHA512 6de21badd85db1dd3d10cb1fe3a5d245984a744e37eb71cf0bd04713ce0fc6a404576aa065623c95a3208036358f29b40349c8409d46353d0a2221d78513583b

C:\Windows\SysWOW64\Hnagjbdf.exe

MD5 f303d5cc9806a0df9333360b67f66c58
SHA1 91b0eafe92dbc9721fda6fd713e6f6ee6a256fb8
SHA256 006d0163bbcf402f821f2e24bab22a6f572ad179e72b726c384b58c0900fa0f5
SHA512 99459afe004f794b80f63ac0328307b4e445cbe26dfd3e7ba5c73d3ab454a3fcbf9e949c1d233996b8d2331eb42169e4243fcf8669e39e51fb3094049ec4f3ff

C:\Windows\SysWOW64\Hobcak32.exe

MD5 a0a14dc9b6b68ce477512dbe8a0997e3
SHA1 db9a44f96560265da937217174f5b7fe1551059b
SHA256 3fe1a947f8f2660a29003046a7c61bb894a2948c597336f1ad217c50aa2b2428
SHA512 1fae0fa57e40a4b7124b47fccfe603b3d5958efbe00464cb16254e89355a51ffd0817ec3aca6210a1a3fd85c10bee5737b099c872dfcca7b2739f75a648a0bb1

C:\Windows\SysWOW64\Hcnpbi32.exe

MD5 8c2b471666d964bad063f30b853c1147
SHA1 608c12bba72aec576f1c40ee68fed0cc211a4cb4
SHA256 7b3378bc315e43e1a0383815574e1a27291bc142391557f405168c2548cbca84
SHA512 8220a1429788999cf8225b390e5cfccf5a464712d7d9e1ab0f012b280cec7532035b2cfb1a8ce9b7b761666825cd1c1a8fecd9733bf3bbf21020a6c92aef3efe

C:\Windows\SysWOW64\Hlfdkoin.exe

MD5 52174f621d4f3ffac158f1b787da5b60
SHA1 f7606b0d34b00e038ef41d04420f72777af63864
SHA256 cead7da66c6847679aeaf1498a98c592474715ae168b4757e29a43c5f7292950
SHA512 7ffffa4dcf0b82810fd87447b528ff645d3b2f93a0ef7b9b021dd9ba4c6a70cec2ed7b58f1c3c01b3208bc9ef421c84d4370c0e1bcb19af3dfcb974297dde9ab

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 359665026577994192b8a12d0abdd801
SHA1 62b9fd6a8ba61d39ec86c6ed5a4b3b3773139c08
SHA256 cef8ffa56101282af3153d2c28b2695b1df111e2d1c94d82c22273f5dc922abb
SHA512 1d8f59fbf0b9a7f480a2244f02d20f9b329194481d661633b306eede32815976ab1cf31119443f60ed50cfd9fd7795f8bd1950f8af56012a83c384897dfe14a8

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 db9a6157ef24cdfb23e80ce4e0b3bfa8
SHA1 00b6f340bfecbbbf6053ecfad624ffd5f1741c80
SHA256 32385629723d75d983d6c722004e02f078f03b4a9499d0326064256fd032d98b
SHA512 5620604630d73239a0e5ee7a96e6e4fe623df8025698c68798ab68d1d875df2acecfd3d23d348511562847f37c5d39de12b8e08766b9fdfa562a01dac2ecd365

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 2e71c9186021a009c16b0b245a623842
SHA1 d9969291c3f1f6e0b48e819e3402a93053cd0e6f
SHA256 cefd04b0a1c1e0eb6b2b88dd0aaab38654bcf3190c33ef8521718bbcf19dd67e
SHA512 cd3f7875e40f2575d14c1ebf6bd3e0e4822c48ce40f9fcf6a323bb12d2737ae58535e9d8d9b060100fb8c8a201610424ecf455f101a35f29072d512146bd745e

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 3d5d2f6e75ca5404af5b2193ee1ce54e
SHA1 aa798a8b441dd0a238e03e731c772c70596954c9
SHA256 7f44ea80ac74073c638796d2ce69767ca8100c1cfda854b1bdb78cdf0c9328d4
SHA512 8e5fbc267edbd675867e8b31055f99b4891c4239277fc065302afe93e5803d341e023f03193934281776844cabe0c081b9c0fc3ad3985ae1b083e9b1f8d163c2

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 a2cfec2778e7bdb8c32694f7ab57b185
SHA1 9a7b5227c9f0a85fc83ef08d028bf99002ce7ece
SHA256 a18e76eca3771a1b51520adb188582eb9879e4a6d51b3f179fdc4dd6369ae0f2
SHA512 be74635025ec73f07e12dcc66453f5da9397a24a2aeeff224846ece94c35c15b2693bb8d73c926a281b5cf2b6cf5a0a0090911bcbb05d18e1be9ae67f05942ec

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 e399ae422b9c2658caa5bac1fe2a98a4
SHA1 078da5032625c583ffd191acdac624e637ff0c75
SHA256 b9832193d2e2c64a8a3b847fb8c49b3c59741157630b9db65bb307208c25a5d0
SHA512 a325cc73636ea53378a4871adaf8e737dd5b1ab0b04b34b362179410b72ce316aca1546e274ce3a7cd1cade51c4c30a7cd8e24b02f2a0ccd78bf58b337490005

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 ccda39450a6af9e34d6ff120572036d7
SHA1 fe3c1b8a3872ce41bcd9d771e0c35d21cc05c0c4
SHA256 e190591f7fb29fc414d1ea1e6742f99a6be98570e41bd6cedfc4f0903862472b
SHA512 1bdd76faec646c9e44e74b1b8d11e20d3955a02d160f56f21f08eb9f42a09b02984cf7d364410834f5dbf815c6f13f2795c157335bb740e35fc749e777417dd6

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 14:14

Reported

2024-05-09 14:16

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgphpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jmpngk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcbiao32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgidml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jbkjjblm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jmbklj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbocea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpocjdld.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcgblncm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbkjjblm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jpaghf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmnjhioc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lnhmng32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpaifalo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nqiogp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnmopdep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcbahlip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lcbiao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmpngk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdffocib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kdffocib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kmnjhioc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mdfofakp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mgidml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncldnkae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jbocea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgikfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpojcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpaghf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lcgblncm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lknjmkdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mpaifalo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jpojcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnhmng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lcdegnep.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jbkjjblm.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmpngk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpojcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmbklj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpaghf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbocea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmgdgjek.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgphpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kphmie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmlnbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdffocib.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmnjhioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kckbqpnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpocjdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgikfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijdhiaa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcbiao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhmng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcdegnep.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjjdgee.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcgblncm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lknjmkdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdfofakp.exe N/A
N/A N/A C:\Windows\SysWOW64\Majopeii.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkbchk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnapdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgidml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpaifalo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkgmcjld.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpdelajl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcbahlip.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkjjij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndbnboqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Njogjfoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqiogp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncgkcl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkncdifl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnmopdep.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndghmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkqpjidj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnolfdcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndidbn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncldnkae.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkcmohbg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Jbocea32.exe C:\Windows\SysWOW64\Jpaghf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Kckbqpnj.exe N/A
File created C:\Windows\SysWOW64\Lcdegnep.exe C:\Windows\SysWOW64\Lnhmng32.exe N/A
File created C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Mpdelajl.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File created C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Mcbahlip.exe N/A
File created C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Ndbnboqb.exe N/A
File created C:\Windows\SysWOW64\Jmbklj32.exe C:\Windows\SysWOW64\Jpojcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmgdgjek.exe C:\Windows\SysWOW64\Jbocea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lgikfn32.exe N/A
File created C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mkbchk32.exe N/A
File created C:\Windows\SysWOW64\Kmnjhioc.exe C:\Windows\SysWOW64\Kdffocib.exe N/A
File created C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lcbiao32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcgblncm.exe C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File created C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Fnelfilp.dll C:\Windows\SysWOW64\Mgidml32.exe N/A
File created C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File created C:\Windows\SysWOW64\Gbbkdl32.dll C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File created C:\Windows\SysWOW64\Egqcbapl.dll C:\Windows\SysWOW64\Mcbahlip.exe N/A
File created C:\Windows\SysWOW64\Jplifcqp.dll C:\Windows\SysWOW64\Kmnjhioc.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lcbiao32.exe N/A
File created C:\Windows\SysWOW64\Dnapla32.dll C:\Windows\SysWOW64\Lcbiao32.exe N/A
File created C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lcdegnep.exe N/A
File created C:\Windows\SysWOW64\Ogpnaafp.dll C:\Windows\SysWOW64\Ndghmo32.exe N/A
File created C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File opened for modification C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Lcgblncm.exe C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mkbchk32.exe N/A
File created C:\Windows\SysWOW64\Lelgbkio.dll C:\Windows\SysWOW64\Mpdelajl.exe N/A
File created C:\Windows\SysWOW64\Cgfgaq32.dll C:\Windows\SysWOW64\Nkncdifl.exe N/A
File created C:\Windows\SysWOW64\Cknpkhch.dll C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jbkjjblm.exe N/A
File opened for modification C:\Windows\SysWOW64\Jpojcf32.exe C:\Windows\SysWOW64\Jmpngk32.exe N/A
File created C:\Windows\SysWOW64\Plilol32.dll C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File created C:\Windows\SysWOW64\Jnngob32.dll C:\Windows\SysWOW64\Lcgblncm.exe N/A
File created C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kphmie32.exe N/A
File created C:\Windows\SysWOW64\Oimhnoch.dll C:\Windows\SysWOW64\Kdffocib.exe N/A
File created C:\Windows\SysWOW64\Lidmdfdo.dll C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File created C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Majopeii.exe N/A
File created C:\Windows\SysWOW64\Lnohlokp.dll C:\Windows\SysWOW64\Mdfofakp.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Mcbahlip.exe N/A
File created C:\Windows\SysWOW64\Dihcoe32.dll C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Ndghmo32.exe N/A
File created C:\Windows\SysWOW64\Mkeebhjc.dll C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Akanejnd.dll C:\Windows\SysWOW64\Kphmie32.exe N/A
File created C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File created C:\Windows\SysWOW64\Mpaifalo.exe C:\Windows\SysWOW64\Mgidml32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmbklj32.exe C:\Windows\SysWOW64\Jpojcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncldnkae.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Ncldnkae.exe N/A
File created C:\Windows\SysWOW64\Anmklllo.dll C:\Windows\SysWOW64\Jbkjjblm.exe N/A
File created C:\Windows\SysWOW64\Majopeii.exe C:\Windows\SysWOW64\Mdfofakp.exe N/A
File created C:\Windows\SysWOW64\Pipfna32.dll C:\Windows\SysWOW64\Nqiogp32.exe N/A
File created C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nnmopdep.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kphmie32.exe N/A
File created C:\Windows\SysWOW64\Jchbak32.dll C:\Windows\SysWOW64\Kckbqpnj.exe N/A
File created C:\Windows\SysWOW64\Pdgdjjem.dll C:\Windows\SysWOW64\Mkbchk32.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ncldnkae.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File created C:\Windows\SysWOW64\Eeandl32.dll C:\Windows\SysWOW64\Lnhmng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdfofakp.exe C:\Windows\SysWOW64\Lknjmkdo.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Ndbnboqb.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kgphpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jbkjjblm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll" C:\Windows\SysWOW64\Jpaghf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kphmie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbkjjblm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll" C:\Windows\SysWOW64\Lpocjdld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jbocea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbocea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mnapdf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mpaifalo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpojcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll" C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdffocib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll" C:\Windows\SysWOW64\Lnhmng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll" C:\Windows\SysWOW64\Kdffocib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kphmie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lcdegnep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll" C:\Windows\SysWOW64\Jbocea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll" C:\Windows\SysWOW64\Jpojcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kmnjhioc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgikfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lcgblncm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jpojcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll" C:\Windows\SysWOW64\Kphmie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnapdf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll" C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgidml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll" C:\Windows\SysWOW64\Jmpngk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll" C:\Windows\SysWOW64\Lcgblncm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3324 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe C:\Windows\SysWOW64\Jbkjjblm.exe
PID 3324 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe C:\Windows\SysWOW64\Jbkjjblm.exe
PID 3324 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe C:\Windows\SysWOW64\Jbkjjblm.exe
PID 3900 wrote to memory of 4748 N/A C:\Windows\SysWOW64\Jbkjjblm.exe C:\Windows\SysWOW64\Jmpngk32.exe
PID 3900 wrote to memory of 4748 N/A C:\Windows\SysWOW64\Jbkjjblm.exe C:\Windows\SysWOW64\Jmpngk32.exe
PID 3900 wrote to memory of 4748 N/A C:\Windows\SysWOW64\Jbkjjblm.exe C:\Windows\SysWOW64\Jmpngk32.exe
PID 4748 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jpojcf32.exe
PID 4748 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jpojcf32.exe
PID 4748 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jpojcf32.exe
PID 2812 wrote to memory of 4512 N/A C:\Windows\SysWOW64\Jpojcf32.exe C:\Windows\SysWOW64\Jmbklj32.exe
PID 2812 wrote to memory of 4512 N/A C:\Windows\SysWOW64\Jpojcf32.exe C:\Windows\SysWOW64\Jmbklj32.exe
PID 2812 wrote to memory of 4512 N/A C:\Windows\SysWOW64\Jpojcf32.exe C:\Windows\SysWOW64\Jmbklj32.exe
PID 4512 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Jmbklj32.exe C:\Windows\SysWOW64\Jpaghf32.exe
PID 4512 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Jmbklj32.exe C:\Windows\SysWOW64\Jpaghf32.exe
PID 4512 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Jmbklj32.exe C:\Windows\SysWOW64\Jpaghf32.exe
PID 3328 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jbocea32.exe
PID 3328 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jbocea32.exe
PID 3328 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Jpaghf32.exe C:\Windows\SysWOW64\Jbocea32.exe
PID 2400 wrote to memory of 4940 N/A C:\Windows\SysWOW64\Jbocea32.exe C:\Windows\SysWOW64\Kmgdgjek.exe
PID 2400 wrote to memory of 4940 N/A C:\Windows\SysWOW64\Jbocea32.exe C:\Windows\SysWOW64\Kmgdgjek.exe
PID 2400 wrote to memory of 4940 N/A C:\Windows\SysWOW64\Jbocea32.exe C:\Windows\SysWOW64\Kmgdgjek.exe
PID 4940 wrote to memory of 1008 N/A C:\Windows\SysWOW64\Kmgdgjek.exe C:\Windows\SysWOW64\Kgphpo32.exe
PID 4940 wrote to memory of 1008 N/A C:\Windows\SysWOW64\Kmgdgjek.exe C:\Windows\SysWOW64\Kgphpo32.exe
PID 4940 wrote to memory of 1008 N/A C:\Windows\SysWOW64\Kmgdgjek.exe C:\Windows\SysWOW64\Kgphpo32.exe
PID 1008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Kgphpo32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 1008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Kgphpo32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 1008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Kgphpo32.exe C:\Windows\SysWOW64\Kphmie32.exe
PID 2448 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kmlnbi32.exe
PID 2448 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kmlnbi32.exe
PID 2448 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kmlnbi32.exe
PID 2856 wrote to memory of 396 N/A C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kdffocib.exe
PID 2856 wrote to memory of 396 N/A C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kdffocib.exe
PID 2856 wrote to memory of 396 N/A C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kdffocib.exe
PID 396 wrote to memory of 672 N/A C:\Windows\SysWOW64\Kdffocib.exe C:\Windows\SysWOW64\Kmnjhioc.exe
PID 396 wrote to memory of 672 N/A C:\Windows\SysWOW64\Kdffocib.exe C:\Windows\SysWOW64\Kmnjhioc.exe
PID 396 wrote to memory of 672 N/A C:\Windows\SysWOW64\Kdffocib.exe C:\Windows\SysWOW64\Kmnjhioc.exe
PID 672 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Kmnjhioc.exe C:\Windows\SysWOW64\Kckbqpnj.exe
PID 672 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Kmnjhioc.exe C:\Windows\SysWOW64\Kckbqpnj.exe
PID 672 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Kmnjhioc.exe C:\Windows\SysWOW64\Kckbqpnj.exe
PID 1052 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 1052 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 1052 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 2216 wrote to memory of 2212 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lgikfn32.exe
PID 2216 wrote to memory of 2212 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lgikfn32.exe
PID 2216 wrote to memory of 2212 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lgikfn32.exe
PID 2212 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Lgikfn32.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 2212 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Lgikfn32.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 2212 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Lgikfn32.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 1848 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lijdhiaa.exe
PID 1848 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lijdhiaa.exe
PID 1848 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lijdhiaa.exe
PID 2124 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Lcbiao32.exe
PID 2124 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Lcbiao32.exe
PID 2124 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Lcbiao32.exe
PID 2100 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 2100 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 2100 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 5016 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lcdegnep.exe
PID 5016 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lcdegnep.exe
PID 5016 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lcdegnep.exe
PID 1624 wrote to memory of 3984 N/A C:\Windows\SysWOW64\Lcdegnep.exe C:\Windows\SysWOW64\Lnjjdgee.exe
PID 1624 wrote to memory of 3984 N/A C:\Windows\SysWOW64\Lcdegnep.exe C:\Windows\SysWOW64\Lnjjdgee.exe
PID 1624 wrote to memory of 3984 N/A C:\Windows\SysWOW64\Lcdegnep.exe C:\Windows\SysWOW64\Lnjjdgee.exe
PID 3984 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lcgblncm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\57c78fb75fd72214f567aa271203f320_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Jbkjjblm.exe

C:\Windows\system32\Jbkjjblm.exe

C:\Windows\SysWOW64\Jmpngk32.exe

C:\Windows\system32\Jmpngk32.exe

C:\Windows\SysWOW64\Jpojcf32.exe

C:\Windows\system32\Jpojcf32.exe

C:\Windows\SysWOW64\Jmbklj32.exe

C:\Windows\system32\Jmbklj32.exe

C:\Windows\SysWOW64\Jpaghf32.exe

C:\Windows\system32\Jpaghf32.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Kmgdgjek.exe

C:\Windows\system32\Kmgdgjek.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\system32\Kgphpo32.exe

C:\Windows\SysWOW64\Kphmie32.exe

C:\Windows\system32\Kphmie32.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\system32\Kdffocib.exe

C:\Windows\SysWOW64\Kmnjhioc.exe

C:\Windows\system32\Kmnjhioc.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Lgikfn32.exe

C:\Windows\system32\Lgikfn32.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Lcdegnep.exe

C:\Windows\system32\Lcdegnep.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mpaifalo.exe

C:\Windows\system32\Mpaifalo.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Ncgkcl32.exe

C:\Windows\system32\Ncgkcl32.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3368 -ip 3368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 420

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.91:443 www.bing.com tcp
US 8.8.8.8:53 91.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/3324-0-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Jbkjjblm.exe

MD5 3e065640ae917281b815a808d495a1bd
SHA1 87740b5138390ad4af4962871b8c398b3d0781c1
SHA256 eb4d35cf6658c913201fede06c7a730f47a7f0dea5159f98b0e57fe630bc90dc
SHA512 d6a6e85d8b02f0d4b18fdd10ba17a3162d17db3f0c12428bb9663e5426661db98cf384c2750d8e4c90dc6cbafff903370235ce1708a5714a3e9f44a7294d2d34

memory/3900-7-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Jmpngk32.exe

MD5 0416a66c0c936ae11ae0132c439301d6
SHA1 7c7d8f9376774c8c8700dad6e73fff5de121733f
SHA256 c125400e8ae74bae48d2fe15b8188b66cca2367ce2e6dbdcf1e7d3b1394dc6e6
SHA512 d50836fd09f099bb0f58e718b287dcd4321fd982b1e7bb45bd64561a9a992f4d2a6cbe8348295e134d019b01447e0a64aad49cbd94a029abb465708101699978

memory/4748-16-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Jpojcf32.exe

MD5 83816e09a5bb2c37e100b60ae028c7a3
SHA1 c1a9b584e1b14ee946ea38c2a1b3e5126c4a6137
SHA256 ff67a324f85648a24df005ac61601b504800233099e834728cef0b874c6f049e
SHA512 f9c43616773e6bb6733e4bfae8913142adb72fafe38410d797c22e7faa1bea7285692e765a210daca19fe0809ae9c1d8c3cd6e4914efcd4d45a9646d021db36a

memory/2812-28-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Nilhco32.dll

MD5 dba83b757aed71992ae5d19e5b4d2beb
SHA1 06151f714b164892bd7b039dbb89ca8dfbdfb9f7
SHA256 211f4d20c19db5246ee783006c91b6542922cd26bc28f3e1ef8eb7411566aaf2
SHA512 3f0fa101d8ce085104193fd1cb659fcbdb0cede12c922926eda1a1df411c44c6ecfa1bc0403acb0b9360a08ed67f26478ce16cd18ee4e44a4b42e5b40f1f84c3

memory/4512-36-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Jpaghf32.exe

MD5 7595fead17d254eb10a722467713c107
SHA1 2187f410fa0fa50d2bbf3d5b997a8d88e35dc0e6
SHA256 4e4a544059eea5bcf5253cc88ef2f7b7ecad91578d5f06569064582ed605acb1
SHA512 33ef70cc7b26a430ba0a5534a0e9a031c7d99fb9dafa7437ea881bc1d73c9124ccd8253309bf02c872c40572204a74dd99b5ff20bb8ea6e3cce860b48e3c9961

memory/3328-40-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Jmbklj32.exe

MD5 8a03af60937aae36184ebfa568258a30
SHA1 b69aa5de5eefe292ef6f1479bb61c87d1e85710e
SHA256 05c8357f6a7174e22c100da8153432843527cf18a42769169b9c08bef658818d
SHA512 8301c1eb19fa9f43f9535d85567bc91b8c71d18b355b5e38292eb63b426595f5e94c93aeefc6bcd00c17ffca98dee7355d9e69063316df069359751ab72ef29e

C:\Windows\SysWOW64\Jbocea32.exe

MD5 c1059faff35d8528d864fb74442e71c0
SHA1 b7f08bccd68109ee285a11e09065e852a0f01bec
SHA256 4e29373ab4bd4910bc78f61811d0c888b92c003c16808bc1d7b29ca9be64d7f3
SHA512 3c7b0c70d2a0b6cba301354798949b88f9333d48e5608388f127c1d46db3cf90cd1117bb725c474b2521d8cfbe897dfc327fe69d664e8d409bd84e886925a467

memory/2400-47-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kmgdgjek.exe

MD5 ca1183c3954b4a6a440a89be9937ff72
SHA1 17e8e4880e016c7bac97590617467c09bd98308a
SHA256 1526a79affd03f9eeb6c566c23280ea03c2f21d945b4f0e1a89634b1c8359be8
SHA512 169bbe863284377208e5096949aa970a93e1084639d27400bda3e08f21916d6d5e9cf7d5b224596e1e1ca8a2a4aafaf8be0ae58f036bb92d62ec2aef72ae43e9

memory/4940-56-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1008-63-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kgphpo32.exe

MD5 4acde883f0132c426e45f6e50f1e1412
SHA1 aedf497e6f3c61cf45226020c9d036129eaeea8c
SHA256 7e7ee893a81a90264a5141f598feacc5ffe54c6c9defc68ad4a357e7d33aa8e4
SHA512 ce7058c56a71448eb8a71daff17b645ee4da9b4efe69c202d24ad41b49de81015f8994bef656c53d687e309d6fcd6fe8c7ef82ddf99775e3caea281681583831

C:\Windows\SysWOW64\Kphmie32.exe

MD5 6ed9ff1437087d117f213461eae9e010
SHA1 b28aaa6c49695916b741992fb7ed36979c56b891
SHA256 509b2d62a8219cdf55fa383218f53ca2042f769217a94d74a17fe2a2275be1af
SHA512 d24cfd2f402b059fdd9a55c464e877c7db5bb5a5e0dbe8dfe54f4504b721ebfe651fd319f867b826be8ed5a4756033e2e876589e8ba4ba7615d9da09f402fa0f

memory/2448-71-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kmlnbi32.exe

MD5 98664b17008a966673be327135f386d5
SHA1 92b90ace34ebbc8af0ce2bfc3f900f200c6b3dca
SHA256 32ffcbd5040a3378a9dae5bdda141a712a7e90bb9e81e7ff7bf63333c8dd4b21
SHA512 8b39aabc3ed0db4c7ca1d7228a7612728e9139639534d467e93a3d246c36c23d23a5ab72c286c4db5847345953686c395c388d6578a954d9d896bd0b048bd6c6

memory/2856-79-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kdffocib.exe

MD5 57d489f29579f13f379077e12d90852f
SHA1 5a9f8831b3d0e01b2c6f2f57f791884c32dcab72
SHA256 e773dc293c1955bbb9838360bce640c707b146e7f766101f11b175289d39ed9a
SHA512 0c3dc8b33d3bca5d68780f921a671cd98cf2650cc071edf47aace6a665654e0477defc11cb0e6bc1526630190531ede29725503d92eeeb525c621e085ff38a29

memory/396-88-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kmnjhioc.exe

MD5 8dddd4d72f06c9922fc3c7bbe6f4dff2
SHA1 012dfec47cc232c84624f87948b283c6e49eadd1
SHA256 47079e86261e5dae3885ad996c2b8ef6c22cbe656e4a297b263738b37ecb5ab3
SHA512 e5c8da6a2aa4e1cc4629ac394f7c3b767ee499f649a40c9f44a100257b557b518f5455d5b74821de4eb6e93f76640cb9530df989fcf8aaaa3eb488ae9cc808a2

memory/672-95-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kckbqpnj.exe

MD5 ad7c9af0b25f34469639e4667cf35d2c
SHA1 0c27fe8e9af51892749746404883da66926f251c
SHA256 7acc85feb4a11bb31264f10cfdcffcc748bbb2f26930e698f461d8c4eb73f54a
SHA512 7b5ade08b0c5d6f134c9b0d912ac30a44acd180c93fd587f2a6a3ab88dc87ca3c02e8aeaf5760eed9a9072e04a255f9cb80a476b9ad4b496a186354c88a78865

memory/1052-104-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lpocjdld.exe

MD5 d0f8a910e0dee56796bec1729dd8e721
SHA1 8ebeb7d00cbd6c0f44c13f3a128aa427bab21157
SHA256 f48609f79b9c42c17b015450bb3de84faf8394fcbc64caeeeb6f6727d3742aab
SHA512 9ac18f5f4fb50daa9d4d3a01a758d0767d3dd353ea9a7838ba5c655b6049356e980c3411f1ef70245735fd38b62511c0a28c2617eee07b108c48a3fb5018ee9c

memory/2216-111-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lgikfn32.exe

MD5 ea612d0e74286f94af4346abadbd95e8
SHA1 f772f929442cefe580fc39c9d680e379d5cd5450
SHA256 4743caeb97686f29606bfd8029b2138643ac383b49c0074ea71f333001191679
SHA512 89d5f0ca133f666b166a0c6a19b093219a5a86f9d11e60c132a9aab35b5a44b87e91c1b6282f832430b67a7e0fb27adde8290a949571e1ae9759651d50b1ffb8

memory/2212-119-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Ldmlpbbj.exe

MD5 3c30a2343344d01346b6853f8a64b8c9
SHA1 e375441f944c7cdbbef6c90f8d3af73d72f3e2e7
SHA256 63e3170713ea0e44eac709855ae552bafeae2050d061dc81db3b833dcd9da2cb
SHA512 685a9f64642b826269ab1aa9b3c9407dc93e467970d69931b692ba380d17512fcebe15f2772b49ec13c878f1aaa112c6364b7d8a34eef1b8437ebccda554cb7e

memory/1848-128-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lijdhiaa.exe

MD5 d79fa5c9ef8e002db81ff01d74c45cf2
SHA1 3c8dc24373b671077f3cba8a3bd83fa5843a3ac4
SHA256 4886aa3d4ca44297d95da97a740d7091e29f4771194a036afc81cd948fb41136
SHA512 d81829e019cc0cd8331ec75b85f77de47208ca87656c1a8f12f1d795db2ff78db0cbbbb1ea59e085b1d897da8d665147390e90f903613670994b48d5d8d1fdfe

memory/2124-135-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lcbiao32.exe

MD5 4799c94354a527668b1782311dea0691
SHA1 3934a97ada4e6fc72b6674c0c52eab09783d38dc
SHA256 41c6c2e22fbf5d6f654e01b5d3b7c717947bea5c6f60c261769e9621fe164de4
SHA512 84d8b43fc0663b5f8fffab6aa1587929b4d1824dc831c0c2d2ed076f2d07fc05cefaed364f2ed58cde337e41220f7088e6e203d4376a822162bd173cae093759

memory/2100-144-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lnhmng32.exe

MD5 f70bbc82c16585fe5db2c9000433a70e
SHA1 afdb9dd7a44d50542b89fa520cfd882a4ab63a4e
SHA256 ddd5c28f9108f7806021abb6e4b0295bb00e6de3baef5e06f4c8fda2173d385a
SHA512 690fc071a0a9e93e796301d3be7cbfabb9a4929020d957f21abe57b9de8e95c88b8227eca07a52cb7bfea58ef967f991a5fa258d0e5a2ec86694c84c88d2f89a

memory/5016-151-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lcdegnep.exe

MD5 4063ad301c7e2cddab4e50cef6927d1d
SHA1 82d32dbd092990c0630767e1a8314f7653f9c367
SHA256 92172def78ea5e1c794dee0e6bd4059ecca5ed47b9e7501d76c0526f0ebe0561
SHA512 126ea18b32d5d7035a8be9970c7afa681474b67155759b82d9761ea5b50d8a08c3cdb191a75c100ee37ec838de3ba7adaf9bf509527c4cfe8871da3a17386c18

memory/1624-159-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lnjjdgee.exe

MD5 f9919f158f699d2649ed8e2065e1e4a6
SHA1 9722b15aab36de13f8ddb432e9367fc063f79d98
SHA256 bba3ff3e21d29eb01b82db45555d85bf6db357b66828b5e8ab2049b3b4e620b3
SHA512 acb707ecb59eb1a9151415d72cd9a7704853359443cd204c0ed9252d749ce57a4610f5cebde8a1326fc52b38a59411cd33209b4523e30e784f596882f18b3fd1

memory/3984-168-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lcgblncm.exe

MD5 7df0f0da92fc4d88c10a82ba25f81db1
SHA1 196f909427c450e3638dc1547e3eb8fd93bccf5b
SHA256 2f77431f048a27a41eafddcc081b2885518b10ef058426985616a9829b58d0d4
SHA512 215d2adf0e1dd164b549625d8dfd2be59788f620066c497af69e091b744e625a955c17934412c129d5654385fbad5d2fd715649db45542f6aeee05b904f17738

memory/2036-176-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lknjmkdo.exe

MD5 6b41945929f8f47e8be05f6c003c1fd4
SHA1 6d6517c3f3f93686d88d7c99b00b22ef453c44dc
SHA256 b77db5ea1ece22fe59ac028efd136ebb9f2e2aeb23a81e249bdf774da2ff91db
SHA512 33d2de152a0166df886b1129d3417284f96395fc383a9d7d709530272aa418ffcf6dfd182a5f70f379f97ebf3030e88ac78704333bc06682bd6b624da054a56c

memory/2092-183-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mdfofakp.exe

MD5 ab78830a3fa1093437b89df51314c848
SHA1 8625554a042fec3e1de0514db3c9852665d29f47
SHA256 b96437167384cedc4a08c02d7d6835438eb160293832aa0b8ee8350df363e026
SHA512 9d9c2af950444bef7676e2cb052add360885091132a344e846d052efd0fae08f25bf47feb55224f5f90949d8a8fb3fd3ae499e6f26a545f62c77ee735cc5b6be

memory/4980-191-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Majopeii.exe

MD5 016ed278f73fcb4ce1f546d76ff52f3d
SHA1 5b9c4fc1f9189a42ea6365c6d0b4a2737a200a79
SHA256 12e311d52c1b788d09a0e63ac2cd01550a746848e315aa4b46978a46763bf8c7
SHA512 bb6bac10ffcdf6b208807e9d2a7624ceed0e1f4c28411d56d03affa9d009cfda7f850133997c390c1599b32108dd9fd84ffdbcbc32af82429fa334ff6d19780c

memory/4836-199-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mkbchk32.exe

MD5 9c7a0b5957a1f3fcc4f61d3e9b857638
SHA1 e8b7639928e8b1470387b0e2ce0780daf5a16afd
SHA256 af5b27217992bef59f82274d78e6aba3d94619ab8676a3b579da63ee8100703a
SHA512 de4aa44268ddfbd184e72bacdd4accf44598d3c7b50189ab715bf8c9351a563eb2b1e485e8f8ac596e0949a57fe1ac5fda9ed4c794beed210295b7498b58fdb5

memory/3196-208-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mnapdf32.exe

MD5 5a7cdb39ba65bb92f9832f4c649bd2d3
SHA1 7b04e502e9467cc5a99c943e718c91554bb4f7fa
SHA256 bd2d2211029e4af8b51fc41e2e56fc7596b04eab3f24b701bf9886aefa805af3
SHA512 facde2eef7aedbd5f979b8a36efe27b824b490c6f29b81fe8eb4567b7e4c1e15c644ff23034c325ee80e5a33793ec6665883c4bc6ec144434125979f5f9b7c41

memory/2728-216-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mgidml32.exe

MD5 34b48200cc88e234ad061772b55607d8
SHA1 564b455d9587726008ace851cc041b955536be25
SHA256 71ea8003bba4085703b0e15da8cd6c72128862a04b3ae2dc4a2d4b78fc7b3318
SHA512 5e0cabf2037c2fdb75b9fd15ed2413768e41263dd557a3522c22f9a8615e08712afa9d9398b07727c64e7d657b8cdc767180fe78f4ed4145476feda05a9db324

memory/4048-224-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mpaifalo.exe

MD5 3d5a6b4dceae4114284aedc6a2373d64
SHA1 7c37024e87d14bf5faf149aff634c0a47174bd67
SHA256 e6fe58ea1c42a4542aed66870728873f3b88d6c034bedf43f87726bd46061979
SHA512 8c1c67fe7988c69a1951af0dafa1678e5f13185501e30416dfc3bdac027c488e4841ebc2add6e4ca10c645c0aa13f76e44c897011103d31feb062571da0a5135

memory/2824-232-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mkgmcjld.exe

MD5 e24684b433b1461d1493e530374f8dfb
SHA1 40e7bccc20cbf8bd36551e0c365c6a31d22d0521
SHA256 76982cd2baf299f4f41ccfabea7aef2b4f724f43b09d4ecb567a9de3a4873acb
SHA512 9e27d682849b2bb961d103c0895ab3a8b4317e069c9d5fb1f9e5d8c8b4022c849bb2fadd12bf1c9095d0c7fe929aad369e86777e5994105bcdc50bca664c4bdb

memory/3732-239-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mpdelajl.exe

MD5 5282c4b4709041929c08c2dae54b7cf9
SHA1 ec2d2ef3796bfb1e890ccd0888c91cd1f819348f
SHA256 d9964e1839e1510a9da98b7ef2bbfb3e92db958e103280b97881a98e043b5e2a
SHA512 d6b2247a9f766f3928ac2b5c8c854927c7720bc5d61c40b3b2f97c2a8353e14dfa9ab2adf6472c4dea413921590070dff075372f4051cc4ce3fe8c27cf1413a4

memory/628-252-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mcbahlip.exe

MD5 0085f5a42533760fdb07521e6bc9dafe
SHA1 6b62604d26d1431f62d3d668485e8e8d8a9cdb94
SHA256 8754b5786130f320f580262bbc8db2ddb0358f0a50309e37c82ab56bbe33844d
SHA512 7f29d73a3e0814467909bfb4cc2906a79bc65286b490ae95148f400732b1c156e6e2bb4876a3fee8c924eefcde35863d17088f046b95ac2abc768d615652259b

memory/4688-256-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1832-266-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2948-272-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1752-279-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4552-280-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2140-290-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2768-292-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4676-302-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4692-304-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4460-310-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1688-316-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4104-322-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4248-332-0x0000000000400000-0x0000000000443000-memory.dmp

memory/652-334-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3368-340-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3368-341-0x0000000000400000-0x0000000000443000-memory.dmp

memory/652-342-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2400-375-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3324-379-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3900-378-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4748-377-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3328-376-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4940-374-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1008-373-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2448-372-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2856-371-0x0000000000400000-0x0000000000443000-memory.dmp

memory/396-370-0x0000000000400000-0x0000000000443000-memory.dmp

memory/672-369-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1052-368-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2216-367-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2212-366-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1848-365-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2124-364-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2100-363-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5016-362-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1624-361-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3984-360-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2036-359-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2092-358-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4980-357-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4836-356-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3196-355-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2728-354-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4048-353-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2824-352-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3732-351-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4688-350-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4552-349-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2768-348-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4676-347-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4692-346-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4460-345-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1688-344-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4104-343-0x0000000000400000-0x0000000000443000-memory.dmp