Malware Analysis Report

2025-08-05 22:11

Sample ID 240509-sad8cafe4w
Target 67766a96f77c08af351e490df1db8560_NeikiAnalytics
SHA256 5f78a6b19846a52c08c0591319e1248cdf7ebf3deb6662ab2cc09bcb53dcffae
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f78a6b19846a52c08c0591319e1248cdf7ebf3deb6662ab2cc09bcb53dcffae

Threat Level: Known bad

The file 67766a96f77c08af351e490df1db8560_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 14:55

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 14:55

Reported

2024-05-09 14:57

Platform

win7-20240215-en

Max time kernel

147s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ahakmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfdpip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Piehkkcl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpafkknm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Admemg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aiinen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Comimg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pipopl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pfiidobe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aplpai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Apomfh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dmoipopd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gddifnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngkmnacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ccdlbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pfbccp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhfagipa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dngoibmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pcfcmd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qagcpljo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fjilieka.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmlapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfflopdh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Plcdgfbo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ppoqge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ppoqge32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjmkcbcb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjijdadm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okoomd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aiinen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bopicc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pfdpip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fpfdalii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hmlnoc32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ndjdlffl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngkmnacm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncancbha.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbfjdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoomd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oghlgdgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojficpfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqqapjnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Pminkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfbccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pipopl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcfcmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfdpip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piblek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmnhfjmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pchpbded.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfflopdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Piehkkcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Plcdgfbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppoqge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfiidobe.exe N/A
N/A N/A C:\Windows\SysWOW64\Phjelg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppamme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndniaop.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabjem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhmbagfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjmkcbcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qagcpljo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahakmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajbdna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apomfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aigaon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Admemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiinen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boiccdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bebkpn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bloqah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Balijo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfagipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Baqbenep.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccdlbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjndop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcqpmep.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfgaiaci.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndjdlffl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndjdlffl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngkmnacm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngkmnacm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncancbha.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncancbha.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbfjdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbfjdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoomd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoomd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oghlgdgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oghlgdgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojficpfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojficpfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqqapjnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqqapjnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Pminkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pminkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfbccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfbccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pipopl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pipopl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcfcmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcfcmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfdpip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfdpip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piblek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piblek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmnhfjmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmnhfjmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pchpbded.exe N/A
N/A N/A C:\Windows\SysWOW64\Pchpbded.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfflopdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfflopdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Piehkkcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Piehkkcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Plcdgfbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Plcdgfbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppoqge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppoqge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfiidobe.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfiidobe.exe N/A
N/A N/A C:\Windows\SysWOW64\Phjelg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phjelg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppamme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppamme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndniaop.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndniaop.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabjem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabjem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhmbagfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhmbagfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjmkcbcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjmkcbcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qagcpljo.exe N/A
N/A N/A C:\Windows\SysWOW64\Qagcpljo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahakmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahakmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Bgpkceld.dll C:\Windows\SysWOW64\Bebkpn32.exe N/A
File created C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File created C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File opened for modification C:\Windows\SysWOW64\Gangic32.exe C:\Windows\SysWOW64\Gopkmhjk.exe N/A
File opened for modification C:\Windows\SysWOW64\Icbimi32.exe C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Jdnaob32.dll C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Ckignd32.exe C:\Windows\SysWOW64\Baqbenep.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\SysWOW64\Icbimi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aiinen32.exe C:\Windows\SysWOW64\Admemg32.exe N/A
File created C:\Windows\SysWOW64\Dlgohm32.dll C:\Windows\SysWOW64\Eeempocb.exe N/A
File created C:\Windows\SysWOW64\Khejeajg.dll C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Fnnajckm.dll C:\Windows\SysWOW64\Oqqapjnk.exe N/A
File created C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Glfhll32.exe N/A
File created C:\Windows\SysWOW64\Ndjdlffl.exe C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ncancbha.exe C:\Windows\SysWOW64\Ngkmnacm.exe N/A
File created C:\Windows\SysWOW64\Nofmgl32.dll C:\Windows\SysWOW64\Pminkk32.exe N/A
File created C:\Windows\SysWOW64\Ajenen32.dll C:\Windows\SysWOW64\Pmnhfjmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjijdadm.exe C:\Windows\SysWOW64\Bhhnli32.exe N/A
File created C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Ddcdkl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gmjaic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Phjelg32.exe C:\Windows\SysWOW64\Pfiidobe.exe N/A
File created C:\Windows\SysWOW64\Ooghhh32.dll C:\Windows\SysWOW64\Gelppaof.exe N/A
File created C:\Windows\SysWOW64\Pfflopdh.exe C:\Windows\SysWOW64\Pchpbded.exe N/A
File created C:\Windows\SysWOW64\Bgpokk32.dll C:\Windows\SysWOW64\Ppoqge32.exe N/A
File created C:\Windows\SysWOW64\Ppamme32.exe C:\Windows\SysWOW64\Phjelg32.exe N/A
File created C:\Windows\SysWOW64\Fgdqfpma.dll C:\Windows\SysWOW64\Cjndop32.exe N/A
File created C:\Windows\SysWOW64\Ajbdna32.exe C:\Windows\SysWOW64\Aplpai32.exe N/A
File created C:\Windows\SysWOW64\Fcmgfkeg.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Bcqgok32.dll C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File created C:\Windows\SysWOW64\Hkfmal32.dll C:\Windows\SysWOW64\Chcqpmep.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe C:\Windows\SysWOW64\Hicodd32.exe N/A
File created C:\Windows\SysWOW64\Bbdoqc32.dll C:\Windows\SysWOW64\Pfbccp32.exe N/A
File created C:\Windows\SysWOW64\Cdjgej32.dll C:\Windows\SysWOW64\Piehkkcl.exe N/A
File created C:\Windows\SysWOW64\Fndldonj.dll C:\Windows\SysWOW64\Gbnccfpb.exe N/A
File created C:\Windows\SysWOW64\Glqllcbf.dll C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojficpfn.exe C:\Windows\SysWOW64\Oghlgdgk.exe N/A
File created C:\Windows\SysWOW64\Ifclcknc.dll C:\Windows\SysWOW64\Qhmbagfa.exe N/A
File created C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Cdlnkmha.exe N/A
File opened for modification C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Enihne32.exe N/A
File created C:\Windows\SysWOW64\Aimkgn32.dll C:\Windows\SysWOW64\Geolea32.exe N/A
File created C:\Windows\SysWOW64\Ecmkgokh.dll C:\Windows\SysWOW64\Hhmepp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcfcmd32.exe C:\Windows\SysWOW64\Pipopl32.exe N/A
File created C:\Windows\SysWOW64\Gbhfilfi.dll C:\Windows\SysWOW64\Cgbdhd32.exe N/A
File created C:\Windows\SysWOW64\Ngkmnacm.exe C:\Windows\SysWOW64\Ndjdlffl.exe N/A
File created C:\Windows\SysWOW64\Pmnhfjmg.exe C:\Windows\SysWOW64\Piblek32.exe N/A
File created C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Ahakmf32.exe N/A
File created C:\Windows\SysWOW64\Bhfagipa.exe C:\Windows\SysWOW64\Balijo32.exe N/A
File created C:\Windows\SysWOW64\Facklcaq.dll C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Hlcgeo32.exe C:\Windows\SysWOW64\Hiekid32.exe N/A
File created C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Pfbccp32.exe N/A
File created C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Ckignd32.exe N/A
File created C:\Windows\SysWOW64\Iecimppi.dll C:\Windows\SysWOW64\Emhlfmgj.exe N/A
File created C:\Windows\SysWOW64\Gbnccfpb.exe C:\Windows\SysWOW64\Gkgkbipp.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfbccp32.exe C:\Windows\SysWOW64\Pminkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Piblek32.exe C:\Windows\SysWOW64\Pfdpip32.exe N/A
File created C:\Windows\SysWOW64\Pndaof32.dll C:\Windows\SysWOW64\Ppamme32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkgkbipp.exe C:\Windows\SysWOW64\Gldkfl32.exe N/A
File created C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dmoipopd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bebkpn32.exe C:\Windows\SysWOW64\Boiccdnf.exe N/A
File created C:\Windows\SysWOW64\Bebkpn32.exe C:\Windows\SysWOW64\Boiccdnf.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhfagipa.exe C:\Windows\SysWOW64\Balijo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pminkk32.exe C:\Windows\SysWOW64\Oqqapjnk.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" C:\Windows\SysWOW64\Aplpai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Apomfh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbpqb32.dll" C:\Windows\SysWOW64\Bokphdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bpafkknm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ghoegl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngkmnacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Piehkkcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll" C:\Windows\SysWOW64\Faagpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiich32.dll" C:\Windows\SysWOW64\Oghlgdgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmdloao.dll" C:\Windows\SysWOW64\Pcfcmd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ncancbha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cfgaiaci.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Piehkkcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amndem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beehencq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ahokfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" C:\Windows\SysWOW64\Hobcak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpokk32.dll" C:\Windows\SysWOW64\Ppoqge32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pfiidobe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Balijo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ppamme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahdmkl.dll" C:\Windows\SysWOW64\Bjijdadm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmchlpl.dll" C:\Windows\SysWOW64\Pfdpip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ekholjqg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bebkpn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedlancd.dll" C:\Windows\SysWOW64\Nbfjdn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pfdpip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qagcpljo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll" C:\Windows\SysWOW64\Aiinen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonlfkdd.dll" C:\Windows\SysWOW64\Pfflopdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jadhjcfk.dll" C:\Windows\SysWOW64\Phjelg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pabjem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bhahlj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gfefiemq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bloqah32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ddokpmfo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfdpip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" C:\Windows\SysWOW64\Ckignd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll" C:\Windows\SysWOW64\Emhlfmgj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe C:\Windows\SysWOW64\Ndjdlffl.exe
PID 1876 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe C:\Windows\SysWOW64\Ndjdlffl.exe
PID 1876 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe C:\Windows\SysWOW64\Ndjdlffl.exe
PID 1876 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe C:\Windows\SysWOW64\Ndjdlffl.exe
PID 2900 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Ndjdlffl.exe C:\Windows\SysWOW64\Ngkmnacm.exe
PID 2900 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Ndjdlffl.exe C:\Windows\SysWOW64\Ngkmnacm.exe
PID 2900 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Ndjdlffl.exe C:\Windows\SysWOW64\Ngkmnacm.exe
PID 2900 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Ndjdlffl.exe C:\Windows\SysWOW64\Ngkmnacm.exe
PID 2652 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Ngkmnacm.exe C:\Windows\SysWOW64\Ncancbha.exe
PID 2652 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Ngkmnacm.exe C:\Windows\SysWOW64\Ncancbha.exe
PID 2652 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Ngkmnacm.exe C:\Windows\SysWOW64\Ncancbha.exe
PID 2652 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Ngkmnacm.exe C:\Windows\SysWOW64\Ncancbha.exe
PID 2572 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Ncancbha.exe C:\Windows\SysWOW64\Nbfjdn32.exe
PID 2572 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Ncancbha.exe C:\Windows\SysWOW64\Nbfjdn32.exe
PID 2572 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Ncancbha.exe C:\Windows\SysWOW64\Nbfjdn32.exe
PID 2572 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Ncancbha.exe C:\Windows\SysWOW64\Nbfjdn32.exe
PID 2660 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Nbfjdn32.exe C:\Windows\SysWOW64\Okoomd32.exe
PID 2660 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Nbfjdn32.exe C:\Windows\SysWOW64\Okoomd32.exe
PID 2660 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Nbfjdn32.exe C:\Windows\SysWOW64\Okoomd32.exe
PID 2660 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Nbfjdn32.exe C:\Windows\SysWOW64\Okoomd32.exe
PID 2432 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Okoomd32.exe C:\Windows\SysWOW64\Oghlgdgk.exe
PID 2432 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Okoomd32.exe C:\Windows\SysWOW64\Oghlgdgk.exe
PID 2432 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Okoomd32.exe C:\Windows\SysWOW64\Oghlgdgk.exe
PID 2432 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Okoomd32.exe C:\Windows\SysWOW64\Oghlgdgk.exe
PID 3020 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Oghlgdgk.exe C:\Windows\SysWOW64\Ojficpfn.exe
PID 3020 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Oghlgdgk.exe C:\Windows\SysWOW64\Ojficpfn.exe
PID 3020 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Oghlgdgk.exe C:\Windows\SysWOW64\Ojficpfn.exe
PID 3020 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Oghlgdgk.exe C:\Windows\SysWOW64\Ojficpfn.exe
PID 1564 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Ojficpfn.exe C:\Windows\SysWOW64\Oqqapjnk.exe
PID 1564 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Ojficpfn.exe C:\Windows\SysWOW64\Oqqapjnk.exe
PID 1564 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Ojficpfn.exe C:\Windows\SysWOW64\Oqqapjnk.exe
PID 1564 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Ojficpfn.exe C:\Windows\SysWOW64\Oqqapjnk.exe
PID 2400 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Pminkk32.exe
PID 2400 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Pminkk32.exe
PID 2400 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Pminkk32.exe
PID 2400 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Pminkk32.exe
PID 2360 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Pminkk32.exe C:\Windows\SysWOW64\Pfbccp32.exe
PID 2360 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Pminkk32.exe C:\Windows\SysWOW64\Pfbccp32.exe
PID 2360 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Pminkk32.exe C:\Windows\SysWOW64\Pfbccp32.exe
PID 2360 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Pminkk32.exe C:\Windows\SysWOW64\Pfbccp32.exe
PID 1016 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Pfbccp32.exe C:\Windows\SysWOW64\Pipopl32.exe
PID 1016 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Pfbccp32.exe C:\Windows\SysWOW64\Pipopl32.exe
PID 1016 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Pfbccp32.exe C:\Windows\SysWOW64\Pipopl32.exe
PID 1016 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Pfbccp32.exe C:\Windows\SysWOW64\Pipopl32.exe
PID 1576 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Pcfcmd32.exe
PID 1576 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Pcfcmd32.exe
PID 1576 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Pcfcmd32.exe
PID 1576 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Pipopl32.exe C:\Windows\SysWOW64\Pcfcmd32.exe
PID 2124 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Pcfcmd32.exe C:\Windows\SysWOW64\Pfdpip32.exe
PID 2124 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Pcfcmd32.exe C:\Windows\SysWOW64\Pfdpip32.exe
PID 2124 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Pcfcmd32.exe C:\Windows\SysWOW64\Pfdpip32.exe
PID 2124 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Pcfcmd32.exe C:\Windows\SysWOW64\Pfdpip32.exe
PID 1376 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Pfdpip32.exe C:\Windows\SysWOW64\Piblek32.exe
PID 1376 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Pfdpip32.exe C:\Windows\SysWOW64\Piblek32.exe
PID 1376 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Pfdpip32.exe C:\Windows\SysWOW64\Piblek32.exe
PID 1376 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Pfdpip32.exe C:\Windows\SysWOW64\Piblek32.exe
PID 2816 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Piblek32.exe C:\Windows\SysWOW64\Pmnhfjmg.exe
PID 2816 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Piblek32.exe C:\Windows\SysWOW64\Pmnhfjmg.exe
PID 2816 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Piblek32.exe C:\Windows\SysWOW64\Pmnhfjmg.exe
PID 2816 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Piblek32.exe C:\Windows\SysWOW64\Pmnhfjmg.exe
PID 2068 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Pmnhfjmg.exe C:\Windows\SysWOW64\Pchpbded.exe
PID 2068 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Pmnhfjmg.exe C:\Windows\SysWOW64\Pchpbded.exe
PID 2068 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Pmnhfjmg.exe C:\Windows\SysWOW64\Pchpbded.exe
PID 2068 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Pmnhfjmg.exe C:\Windows\SysWOW64\Pchpbded.exe

Processes

C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Ndjdlffl.exe

C:\Windows\system32\Ndjdlffl.exe

C:\Windows\SysWOW64\Ngkmnacm.exe

C:\Windows\system32\Ngkmnacm.exe

C:\Windows\SysWOW64\Ncancbha.exe

C:\Windows\system32\Ncancbha.exe

C:\Windows\SysWOW64\Nbfjdn32.exe

C:\Windows\system32\Nbfjdn32.exe

C:\Windows\SysWOW64\Okoomd32.exe

C:\Windows\system32\Okoomd32.exe

C:\Windows\SysWOW64\Oghlgdgk.exe

C:\Windows\system32\Oghlgdgk.exe

C:\Windows\SysWOW64\Ojficpfn.exe

C:\Windows\system32\Ojficpfn.exe

C:\Windows\SysWOW64\Oqqapjnk.exe

C:\Windows\system32\Oqqapjnk.exe

C:\Windows\SysWOW64\Pminkk32.exe

C:\Windows\system32\Pminkk32.exe

C:\Windows\SysWOW64\Pfbccp32.exe

C:\Windows\system32\Pfbccp32.exe

C:\Windows\SysWOW64\Pipopl32.exe

C:\Windows\system32\Pipopl32.exe

C:\Windows\SysWOW64\Pcfcmd32.exe

C:\Windows\system32\Pcfcmd32.exe

C:\Windows\SysWOW64\Pfdpip32.exe

C:\Windows\system32\Pfdpip32.exe

C:\Windows\SysWOW64\Piblek32.exe

C:\Windows\system32\Piblek32.exe

C:\Windows\SysWOW64\Pmnhfjmg.exe

C:\Windows\system32\Pmnhfjmg.exe

C:\Windows\SysWOW64\Pchpbded.exe

C:\Windows\system32\Pchpbded.exe

C:\Windows\SysWOW64\Pfflopdh.exe

C:\Windows\system32\Pfflopdh.exe

C:\Windows\SysWOW64\Piehkkcl.exe

C:\Windows\system32\Piehkkcl.exe

C:\Windows\SysWOW64\Plcdgfbo.exe

C:\Windows\system32\Plcdgfbo.exe

C:\Windows\SysWOW64\Ppoqge32.exe

C:\Windows\system32\Ppoqge32.exe

C:\Windows\SysWOW64\Pfiidobe.exe

C:\Windows\system32\Pfiidobe.exe

C:\Windows\SysWOW64\Phjelg32.exe

C:\Windows\system32\Phjelg32.exe

C:\Windows\SysWOW64\Ppamme32.exe

C:\Windows\system32\Ppamme32.exe

C:\Windows\SysWOW64\Pndniaop.exe

C:\Windows\system32\Pndniaop.exe

C:\Windows\SysWOW64\Pabjem32.exe

C:\Windows\system32\Pabjem32.exe

C:\Windows\SysWOW64\Qhmbagfa.exe

C:\Windows\system32\Qhmbagfa.exe

C:\Windows\SysWOW64\Qjmkcbcb.exe

C:\Windows\system32\Qjmkcbcb.exe

C:\Windows\SysWOW64\Qagcpljo.exe

C:\Windows\system32\Qagcpljo.exe

C:\Windows\SysWOW64\Ahakmf32.exe

C:\Windows\system32\Ahakmf32.exe

C:\Windows\SysWOW64\Amndem32.exe

C:\Windows\system32\Amndem32.exe

C:\Windows\SysWOW64\Aplpai32.exe

C:\Windows\system32\Aplpai32.exe

C:\Windows\SysWOW64\Ajbdna32.exe

C:\Windows\system32\Ajbdna32.exe

C:\Windows\SysWOW64\Apomfh32.exe

C:\Windows\system32\Apomfh32.exe

C:\Windows\SysWOW64\Aigaon32.exe

C:\Windows\system32\Aigaon32.exe

C:\Windows\SysWOW64\Admemg32.exe

C:\Windows\system32\Admemg32.exe

C:\Windows\SysWOW64\Aiinen32.exe

C:\Windows\system32\Aiinen32.exe

C:\Windows\SysWOW64\Apcfahio.exe

C:\Windows\system32\Apcfahio.exe

C:\Windows\SysWOW64\Aepojo32.exe

C:\Windows\system32\Aepojo32.exe

C:\Windows\SysWOW64\Ahokfj32.exe

C:\Windows\system32\Ahokfj32.exe

C:\Windows\SysWOW64\Boiccdnf.exe

C:\Windows\system32\Boiccdnf.exe

C:\Windows\SysWOW64\Bebkpn32.exe

C:\Windows\system32\Bebkpn32.exe

C:\Windows\SysWOW64\Bhahlj32.exe

C:\Windows\system32\Bhahlj32.exe

C:\Windows\SysWOW64\Bokphdld.exe

C:\Windows\system32\Bokphdld.exe

C:\Windows\SysWOW64\Beehencq.exe

C:\Windows\system32\Beehencq.exe

C:\Windows\SysWOW64\Bloqah32.exe

C:\Windows\system32\Bloqah32.exe

C:\Windows\SysWOW64\Balijo32.exe

C:\Windows\system32\Balijo32.exe

C:\Windows\SysWOW64\Bhfagipa.exe

C:\Windows\system32\Bhfagipa.exe

C:\Windows\SysWOW64\Bopicc32.exe

C:\Windows\system32\Bopicc32.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bhhnli32.exe

C:\Windows\system32\Bhhnli32.exe

C:\Windows\SysWOW64\Bjijdadm.exe

C:\Windows\system32\Bjijdadm.exe

C:\Windows\SysWOW64\Baqbenep.exe

C:\Windows\system32\Baqbenep.exe

C:\Windows\SysWOW64\Ckignd32.exe

C:\Windows\system32\Ckignd32.exe

C:\Windows\SysWOW64\Cljcelan.exe

C:\Windows\system32\Cljcelan.exe

C:\Windows\SysWOW64\Ccdlbf32.exe

C:\Windows\system32\Ccdlbf32.exe

C:\Windows\SysWOW64\Cjndop32.exe

C:\Windows\system32\Cjndop32.exe

C:\Windows\SysWOW64\Cphlljge.exe

C:\Windows\system32\Cphlljge.exe

C:\Windows\SysWOW64\Cgbdhd32.exe

C:\Windows\system32\Cgbdhd32.exe

C:\Windows\SysWOW64\Chcqpmep.exe

C:\Windows\system32\Chcqpmep.exe

C:\Windows\SysWOW64\Comimg32.exe

C:\Windows\system32\Comimg32.exe

C:\Windows\SysWOW64\Cfgaiaci.exe

C:\Windows\system32\Cfgaiaci.exe

C:\Windows\SysWOW64\Ckdjbh32.exe

C:\Windows\system32\Ckdjbh32.exe

C:\Windows\SysWOW64\Cdlnkmha.exe

C:\Windows\system32\Cdlnkmha.exe

C:\Windows\SysWOW64\Cobbhfhg.exe

C:\Windows\system32\Cobbhfhg.exe

C:\Windows\SysWOW64\Ddokpmfo.exe

C:\Windows\system32\Ddokpmfo.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dkkpbgli.exe

C:\Windows\system32\Dkkpbgli.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Dgdmmgpj.exe

C:\Windows\system32\Dgdmmgpj.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Dgfjbgmh.exe

C:\Windows\system32\Dgfjbgmh.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Ekholjqg.exe

C:\Windows\system32\Ekholjqg.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fcmgfkeg.exe

C:\Windows\system32\Fcmgfkeg.exe

C:\Windows\SysWOW64\Fjgoce32.exe

C:\Windows\system32\Fjgoce32.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gopkmhjk.exe

C:\Windows\system32\Gopkmhjk.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gkgkbipp.exe

C:\Windows\system32\Gkgkbipp.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hmlnoc32.exe

C:\Windows\system32\Hmlnoc32.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Inljnfkg.exe

C:\Windows\system32\Inljnfkg.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 140

Network

N/A

Files

memory/1876-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Ndjdlffl.exe

MD5 c78f9b2b9741de29f4c5fd2a8ad72bc6
SHA1 02d4ace294ac237b88fae71ae8138b60577ed3c2
SHA256 6e7d5617514ed1d9988c87ec8bb9121670cb9d1e762d9a66638eed83a4d86528
SHA512 e86ce0143e88dc156d34ff9b8da7d84112adac16b91c213b755ab1dd236a66e7e3d3cad3ab19ea49db05e381a676122fa113dccd091e9da21e2ddfee70900a0e

memory/1876-6-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2900-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1876-13-0x0000000000290000-0x00000000002C3000-memory.dmp

\Windows\SysWOW64\Ngkmnacm.exe

MD5 4f231994057dca282091ca97ae1b55dc
SHA1 f4fde18a17f78aa3a106f174d4340e312e7e1801
SHA256 22a8c4e35ea4e1a6166daa53cc147ffa956d895fe9756a33f7e62a2f362962e1
SHA512 968b451d18b559c3d9a86aeb109c9f2464efed353bab418c1fbf6ca10361298cb1e9c4b2e3ab5c83551c29c062d31001b93c276f61e56227fe88893e2d35c883

memory/2900-28-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2900-27-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Ncancbha.exe

MD5 4b125445aec80750465f7b242e0e4976
SHA1 a9278bfa531266166bd80928d4f750cd6a3b6a76
SHA256 fb36c6a3d4238463f38c7d98fcf285976d8314242efd4a8b9a46c74afbac4556
SHA512 d4e25793a9447268ce72469a16b6cc3b97b045038650d1958cf71a836c9371646fbf482c05406dfec0822dd35172f52031c9d2833365a9b98c1ca19f3d628ef6

memory/2652-36-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2572-45-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Okoomd32.exe

MD5 22f9f5fe58684049357129a5b458fbe7
SHA1 0a34b204205cd7baa1ede84c682ef675b914abfc
SHA256 962a0b9e4b2d1998909e4b5c3c1c8261a6fde4660838bf9a4401b6cc96c3704e
SHA512 2247151b1cb8867e9ee77a9c414ed68132bf1a6569c0a47ee88c0379f3f70ede6805773ea6c670bd58645d3fb1231b96c516eb88d252e03cd3a13a19a816fbc4

memory/2660-65-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Kedlancd.dll

MD5 48f86de5e6d2f4811ece86aa08d91d76
SHA1 23349771bc823cb8b14cdd57694f9106c0d93950
SHA256 1c7a496f439a47940038a76eeb8ea0bd582be043b8a558cf581edb05c41b799c
SHA512 3c186c446784bd8339ed40aa9bfe36b449a299d4f16edb18167230b1cad7db92300cd473d31eaa420a9a047737e99f3e85966968923e3aa87d5d883b68174b3d

C:\Windows\SysWOW64\Oghlgdgk.exe

MD5 ac1c0eb0de0742007703e7902e3663d3
SHA1 a78f138a123579d930fcff0547bb52686bcda525
SHA256 767f03312b28fdf6df7ed4bd0878705cc18d917f6e139df4474e5db791636216
SHA512 689ff07c0562285ceea20754c755380075979f160585edde3a01ba39b297594c5b2bbfe9e3476896d7e6e8df25c96490d7759e5a2d1c47cb013e146cf8ae4a80

\Windows\SysWOW64\Ojficpfn.exe

MD5 04f780eee7c06a865ef027f9215ce67a
SHA1 e9e1550ad7742117cad1c88b260ad6dd9ed3317c
SHA256 d829cfc34a1f28a8f753bf907d9adfbfb18b57927eac20ac14c3fab3a8198c49
SHA512 5d9aa4f8c02150110c2a0baa9d70c54664333a607dd27f95a50d469fc4c8fb2a2f92c2d60cdac791098668f8d2b55ba149f7c12133c45ff939744a1e91db8bd5

\Windows\SysWOW64\Oqqapjnk.exe

MD5 98d12b5016b36444121547fe8d24b1c3
SHA1 083c3e3820842b468288935d9b44c5c87fa2604e
SHA256 a988d6fc1ad338943c8c190f05e57d7023ce1bdb946f9214c54528a1739524ec
SHA512 fa9d5518c781ef2aa74b73fb584c1f47ccd244494680ec474fba4f183f755ff14b78c9c0874b78e617dd887d1971c218eb5ddedd2f73e16a6a564d546b6ff233

memory/1564-108-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/1564-95-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Pminkk32.exe

MD5 372e8e1b3553efe74cea69750cbc66c0
SHA1 3f78abde301924b2429ba68e84024e032bb34879
SHA256 259d6dc42735330f78896532d046d9508aedb48f105d46b755bc0397b8565006
SHA512 ed9df7fb69c2c70e2f9f1618d334803b65309121ae1c130b6a38e013b4cdb225f1ad32404455f045a993bf17b92a421bc4ed91b9d0e132cf1997d38f6e114f30

C:\Windows\SysWOW64\Pfbccp32.exe

MD5 c15395d4476adb36fb0426cd5fc26509
SHA1 f6d44eaa22c65cf77d58b40be5d9d17d1bd011f4
SHA256 9d7995d39bccb5c11fe09dd3f041923610978e14e2808acee4656eae03a4e994
SHA512 83f8bfb1d84974a45036b8d12b0b1838f5c4aa0d85bb7ba2dd411314ee67a2e8046520f43b250c9760e7e460cf3d385a1e47d49a45e777e21c59ddcc01a4e8e9

C:\Windows\SysWOW64\Pcfcmd32.exe

MD5 30b7369afe99d13101b87c1a607cecbf
SHA1 f8dcf23dfc5147092e6058ecffc1babea79ec6f8
SHA256 add6f14e77de1a55640b1afec45516a600405e9e7be33f6d256ec67aeff6bb3f
SHA512 a16b7326fa1d3b836675e02f3411340815fcc8d364f19aa5b27ac7311a27ff57baf2ddd6b4e43c608fd0833b293a139790ac3bc861d5a4a1225c88a6c1a57294

C:\Windows\SysWOW64\Piblek32.exe

MD5 dfe34138abef536b079e85e1dfe73ef5
SHA1 7bcd98d610ae388d36af9cb01a52fff20c0d136e
SHA256 5f45aa457b1b65b4b3ed83fc009dfb58b119a84ca50d9329f2e88c6b0886c22a
SHA512 ebf6bdbd081bfd4f544c7152e2d2b2cea6aecf5c556946c85f334e495beb2bdb8256f92eaa99d227f395a5250186e933ab67912889730e33865fdb3482cb6a4c

C:\Windows\SysWOW64\Pfflopdh.exe

MD5 9c924de5f07dbf19879bcb52408eadc0
SHA1 ac1519071dae90879da548e167c580c8d4820163
SHA256 b1bda50ffe02fd3ade3bf925fa36f7698b3823442ce7a77ccb8d414608a5d7ff
SHA512 dfed2f7a8c59b12d2f9501444329b5e77e67bf15103eb36ee9183491fd9a06052ab71e8eb3a3b667fc966f1c1b3aab8d4be3f1c70cd49ccaa920e035c0937b54

C:\Windows\SysWOW64\Plcdgfbo.exe

MD5 2795559353efb8f568b7a33d1341c572
SHA1 c1213416b4515cb74d11e1557c2892dd16a26731
SHA256 03f949060e408a9daecfa77476478ede7ddc203116aad5bed3cd0264fee599bb
SHA512 262fd84bb9dde68c0b4725f478a0fc39f01f74bf49302311808d41276833b89bb5dea56740e05031c5cab0d192a1971e46777d50ce73a70e9a01a6f341aef78c

C:\Windows\SysWOW64\Ppamme32.exe

MD5 b7bb68a4b68a2b8f45707d1864109dca
SHA1 99af9e256f431a13ef4354490b4ad2676b9001bb
SHA256 59388562b4cb90bef5ed997e1ffb55e92f7587d65a39c7626d68b12f6958bf5f
SHA512 f615b74ebc6f05f4486f3dde342896f53724fb008de13d3c33d83969628331ca1d0e129572380700015e243f63951d32da42bb58c7047592433c6d53c7d63df3

C:\Windows\SysWOW64\Pndniaop.exe

MD5 8ec8c4e0c43c688ee29942792361e9b7
SHA1 2bf7bdf5741a51040aba8929826474ecba303297
SHA256 22995f7bfee6163da676fd854374a06b486141e3a7e5a648cb52d5b61c76c064
SHA512 6b3143bb85ced98bdaac4f64a92c79645cd665c2bd23affd3cd35b88714dfa8e9976a1e957a30ac3ff533a6ec912dc49d2b717d95a8d1427043f1b146b0c9fdb

C:\Windows\SysWOW64\Pabjem32.exe

MD5 c25736891730bf3a13942931534f9bed
SHA1 1846cc844cec9fff603589125b933b0561b8da0d
SHA256 42c363f92ed7c307c7a1b83e234c70e32c011f0d4a44cf8987578279464c1a58
SHA512 41980801deab8bde2869145e6ed5437218e781af95534a75fe4e4317e488cdae455743433f9d98ec0a8288676fb5019f6c73312394b236673bf22037f2e58983

C:\Windows\SysWOW64\Phjelg32.exe

MD5 28c5dba956b322c5a1c23b6fe9fd40ef
SHA1 16f4576537aa3ba30ce84c42314b2ef6e16d86aa
SHA256 aaece9c4b0b9b43fb1388f5fcf9b17c6afabfa23aeb4f66ef5bfd26e347d3228
SHA512 c29a6e356c427e563697eec85f363652018143e2f41c83118c3d830b32cd35cbc085c320c362a66c4d635e6fec2c358c946da35b80efbe8fb9e6e38d6291f5a7

memory/1672-332-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2704-354-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2644-372-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1536-383-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Admemg32.exe

MD5 6c60dda7ed3b838bfe724b4154baa38b
SHA1 602851bf738804ec725b038241ee6a1b0fbd35f3
SHA256 4eba2aff7dfcd7438b9830476b1159e74866ee27ffa046f2ebec24b3c050cdcb
SHA512 38065068b4a83e7a56ae67dbe7ee36fcf83c81008fcff8f8473108d18e3a28055e5419e97286b2e0c5a1a3036b1fb4e881238c9b8d03b650b5b736840be68357

C:\Windows\SysWOW64\Bokphdld.exe

MD5 3466309e41374af8bdc28307f765b172
SHA1 9c8f491c84d6b4d9bce6a0076eebb5564c8080f6
SHA256 acb997ae3953879621c2a273b426e4b12de429c486395bc5ced97d72cfa8c08d
SHA512 e582abcf69d3ba03c3bf165fe01801fed3e2e62e5b567e6d38a109bda5976ffd0e5806fbc705580fdcd5360e3b64584230bee480c149107295f98461dc1ad8f0

C:\Windows\SysWOW64\Bloqah32.exe

MD5 44b9db9249c33ab97810b29d837c7baf
SHA1 d0c01b1ceef46bbdb1c13d69801350cc43bd640d
SHA256 7500962cc007aa91a08ac2913b46f91c46a23feade1b813d6d5b5ab01c18a963
SHA512 6aac6e3e06f915a4bf60114eabe6299f8c557c539b1c543451bee821a5c145f3e14fd197dc12375138a2b8d140eb1518cc88b5aaae17eae134a382a87b41a2c1

C:\Windows\SysWOW64\Comimg32.exe

MD5 47395d74d0b2def1f68a4c2cb6284b54
SHA1 3dd09ada4205cca0900cf2b58c891ad907fe9ced
SHA256 3832cff72bbf1b89fa30fdabd92a8a9647f7dcbc782a48efe7586aba433718dd
SHA512 6e5bc8dd2be21fbf7b31ee104fc333b349d9b393be11a367c68044934a5b69aea059082f9e81cba536be86f7b74b8e1818b3aefebcb31a60db22cc3153a6d87c

C:\Windows\SysWOW64\Ddokpmfo.exe

MD5 f9358bdba8ca9101486554aff9a7d1f7
SHA1 3c7ccec5c6c10b62a80c8f51f00234627a998a04
SHA256 b077f36744ed35e076d0d10101bd16af82542745f144fdb4fc01a6b7b4825b75
SHA512 48c280b5c470fffffb5cfed2a0e7726099b841edc173cf62a7081c988c78158a8860eaa178931c6689b6b18ebf79dfcc78f45e3dd90d690836d7ae5d56340d3f

C:\Windows\SysWOW64\Dmoipopd.exe

MD5 c1afae375c5672456951c537f3be2916
SHA1 bf7892c0aff424f2ed8038c8877d74dd3be2bf32
SHA256 9cdaca937d911775e8adccaff02b009b0fac69472745b196064af36e63031584
SHA512 ada8a274442f99b662869b2484d2c8eb3bb1f4041e3fa03cc084cc62ab9c170d98ae1fbad64ee9f1baa803ddf8837756c1303557c407e18b73a762392dbf0468

C:\Windows\SysWOW64\Dmafennb.exe

MD5 5463fac9cd354eefdaa39f389e4d7dbe
SHA1 e030d63ba5563f747e6e6e136edfca932f7dc151
SHA256 9af1c4ee071184e2e24ee584780d87c02d03308ce8b0044d7e4340d2c4137b79
SHA512 9ecf549d87bd03fcee5ec4e694c8bee28c6fc328f726e0c115d4aa8e95c04016736b323f047dd029e08d41c818b3b56578b419f1d5bf3ac4e793ffd2e544e9dd

C:\Windows\SysWOW64\Dgfjbgmh.exe

MD5 d44eeaffa9b52fc00a2eec7c6c5cc6c9
SHA1 6c6e74750d2e86a9a6ab11b7bd28091db7a5f950
SHA256 dcbe34e66afb440825e268d60186087725af27a6175749060973c80a7948e6dd
SHA512 3542e318abc1c8f3e7a242cc223f126a0c7f5bf7dad4f3248a6fb702c7ed354afa098d35185aa2f12bdad38e558b3e1dbb516d1f3f042f075415a366b98013f6

C:\Windows\SysWOW64\Epieghdk.exe

MD5 cedbe7392dda563e5a07c14ffe3e9481
SHA1 61fdeb4142c1b43bef79697ea7cccbb0b22664b6
SHA256 bf344190ca617855cb5da0ea2925b127ecb8aa5305106e46688bd9ceb0cd8525
SHA512 545a331994a924777340652160c36c6d8c711b56eafdfb34eab3b4ab3e26800c66003122bcd8586a0713d177fe42659947191619a7ec671817903a1315548fb6

C:\Windows\SysWOW64\Fehjeo32.exe

MD5 4566fddd0c1d7c5c66c4f0aafba5883a
SHA1 c7b4106fa0c96ec9ad0fc2f1274014a0c7915958
SHA256 5aa20c8ad8ea4e506b1d947037fd7ff16ecb1960f2dd9687717411ffe22f4a6a
SHA512 5043146f3df2f4e5039b23ce96476cc65e397d8c41bcaa42e15f3ef37ba2bdceb97433451b8f95ac9d2c8fe635cd791d999e32f80e5facdd7ee6069c83c68935

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 b6269635be494e3841006aaed3f90048
SHA1 40911ce3a6c78a3ca4a2a1c90709351878f00a9f
SHA256 a2f2d9354c3bdf8d73fda04b3bb19a37c11a44964026ddbc1e7bef711ea9f0e1
SHA512 f8a9b24752df1062ca51a78e47f59b3ec9d1d56f3743cd96ca4c3981c4c2c5ac96904ae1720f3501cede1471120f085fdfded3fb823061e0c56cb9feb7a060a0

C:\Windows\SysWOW64\Faagpp32.exe

MD5 3326962592403756864c6925ea459896
SHA1 d4aa10262c72ab00576939af8d50891078e44782
SHA256 a4feeeab8435d410df1b0e01c984c16f08e772e5de1a94fb151f320bbaccdb1d
SHA512 c4d99ccfb8e9279f27ec892220628157e7d5c4bad31822cd8d49d76e6e30d0d943212568da66d81d9d87f730a874fbfa405fad958d77e6cdfed84543e53a6c18

C:\Windows\SysWOW64\Fpfdalii.exe

MD5 de79dec8f3367c688142b9a26eae9b1d
SHA1 ac7ac387d5218d0a1e846f2a0d487c167443d388
SHA256 215291dc659868bb61b12bf8b193340fe8703bc4ead270443960202930570445
SHA512 026022a20a9d1cc2c025e522a847b7f72781014585f179335fe169816786fa3e6461c4247fa982ec30f477ae6596e4a9ba617b022d169d0d5109a8dc956296db

C:\Windows\SysWOW64\Flmefm32.exe

MD5 3668194cecc898544c05e2a63ebafadb
SHA1 d799043fa1f18020bf2ee0c0d9e43fb80cc9c0d0
SHA256 1e7935110653948e3a5ebcd366af88d350698941cb21aae37da272af70dcf09a
SHA512 6272f0c26a80439bfc56c1b4b7618cb7ca1de49271f5ecd8cbaf8ee00c5d9007d7af48a9c7a407b0f41c784a7efc4177f0472f97cac5d7fee7d6e8b9304505b2

C:\Windows\SysWOW64\Ffbicfoc.exe

MD5 933c83b5ceecc4f05d61e6707c28f836
SHA1 6b2ad705d60a88b67aa52a052d94bf1f45cb0cf3
SHA256 4ab9b8da362e5e6a6741d94b8f3962a05ad7ca464608a7ba97b0940cb4975258
SHA512 879f5b93a9e3db7ad75b8a743edeb40afe2c1e57f1804fc5e41a6746557aaf07ec0ba5e703457f19ab2e1bb2a53926840e0d3bd99447c1c2dbe1b01fa02d0e70

C:\Windows\SysWOW64\Gopkmhjk.exe

MD5 3c86ba58f8c5385dae7af75d53e301d9
SHA1 59614854b281e8daa351181f9e7aeb69fc5e739a
SHA256 fb1d00a9824c130a65b3c1f93b1cd976b983eb641377ff778ef6fe91e1493a5c
SHA512 ada36217b8a26534db42bad47c3b0db385f35a0515bb9657d28b078559ea545f2302550acf475f900b0132e99fe982f1eba03b04f5658173de335c28042bf2c1

C:\Windows\SysWOW64\Gangic32.exe

MD5 1677e9c303cc1082becaa16bbe2d7ffc
SHA1 ea59d60e2991aaf2b1be7f994d249f18efc202c6
SHA256 a2ae307b8db82377c842bbbca7d39c654d278abf71fc506d39e6ae7aef4953d4
SHA512 2ea4b1f2e71f86260c34c5e6feff532f7b75dfba649ee72ace880f24fb565e5024e93d6a585f112c86a76d0f956e0ce54a26ec05aa0bc331c8db927ac8b754d1

C:\Windows\SysWOW64\Gkihhhnm.exe

MD5 5c39b61f640617c24da23db488b45792
SHA1 4e3f2371b6ab221b83db90787e0fa46ccff92392
SHA256 bb00dac10d59cd9d00796ec7c845fc18f4865d9598ee0baedd2440c28ace875c
SHA512 2756f51a1e97263ab8171e1f9916a92e9d552e2cfe046ccb0acd137bf06cf72fe25fc5713aa6d18edee66bcdfb03a60e2badd61fee12327ce8003fc3419760dc

C:\Windows\SysWOW64\Geolea32.exe

MD5 b6baab345397e0797cf1c46ce91e3f43
SHA1 84bd5f0155035d37c146cdf3752feeb5a7f265d5
SHA256 2c874a58fb3def4635d51fb85ccf04745626235299c41d0321b57977b6a8e647
SHA512 0edb38e7da17687e21e83d0d98bd3059ac3a1411af4fa1651c0bbccdfd3da2a8f2bb7bed7d30877df16c0017e61a5aeced97307177acd9dbdc8a380ebc4f6009

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 c295a923bfbe42054fe64385621c4039
SHA1 8e16d9084101841294f1ca6d9d90562ff31b4bd6
SHA256 80ece135fe2ebb1e974c065a1efbf32d46c9c44f52145397b7e27c2efed2edb9
SHA512 0e112dffeff7e036af7f69c26254de773ae29ee01118fee2c9393092cf8483932d018d4673160b9cac5f250a46cf0f5eae7c8879d238d4f4c0c5eb96a13b5b5a

C:\Windows\SysWOW64\Gddifnbk.exe

MD5 a1e231df1c9c80fe383a9c86767b9cc7
SHA1 cac7a9b3ab14c1a1006d40eec72403688ebe440d
SHA256 a892ded9fc5a2fc6b0831d74f1699e7aca3288b4f4a4585bb25567cd02bea7e4
SHA512 ee91c210de59017ef7ce55a3ea65cbf161cc8808acbe04cddc2b13e235bf334bd93bc833bd7334932d8f8feae5f44c0650fb9c5153f17843ab4220be39523b27

C:\Windows\SysWOW64\Ghoegl32.exe

MD5 67d0ab8e2be937a93319e5995e0e9edb
SHA1 9f8a07db8859e09769b796123a542bb481186e30
SHA256 7779fde24fb5fe3bd2d00ec34a926cee89dce4af878b0c7b393808adddae2581
SHA512 9437dec681a652ad16db758b47ca8f3b2ec6fc680c58bdd587c9279f24be2a01119d0affbf7a42b94c3a5edb6fb9a154b728c533201887640579ccab74da107c

C:\Windows\SysWOW64\Hmlnoc32.exe

MD5 b7a09bf0df25ed828b28f48194b8ee9f
SHA1 75739be510164708c672dc1baddd3a53363a75bd
SHA256 9bd6515d55849028633dc4a1cfd47195ca89974e3ac800defa5feb6eb97e45ca
SHA512 9ffb4fe32de04ccba80b4e5ac4b85f80f448b830c955e5c899159c5fbfd9d31cbe9ae3ee2ddb60ed13daefdfcc83463a9eb563a7085e1ae59a0fa09849347bea

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 a29819a39c40ef18c77820c26284ecd6
SHA1 b521185d1751e0f93205c8534a3b699469bfb969
SHA256 fc7d9773a950f10c4de794cc227ccd328431c5ec1281108253bc7da851d11e11
SHA512 4805fa54a317d790f92e3bae33fe4d640d3acacc0c8c0ddcf2f246d79d2320973e0fec3f7776e0471d211a7b1bca0bd0aaa0e07251b949c9013319ed12c4bf7f

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 91572e365ea53e95989e4d55ed3b3e88
SHA1 bf33d85aefae46bb1d41a433a5fdde81da44142c
SHA256 9d99fcd0a0967bab51bb21f9229bb360703b224932b68450989c141d827240b4
SHA512 b21f33f101be1cf0e1395ab203e2b835dbc098982fc280320ec4351c7b65a09e888459cc1cd4d12ffe6ff2425e59bb1fbc7d4a70a9c0013ef8b8fff730e5e340

C:\Windows\SysWOW64\Hicodd32.exe

MD5 4cf39dfe14f959d76cd616e202b6fac0
SHA1 11aa31e9f129c69d0cfb6783f9c29bf009313408
SHA256 f9161617943b91a9d69f70030494aa77f3dd49f83fe30dc7d84e7d17554b938c
SHA512 9062cdcadd429848c50525731aee24b4df3356e7164931e902795e61eb1de8fc8a34942b052c15dfaa4c91ef28b6a35ef566ff531f4be9e98ebac95e270da18b

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 48073d2f667c45e86b75cb9625c3a7b1
SHA1 6d69f48517120dc2df1f2f84c571941992931407
SHA256 e62a5b571db0e20ffad86f97ae10d1236eaef2123af1c2abd22b3e0803415cee
SHA512 7e772fad64885167c5c0b5c187d592f1b61cfe8a12f84060702338500d2e81fc17491a89a290db51748b078c22e20f8ea34d05e9263d3e4f292b0034a47e8d4f

C:\Windows\SysWOW64\Hggomh32.exe

MD5 ed6e1676aa9203cbca9d356088ec4ad9
SHA1 a9bddaec259d737c7d13d87d04dc8e099e84d71a
SHA256 d85a6e16914b17894391a901836c53559ac409063eafd35d109118d937111365
SHA512 30677bd03ef89686af5f054904928fb7e63404cec12b96d0ca68c90aa964045f25ff100c81aca5ee28b85f4fbe6c20953ee20fcfb495ac94d7a0e16b0d66a9a4

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 db3e1184ae9d175187e941c48ee0cb17
SHA1 4cb44ff0d8535427ab46bff5b50f8646f374d484
SHA256 12edd679051abc57e2b3f1aae5d5f3e0a2a74baba8f7a42966b42522cff3a5e6
SHA512 a8084bc54e164ca8c30f16342e374df8651c77ea985ef8a4308ed29bd17dbf6279d1bd40f5b7d1e7bd8274e1576207b3c7e9e4feeec83000bb3be5141b381125

C:\Windows\SysWOW64\Hpapln32.exe

MD5 f0f48498b850619b950564482a014e2a
SHA1 70882998afd3f2d3058f803fccf5fdd1040c7d5a
SHA256 d86edcee1913f4c033f5dc629c3c6ea9f898a1e1d146d4f55e0b5dfad63398a7
SHA512 033402c437d0c07e7558429b924e7b2ea955b2ffdfe99cffa311df6a2da68a5193fe58c1285e9d1336d646677eafd76c2d0cf2cebdd554263e8d272dc8cd6c5c

C:\Windows\SysWOW64\Henidd32.exe

MD5 d40027fba4d610dc38af172ba0256372
SHA1 aca3bd22f7c8b54200d384573c93a247328f0846
SHA256 4040025466feeaf6a3c5e2b6242d1f6202fe655c2396cbb2ec9d16961de4baa4
SHA512 81f1f51fd270e4eed2aa2e47f64a9672d6f6cc9da53535bf799482147b9f1488550953f1774d0294f1278bbcf5698dae84c20693c952b5f5b8b16cd9d4f6cf65

C:\Windows\SysWOW64\Icbimi32.exe

MD5 d8c490a311419c4d7aa91c0d1bef1c68
SHA1 4920646b59cf9792febdad6d99bf6c485fec8da3
SHA256 5c27fc31879be2da488c5ffdcc987ff0dfea47fc9a6d0578ef488ee0c5c770b4
SHA512 c33b5e51cb193ab8dab6594db23fd949ce6ae1d64843b028e4862c0190d06ee73c26945c917137dc7a40c923ef3ef7cc2f32d829dbcaa680fe31c9debe3640b7

C:\Windows\SysWOW64\Inljnfkg.exe

MD5 56053c75a0240d40e2c483824bfb1ffe
SHA1 fc2b32f0a0ad2300898f152026b72d8c30f88858
SHA256 69c1911e9f6610d65e7f943fa32961169dc83663aaecb020ac5542627055fb3d
SHA512 587424b9491702f830fda7ab4b2cfb51a46429590a08661fc7cd9685213f167729f28efdb9ad57117375d10056837d800a528ef59efd36b05b2ca221ec064f56

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 dd44f3f55e24f173a8d348a99fd655e3
SHA1 188daf11b178d78859aeb3beb7afb306f38cf05c
SHA256 5945fd217df4b10e47693c8ce988c2fff570d483b129a74ded9c51fd93fed9e7
SHA512 3bd9d4f56d7af93b4c998df3b7ee2a1fc9ff0321dfe29cbd9ea4baa9db4c31bdf5b740135f6d28aa1dc484b6571768e7bc6e90fe379f2df1c99c39132450b06b

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 0c50f0f5e9dbe49dde928d6abe4b1894
SHA1 318568fe3171744dc0c546aa1a4ff93a896712b9
SHA256 ebcba21714c90c14f1752652182913aa86058f4ab672ee18e8427c9508b2b72f
SHA512 1c4a6ba2b87f5fcbca2656aac2debd91206b599734d90ed1440968bf9e8871235ffbf2d2088c2c19641d18ec0ac59e502b27622a76cba45e0cd1943e6cfc660e

C:\Windows\SysWOW64\Ilknfn32.exe

MD5 1f8526c1258424cb3af7c70e25e6d7fb
SHA1 3a903d0b193ec780ae7ead8a62341d31072bfa0a
SHA256 050b0d8ef2eaae9b36f37f2773e9bdc6e0b990293f93f69deca0615e10fec001
SHA512 50ccf79f2521627ca45aeef25542aca90abead286a83a85b5dfd50361a1c56a7a76eda89d46e782941f56da19c46361395deaaac2a08c918da6da8fbd6d88358

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 40d2c418a3f87d2e6ec7cb755c48f7ca
SHA1 69844d22ce3c7a29a754a56f131f042b914f5bd5
SHA256 74a799aaa111a01175db88ef88600782ed667698520a5c32c3cee4d3c9bfba38
SHA512 df3d914f7a9eaec53f406a54901dadbf7ad23a2538769e68f78a1ec5bec2661c55c641db8651bfd6a25832b87fbc4f6b5daa9f36ae9a786e96e4e8cab2250326

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 039d91c5bac2f60117db0815f2f93344
SHA1 46469541d33be7280886292bfd61e4d873813720
SHA256 e557f8db6c71a3caf6a75565b8bdff5b468c75d54b41a298145e062726c43336
SHA512 d2ebfcecf76987a6eb149899d4cb1a733a84a3358bffa237cd49764f582f9876162c78d6f124f111a42b57777bc177d1543c8c1f9230850664ca56db9c9889d6

C:\Windows\SysWOW64\Hhmepp32.exe

MD5 f69a42e4710864565f5f3779479cc2dc
SHA1 92536c433687be15091974237c302f58f9e8841e
SHA256 a9a542b83073ed2b98e909a10a2de35d97ff73be5402068a5abacf2d57d3f467
SHA512 2d4995fb030f67a59759232a83200f20fc941348e59adc0e6e9bfd352ffb229456c176c241ba5b63d92283f33b75597251eb4deb48af31fc8d6362363eab3d88

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 638ab28fd561be22f29386bac0ebf11f
SHA1 c3ab820d0104b81468df85845364f88d6e5c6b41
SHA256 635bb7125d5e3043ca1bcb8d3b77c76c77db9215928c56d6f9cf136bf6804d3f
SHA512 f4f2e89716220360302d33e2ce4e0339e84555d455c626db4660c88e700fbe110cfb7bb6d271a5c635c01a3fa365bc724b54a4925f1618dcea77ad7e7215dbde

C:\Windows\SysWOW64\Hlfdkoin.exe

MD5 b4b148e52af1afad45310d7e6be946a6
SHA1 856bc33c412d70bb5af33499df621d3c122b0cad
SHA256 2edde49971855b894fa53286694cec5b91a70253c64281e51dc9c5ae5c06c727
SHA512 32b2eae48148c5a281733fb1684f7826e04222eb306402869ad923590811d61c21bfef3a3e2859cede3bf16de926e3d66875e27a09b18ab138875b42c6b2634d

C:\Windows\SysWOW64\Hcnpbi32.exe

MD5 69d0f5d587b2f872605f40a5c5cba51c
SHA1 618d4f51731ecc41a55c33af210719fda1b1d10a
SHA256 ea5c1e320c99e803459101063b82f30b8ac8a93dacd928ac0a44b799f7f4eac1
SHA512 49bfd0a6edd9af6ac4776e8ff7186df203a623f460b041b4e0317da6619c00ac51f71d5fe022d0c068809124833c6c33f07a1b3cf272385349a9ad463f6b2f8e

C:\Windows\SysWOW64\Hobcak32.exe

MD5 4ed36a13523fb4fcc2a55dee5c382fc4
SHA1 a92c07a6bbde8163b0c8b1cce1017fb71a661afd
SHA256 431f365b199631c0944fe37ac440eacc48c35b17fbdb3614546b574d5985c543
SHA512 47a31b66473c9c7e612b523b7f9b9b294c2ecc0df9094c91183b50e5fcd24322fa092c3e2f7e1713757a57b5d7bd45407047dd586b498abe283b5a96e75fa540

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 a8c77912001df3eb4e9df9b4928ae9d1
SHA1 454fc851c1445f06550332949bd25032754b3641
SHA256 e9121b2497315c6d478cfb45645e298a48a3bb8aa138c224a39351a30da5a52f
SHA512 45852a655735a515e9cd679593350524478820510c4b6b49cb920ad3175b1111f5e134d9e92aea8f3d4915eeb5c9bfb3b7c25ea33aa9165ebe3bfbfba0f34f3a

C:\Windows\SysWOW64\Hiekid32.exe

MD5 78b549af6d466058e84c0245b20ea18c
SHA1 69d90459ff84ae530f22921eb838285148c6a519
SHA256 1f7a64a6790666aeaccbd88cea4004af51bfcc0591c91ccb4fd0c047add486e0
SHA512 dd5858270d4175e559f06d82504279f64a91ec5649c3753fdfec771ee84aa503298642f72e477057dc88fcc7e3e34519e2c3050498b3b196f280e98f9bdefe7e

C:\Windows\SysWOW64\Hdhbam32.exe

MD5 af22f10c0fabb540cf8b420c7c36d59b
SHA1 65dfada5b0e9f952bef3e743720828fc035954e6
SHA256 e2763147c2b306ad42c1525b8e949f472fb9f7367f030da06bb4f2ebbd5721ec
SHA512 8742c64e25ed8c783c7471a4ef54b13bd6d35d8c1a9f4fcc4f1d28edda030a056d50d2fbbb8f0dffb565b20f7d2ad75a4e1b54106cdbcdf50f2e0fa9a823bcd8

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 2969def3e3e2ab6a9e6e8d305ede389f
SHA1 1d3bcaa2fb9a4610ce7575b20503d0186159031e
SHA256 641b0a28a245b2ef27991190f1f0179a767021a5f436a77c3e72ef570cdec6ab
SHA512 a098e0b88b7b518e8be5012b32c3e44861b733031dccd296444de0b5f1aaac2f52af12631ce4ab8a138d644cda4e9c3fdb88c303cf081bd1045a61b3fcc2d5cc

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 9febaf2fdc1fa6b0de9bd79c712f83b7
SHA1 799faa371babfeaa8ed1c04bdf8d9ca480a82a47
SHA256 3050ddc2f9f4ade4cc1702dbdc579a06df5a3210e57d049a47a09b46b1d54610
SHA512 26a0f2c2a2fdc942296667e04f8777b3d9e48290f561b95959460da683e7dfcba2f11093d3b9b59717d29ab3738c8fcf538f57aef48955f06e00924958601e7a

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 f8e28e4069cba1b6a7acd077d4439f98
SHA1 428ed7ad51246f2b1eb21fe964333b2e0aa1738d
SHA256 7e783029b6fc141c7861b562e4e3fc75b5e7479341960f0bf39008842e0e1620
SHA512 5d4a5db89198f3f0a537b50c1c163856061702b6ec8d8f64686f7aaab4d07e9721ac46c7d77c5a7a8f95e7c3ae2dc6768dd5909690c387027615977a51eb7aea

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 2f64cbaaf3aabb82cebed4de486e5ade
SHA1 28735bd6996d83959440fbfd256ac8957385002a
SHA256 61d3943d9f619732289f8c91bed1bda1b649e9d4f7f22d33f920765477faa8e4
SHA512 d3493f4f85aaba9d109f1bb53a168f06137bdfa06943ab5990b8be311df3dd7edc88dddd584cead8a7ec74950930d45c556444616553d2e0da972b5b07569e10

C:\Windows\SysWOW64\Glfhll32.exe

MD5 a3fc7fc10c5a735a76aeeb9adfc02cd8
SHA1 b533ed9477e368a6f253294c6788854a60a8df8a
SHA256 23372941903efde04bd0dcbb863966f696af543c749daf95559a26b25db6ede5
SHA512 6eb336111354144ee813ebda1629519359c6863602fb1b45ff4edbdc24ed2232334303aa6d7aea744a675ef52dea4c6d7728b7f121d17829dbc85ee142d65075

C:\Windows\SysWOW64\Gelppaof.exe

MD5 a61d918c3c22576b2bff2273d75ce920
SHA1 b4bf63207943951b6d572e53156ef3758732933e
SHA256 a8f45404f5e57b17ba7b9cfb2d22a49fbab8da4f07c74869b6e759525f30dab0
SHA512 dc14161aa0531316f7a0f022c1b9a1fe93e94c7322b2fbe1d6ccd77c3108f8f33d5bf833a011fd13a410bea590171c2c85d943437b16655f051739047b34cbcf

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 8b30f70e566f250929b71f404f95af4b
SHA1 3fe211cf13f67a21e659cff2e48ff734ee58eac0
SHA256 5ca11eb21bbee85f51d5e54da44e2cf0a8c1150c7716269f61544ade30b28fdd
SHA512 f4bf9e8662661e13bf219ddb7fd4696bb2b44e18caa8981d23e2a8ce13f72bfc5466c5ce34162329568a6b9782a2093cbe9d30bdd4ea1d60542297477c9d4fad

C:\Windows\SysWOW64\Gbnccfpb.exe

MD5 8f61e11afde856077df3d0eadcf513ae
SHA1 b42f4540175467ad46c4e9f93c89fa798066ce1c
SHA256 ccaa4c54deb4a0a31671dce6a8bf08b5eabb78c2f007fd0c1264787cc42c6513
SHA512 7f86ddd8580993f49e5714becc078ab22e86e2df72893782d36242cf47101a0db3e7fc4e93b2f262e112ff33bd78a87f4e6ce2cfea468a10f1a52586a7372dc2

C:\Windows\SysWOW64\Gkgkbipp.exe

MD5 7dadf130ff18a44e8d64a094b95b07de
SHA1 373da14a930897204c3b82e02317d0b3a32cab2c
SHA256 8f218bcf4e48afe6e18f26b3bdeb79449415a9c063a74afa36c16710645e5686
SHA512 6485b25a52eec26ad4c9b6b39ce53abcfb24cd53968697d812674d9a18c493efb7eb0796fa1b0c503f956cd715e5144ac8bb21efe5b2290d51b1ac7551afa426

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 ba40ce2d404b0780d93b46dda91cd42b
SHA1 d9e3ee94181577824730343d19514ebe175d6b83
SHA256 294e64448d9e65ee29c78b8b9b16d3058176907adb8b7563f8b941ef2f2e5a79
SHA512 5ea5380f67c8f8f767c6fab9a152c2c24e23b911ed2fd7e65b8c0582c47df70cb6deff308310cc913f0b1c6f2bef24c5971f0abad22edb5511b275d1519299a6

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 32399776f9bf38eea0558b4268ac765c
SHA1 47fd2fca65e33d675b1c638a5334fb02a546521b
SHA256 a1543ad7046c62283105dae35c8b9edcec0b89440a0369f575a4c765449b0fd1
SHA512 ea58692371029452cfda7be214404e6005d1e66adc4c76e1d870ca55e93d71630249579d0c4bb82014a5af1c607d8f0c8b0f6b108e7e026576b0584ad75e952c

C:\Windows\SysWOW64\Ghfbqn32.exe

MD5 395d14429dfd972477fef5380acd7628
SHA1 c4a0dd0684e72e366c5bec41dc99196d777111c8
SHA256 a05cbec966fd4eb98dc8cd72217fa8a9c5c83a3e8a260fe8d62547ecfbe69e5a
SHA512 dc63ba23f98718c6fd78102abe0b32f943bca5cd03c267286363ae3f2a3e82d90b981072fa55d59fde7b9b6c91d1f6798e47b460db88ddc614174a01bc3ce2fc

C:\Windows\SysWOW64\Gicbeald.exe

MD5 eda2bd4f5aaf7f9b07e45aa445772fc0
SHA1 b211a626ffaae121047a11e502d250f50f7a6246
SHA256 dab7d3ea42382563f8ab096d4175c65bf22b0d1d6378e601a1b9b0a3eb54d719
SHA512 6732cd5b85e5cd1bfa9e7fe3879606a8037f2f8da14560152dd8f878af144e47994536feda37fa44333cab550789b51a15df3177ab85c74c9bded900caac895a

C:\Windows\SysWOW64\Gfefiemq.exe

MD5 0421bedf21c16200de913c0abecca4c9
SHA1 c871d28497182c58a8329b3048818f34bcac493a
SHA256 8057b37e015d009fe41f177ba2faa5e25db9a9f29a5a8616c2319577a4f1ad84
SHA512 abcffc60a75e248bb86baf080ee64257bb0e0020da9ea1de591470f77961ba39c81d3c6133d722105665a5cea0024f9202c80068e813f730da41b9102c06692c

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 508a33a52ac4c32d3b9083b0bd6d5e62
SHA1 c86b59fe3c1157d39c9f0e57ad58858a64820440
SHA256 9f6337b48d583086981d2a00cc4cfff4ba06a79a1a898e88005af66d19d1c5d5
SHA512 e008698592a1c87d159dcb1d5e8a2cab60ee30fad8875d4bd2d5d8a4a89e3baeb16abe4f3eb3ca750b1d9d8bcca816e9e0e6de2207b29afaeeb9fb4818a2fe32

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 79fcd152faf5ce95775728801358355d
SHA1 399f7c2898c08687dad65af73c98df91fcdacd97
SHA256 a2bf442242e003e8884feb18d731fd4de9b660058f8c382da82184db879a2d6f
SHA512 0dc9bb29a436cd5f51ee5ff314fdf0728e1f7f3788f7e3aeb78d16e0a9ae3881c6abdcf9f947cef859e41495464e7cfe6dbf9d7badde367119193b8dcdcf6f81

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 fb6a0632ef0821e621fba9b13ede4326
SHA1 0959ddace342cd7f6d0f6e17c1799d887e0eb29a
SHA256 6aef87ffe6d55cebc4c58987a35fb65a5071cca5cb1a98ee3921587cea053f9d
SHA512 edf034c6547fc4af334c09b61840113f9c2e2474160c19b1ef07671e5a605eba22937705ebc90969f9a7bf920dda43fd9b42e081a561ee20ee85bb3dda195e4f

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 03f279048a32dcd2b6877aedb6e8fa54
SHA1 6bf334be3cf18b78188223f43f8ee0c44e453692
SHA256 366810775b3b0a6050f5565212d803230609ddb789ccf42dd5f9ae07737caf52
SHA512 7f73e3cb9468e7a38afd96dfb23d011f478bb621912bc484d42d7bc3d7a4dcf98070761929448a21ebda9147a4007d0f6a191fe27937586903b5ab9af2884178

C:\Windows\SysWOW64\Fmjejphb.exe

MD5 05a864b479e2761ce8b2aa73e4d09c3b
SHA1 0e501c545ad859d2bb01f9f649a17d1a53db79a1
SHA256 c1fcb8053ec97d068344d5c5ff438be5451c36ce2bd12a44a82892527480fb34
SHA512 5a8135ab8bc4e1011393175650ccc918b6ef512aad2e9d601c3389a450330cbae8aa254285745f8e77dda9630ef6c196223ab1df7a49d7e41c072a5a0231d192

C:\Windows\SysWOW64\Fbdqmghm.exe

MD5 f8bf91cd18afe0c1bf73a481f96e3821
SHA1 21de3b0873dc1c7f0f18ee77e0882724ad0b08c7
SHA256 6d65b497aee6e4d13c49146d1e6df56f7055beb9bcf4130133627869e8a27e76
SHA512 c0e21d8d6635513caeee9122cd6773868c3ed0704f069fef9d845f8dbabb1fabfe504b9b9b07f042914741a7ce104c8f5ccdeb0e072c7b03f4e2fd12659f07aa

C:\Windows\SysWOW64\Fjilieka.exe

MD5 79f54e242908e6272c5b4fab0760ddbc
SHA1 b6b74037318e0f114fc7bf2c11694e9d50a57e8c
SHA256 152173235d1d0ee91749d32af25456c1c6ca95e5a1d51fa7513eba3be9f31764
SHA512 113aa427967aa2c5a388b06d28ae1d51762c4b1e74bf8d245e393d0f24f6cecc8f4181428b57e9db8d7e81f9acc592457e416a12977416d51b6873de549b0c06

C:\Windows\SysWOW64\Fjgoce32.exe

MD5 61ef0595ff4149b908e30b26bebba0c2
SHA1 f6e3a81710741ad8040dba9f442f9a102289a8af
SHA256 f7a1784da418021c53e87507393d37f6ec299d2f05b997eaedd814f4ad709d3d
SHA512 0cbc62a15877bf2892ae073a150e17993a6df40bfef2e6b2685419f832692d8d5fdf55f304fc294e8c68d9d581d52de463ec9655e4c6f6ff19f87af11d41bd5a

C:\Windows\SysWOW64\Fcmgfkeg.exe

MD5 3dfdd6363d534deb1606d16d405a4acf
SHA1 0daa2cafa81814429013c1971e426202b5935acd
SHA256 ec2a8c6c106a126088ac43db7c64ee48db3b3f158d86fc3b17906d43bd8a31d4
SHA512 c9a59aff2b581e74fd35c9435c7cb94eb3403e4707ae58670923a604395334c3688b85bf255e5b06e0a646cf28b27f9feb0a15f0ef33b5d73847ae7998c39e2d

C:\Windows\SysWOW64\Eeempocb.exe

MD5 624281685251bcb7e9accc6ad636f12e
SHA1 e5a7e833a8481ac1b5579936320060fd3b421a88
SHA256 f45b8441b5d5120b2670b71d415c9dcbfa5a1ab69ad71b7ad52dc2a6463a6183
SHA512 a0909e87f75be75cadf9c058d7e270db26b7c67ba37b136f3f694e13113cedca2facf16fdfa0a0aa6df599857f87ae1895d66ac7266d798a59221e6825e0a73a

C:\Windows\SysWOW64\Eiomkn32.exe

MD5 1d6245008f491496a720e7627d3927d1
SHA1 656700644c1ef94d8bc53a10d9ccc21239a67c83
SHA256 10197018cc60881f3a60fe9030017762579cc1440a06397377c28d54edaac4a3
SHA512 c250a0ee3460bdd0a316af6d7b20324db7b00e9c070aaffc80173269e95c22958c07c0419bf6b628266fa59d6233f20ede4f7a2f6cf55902e2c56bda36291daa

C:\Windows\SysWOW64\Enihne32.exe

MD5 9a306a0b9282c3781990b5c988d8734f
SHA1 78f9630091183f93b919074a823ddc10612cee3d
SHA256 27bbd6e35861081b55da93dd1236e14f48d510291f52f7d487e70db92585596f
SHA512 2bcd9dbbf9d5e299bc0abc55221843873a646634430400bf0dc1f53c53b6deda538415e9afa6f6d85c104ff994f5661e772ab50f25cf04a5e720cb65e11c07a8

C:\Windows\SysWOW64\Emhlfmgj.exe

MD5 281a67cc7974967e66d0546d26d4d4d1
SHA1 a4dadf9a56d9a32689caa4f9b5cdfc642f4f4f2a
SHA256 49b91fe95d30294e6c4295e4cdc054fe1ffaee69725c96c6c41b72faf6feadcd
SHA512 956759ddaf5cc64f347344cdcd9bec7048f6b8199b742e5ef38115b21512dac01d6688d01464b538b661780ad54667a6b3d6a5a51004fab0d5effbd8737abb95

C:\Windows\SysWOW64\Efncicpm.exe

MD5 fedefbfb7bb7e3ee69490d129825e8d3
SHA1 d5cbc236579521c03701e7d86269f05dfa30bda5
SHA256 b3ff95124f68d1692dd96fed056df7b85eb7219662c4ea1ad4f06240ee7a3118
SHA512 774f6b7d361bab3325b6c3afe18b08a10117dfb40cc320f8b3c38bd71f0de8bb6955411932d6d4e661f80269e7f294bda42b1a6a2f8fc5877e338923bb43bcc3

C:\Windows\SysWOW64\Ekholjqg.exe

MD5 c3067708db268d67f0fcc4ba38bffaa2
SHA1 5906b2093c06b05a71e3a5e069419565b28185c5
SHA256 78f2d0c9f388900733729357b7c1901ebfdd5c14dee5b4f6e641d43388a1de26
SHA512 9a5f3c521642812ec49905328ef46c93e664f76f344ef16ebe4024e21cb236f3a88f3dcb0625dfe07d72f4e0f2e3d0df13985095b6a737a09efc33a7077bfc48

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 ccb1990f0d4465fbf83bf920537edd05
SHA1 4d9908b5da0300ae92ddf28147c7fe34524df981
SHA256 9d3817d3378e6cef0091e5d3b1c3ceee3514b992dcb193f716441fab3d4e0813
SHA512 fc05801a403c1a1261125e4dc42593d5a5b5233976a4b80fd1b838cbb9bb74efb7ac53d3457b5b71f11222f8e84eb329202bdbb66fd9bcbcaf48cd0e64bf663a

C:\Windows\SysWOW64\Dgdmmgpj.exe

MD5 105568d612355f3c24451bf77c0fce5a
SHA1 ab0f833b42c717a82532d034c53e9613cd4d04c9
SHA256 c3f35636bc6c441cca10cbb983e98dfc0d7e29ccdeb7354b7e394ce6982600ca
SHA512 17d3355fc7d0315790c36c8db40850d7b2e1827df5c62d1b9bd869f86c95d77600cb24f0cc4c7aea72ed84c91d33691f11d713840d6721d08aa5ba900a895b6f

C:\Windows\SysWOW64\Ddcdkl32.exe

MD5 8245b8eee5b28cb9081c08abcf40e3ad
SHA1 3ad204011fc3529891b56a432d7bc7a210f14d65
SHA256 ac460515fd591e4e02ebdbab8a3c4a57ff42b17bcb0cf5179e22ca90d11e7bb6
SHA512 3506a04075b1482ac333a58c954c2306e7d808c33c78362ecf991bf06441bddd68b80fc70eed9693bcd40347fe83e9349d56abab58080b13ea9257f2b528510a

C:\Windows\SysWOW64\Dkkpbgli.exe

MD5 5a897cd444a9d383c4edf3adc2c15e1e
SHA1 a479ab3734de8c4247af2d2e2278311bdc0d6cdb
SHA256 43cb5d1851f487f96732462cd464061844a07767f4e661d7a5b050854cac8772
SHA512 bff4d4d3e4df496c3125addfe5450b282d0bfe3fabe918953fb0dddfa6e3445f51bf51c5e79f8a1cefdc55f36e4e572d2f0bdbb468643cc129c4740d9bb7cd7c

C:\Windows\SysWOW64\Dngoibmo.exe

MD5 cb478864523372f657896c0a0efed8ce
SHA1 d8539ce13e9c124734a4ee7983a5e050ec9a06c0
SHA256 04e807c579edc720f0e744500a88f474297eca73d9aa6a4c8e2b23b99bf464d5
SHA512 84ea89c07c7c187a8ae688c17c3626d02a22e599a2b51650dca63f84588b6f4f443f21f26f951c7aa011b293064422c7e0dc3ebd9ee1ac434b4a55b8bfc9dcb5

C:\Windows\SysWOW64\Cobbhfhg.exe

MD5 5eb6d5dca2faae3eada9f1b80c54fec2
SHA1 58b4b4bbb56c8c0759339861debb8b49de0e1c63
SHA256 508aa3820d09f63e3a619bf89e09fc5130d64de58f15a48f2ab2a52e13726bc9
SHA512 cab3f9da3b88bb973c8b76b38315b74a8ff1fd8664b9007426a2242cf316bc9fea177d16d43a007eea7f60d38ecb4b5cb8a2c7bba7715b4b9130eeb62f954230

C:\Windows\SysWOW64\Cdlnkmha.exe

MD5 6306e7580562e1fee40f33431a9d000d
SHA1 6bbd60868a3abf836f6a8eecb0e695f3fdd587da
SHA256 c38a4161f9932482cda3f40ca78cc2bc7686db73bc2303ca8e17c5146a1b971c
SHA512 64c0f75006c8b1dc9855fbf3edd0f9f71e1fd6eede44e29397a3c638e3ee0ff037d4856c5fa5122baa436d482980e1c5fcd547a794e87ee7ccb505122dd3391a

C:\Windows\SysWOW64\Ckdjbh32.exe

MD5 acb8865db5c74b2830a2307e68c4b281
SHA1 beb3b6b2fd761876678908e15df992517cc4c22f
SHA256 966e2d6c5105d74c6df8ae6963d8fc82a0fce69ef0e7adc81858f711a780d8bb
SHA512 c8ca891dbaa84e7f0ecc8b3d4676ae7c0c0e6f0a03a7b2242fe24d4ca150557e535ac94532c0a56f8afffd8e2311961fda46aae6cfcc040f1a2a74820ee9b053

C:\Windows\SysWOW64\Cfgaiaci.exe

MD5 e82123bc690e560c0b79503e6b626088
SHA1 13b14403ceb1368c15410c26b2cabb2a7c999dff
SHA256 30bbc70c29d63c63ca5a6954b2eb9095c917b0e4726a2ee860515b5b26cd22d7
SHA512 b34e89038ac1f2116c2c44dbadec961e26ab8e76e3a4380005c8c4ce8f9b667799630b234e98b1d64cda7bf04738f220fd69ef0d88712d16b321c88a35f50862

C:\Windows\SysWOW64\Chcqpmep.exe

MD5 9b8578680f6f8f9a5a04f3112093d6dc
SHA1 4644b80ddf2810053a8d2a3b2075037bb5264d92
SHA256 9a13be8aa31b76933a67fd46081202901087d40cf459007de7ea01f60e515d8b
SHA512 aea327b6b0f5d0d5b6ab77eedadba4a36284713d45c3b63995db8a8334ab59d784b0c32c917b91933eebcc7485e1c2047f47210c976ea64d590b8a0d9f13f551

C:\Windows\SysWOW64\Cgbdhd32.exe

MD5 95322f1e125699c3846c5901e1661dd3
SHA1 62d1a19c3c8b34d74bdde473541387e367b40c52
SHA256 ead7e57e419f69d9be5e6fb223da7b623ad2056fe7736917d23b66efbcff73bb
SHA512 5eb6bde980a22965e0947de16225493040e2bce5b3744e8d16d411377c6fe407a9accbc2f45daa0e1a78a1260bd1a1ede57cc8da23eb443291e4a43c3a871dda

C:\Windows\SysWOW64\Cphlljge.exe

MD5 2770d26442ca661283360db18d54294d
SHA1 03b8ee6c2c740ed5cba94f3c8b78f9926436ba67
SHA256 54a0430fac50438c63b06763cc67b10d4c6329c443d63f1a4a14617cfbd9668e
SHA512 bf9746b23ad6831572eed7cf05c0652f4f1033322919349f15c3c604602477bc2c1b5d5603bba844afe11924ce375c4b0ec66e69ee212f0861028259705a73b7

C:\Windows\SysWOW64\Cjndop32.exe

MD5 5893c477fb9075e66dc1b65844755440
SHA1 299cba3e3da5c60454bf84dc44125f5123b50ef1
SHA256 d1c758e303697f465aaa3586a78d64aeb50cc8613d8ceb5c1da6fc2a989f6365
SHA512 9dc39aca90f0b516f1139250c3662d26acd716c1fdeb57531ba8206dc67c3ad01fb17f4f7bd62a5c6cc18c50f6441c82efffd730078356dcef725258cdfe6ad1

C:\Windows\SysWOW64\Ccdlbf32.exe

MD5 e8f1bdbd6410d881d195c2069aecb686
SHA1 53980c58d1fa128b5b58b3858c235021155485c4
SHA256 939481f7217df8919d0c2b966f3f1caa1560dc4b1f2a727183435a0cc5bdc37c
SHA512 038fe472c4ed4f6d8c6b35714146c7ca49eb28c456fed008658c313a15f53b03b1908e65ec4a4e24c5dbe703161fd3119bb66e5a5f81d050e28a5434a9895dc2

C:\Windows\SysWOW64\Cljcelan.exe

MD5 c962578bd641a39b08d6c3e1cbf74ddc
SHA1 69f6fb39bac06916251204f78da9ff7d68a55847
SHA256 89110114dab44d949f9d93628b7f5a2797e5b2c54c243be6117b78639132cc55
SHA512 207b1b5398f8887919bd32ec16793490bca0fd4a98e76f11e7cfa4514b21a73800e77faa422ccbda4125e1f921c18380d2093aeef1746124136bf1250ed0e241

C:\Windows\SysWOW64\Ckignd32.exe

MD5 b3cda6d000c21fdd31eb6a79aa0b9160
SHA1 1c314dbd68af9946298ea0d3216458d144bb999f
SHA256 1d198ef4094d40fa89a3f1a5bdc536a03ba821635b4b1df715393adf20006258
SHA512 78ebb808b92a526a48fa6d8bfac494d8f38fb1d0f6610c595315c898ee95756c0a3739c9653ffacd4313a59970d45823319cc1733ef79cfe1011dc5e804d8c73

C:\Windows\SysWOW64\Baqbenep.exe

MD5 8221398c5b51641fb1bb18bf5404e2f1
SHA1 9ffa73d960c6c032ebc9b6fbb02c7ec1ec93e38c
SHA256 87a3d4b01ec193a42064f9a6499d2c86803420b329270ac3f50788918c98bf0d
SHA512 d9f9b9f81e650297da918124b6155ec9ee8866f208ddc04a8038aa58b7446fbaeb1cd5f3b5f9d5c8c91f70818cf4a53ea48e8b10d433bfb8b07e4e9f44a4fdf4

C:\Windows\SysWOW64\Bjijdadm.exe

MD5 645e406c9e6da803d51c302e1ec634f6
SHA1 c49b709a937e5c369d8ad1daef1eb3f26f1d40ab
SHA256 35ff3816b40bca501f0743d109e72c7f934fe22f80394cd310628718a3da85e1
SHA512 dd65ef9212cb8f79e1f244ee790c68a37f4bc95db652aa2f0f191f77403ae2164ae41ccbcb22052b7a3f13abf886ceba481a8f8cbb890d2edb0fc6cf0178f2da

C:\Windows\SysWOW64\Bhhnli32.exe

MD5 b68130b6d61c7894f28ac9c6f278cdcc
SHA1 c26c965943cc4dc189daba6e512c7bf21ec5ffaa
SHA256 354008083d01ffdd9b3963918721f3e06ce1433bb01c50945850fbade80f15a7
SHA512 e57ea37bbfc1f4465815b5067918439f23669bfe1580968bf76d0291da870187eb474a676a591bfe739277c2a561cf14c083522d528430dec50fc695ec027ddb

C:\Windows\SysWOW64\Bpafkknm.exe

MD5 ce1a9859928dc64ed85716662b5c3949
SHA1 2d69c886861d5fc2eb7bc6e743041a2e0358a448
SHA256 7057e7512ebbdbde3f1e6ca896845a389b9af7ca154d8f543333d4aff738f164
SHA512 511dfea3fa525b88559f690ab2406b3a12ca8ec6dd43aebbb7a9bf2f9a1d5bbedc3d5998d9abf1d728025ba574a10fda51df5689bf9e55c03874f82513f16759

C:\Windows\SysWOW64\Bopicc32.exe

MD5 1c7c26810fbabce2ec2b677c30991973
SHA1 67916bb8d7f9ba24b28eee35cb55e5d1ae340da5
SHA256 07c987b6431ac5353e507df45ea010bbc6adc1396f239b0ca1a7893ab07760d8
SHA512 ca7845148122e847aae4b66804ba7e144b324fccb248f3591b8e01334b6aacf922f6b6a51ae499a85393bfba4c1d903e54f136445f22726a81bf7205cb47f8dd

C:\Windows\SysWOW64\Bhfagipa.exe

MD5 6834abff9aed8b24fb90523e7190cb05
SHA1 23bee622764a72b85b1dddb51c6c5503b8ea05ae
SHA256 95d7cd8ade9d3d0a199b62f99fa39e51170904ecc494ae0b503d514fabd73ded
SHA512 81b105f0e64be4f39dc6e946b62646ff6b1620a9f8d6318b5d8fd48d51d0a1669f325da74cd51614e8439adfe318018eb03acd97586f79f86c0c5bcd1199ac8a

C:\Windows\SysWOW64\Balijo32.exe

MD5 76543cb104d373b670af85368d004821
SHA1 74993d2680d465919d6ca7dba2d7e9444cc0080f
SHA256 9f766535dbb5ca485afe99d5739af9d5bdc1dfa1e04e193c1992c512b53b7fcd
SHA512 7dfabf1e0747ed0a6f35c6d5d212ba1db2644ff804b112104a394a1c0168140451883db24e789d6b57b6d70da44fd3e2c7cd39c528cd094c649268e733c5ca91

C:\Windows\SysWOW64\Beehencq.exe

MD5 56e3d2426b5c0408c4810f0acd4c6178
SHA1 1564e462aab8d454dd716c941978ff3fb5a35ca1
SHA256 27038577797fccb6463750f10455ab4c9b533826e538469c1aee5de3109be53f
SHA512 461a18e48f3eccf92b3d1bf557150da8325cd921614fe400143f99540a243c587ccf3f5996b9a96b9be2560036ad892a6a9e38c7b0a9997a3bf98aa50b0ba765

memory/1480-503-0x0000000000260000-0x0000000000293000-memory.dmp

memory/1480-502-0x0000000000260000-0x0000000000293000-memory.dmp

memory/1480-493-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2376-492-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2376-491-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Bhahlj32.exe

MD5 6a07e6a9028c9eb0bcc414203ebf7801
SHA1 ad0798d5def7d880539fc16803324da2f0d79138
SHA256 3938e369a36c60f02cc3a827e6c85267a535e92b01c2d173b3824e90e07b8dd5
SHA512 3f8ba877e040e2b796a72b7ad317be1e77dd88a032f2832a63094cc4e864ddea699c553678b44f2dc0bd94861ed34fb0b4a25048e1f44640f67b68c457950f37

memory/2376-486-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3028-485-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/3028-484-0x00000000005D0000-0x0000000000603000-memory.dmp

C:\Windows\SysWOW64\Bebkpn32.exe

MD5 9552008d9a5594753c23ab19bea2f467
SHA1 91a4d28afcf3fb9ed7958aee49d56dbfea1ddb9f
SHA256 a2f52fa9be3028ad6b2e9e627c6f345715653821a9e9126781405385b2268b12
SHA512 134c1331fede8c226af6bfe38f670af328a06fae76a5831a4463cccc4c7f8d29f5256f620bd474204fa12837e0271a5419f0c96c6be7e880e0630665fe8e7db3

memory/3028-471-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1424-470-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Boiccdnf.exe

MD5 889dfbfaa4ba0576ed3a4abd056b0c9a
SHA1 7192d2cc8dd1db65345d6806df051342d68cb229
SHA256 e16529a4553d8239c6d054f005790cf3ff2db57a991a5a909a99e384b42790d9
SHA512 7c12c94cf3a3003641b7c0b5825877816004c7f0c81d1e3807ebfc0dd2db4d5c33a7f6a728676d7c946fb68be26bae760eed02d82d796096878e37bc1f05783a

memory/1424-466-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1424-460-0x0000000000400000-0x0000000000433000-memory.dmp

memory/580-459-0x00000000002A0000-0x00000000002D3000-memory.dmp

C:\Windows\SysWOW64\Ahokfj32.exe

MD5 768d351356bfbc191b2df5c6788c9ef1
SHA1 9d3f5cc02a3b2b9f3af17b4d4b5a4a3c6ed648b0
SHA256 3a57c9c175a5700f0b838f43b4cff4a7d43e054775ae4f0fcdc22b94a74fdf0e
SHA512 0b9069c22dd3f010fe603a6b773c1d1e96071521759a1a49fa638d6327f4718d447dc3970b1ad1638b58e48208f8e53e79c755cdb28d20ce7c782ff17cc185d2

memory/580-455-0x00000000002A0000-0x00000000002D3000-memory.dmp

memory/580-449-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2508-448-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2508-447-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Aepojo32.exe

MD5 487c58d28a03a2522098daba8c8596cc
SHA1 8394d618ca29c03872aa1d7a652599ec1b7365cd
SHA256 8793534d756524863e9b2c801d125410e4e5741f6a15543181214b7606057731
SHA512 15dd546724bfa214766eabfda741243cd05aecdfcf3721b1c953e52f0a784a9acf52900ea039bd4930908d966fac5efa962eeb3e8cdb791341431f2c869dfdfb

memory/2508-438-0x0000000000400000-0x0000000000433000-memory.dmp

memory/888-437-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Apcfahio.exe

MD5 6bdafde161891148d6532f741b53e843
SHA1 b5bb09581f5df442ab5169d5ca9cb310a1dfa412
SHA256 12e1f987a5375911dca11747426fda424ee7a23475b0662c44a9518f9948f330
SHA512 1747f39798352599d7bf2544a72ca0332ea8c4798c3e6b305cfef44d0434a974e5c7e737792329a8c01e71e4fac9d556610ca91644e45e67979c1fa4bcac51c2

memory/888-433-0x0000000000440000-0x0000000000473000-memory.dmp

memory/888-427-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1696-426-0x0000000000260000-0x0000000000293000-memory.dmp

memory/1696-425-0x0000000000260000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Aiinen32.exe

MD5 90f6ece991c63b62e3deb7928136f5ec
SHA1 48f5551d6357059ee393bc05b0f67709df75f4ed
SHA256 f86b71ccc673c236cf7692d9c28e2314c79a0849e7a0c3752221ec0c83d39b4c
SHA512 ad0ff3345270468867e15cc3acd549b0b7017795ba199caf69c489b3191e5c88e2c08df3402b2e39ac634a4efd81f003a1668cf5058c23cba3a876b653191ebd

memory/1696-420-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2448-419-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2448-411-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2448-405-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2588-404-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/2588-403-0x00000000002F0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Aigaon32.exe

MD5 643eb887d609f1ef39fd5a107871bab4
SHA1 4c22ec9eaaf5888160f1776c942ca61fa7e89f59
SHA256 ba9a373d5f93dc141cc3727ddad26504c6ea50f54f423d854c94619ac8179f18
SHA512 048dfd8a9b21d47ddcac2d55ed4ccec354c78be64ce6cf4ab76551a1d42c056dbdf3fffd1f821fd6aa530ed83c55a069fb8524dad52ed0fa2f720a25c13c8ea4

memory/2588-394-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1536-393-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Apomfh32.exe

MD5 e4f9ea77a3efc0d565407cdf0e2ec25e
SHA1 8c015387a25b8395d51df3aa911f627ee85bac6e
SHA256 94cbcc3ec2caf09626beb8969b2ace4b52128109274a26d9f2a66466ab72dba8
SHA512 613124e09a2db626a1ac2db4441700f87c2c809dcaa714c4f6578d241fac2773e2732273e0b07f0c18e914362dc232eb69a6f6ee62104bc0192c376967e08762

memory/1536-389-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2644-382-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/2644-381-0x0000000000280000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Ajbdna32.exe

MD5 1a924d13d6d87b973ff571eb4dc9b797
SHA1 512a5f4dd6ef67c5fc60d52e5e8cda0486f08541
SHA256 bbbb4e37d95544352369947e3dfa569fd8e728ad15f09c837754041d4814e219
SHA512 f879500ebb5acf7181c80d1f7475b5a4c43834522c77dcc4d0e641963fe61899edbc25a9d17b04e6a7bbd1157efbf1c298b6bad3d0141ec8358850f254335715

memory/1588-371-0x00000000002C0000-0x00000000002F3000-memory.dmp

memory/1588-370-0x00000000002C0000-0x00000000002F3000-memory.dmp

C:\Windows\SysWOW64\Aplpai32.exe

MD5 02a7ae8ee4d7ef32291732dfbfb2e6b8
SHA1 c212f8d93632f5f71529034f9a81e494fdf2b730
SHA256 ee64d0ea3e050c15b132252abbeade798d0b4e3e025323c16c1bd52f6aba9049
SHA512 d13e286bea53ebb3a917dcc5bb73689a3a32e145de1da403ac6a03bfae6fc4bf30423b1479e56dd78b1af85d22b8731310058273128900f0a13b99621a48fdd7

memory/1588-361-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2704-360-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2704-359-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Amndem32.exe

MD5 9f005b3f48ecacc220a577094a9d13a2
SHA1 600ad3f8441373cad224644d61413eeddd7c5428
SHA256 927435f79c91ff11a9226e43172f2240578666f0f9d34f72c7030f29933d34c3
SHA512 dd12f520b6326d50fb56516d1c0ce7df8d3c924c723c7b16c94cba4c7b80108fac4512f74884d552665e47da44c63c73f22f44d74e805df32a92845eefb6a5a8

memory/2564-352-0x0000000000310000-0x0000000000343000-memory.dmp

memory/2564-351-0x0000000000310000-0x0000000000343000-memory.dmp

C:\Windows\SysWOW64\Ahakmf32.exe

MD5 7e264c5e513c064c37f2954666bc0ca6
SHA1 3bf858558e649bf2df647b43f7fe45f176c57e2c
SHA256 4ee05fc2090f4f2c20cbde1926280abbd516a9846f6ec6cec96071a8612dd88f
SHA512 4c94675bc8292d7c53170a8afed21b4fb68167e38c9bbbba8cb40db84be05c70ca3c8d09f66124da528eb8ab3a8a5e6204f7db5bc83196986096da28b89121f2

memory/2564-339-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1672-338-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1672-337-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Qagcpljo.exe

MD5 6ebddfe409e79ec7dab84b004181c58f
SHA1 0f0e288a4160eb1ee28ad1aea054f6b069c42fb2
SHA256 00d09557578e8e208a6c33173ba649fa56bbc0c52fcd21b6f30ec6758f1266a5
SHA512 36e9d2ba866df71fbb74863af85e624afe49672f3a0408774228896132ed2c2f6b3af16970a38ad829e242d9aeca9ee17607fe6596830b56522d3b5fac86736f

memory/1056-331-0x00000000002F0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Qjmkcbcb.exe

MD5 a69f664e0b5d08837f56fd2313f554dc
SHA1 3b01db3bde6f753423be1671f0d9dc86947a236e
SHA256 55b695fc2fa4a3c33c1d246cf420e63e707dcf1b1db962327b3e2b0539d2d2a4
SHA512 3a04f7da7e3ad5a70121ee8c251f6a0bec6d77f4e288c80558f84c99735c389478b3ce292360f9806d42b9ac5227daad59338336a9d183436ced2dac667981ba

memory/1056-323-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/1056-317-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2032-316-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/2032-315-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1932-314-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/1932-313-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1300-312-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1300-311-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3060-310-0x0000000000250000-0x0000000000283000-memory.dmp

memory/3060-309-0x0000000000400000-0x0000000000433000-memory.dmp

memory/448-308-0x00000000003A0000-0x00000000003D3000-memory.dmp

memory/448-307-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1908-306-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/1908-305-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1772-304-0x0000000000260000-0x0000000000293000-memory.dmp

memory/1772-303-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1420-302-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/1420-301-0x0000000000400000-0x0000000000433000-memory.dmp

memory/772-300-0x0000000000440000-0x0000000000473000-memory.dmp

memory/772-299-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1048-298-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/1048-297-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2068-296-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/2068-295-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/2068-294-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2816-293-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1376-292-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2124-291-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1576-290-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1016-289-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2360-288-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2400-287-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2400-286-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qhmbagfa.exe

MD5 a3b1178f772be3e25006cd903a574b01
SHA1 e7001fd1815eda1634db5eba2c416a1b970eb1aa
SHA256 a7743c0a449d8b36603056951b0091449d14f2ca0569396d2cd0923c98f454f7
SHA512 c29fc37a81585cd3df39c94874faba0176474f2f568afb6208c3eb0952add12918b2e33c62dc274b7d5e6aa2b27fa1496cc2a552b5d619bfbeddc0af210fda12

C:\Windows\SysWOW64\Pfiidobe.exe

MD5 8be8918445915fe9e56405ce91c072f5
SHA1 dcb885c56dba3bd5e4446410134e3c7c1741fe25
SHA256 4e0cde7685b8ebf3072e70b33d8b503eadaf0d2e7751e23dbaa810fa62c11582
SHA512 d46abc21ca8b5b58b1d7f02d05ffeadbd00e9c2d8d1dec8f0ad68cb596131afe47cd7093bcce2c9c72d9351c122f429dbd98e70c5961e8e01feb49dbcea08823

C:\Windows\SysWOW64\Ppoqge32.exe

MD5 41c47c33cc5c156cba60eca06ab5802b
SHA1 390e1fb1656c24ed6d5e7df16284559d0070baea
SHA256 997a4d7c58c8b2407cdf8562dd6a6f04bb64db2db563fc429eabf519419a34f7
SHA512 3204ed6da1a9c4a96f68d54b81074a311a86c5e92de7f0ecb3552abf176e3bdcc5c9e755b6ddda54f7d30e647722acd6cb76bcdd1933e34dd89f724de113deb5

C:\Windows\SysWOW64\Piehkkcl.exe

MD5 c9e4de4e329d8f341e740b831138da6a
SHA1 301faecbac5f97b7cc8e22461710539f37e474ae
SHA256 7ba8eb18bfd3cbdba542eebc5ba875b7a1a237aa634646b7bdfb759de398fc8f
SHA512 6405bfbee429fa031980dbe35842f39205498d7a2854ce25dc8e66dd2eb23e8550c1f1a603243ba13ad85d8ae6844d20267914de04cd2dc3d6c1787f7aa6d5a2

C:\Windows\SysWOW64\Pchpbded.exe

MD5 8114a121592f9413bc92791d08989908
SHA1 df22d1abbf095334f63376c3ae375dbb9ac8bfcc
SHA256 23c014069e8e2f69196e6600f0dd3cab5174860cf829ac2b3b8e7f15d43ec653
SHA512 60b9adb50ec7d6709da06548a3c0a2c2a9e743228d5267dcadd96860baab8f6b21d1de23ee071d0589892319b2592d953621e669991aa7e556c3996337ee4c06

C:\Windows\SysWOW64\Pmnhfjmg.exe

MD5 4f8765a44b5b9b75324437d991071b53
SHA1 f3d0b3bf5045f00bb6f6aaf2e657fa6e62bcf497
SHA256 7a00f3fc0c3a1ed40310aa75065f67a4f6d0ce0dc9301f4cdef67810a54f9acf
SHA512 7e2eb6fef0333a05d530353dba7c10911044526c5956e69928805221da607a8c6642a9f4792c263d895a3323cc63677bae58266b8f6ce64a2b382d4691d14615

C:\Windows\SysWOW64\Piblek32.exe

MD5 4b9ed4defeec1e742d9b52631ceb0463
SHA1 337485abf7474ea8a579f83febecbc79dfde07e2
SHA256 ac8913bc6c73d627a05a3d8dbe33ed3ad3f629df3b154e6c2dce009cafe4601f
SHA512 4407f8b410f0e15ce6e9211b862fb1a99636644f701a3849f98fe3a02088ec24590cd5a441e7770ab14e5d5dcabca90b628eb7459700e4e043122233ad91bfaa

C:\Windows\SysWOW64\Pfdpip32.exe

MD5 b2864a99a7f1ffd0b11152014410e630
SHA1 e698eb98e800af23e5f9629aae8e8debc82b6b66
SHA256 650a90a92bfdcb092318665e5d6686c59e28103632bc7721ba111b61920b52a8
SHA512 e75a59c9cbcd0dd34968a2a7b3e4a2e0c45e7d0006c0f60df97d82d52337d38c47689026769101c6cbfd12052ac9e83d72d683d9b2485782e0a9c4595e7a3a64

C:\Windows\SysWOW64\Pcfcmd32.exe

MD5 25c49850d1df20b75b4de0acb9e01ad1
SHA1 b97fc13dbaede6338502e0f40ac40d903308d0d8
SHA256 06e9a23f1a55cf526160aa52e1e1ab3cf570166127080738707b972451ab8832
SHA512 65f72b9dd276d03c99cc28c784877776e8be282830c7325d81192cec8d2bf2e0252391ab5c04e70a9a73c69544c1643f808ca91ed7b998d3979600dfc57b4d0d

C:\Windows\SysWOW64\Pipopl32.exe

MD5 fdcd02a26661ad613486b5f92a7cd0c5
SHA1 e52b9b6584fbe13baba3a5eba514eab0522e5fc4
SHA256 3b555593730ce75f5925a34f8ea6772a78577a8dbb386a51b1b4a435a88cca5d
SHA512 9228a47fdfe90f850a79473cb35edfc911e7e07f0f2950de5b6d41132950339420a848c6b03552e2de6906e2a63bd82ba8b45acff323ddf2cd53f3901a0eb24f

memory/3020-89-0x0000000000310000-0x0000000000343000-memory.dmp

memory/3020-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2660-59-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nbfjdn32.exe

MD5 46f0f3f1e509c40a54a6f731997f362e
SHA1 044d2cabfff5fbcd147bdda66916d377d1028af6
SHA256 fb4e0722e43222f00b442a28a86ce936174fa7e443b9e4a036fcf0a7708a1aa0
SHA512 51a65e0a46cdaecbab6cc6ebcf6779a26f24bdf7efe5b4f3214cc2e1ea992070eda4632c55b97eacce0e367784b68860fa3b5d3445766c4e2f9f6bd7073a4de9

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 14:55

Reported

2024-05-09 14:57

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcnejk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hboagf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lgikfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njljefql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gameonno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jkdnpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laalifad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gjapmdid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Maaepd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpofpdgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Efneehef.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmfbjnbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ijdeiaio.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iiibkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcqjfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ibjqcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Iakaql32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jmbklj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mglack32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffjdqg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gqikdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcnnaikp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hccglh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Iapjlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jmnaakne.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Digkijmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fckhdk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fflaff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fqaeco32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjfihc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgfoan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Digkijmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gjjjle32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gfhqbe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnjbke32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebploj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hmmhjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gcekkjcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hjfihc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Habnjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijdeiaio.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lddbqa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fbllkh32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Cpofpdgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Digkijmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhlhjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dofpgqji.exe N/A
N/A N/A C:\Windows\SysWOW64\Dadlclim.exe N/A
N/A N/A C:\Windows\SysWOW64\Dljqpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcdimopp.exe N/A
N/A N/A C:\Windows\SysWOW64\Debeijoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dllmfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebploj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqalmafo.exe N/A
N/A N/A C:\Windows\SysWOW64\Efneehef.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecbenm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehonfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqfeha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgbpihg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjnjqfij.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbioei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjqgff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmocba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fomonm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbllkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjcclf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmapha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckhdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffjdqg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fihqmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqohnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcnejk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fflaff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fijmbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqaeco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbcakg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjjjle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gimjhafg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqdbiofi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcbnejem.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfqjafdq.exe N/A
N/A N/A C:\Windows\SysWOW64\Giofnacd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqfooodg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcekkjcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfcgge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Giacca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqikdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjapmdid.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmoliohh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqkhjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcidfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfhqbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gifmnpnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Gameonno.exe N/A
N/A N/A C:\Windows\SysWOW64\Gppekj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hboagf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfihc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hihicplj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hapaemll.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcnnaikp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfljmdjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmfbjnbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Habnjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcqjfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfofbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Himcoo32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Eqfeha32.exe C:\Windows\SysWOW64\Ehonfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hfljmdjc.exe C:\Windows\SysWOW64\Hcnnaikp.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnjbke32.exe C:\Windows\SysWOW64\Nklfoi32.exe N/A
File created C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kkkdan32.exe N/A
File created C:\Windows\SysWOW64\Lddbqa32.exe C:\Windows\SysWOW64\Lphfpbdi.exe N/A
File created C:\Windows\SysWOW64\Ebploj32.exe C:\Windows\SysWOW64\Dllmfd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gcidfi32.exe C:\Windows\SysWOW64\Gqkhjn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jpjqhgol.exe C:\Windows\SysWOW64\Jjmhppqd.exe N/A
File created C:\Windows\SysWOW64\Nphqml32.dll C:\Windows\SysWOW64\Kmegbjgn.exe N/A
File opened for modification C:\Windows\SysWOW64\Gqikdn32.exe C:\Windows\SysWOW64\Giacca32.exe N/A
File created C:\Windows\SysWOW64\Fomonm32.exe C:\Windows\SysWOW64\Fmocba32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipldfi32.exe C:\Windows\SysWOW64\Hmmhjm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
File created C:\Windows\SysWOW64\Mgghhlhq.exe C:\Windows\SysWOW64\Mpmokb32.exe N/A
File created C:\Windows\SysWOW64\Digkijmd.exe C:\Windows\SysWOW64\Cpofpdgd.exe N/A
File created C:\Windows\SysWOW64\Jaljgidl.exe C:\Windows\SysWOW64\Jidbflcj.exe N/A
File created C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File opened for modification C:\Windows\SysWOW64\Dofpgqji.exe C:\Windows\SysWOW64\Dhlhjf32.exe N/A
File created C:\Windows\SysWOW64\Jcgaen32.dll C:\Windows\SysWOW64\Ehonfc32.exe N/A
File created C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hboagf32.exe N/A
File created C:\Windows\SysWOW64\Khehmdgi.dll C:\Windows\SysWOW64\Lkiqbl32.exe N/A
File created C:\Windows\SysWOW64\Fmocba32.exe C:\Windows\SysWOW64\Fjqgff32.exe N/A
File opened for modification C:\Windows\SysWOW64\Imbaemhc.exe C:\Windows\SysWOW64\Ijdeiaio.exe N/A
File created C:\Windows\SysWOW64\Lihoogdd.dll C:\Windows\SysWOW64\Idofhfmm.exe N/A
File created C:\Windows\SysWOW64\Ogaodjbe.dll C:\Windows\SysWOW64\Fjnjqfij.exe N/A
File created C:\Windows\SysWOW64\Kmgdgjek.exe C:\Windows\SysWOW64\Kkihknfg.exe N/A
File opened for modification C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Ndbnboqb.exe N/A
File created C:\Windows\SysWOW64\Cgfgaq32.dll C:\Windows\SysWOW64\Nkncdifl.exe N/A
File created C:\Windows\SysWOW64\Lknjmkdo.exe C:\Windows\SysWOW64\Lddbqa32.exe N/A
File created C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fbgbpihg.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjcclf32.exe C:\Windows\SysWOW64\Fbllkh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kgbefoji.exe N/A
File created C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Laciofpa.exe N/A
File created C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mgekbljc.exe N/A
File created C:\Windows\SysWOW64\Gqdbiofi.exe C:\Windows\SysWOW64\Gimjhafg.exe N/A
File created C:\Windows\SysWOW64\Honckk32.dll C:\Windows\SysWOW64\Hmfbjnbp.exe N/A
File created C:\Windows\SysWOW64\Kbdmpqcb.exe C:\Windows\SysWOW64\Kpepcedo.exe N/A
File created C:\Windows\SysWOW64\Mgekbljc.exe C:\Windows\SysWOW64\Mdfofakp.exe N/A
File created C:\Windows\SysWOW64\Hfachc32.exe C:\Windows\SysWOW64\Hccglh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Nacbfdao.exe N/A
File created C:\Windows\SysWOW64\Fmapha32.exe C:\Windows\SysWOW64\Fjcclf32.exe N/A
File created C:\Windows\SysWOW64\Ekfnlmai.dll C:\Windows\SysWOW64\Fqohnp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lphfpbdi.exe C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File created C:\Windows\SysWOW64\Njcqqgjb.dll C:\Windows\SysWOW64\Mjeddggd.exe N/A
File created C:\Windows\SysWOW64\Kdffocib.exe C:\Windows\SysWOW64\Kmlnbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kdffocib.exe N/A
File created C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nnmopdep.exe N/A
File created C:\Windows\SysWOW64\Cfjbmnlq.dll C:\Windows\SysWOW64\Fihqmb32.exe N/A
File created C:\Windows\SysWOW64\Hpbjkl32.dll C:\Windows\SysWOW64\Fcnejk32.exe N/A
File created C:\Windows\SysWOW64\Mngoghpn.dll C:\Windows\SysWOW64\Gameonno.exe N/A
File created C:\Windows\SysWOW64\Kpccnefa.exe C:\Windows\SysWOW64\Kmegbjgn.exe N/A
File created C:\Windows\SysWOW64\Ffjdqg32.exe C:\Windows\SysWOW64\Fckhdk32.exe N/A
File created C:\Windows\SysWOW64\Geekfi32.dll C:\Windows\SysWOW64\Himcoo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmmhjm32.exe C:\Windows\SysWOW64\Hjolnb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Maohkd32.exe C:\Windows\SysWOW64\Mjhqjg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Maaepd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbcakg32.exe C:\Windows\SysWOW64\Fqaeco32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iiibkn32.exe C:\Windows\SysWOW64\Ijfboafl.exe N/A
File created C:\Windows\SysWOW64\Ogijli32.dll C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mgekbljc.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
File created C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Lgikfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File created C:\Windows\SysWOW64\Geegicjl.dll C:\Windows\SysWOW64\Mglack32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kaemnhla.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmocba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll" C:\Windows\SysWOW64\Ijfboafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll" C:\Windows\SysWOW64\Lknjmkdo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mcbahlip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll" C:\Windows\SysWOW64\Hfofbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iiibkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll" C:\Windows\SysWOW64\Mjjmog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipldfi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mdmegp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fmocba32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gifmnpnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcnnaikp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Himcoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hadkpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll" C:\Windows\SysWOW64\Kdffocib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" C:\Windows\SysWOW64\Lcbiao32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dllmfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fqaeco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll" C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gqdbiofi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll" C:\Windows\SysWOW64\Ijdeiaio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iakaql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll" C:\Windows\SysWOW64\Iiibkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fomonm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gjjjle32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll" C:\Windows\SysWOW64\Iikopmkd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gameonno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hboagf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll" C:\Windows\SysWOW64\Eqalmafo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfnlmai.dll" C:\Windows\SysWOW64\Fqohnp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpjqhgol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll" C:\Windows\SysWOW64\Jidbflcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fjcclf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnjbke32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gjjjle32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gqikdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll" C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll" C:\Windows\SysWOW64\Fmocba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gqfooodg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll" C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll" C:\Windows\SysWOW64\Gfqjafdq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmoliohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mjjmog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbgbpihg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll" C:\Windows\SysWOW64\Jplmmfmi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 1616 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 1616 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe C:\Windows\SysWOW64\Cpofpdgd.exe
PID 5076 wrote to memory of 3080 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Digkijmd.exe
PID 5076 wrote to memory of 3080 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Digkijmd.exe
PID 5076 wrote to memory of 3080 N/A C:\Windows\SysWOW64\Cpofpdgd.exe C:\Windows\SysWOW64\Digkijmd.exe
PID 3080 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Digkijmd.exe C:\Windows\SysWOW64\Dhlhjf32.exe
PID 3080 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Digkijmd.exe C:\Windows\SysWOW64\Dhlhjf32.exe
PID 3080 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Digkijmd.exe C:\Windows\SysWOW64\Dhlhjf32.exe
PID 4952 wrote to memory of 776 N/A C:\Windows\SysWOW64\Dhlhjf32.exe C:\Windows\SysWOW64\Dofpgqji.exe
PID 4952 wrote to memory of 776 N/A C:\Windows\SysWOW64\Dhlhjf32.exe C:\Windows\SysWOW64\Dofpgqji.exe
PID 4952 wrote to memory of 776 N/A C:\Windows\SysWOW64\Dhlhjf32.exe C:\Windows\SysWOW64\Dofpgqji.exe
PID 776 wrote to memory of 3680 N/A C:\Windows\SysWOW64\Dofpgqji.exe C:\Windows\SysWOW64\Dadlclim.exe
PID 776 wrote to memory of 3680 N/A C:\Windows\SysWOW64\Dofpgqji.exe C:\Windows\SysWOW64\Dadlclim.exe
PID 776 wrote to memory of 3680 N/A C:\Windows\SysWOW64\Dofpgqji.exe C:\Windows\SysWOW64\Dadlclim.exe
PID 3680 wrote to memory of 3752 N/A C:\Windows\SysWOW64\Dadlclim.exe C:\Windows\SysWOW64\Dljqpd32.exe
PID 3680 wrote to memory of 3752 N/A C:\Windows\SysWOW64\Dadlclim.exe C:\Windows\SysWOW64\Dljqpd32.exe
PID 3680 wrote to memory of 3752 N/A C:\Windows\SysWOW64\Dadlclim.exe C:\Windows\SysWOW64\Dljqpd32.exe
PID 3752 wrote to memory of 372 N/A C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 3752 wrote to memory of 372 N/A C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 3752 wrote to memory of 372 N/A C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 372 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Debeijoc.exe
PID 372 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Debeijoc.exe
PID 372 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Debeijoc.exe
PID 1816 wrote to memory of 3864 N/A C:\Windows\SysWOW64\Debeijoc.exe C:\Windows\SysWOW64\Dllmfd32.exe
PID 1816 wrote to memory of 3864 N/A C:\Windows\SysWOW64\Debeijoc.exe C:\Windows\SysWOW64\Dllmfd32.exe
PID 1816 wrote to memory of 3864 N/A C:\Windows\SysWOW64\Debeijoc.exe C:\Windows\SysWOW64\Dllmfd32.exe
PID 3864 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Dllmfd32.exe C:\Windows\SysWOW64\Ebploj32.exe
PID 3864 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Dllmfd32.exe C:\Windows\SysWOW64\Ebploj32.exe
PID 3864 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Dllmfd32.exe C:\Windows\SysWOW64\Ebploj32.exe
PID 2684 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Ebploj32.exe C:\Windows\SysWOW64\Eqalmafo.exe
PID 2684 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Ebploj32.exe C:\Windows\SysWOW64\Eqalmafo.exe
PID 2684 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Ebploj32.exe C:\Windows\SysWOW64\Eqalmafo.exe
PID 4712 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Efneehef.exe
PID 4712 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Efneehef.exe
PID 4712 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Efneehef.exe
PID 2032 wrote to memory of 4332 N/A C:\Windows\SysWOW64\Efneehef.exe C:\Windows\SysWOW64\Ecbenm32.exe
PID 2032 wrote to memory of 4332 N/A C:\Windows\SysWOW64\Efneehef.exe C:\Windows\SysWOW64\Ecbenm32.exe
PID 2032 wrote to memory of 4332 N/A C:\Windows\SysWOW64\Efneehef.exe C:\Windows\SysWOW64\Ecbenm32.exe
PID 4332 wrote to memory of 4272 N/A C:\Windows\SysWOW64\Ecbenm32.exe C:\Windows\SysWOW64\Ehonfc32.exe
PID 4332 wrote to memory of 4272 N/A C:\Windows\SysWOW64\Ecbenm32.exe C:\Windows\SysWOW64\Ehonfc32.exe
PID 4332 wrote to memory of 4272 N/A C:\Windows\SysWOW64\Ecbenm32.exe C:\Windows\SysWOW64\Ehonfc32.exe
PID 4272 wrote to memory of 4924 N/A C:\Windows\SysWOW64\Ehonfc32.exe C:\Windows\SysWOW64\Eqfeha32.exe
PID 4272 wrote to memory of 4924 N/A C:\Windows\SysWOW64\Ehonfc32.exe C:\Windows\SysWOW64\Eqfeha32.exe
PID 4272 wrote to memory of 4924 N/A C:\Windows\SysWOW64\Ehonfc32.exe C:\Windows\SysWOW64\Eqfeha32.exe
PID 4924 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Eqfeha32.exe C:\Windows\SysWOW64\Fbgbpihg.exe
PID 4924 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Eqfeha32.exe C:\Windows\SysWOW64\Fbgbpihg.exe
PID 4924 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Eqfeha32.exe C:\Windows\SysWOW64\Fbgbpihg.exe
PID 3504 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Fbgbpihg.exe C:\Windows\SysWOW64\Fjnjqfij.exe
PID 3504 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Fbgbpihg.exe C:\Windows\SysWOW64\Fjnjqfij.exe
PID 3504 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Fbgbpihg.exe C:\Windows\SysWOW64\Fjnjqfij.exe
PID 5004 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 5004 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 5004 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 2976 wrote to memory of 1428 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Fbioei32.exe
PID 2976 wrote to memory of 1428 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Fbioei32.exe
PID 2976 wrote to memory of 1428 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Fbioei32.exe
PID 1428 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Fbioei32.exe C:\Windows\SysWOW64\Fjqgff32.exe
PID 1428 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Fbioei32.exe C:\Windows\SysWOW64\Fjqgff32.exe
PID 1428 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Fbioei32.exe C:\Windows\SysWOW64\Fjqgff32.exe
PID 1036 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Fjqgff32.exe C:\Windows\SysWOW64\Fmocba32.exe
PID 1036 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Fjqgff32.exe C:\Windows\SysWOW64\Fmocba32.exe
PID 1036 wrote to memory of 1020 N/A C:\Windows\SysWOW64\Fjqgff32.exe C:\Windows\SysWOW64\Fmocba32.exe
PID 1020 wrote to memory of 4748 N/A C:\Windows\SysWOW64\Fmocba32.exe C:\Windows\SysWOW64\Fomonm32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Cpofpdgd.exe

C:\Windows\system32\Cpofpdgd.exe

C:\Windows\SysWOW64\Digkijmd.exe

C:\Windows\system32\Digkijmd.exe

C:\Windows\SysWOW64\Dhlhjf32.exe

C:\Windows\system32\Dhlhjf32.exe

C:\Windows\SysWOW64\Dofpgqji.exe

C:\Windows\system32\Dofpgqji.exe

C:\Windows\SysWOW64\Dadlclim.exe

C:\Windows\system32\Dadlclim.exe

C:\Windows\SysWOW64\Dljqpd32.exe

C:\Windows\system32\Dljqpd32.exe

C:\Windows\SysWOW64\Dcdimopp.exe

C:\Windows\system32\Dcdimopp.exe

C:\Windows\SysWOW64\Debeijoc.exe

C:\Windows\system32\Debeijoc.exe

C:\Windows\SysWOW64\Dllmfd32.exe

C:\Windows\system32\Dllmfd32.exe

C:\Windows\SysWOW64\Ebploj32.exe

C:\Windows\system32\Ebploj32.exe

C:\Windows\SysWOW64\Eqalmafo.exe

C:\Windows\system32\Eqalmafo.exe

C:\Windows\SysWOW64\Efneehef.exe

C:\Windows\system32\Efneehef.exe

C:\Windows\SysWOW64\Ecbenm32.exe

C:\Windows\system32\Ecbenm32.exe

C:\Windows\SysWOW64\Ehonfc32.exe

C:\Windows\system32\Ehonfc32.exe

C:\Windows\SysWOW64\Eqfeha32.exe

C:\Windows\system32\Eqfeha32.exe

C:\Windows\SysWOW64\Fbgbpihg.exe

C:\Windows\system32\Fbgbpihg.exe

C:\Windows\SysWOW64\Fjnjqfij.exe

C:\Windows\system32\Fjnjqfij.exe

C:\Windows\SysWOW64\Fmmfmbhn.exe

C:\Windows\system32\Fmmfmbhn.exe

C:\Windows\SysWOW64\Fbioei32.exe

C:\Windows\system32\Fbioei32.exe

C:\Windows\SysWOW64\Fjqgff32.exe

C:\Windows\system32\Fjqgff32.exe

C:\Windows\SysWOW64\Fmocba32.exe

C:\Windows\system32\Fmocba32.exe

C:\Windows\SysWOW64\Fomonm32.exe

C:\Windows\system32\Fomonm32.exe

C:\Windows\SysWOW64\Fbllkh32.exe

C:\Windows\system32\Fbllkh32.exe

C:\Windows\SysWOW64\Fjcclf32.exe

C:\Windows\system32\Fjcclf32.exe

C:\Windows\SysWOW64\Fmapha32.exe

C:\Windows\system32\Fmapha32.exe

C:\Windows\SysWOW64\Fckhdk32.exe

C:\Windows\system32\Fckhdk32.exe

C:\Windows\SysWOW64\Ffjdqg32.exe

C:\Windows\system32\Ffjdqg32.exe

C:\Windows\SysWOW64\Fihqmb32.exe

C:\Windows\system32\Fihqmb32.exe

C:\Windows\SysWOW64\Fqohnp32.exe

C:\Windows\system32\Fqohnp32.exe

C:\Windows\SysWOW64\Fcnejk32.exe

C:\Windows\system32\Fcnejk32.exe

C:\Windows\SysWOW64\Fflaff32.exe

C:\Windows\system32\Fflaff32.exe

C:\Windows\SysWOW64\Fijmbb32.exe

C:\Windows\system32\Fijmbb32.exe

C:\Windows\SysWOW64\Fqaeco32.exe

C:\Windows\system32\Fqaeco32.exe

C:\Windows\SysWOW64\Gbcakg32.exe

C:\Windows\system32\Gbcakg32.exe

C:\Windows\SysWOW64\Gjjjle32.exe

C:\Windows\system32\Gjjjle32.exe

C:\Windows\SysWOW64\Gimjhafg.exe

C:\Windows\system32\Gimjhafg.exe

C:\Windows\SysWOW64\Gqdbiofi.exe

C:\Windows\system32\Gqdbiofi.exe

C:\Windows\SysWOW64\Gcbnejem.exe

C:\Windows\system32\Gcbnejem.exe

C:\Windows\SysWOW64\Gfqjafdq.exe

C:\Windows\system32\Gfqjafdq.exe

C:\Windows\SysWOW64\Giofnacd.exe

C:\Windows\system32\Giofnacd.exe

C:\Windows\SysWOW64\Gqfooodg.exe

C:\Windows\system32\Gqfooodg.exe

C:\Windows\SysWOW64\Gcekkjcj.exe

C:\Windows\system32\Gcekkjcj.exe

C:\Windows\SysWOW64\Gfcgge32.exe

C:\Windows\system32\Gfcgge32.exe

C:\Windows\SysWOW64\Giacca32.exe

C:\Windows\system32\Giacca32.exe

C:\Windows\SysWOW64\Gqikdn32.exe

C:\Windows\system32\Gqikdn32.exe

C:\Windows\SysWOW64\Gjapmdid.exe

C:\Windows\system32\Gjapmdid.exe

C:\Windows\SysWOW64\Gmoliohh.exe

C:\Windows\system32\Gmoliohh.exe

C:\Windows\SysWOW64\Gqkhjn32.exe

C:\Windows\system32\Gqkhjn32.exe

C:\Windows\SysWOW64\Gcidfi32.exe

C:\Windows\system32\Gcidfi32.exe

C:\Windows\SysWOW64\Gfhqbe32.exe

C:\Windows\system32\Gfhqbe32.exe

C:\Windows\SysWOW64\Gifmnpnl.exe

C:\Windows\system32\Gifmnpnl.exe

C:\Windows\SysWOW64\Gameonno.exe

C:\Windows\system32\Gameonno.exe

C:\Windows\SysWOW64\Gppekj32.exe

C:\Windows\system32\Gppekj32.exe

C:\Windows\SysWOW64\Hboagf32.exe

C:\Windows\system32\Hboagf32.exe

C:\Windows\SysWOW64\Hjfihc32.exe

C:\Windows\system32\Hjfihc32.exe

C:\Windows\SysWOW64\Hihicplj.exe

C:\Windows\system32\Hihicplj.exe

C:\Windows\SysWOW64\Hapaemll.exe

C:\Windows\system32\Hapaemll.exe

C:\Windows\SysWOW64\Hcnnaikp.exe

C:\Windows\system32\Hcnnaikp.exe

C:\Windows\SysWOW64\Hfljmdjc.exe

C:\Windows\system32\Hfljmdjc.exe

C:\Windows\SysWOW64\Hmfbjnbp.exe

C:\Windows\system32\Hmfbjnbp.exe

C:\Windows\SysWOW64\Habnjm32.exe

C:\Windows\system32\Habnjm32.exe

C:\Windows\SysWOW64\Hcqjfh32.exe

C:\Windows\system32\Hcqjfh32.exe

C:\Windows\SysWOW64\Hfofbd32.exe

C:\Windows\system32\Hfofbd32.exe

C:\Windows\SysWOW64\Himcoo32.exe

C:\Windows\system32\Himcoo32.exe

C:\Windows\SysWOW64\Hadkpm32.exe

C:\Windows\system32\Hadkpm32.exe

C:\Windows\SysWOW64\Hccglh32.exe

C:\Windows\system32\Hccglh32.exe

C:\Windows\SysWOW64\Hfachc32.exe

C:\Windows\system32\Hfachc32.exe

C:\Windows\SysWOW64\Hippdo32.exe

C:\Windows\system32\Hippdo32.exe

C:\Windows\SysWOW64\Hjolnb32.exe

C:\Windows\system32\Hjolnb32.exe

C:\Windows\SysWOW64\Hmmhjm32.exe

C:\Windows\system32\Hmmhjm32.exe

C:\Windows\SysWOW64\Ipldfi32.exe

C:\Windows\system32\Ipldfi32.exe

C:\Windows\SysWOW64\Ibjqcd32.exe

C:\Windows\system32\Ibjqcd32.exe

C:\Windows\SysWOW64\Ijaida32.exe

C:\Windows\system32\Ijaida32.exe

C:\Windows\SysWOW64\Iidipnal.exe

C:\Windows\system32\Iidipnal.exe

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Icjmmg32.exe

C:\Windows\system32\Icjmmg32.exe

C:\Windows\SysWOW64\Ifhiib32.exe

C:\Windows\system32\Ifhiib32.exe

C:\Windows\SysWOW64\Ijdeiaio.exe

C:\Windows\system32\Ijdeiaio.exe

C:\Windows\SysWOW64\Imbaemhc.exe

C:\Windows\system32\Imbaemhc.exe

C:\Windows\SysWOW64\Ipqnahgf.exe

C:\Windows\system32\Ipqnahgf.exe

C:\Windows\SysWOW64\Ibojncfj.exe

C:\Windows\system32\Ibojncfj.exe

C:\Windows\SysWOW64\Ijfboafl.exe

C:\Windows\system32\Ijfboafl.exe

C:\Windows\SysWOW64\Iiibkn32.exe

C:\Windows\system32\Iiibkn32.exe

C:\Windows\SysWOW64\Iapjlk32.exe

C:\Windows\system32\Iapjlk32.exe

C:\Windows\SysWOW64\Idofhfmm.exe

C:\Windows\system32\Idofhfmm.exe

C:\Windows\SysWOW64\Iikopmkd.exe

C:\Windows\system32\Iikopmkd.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\system32\Jjmhppqd.exe

C:\Windows\SysWOW64\Jpjqhgol.exe

C:\Windows\system32\Jpjqhgol.exe

C:\Windows\SysWOW64\Jjpeepnb.exe

C:\Windows\system32\Jjpeepnb.exe

C:\Windows\SysWOW64\Jmnaakne.exe

C:\Windows\system32\Jmnaakne.exe

C:\Windows\SysWOW64\Jplmmfmi.exe

C:\Windows\system32\Jplmmfmi.exe

C:\Windows\SysWOW64\Jfffjqdf.exe

C:\Windows\system32\Jfffjqdf.exe

C:\Windows\SysWOW64\Jidbflcj.exe

C:\Windows\system32\Jidbflcj.exe

C:\Windows\SysWOW64\Jaljgidl.exe

C:\Windows\system32\Jaljgidl.exe

C:\Windows\SysWOW64\Jdjfcecp.exe

C:\Windows\system32\Jdjfcecp.exe

C:\Windows\SysWOW64\Jkdnpo32.exe

C:\Windows\system32\Jkdnpo32.exe

C:\Windows\SysWOW64\Jmbklj32.exe

C:\Windows\system32\Jmbklj32.exe

C:\Windows\SysWOW64\Jpaghf32.exe

C:\Windows\system32\Jpaghf32.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kpccnefa.exe

C:\Windows\system32\Kpccnefa.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kmgdgjek.exe

C:\Windows\system32\Kmgdgjek.exe

C:\Windows\SysWOW64\Kpepcedo.exe

C:\Windows\system32\Kpepcedo.exe

C:\Windows\SysWOW64\Kbdmpqcb.exe

C:\Windows\system32\Kbdmpqcb.exe

C:\Windows\SysWOW64\Kkkdan32.exe

C:\Windows\system32\Kkkdan32.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kdcijcke.exe

C:\Windows\system32\Kdcijcke.exe

C:\Windows\SysWOW64\Kgbefoji.exe

C:\Windows\system32\Kgbefoji.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\system32\Kdffocib.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kmnjhioc.exe

C:\Windows\system32\Kmnjhioc.exe

C:\Windows\SysWOW64\Kdhbec32.exe

C:\Windows\system32\Kdhbec32.exe

C:\Windows\SysWOW64\Kgfoan32.exe

C:\Windows\system32\Kgfoan32.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Lgikfn32.exe

C:\Windows\system32\Lgikfn32.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Laopdgcg.exe

C:\Windows\system32\Laopdgcg.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lgkhlnbn.exe

C:\Windows\system32\Lgkhlnbn.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lcdegnep.exe

C:\Windows\system32\Lcdegnep.exe

C:\Windows\SysWOW64\Lklnhlfb.exe

C:\Windows\system32\Lklnhlfb.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Lphfpbdi.exe

C:\Windows\system32\Lphfpbdi.exe

C:\Windows\SysWOW64\Lddbqa32.exe

C:\Windows\system32\Lddbqa32.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Mgekbljc.exe

C:\Windows\system32\Mgekbljc.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nnjbke32.exe

C:\Windows\system32\Nnjbke32.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6180 -ip 6180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 224

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
BE 88.221.83.224:443 www.bing.com tcp
US 8.8.8.8:53 224.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1616-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cpofpdgd.exe

MD5 4cdc81866f9092f157d8cf0e8e5744b3
SHA1 6183697af30b7c0103421dc51a920c6cc458f064
SHA256 3f651e1cf4a1d469a6eefd5a4a30b97c7dac21e40c7bfaf5c1a2199f94cd9bea
SHA512 b361fed3f7448239cca36b0bfa01f623e38d94e0547afac29466f929d42b73319dc490f7f960ed9a17e52f077fcc4249693513dc0cf0b4d36fd809641d19561b

memory/5076-7-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Digkijmd.exe

MD5 fd6f1930cb4ae7228a1356bd72522781
SHA1 eccaf72179bfdde5bbe772769250498d8000b62a
SHA256 e41056acf2eaeb22613748ed77daf1718a71a56eda10a80533ae027828fd1256
SHA512 fda4188797889242dd74f39e41f38e48d964d84e8461f4da75d75c79a0c3bc07801e95e32370b1a415e1d4aa34b6c6e1d4c25201a43391da63bb3fda5e39ee99

memory/3080-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4952-24-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dhlhjf32.exe

MD5 2c31d8258dca3f890b74f93aedc6c172
SHA1 19066b3f99d575a7e5d43fc95e97384618765e9c
SHA256 af32b5db95463f63bb5ddd71b7931b2761ecd9464f88e585dffc633a0ca1cbdc
SHA512 4ad63eb6dd2a0fd9b8fcc045e63630ac462d47197d1a7774f1d4e14825910181820f193d8ec1c7c7087de7dd6c833ef13fd18b282eb00eb850390ef9cf51d86f

C:\Windows\SysWOW64\Dofpgqji.exe

MD5 70b4c166eb77c67797161f0b30791d76
SHA1 362eb66d5d0bfd2cc48905b79042f21493c16c9e
SHA256 f72e4676f39bb58a668ef321cc4f86960ade0529cf66d886e41b121fc3438e44
SHA512 ba0fd8de2133d593a5548c7087d79487390290d7cc19b1c86082448d861b165c0ced330abd754f1d161a3797c8b1fc765be602915ce91928aae4822242227c60

C:\Windows\SysWOW64\Hqlqig32.dll

MD5 972016f9e2103e60c36e637a5cb5ee78
SHA1 05531041e5daebcbe1dbf821ef841c64b3d9118c
SHA256 af107bb14ad356f0e926496fa3668a9f039abea2bd89dc6590fd19eaaad71187
SHA512 ed04f917629001de0e7a7f0b9c83d5612589eb825275b6d86148ccaacef36f20fbb5c463ac3b3174db2f25bbca095f903c2af6550e0f16bb0727600df8758145

C:\Windows\SysWOW64\Dadlclim.exe

MD5 3deb7e5595781f7390d9f503ccc9cf49
SHA1 bc20ff69a8cb14d05711b1dc5c8141db5cda51e8
SHA256 69892c9f77ab9da5a8ab94f56a06b4c6fbc1b8150f717f8596a99d9e273d08ae
SHA512 e9401b72de34bbf0d7e5897396e934439eee93cd3675208553a05f5f4620e1b2db60a76764b8fc59e18c2c3908287227bdbf11837bb65cd4a27cdf0438bba593

memory/3680-43-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3752-48-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dljqpd32.exe

MD5 7126f09f34e6b4f41c1f8460519e58fe
SHA1 e76dec6ab304647a0bc0a214853cb27a4d311728
SHA256 2f0e02bc467f928c27cfe54cf239ccbd16ce2208a920b101271aaf445df2f34b
SHA512 f258cc6f578eae069bbdd967368a85223378d747bf09aae2c8b406f392531ad93e8b5c2b78c305bf2440efd35c86abccf6eb17ff6c86789f4eccfdb5fb6fe8d9

C:\Windows\SysWOW64\Dcdimopp.exe

MD5 9ed75be359115364478897fe2ebe5c75
SHA1 dd3c546ca3eabebcff97ea9028a278a439acbe48
SHA256 648902cd45b623d35560894938f48ce147fb2dc64898d6ea1638fc997dae1edc
SHA512 c55d71b494b9d6a5f9ee767c68315a65aedaef0b65c6655d8ae55fc9bed545d6bdae5cddf8f643486f7227c44c0dce3d0481d6491ee7ad256660d13d1053a5c8

C:\Windows\SysWOW64\Debeijoc.exe

MD5 c19ae3058cc6b730f987e8081f390d5a
SHA1 348df8dac982c01381d89e3380c49cfc73550b02
SHA256 7f9c330533da4b395b4b185353dcc600cc6084d3011625f67b2eb07d573c7e3b
SHA512 35d2e37dc18c10692cbb8733e45a39be9a9693996a82ba02bbd97baf46ff690383b6f76b48c2677dbde0661ad59cd1736c72e4abb17758b0fe1b5a2e2d6f8393

C:\Windows\SysWOW64\Dllmfd32.exe

MD5 1dca5ea87f5f94697ca63ee5f0cdbf95
SHA1 fc57739d5d0477e66aa9559e01f8918927f06a27
SHA256 358967e402f1db0c4c6f461a11cc39a5de353f3f1667742db0633f95f9e75c4d
SHA512 101be732cfe6c28cbfa8aeb73a752fc41c495bee1982651002154874ca24e332e94a428e5675c048ac7856a726af5e4078b35cf82533674fdeba1fd91b6bdbd7

memory/1816-69-0x0000000000400000-0x0000000000433000-memory.dmp

memory/372-68-0x0000000000400000-0x0000000000433000-memory.dmp

memory/776-35-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dofpgqji.exe

MD5 649599a4669b575394da558145f99ef2
SHA1 d6d0debdb5be77e1fbe9b34b9e57e7ee14a14a45
SHA256 e298ff2e9aa99bd8209f4c535c7844169e21b1c685a37060dd4e8276d34e75a7
SHA512 94fc940a560dc25eaa37d49a04165665d9fccf7d3183a10e27e37949d61100266978682434985d1c1a056d2389cee57f70a75c92a06265818a446de5a2052dba

memory/3864-72-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ebploj32.exe

MD5 32c9d6a7ea63caea79a4b6a9bb660aaf
SHA1 58680a26436e939ff04e56d54b26809fbda92616
SHA256 c97518a61f6f947abfa30bab253b7573b27cd2f527f693299c026d3efbb42550
SHA512 39996e8f286ee8a4bbe43318b2f83bb169b1fdedc8d3eb230e82932d3bdfbd08a8e8f561e892fa27271e1901bd77bbd51bc42d94c2066d7c45b2242a47319773

memory/2684-80-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4712-87-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eqalmafo.exe

MD5 260156a3a2aebb41a64d4790cf3643fc
SHA1 cd30a8140b7b466fb14c9251c6de689eae2eaf67
SHA256 3cfe18bd661e9270a1cb533e8f1224fd55f7fb8b02d5a3280aa65971cd45d394
SHA512 fca18d97df609edff99db402b9f839f58b8ee9f1725891b95c53363e15254778eed95b7381d2b54182beb427cacca4e0445833d3f322a48d19287831b3556b0b

memory/4332-104-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3504-128-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fjnjqfij.exe

MD5 235be50e1422257aa77b79869fe557f6
SHA1 a2287e9d845f367562f23f33857fe4fb42aa9e37
SHA256 d3a1e2094307cbba3d336198d465646e7934667e94a492e833e6b1469fe58287
SHA512 4015b4301f904cf627585d5ed0d95283fba0b0b37fb6e6376ebb0fd7685d797e1664dc7801556152617a944893e07b2b085156488e247e0447d68a107d6fab88

memory/5004-136-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fjnjqfij.exe

MD5 06881340ba84e67a75b2049196ef3b61
SHA1 765b0d3eaa70349e2b3ea40913a6eacde5b3bc67
SHA256 50223b930092fcd206a159fa9de6689afc9aa090b26209f8f64396665dcd9f47
SHA512 ec01b4fb08216e44abbe041329b0fd0127fa558d937d095caaaad385f05b0b7c9bc6d76583f7fb8216c1e102b09ea26e72664166da60d09c7192a05335129f40

C:\Windows\SysWOW64\Fmmfmbhn.exe

MD5 59076022bf85ee23be4ee1df7b8fbad3
SHA1 58e5b1ed40379354ffba23bf392e50c2f1e8a2c0
SHA256 ba1fe82d130a98fc38d54bccd90ac1694178ee96b7bd5340b6c783d7eb3a0f17
SHA512 bd292c9d0c36db32b9ab2edd6db7be764594e293c99bcc3ca9fc6aac6c6066e09e6e3b14c2d7672bf5d4c200ea4aecc2e872fd962d4bdc1318820afdb36c8cd2

C:\Windows\SysWOW64\Fbioei32.exe

MD5 1525b319f4ed37636dacc1dd5585d96b
SHA1 d539859b7f609dfb21cd1a96ae86b59462bc2ae5
SHA256 6fbbe404e70ececf01e206fb498ab8fdb398f337a03cdc1a679a2d7e21eff124
SHA512 6aa63ca89ad4c9ee75c2a42ae0c0a3d4d18ec68b7aa2cdd479987bb23b82e3042a356b2167d40fe4246bdbe5dbfd93baf3a1c892d559a06ed26d04e7687c85ea

C:\Windows\SysWOW64\Fjqgff32.exe

MD5 c269aeef6ccef798c61a3e40f8b6eccd
SHA1 ededd54da46bce8e195cdda009ef326cf9fee7b4
SHA256 381bb2bb61d2a7988dc0ea537f8fc45a30d04bfda7afd1ac84edf4886105c997
SHA512 5f4f1f2154ddd5125b5c09d397e88a6d5fde5a8b6e16cbd6986594a636165ddc2ed2c6f7c2e5bf09bb0f5558dfaa16418c667afe8d38981550adca92fefc984f

C:\Windows\SysWOW64\Fmocba32.exe

MD5 83cf333fae191a29ecaeb6a66f7b75b6
SHA1 3cb3d2164d6bedbe0e1538d1e573d2ea92c1f1cb
SHA256 ab56b0d8cd0d8a2cd1cb5799668ce34a3eb18b96624436670087d503eb66514a
SHA512 ef8bca021937f92da8973bbb7ed73a816ed796cc93957dd55048b9182fb548c138d506c957e5ad8228f50467c14f1e626d6140cd27fa333c377c60bf4a996f95

C:\Windows\SysWOW64\Fomonm32.exe

MD5 df27511dbd6a570b63d581d599f337cf
SHA1 c23a37fadd9068d988756141637a74dac46239cb
SHA256 f2f6be2d3b22d8c8902dfe961c40835075897bd6db24d389b97d52b2fcc733e1
SHA512 51d3b768349513dd5f2c8c671752f53604ecfc8f776c1f7cd72474c3377f617ee7399ce5672941c63b4298919e706c999f9c537ce8d406f20a1a70a03500b3c6

C:\Windows\SysWOW64\Fjcclf32.exe

MD5 e012dfb16f8a5e2f15164943d6a13771
SHA1 7d060a398869bf55f62294f833cdc3db228cba1f
SHA256 fc03cb99fbc73192a94c8951e02175f991e3c8f219517120a0d1a291e4b9ad65
SHA512 e975d2f04b699816ea111b3c8a5e6652a9e4724a1f85425b7c6a405c285ce0fb1ec4f63c942337afd1d522fcb93cc6e85ee64477e6d71408e2b4779599fde60b

C:\Windows\SysWOW64\Ffjdqg32.exe

MD5 d150db351a8b00b67bd3c34f263fce30
SHA1 560a8ce31fcf8561563abdc8babdff204d5e7408
SHA256 994b979506897953393537359af7a4368957936d62df4bd4ea3393aa664f4d5b
SHA512 1e5da6c2484d096db4aa51a28a45af5f9eb7b660b0fd7f61316e628cb2b07794f8f64a377508afd14ff7211529374ba2b7a192516d8e2cda66d5ac36200308e8

C:\Windows\SysWOW64\Fqohnp32.exe

MD5 3eea56a08b7dd79e8750e932e7d2ff71
SHA1 9ae61143915cc180f964cb1b5856d38157b7df81
SHA256 ebf73763fc92dda107502ad6bf979d58e3e0be9ef259ee9b149eee7844230ddf
SHA512 c847cf61f8ca0bc7ca904896fb2f37f094fb0f7af2080c02ef341f8e67d78ac49790d7a2c43d1f7d61743f6eb04a3deeac104480d514f5e0b52b73dd93c662ff

C:\Windows\SysWOW64\Fcnejk32.exe

MD5 2dc47bf71c7abcc3d84993c8aa570400
SHA1 d029a2eaec43a82621f246c8e60280dc947841dd
SHA256 c8e5819e3deec71437c58ada4eae587a79b3dceaf84aa2a35c17b6660b763724
SHA512 f8f1c280c4c08b4ace945d5d2120c5af87b33d65907d3e1fd21d70d755304c81812a3dcffed82579225cedf60aa9ebbb20f6fa1695186cf4f663ed7b63146738

C:\Windows\SysWOW64\Fijmbb32.exe

MD5 1f1cb89b2b164b4bb8edac0681feb747
SHA1 a6ed3a6d5d7c416466519cc9944e8f7eb063fb7f
SHA256 02e7c157e9a7ff4cf1e4dec7611120ffb309e4b335febb617949324422663288
SHA512 af1fd6b4bc8642b1d67b9a6a15438348cebea77c619d0dd9fa9787f9ed6278d89a120b9e7cfb602f3faa2d09de8c41fd21bf41297954369011eff785f7d9ce2e

memory/3144-437-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1084-453-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2128-541-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5556-574-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Iikopmkd.exe

MD5 c2cd8fe620f14bcecd90e3d55141ebaf
SHA1 a3a3834f2434620667819e4453a658dc216f5366
SHA256 9df45b75bfdcf91877c81b8b82511658416c5cefd0334837e1905b3801bf6e57
SHA512 b5eecd95168ec23f82080d1b742b2541dc0092b89b06d24dc205f0f242c09c12e0155a39ce0ea4ac1c44f9e41fa907a189a5d1d4c8363eca37075c21061e8979

C:\Windows\SysWOW64\Jpjqhgol.exe

MD5 bc7aa22391c019ce623e4ae2dce1dd4c
SHA1 ae2346038e5729723fb00ede5fcd69573be12f93
SHA256 aa420ee323507f4d0445a7f0c8b1b36d6bf8575fb8c3ff372b5e7aa46249d452
SHA512 ca4d0d9d1811189871d994fa8811e5c27c1605cb65946a22d1239ce78ef291c256c250ff16eb945bc0f51eccf3c53e448ee4f7f1fbb363c77b4d005b1a275a87

memory/5812-592-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5984-618-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6068-628-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kkkdan32.exe

MD5 564cc99efcdc07148ef6e94c029252aa
SHA1 a3e294151a57b2bac271484593e04ce8a9020dad
SHA256 ee18a9f45892caa3a4837d3d905c5cf829509f099820a62463262219544842e5
SHA512 183f5bb889de10e448be22e4f1f840723ac6294f5bf569034e76922102d3600789e331a564c3eb441be711d457ca97dae11822b944a28da9fd0c87b1ac977593

C:\Windows\SysWOW64\Kgbefoji.exe

MD5 7e32a62706b8540aec166aa8e71e2084
SHA1 d5606fe7e423c4975089ef4ef311927dcfe6c28b
SHA256 33d480fbcf0b88e2ab6ab56bcd2a5dc07c7a64a212d919b35ba79a5e0bf4852b
SHA512 194c236b07ed0c050e307038ef1ae844025dede3997e55625d8e0a770d1dc5cfe148ea554bcf095acdc3b6916da1997557463544e905d0cd53a33edd82a50942

C:\Windows\SysWOW64\Kdffocib.exe

MD5 31a1897bfa8187f978bae3648181aeb0
SHA1 d05b7c35efb8d9152a50a6124507aadb9ea7f6e7
SHA256 6239905811eb6f18c2282b7f78bebb6b034c01cc2d784d55f9e8f7ef6ce4cc79
SHA512 80b7e889d8a57d37f07fc244a7dbf1434483b98843e4d00c40798cada7f7ad2048ae6458f5847862bfdb26fcf27a3115c6320ded0e4329034389f42b8694272c

C:\Windows\SysWOW64\Mjcgohig.exe

MD5 4b986c6e98c9639c0651244bfb48af8f
SHA1 6bbdd5bc8a56f2166dae1af2f834cd88fecd07fb
SHA256 0c05dd0f45bc5d178151c5868c3c73c0ea917b9f8ad941e46156369438748b7b
SHA512 361dc0de6749fab522d8e5dbe036264445d2203a8d59a6e067c328e731f14f967dc1dba76c420ee8c9bc7cdfcc1b02134c5c04d1beb7c1a8c50f871d5a8ca91e

C:\Windows\SysWOW64\Nnjbke32.exe

MD5 1f40be1de6fff59e88b76c4765c75514
SHA1 9e9f444acf4335c54787d20aff5afe6af47b693a
SHA256 7243e57e14db2ececac3df680bfa5d43255510dbbb7212abcd52543e7adc0f80
SHA512 e5da621c29b86b4b738fd60f449be3f1cf8a54e9b383817fe266837a360d73675c2ff7a4a5d13fd65fc96b634470bdd1bfad536d02eb671749dae16afc0f12c4

C:\Windows\SysWOW64\Nqmhbpba.exe

MD5 3a7c17d3253455954c948cb195d6468d
SHA1 acef7a66e94ca2c091bc30c9f34fc7b2ab38716a
SHA256 b1b9e134595b164131068f859d7d6ef87483b22e37e0561641267b29caf1430e
SHA512 191975c17f74fe409708331d96a7dcb6782cc52dfa889798397d08bcfc1841833289d3b3d54fcedfd8c0b30292c2a14a1792ff9add7cc95802d447c6f7952149

C:\Windows\SysWOW64\Nqklmpdd.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Nnmopdep.exe

MD5 ddcd927c0e68e9eba6266cc2903e5735
SHA1 0eedf94c2296f358b0c00e2314c198b568797122
SHA256 958fc5d15f9509e05fd8fadbada6551f090d8cce18d5fb65b74b0497a7041353
SHA512 79102f3db015ae55004098114b2fadf20f526887a87ee5d55442a6056cacc6d497e6ce6c6176131ae0fed109bab6cee0b3709b3eaa760b59d6bd1a3f4a2ce209

C:\Windows\SysWOW64\Njljefql.exe

MD5 796e291985d18b9aa74c0686673eac6c
SHA1 fc953b160b89527a45fbd7de7ec8e589db81ecd5
SHA256 9c7ce15bf96adc826c4b64a5241c0a13533d65d66393565dec5b49551ec75398
SHA512 ef045355ec60434b90b730d73182166b64028f254cf2b4406a8848c7bc33ee4388f6b15eab46bb6534b72b9e222136fb1d84c832f5ef4204e2b95ad3035a8e31

memory/756-1182-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5508-1140-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2260-1133-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mjqjih32.exe

MD5 7e9bfbaf4a0e4ddee7f8108f7aff219f
SHA1 8d336ba300c1d40cc0fabd552ba181849bb65b2d
SHA256 8b93834f9313c60a6a1bcf13c86b60eedfb4480a5c605f0974bfd1374116ab6d
SHA512 87d52656834b3d9c506ab8d4168f16be9343de5f3c4db496076581675426c516941b45424b9b6669137a1acd38308e292196e5ff19c3991bbd6104f9caab386f

C:\Windows\SysWOW64\Laciofpa.exe

MD5 b8f68975028b474b084ced8b64e8fe26
SHA1 9158e865dcf51dcfca741af4450d501bec166cb6
SHA256 b77a508b364b3de440f676570122c30a1504fcb4a89b0706571313b12fe22549
SHA512 b66248c3dfe835216fcfb1863c81638d3c7bb6a036671571a33efffa53ff85a7088615bad1dbc0ae118edca3f1349bd55b9751b3a185c701d3ab3843da5497b7

C:\Windows\SysWOW64\Ldmlpbbj.exe

MD5 eca83c2f785cb69b977f756081d8520c
SHA1 6d2f76a19737133bbafd15cd305b57c5f0323c0c
SHA256 7085c6d39513cce94ddd1088319bdf1921686a3eed791dc57a42f37ed749aa09
SHA512 ef83cb183858c07fb721ed48b04caeafcdc4fd9b4fc9424258e4f76797043f1ea92ab4c94b5a404634a9f936765324b7068e7ca35c30f1781d9e55c4499571e4

C:\Windows\SysWOW64\Kpepcedo.exe

MD5 62b4c1bc8866a33a8686a770a0ac5135
SHA1 0697bc0f824a82829906a4f66473350a2b89ed71
SHA256 51a0edc0f0dacd0958f63e68c498f1010c2534ba685e9343565f09b9090efa5b
SHA512 8b1cda76d731288bccf32f2da8c46527fe0cc09418752df23209ad0fcc165fcc3f67b7a8e793870d320ac698386f653cb343062e057f876ef668536bfe86676c

C:\Windows\SysWOW64\Kkihknfg.exe

MD5 586095ed26722a06de0d6ab188cc9d9b
SHA1 2f423a43dde7fbfd69d8fe998238c083e662fa94
SHA256 bbd0b8fda69d2a0a72a214b1ffdf95ce268ac913b1eff4497c5a655275dd0d13
SHA512 9f7351f7393433705faab328e525362d05ac619d9055ba63ad0a85ad1372d065e461778e084f6499f605d2655a30c904a335cdeb7c8d4dc0d4689b70672fbac4

C:\Windows\SysWOW64\Jpaghf32.exe

MD5 ee13222aeb5483207083f0c26ca5fb4f
SHA1 395d58db5d16116feb3dabf725aa5bdfde5146b7
SHA256 5f9cc20742b2be7598fc9a4565a6631ae0d16acf297db0dfaf86d38ae3726d1e
SHA512 901cdfa9f87e59cdb7a759f25bc8c2f71880b03428d808d5f1eee9244620872828c8244204fe90434719a83287e67aa95c8eb8daa443c1a5d5266a9d0bca7c74

memory/6112-634-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jdjfcecp.exe

MD5 e775c8968d13d611776b45c13fc149e8
SHA1 8a1a0a6fbb6f4caf2a264a3b46d18ceec5d2c2fd
SHA256 3bf2bee66209c6bc903f1fd997bac0eafa185cdd7d939493275deb1c97279614
SHA512 782878cc2dc883a4bd0a4f252532717862e27474822c471a9d3c14300fda28640d21b41a0939a9659eb9d60e1db0cb6dedbc4b97727ca42c346ea988002618ab

memory/6028-626-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5936-614-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5896-609-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jplmmfmi.exe

MD5 793e11a3d3a28895e03bea2b795ef890
SHA1 ae884eadcfab21ea3396ccd18f2f0d51ddbd1788
SHA256 20ed029ef13494520a8f81399b93d8b8db02e10d5a08c0ae7435457afff04aed
SHA512 068d8825714b3ce3b3df3809242b96b0b7dbbaac624e171f437350635113025f1b29aa05fbef6f1a04f8046217bb56061223aca68e2bd189b9d56b3eec874ca9

memory/5852-602-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5764-586-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5716-581-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5448-573-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2076-572-0x0000000000400000-0x0000000000433000-memory.dmp

memory/532-571-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5412-570-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5376-569-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5340-568-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5304-567-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5272-566-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5236-565-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5196-564-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5160-562-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5124-561-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1940-560-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5032-559-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4344-558-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4452-557-0x0000000000400000-0x0000000000433000-memory.dmp

memory/932-556-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4048-555-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3952-554-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2228-553-0x0000000000400000-0x0000000000433000-memory.dmp

memory/32-551-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2448-548-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4364-547-0x0000000000400000-0x0000000000433000-memory.dmp

memory/468-545-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3128-544-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1944-543-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2064-542-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3276-538-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1936-540-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2636-537-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2184-536-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4920-535-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1256-534-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4296-454-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3916-452-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3748-451-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4984-450-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1924-449-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1184-448-0x0000000000400000-0x0000000000433000-memory.dmp

memory/896-447-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1644-446-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4076-445-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4464-444-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4064-443-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3652-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1400-441-0x0000000000400000-0x0000000000433000-memory.dmp

memory/364-440-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3344-439-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4428-438-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2376-436-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3696-435-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5112-434-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3908-433-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1860-432-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1588-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3368-430-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3708-429-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2552-428-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3512-427-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4748-426-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1020-425-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1036-424-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1428-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2976-422-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fflaff32.exe

MD5 42c2f42e94b2a4267dc05fb0590a78c9
SHA1 bdc645ab75f112715990a82b5b40a990ef51d116
SHA256 917dd69c6baed6e9dc2a077c0e2ae5093ffedd98a427ed4a64aed1bf19370b81
SHA512 45c6805ca09eada0aa14fb69efd0dda9d59c520d9eb64df6d66c70f0e0de64bbf1e53c62e364b018f89c0ce908f6ffb0dbad9ab8dbc2d1faf5ac38b5be0a7b62

C:\Windows\SysWOW64\Fihqmb32.exe

MD5 af3036a7f5d9e25cca057f50833f875c
SHA1 99ea43d38c727f8c9ce91d0ab6443336e20edf62
SHA256 7628b1580411f6da483a627f4eb3fbbda328696b685d4721512dc5409ba6c794
SHA512 bec4da1d63352773048ad486328117272273888439eebb084e71a8941fcb765c8d35c11b13f3337c969ebfac09d065a59511965c522a596c246da88aa438535a

C:\Windows\SysWOW64\Fckhdk32.exe

MD5 98110434e2aca38b20d6829ea401d5a9
SHA1 a2c07881bae278b0b09716b6258acff6ae5533a1
SHA256 0cde9710fbf6e571d9d7509b853992968c7a3819a7a62d4e6f34b62f9bc6edad
SHA512 c0b75ab909cb14ee3f7b2cf7a9fc4037e3318c92ec6f7208a849674b44a04ed78b609598d3d81555bed64b0a364adf68565bdb33754117599002daa7f27a4246

C:\Windows\SysWOW64\Fmapha32.exe

MD5 82206c1fa9ae612875f5a2cfd6cefbf6
SHA1 a25b2780fa10082ab2160ca2c28039da9db0cd1f
SHA256 e0ca886aff008ae89e434576fd696e80e1229d69702600ad6914911983515fc5
SHA512 82757034f45b2c6ea341602854da03cfdcea1bb3f59d261cefaade0728d6fc97d599cd348e7ba471deed62f403db26219b32023c6a094e07e076f012b01f09e4

C:\Windows\SysWOW64\Fbllkh32.exe

MD5 df3c162d182c02c171452fd15b6f3f16
SHA1 528b8bf5fd6bb4978626a39cdb50ec87e88062e6
SHA256 7d49133ab62268f986716a48bff2b4f36996d3d96b2b1ce0a4342a023c3273ae
SHA512 53bb02d8e3f9a03f6848470bbc4bfd73ce1103786d1959ed697310cfa08b0eb51036a0933e813fd0b1a94df98790b9833f52ecae3a83bb2c715dc0aa592e50d4

C:\Windows\SysWOW64\Fbgbpihg.exe

MD5 65491c34b4c7e930b43b5aba017c398e
SHA1 a60bfd6ac13fcd7090a0d9323af4c57c0c48f34b
SHA256 9846dda9fcc1eb51a07ded41245dbea745b42c234c3e3fafc7de997f645d56c8
SHA512 5b341c8607535c0f6f8efaec42efe4159d93ae0ce4ae9614558235ab28d821a5f43b49ce4b1dfe3d63dfc2df6f05aa093245752b5e29d5aa013859c723d7bc29

memory/4924-124-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eqfeha32.exe

MD5 b636665700cd519424831e8c47a7b71a
SHA1 1ade4854e1494857ef9795ae8bc999af26a84cfb
SHA256 61c3b11f368ba5b9f7ad0683590167e373b25ca1889fa54a6a506808ee47fe7b
SHA512 2ce2bc2559c7f1df71579297a52f83ef9e002b29af39806d5eaead0cdbe056b40b74786c196aec1cd43fdbef9d717451ae8ae9c3c2438063acc4574b10d616a7

memory/4272-116-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ehonfc32.exe

MD5 745057a32530d2447479f2c47d9d4cbd
SHA1 00ddbdbac0e1438b96907d3932f6f77ff7936ebc
SHA256 9c97994155cac2837433cbf3c1ea7d364c010c5ceabac48593097bf86158088f
SHA512 33c765e3eee20c64f99889366fc2c59e5a5156eaa906f2c00a0024510c68322b3b46c925b8052fba8b73944412db9bce50f6bb3f06c70a89b412071cfbe1cfab

C:\Windows\SysWOW64\Ecbenm32.exe

MD5 4a9cd92587883bc864e8ae3d391e3e6e
SHA1 c4e5ee8c4e4afbecc14e1573a3a6e6af42a4279b
SHA256 5b420909279a21034320a114a4c5cffd98bee863fee17797ccab0112da1d09fa
SHA512 669042d4b3bb06faf5facb80116d196b68d92d9fdbebd05a441d8bd6f5be4b717455294474cc38a1589d72b235cf1b30a2e4a66b593a5fe375c4c6b747213d29

C:\Windows\SysWOW64\Efneehef.exe

MD5 e6cdfc23884846a6a68855e3b95058cb
SHA1 1e107c8972aeb404cfa3b731afd4081512558276
SHA256 e59dedf79783d81feffc108c6ec855d12080b69797f2b966168612566fae43e9
SHA512 650d17c327a015a7c94bec47ea19cd82dc41756eb2a00ba5b968bfe9337cb4ae3b98d24a508556cf8fb1a3f9cdf0121512b5d866e9dce57caef6b11d05b8d734

memory/2032-95-0x0000000000400000-0x0000000000433000-memory.dmp